[gnutls-devel] GnuTLS | memleak found by fuzz (#1071)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Aug 20 05:21:15 CEST 2020



lutianxiong created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1071



## Description of problem:
I got a heap-buffer-overflow while fuzzing gnutls-master
```
==8==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000000 at pc 0x000000ba4514 bp 0x7ffe4031ba00 sp 0x7ffe4031b9f8
READ of size 4 at 0x602000000000 thread T0
SCARINESS: 17 (4-byte-read-heap-buffer-overflow)
    #0 0xba4513 in __gmpz_clear /src/gmp/mpz/clear.c:38:7
    #1 0x7be127 in wrap_nettle_mpi_release /src/gnutls/lib/nettle/mpi.c:212:2
    #2 0x80a21f in _gnutls_mpi_release /src/gnutls/lib/./mpi.h:71:2
    #3 0x80dea3 in gnutls_pk_params_release /src/gnutls/lib/pk.c:536:3
    #4 0x673445 in deinit_keys /src/gnutls/lib/state.c:380:3
    #5 0x672b86 in _gnutls_handshake_internal_state_clear /src/gnutls/lib/state.c:444:2
    #6 0x676a57 in gnutls_deinit /src/gnutls/lib/state.c:669:2
    #7 0x55475e in LLVMFuzzerTestOneInput /src/gnutls/fuzz/gnutls_psk_client_fuzzer.c:86:2
    #8 0x45a1c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #9 0x444de1 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
    #10 0x44aa9e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
    #11 0x474c12 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #12 0x7f1470de882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x41e198 in _start (/out/gnutls_psk_client_fuzzer+0x41e198)

0x602000000000 is located 16 bytes to the left of 16-byte region [0x602000000010,0x602000000020)
freed by thread T0 here:
    #0 0x52176d in __interceptor_free /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0xb8de31 in _asn1_delete_list /src/libtasn1/lib/parser_aux.c:590:7
    #2 0xb947c8 in asn1_array2tree /src/libtasn1/lib/structure.c:278:5
    #3 0x64b073 in _gnutls_global_init /src/gnutls/lib/global.c:293:8
    #4 0x64a936 in gnutls_global_init /src/gnutls/lib/global.c:224:9
    #5 0x553da4 in init /src/gnutls/fuzz/./fuzzer.h:36:2
    #6 0xcdfa1c in __libc_csu_init (/out/gnutls_psk_client_fuzzer+0xcdfa1c)

previously allocated by thread T0 here:
    #0 0x5219ed in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xb8a993 in _asn1_add_static_node /src/libtasn1/lib/parser_aux.c:76:7
    #2 0xb93d03 in asn1_array2tree /src/libtasn1/lib/structure.c:199:11
    #3 0x64b073 in _gnutls_global_init /src/gnutls/lib/global.c:293:8
    #4 0x64a936 in gnutls_global_init /src/gnutls/lib/global.c:224:9
    #5 0x553da4 in init /src/gnutls/fuzz/./fuzzer.h:36:2
    #6 0xcdfa1c in __libc_csu_init (/out/gnutls_psk_client_fuzzer+0xcdfa1c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/gmp/mpz/clear.c:38:7 in __gmpz_clear
```

## Version of gnutls used:
master

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu 16.04

## How reproducible:
run oss-fuzz locally

Steps to Reproduce:
use the attached file as the corpus to reproduce, like:
python infra/helper.py reproduce gnutls gnutls_psk_client_fuzzer gnutls_psk_client_fuzzer-heap-buffer-overflow
[gnutls_psk_client_fuzzer-heap-buffer-overflow](/uploads/aa77b510adb163e3890c7dfcc40083a7/gnutls_psk_client_fuzzer-heap-buffer-overflow)

## Actual results:
as described, ASAN reports a heap-buffer-overflow bug

## Expected results:
no error report

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1071
You're receiving this email because of your account on gitlab.com.
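Triage helper, added here as an example and not part of the issue or of GnuTLS: it parses an ASan report of the shape quoted above into the bug type, faulting access, region placement and the crash/free/allocation stacks, then builds a dedup key from the top crash frames so repeated fuzzer finds of the same bug can be grouped. The sample input is a constructed, abridged copy of the trace in the issue; the regexes assume the standard compiler-rt report layout.

```python
import re

# Constructed sample: an abridged copy of the ASan report quoted in the issue above.
SAMPLE_REPORT = """\
==8==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000000 at pc 0x000000ba4514 bp 0x7ffe4031ba00 sp 0x7ffe4031b9f8
READ of size 4 at 0x602000000000 thread T0
    #0 0xba4513 in __gmpz_clear /src/gmp/mpz/clear.c:38:7
    #1 0x7be127 in wrap_nettle_mpi_release /src/gnutls/lib/nettle/mpi.c:212:2
    #2 0x80a21f in _gnutls_mpi_release /src/gnutls/lib/./mpi.h:71:2
    #3 0x80dea3 in gnutls_pk_params_release /src/gnutls/lib/pk.c:536:3
0x602000000000 is located 16 bytes to the left of 16-byte region [0x602000000010,0x602000000020)
freed by thread T0 here:
    #0 0x52176d in __interceptor_free /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0xb8de31 in _asn1_delete_list /src/libtasn1/lib/parser_aux.c:590:7
previously allocated by thread T0 here:
    #0 0x5219ed in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xb8a993 in _asn1_add_static_node /src/libtasn1/lib/parser_aux.c:76:7
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/gmp/mpz/clear.c:38:7 in __gmpz_clear
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")

def parse_asan_report(text):
    """Extract bug type, faulting access, region placement and the three stacks."""
    info = {"type": None, "address": None, "access": None, "size": None, "region": None,
            "stacks": {"crash": [], "freed": [], "allocated": []}}
    current = None  # which stack the following frame lines belong to
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            info["type"], info["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            info["access"], info["size"], current = m.group(1), int(m.group(2)), "crash"
        elif m := REGION_RE.search(line):
            info["region"] = (int(m.group(1)), m.group(2), int(m.group(3)))
        elif line.startswith("freed by"):
            current = "freed"
        elif line.startswith("previously allocated"):
            current = "allocated"
        elif (m := FRAME_RE.match(line)) and current:
            # keep (function, file:line:col); drop the load address so keys survive rebuilds
            info["stacks"][current].append((m.group(1), m.group(2)))
    return info

def crash_signature(info, depth=3):
    """Dedup key for fuzz triage: bug type plus the first `depth` non-sanitizer crash frames."""
    frames = [fn for fn, _ in info["stacks"]["crash"] if not fn.startswith("__interceptor")]
    return info["type"] + ":" + "/".join(frames[:depth])
```

The region line is worth keeping in the parsed output: an access that lands outside any live allocation, as here, points the triager at the lifetime of the object being cleared rather than at the ASN.1 chunk ASan happens to report nearby.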

