[Bug 4075] CryptoPkg: RsaGetPrivateKeyFromPem() crashed in Libfuzzer test


bugzilla-daemon@...
 

https://bugzilla.tianocore.org/show_bug.cgi?id=4075

--- Comment #2 from yi1.li@... <yi1.li@...> ---
The root cause is the inappropriate implementation of BIO_snprintf():
https://github.com/tianocore/edk2/blob/2c17d676e402d75a3a674499342f7ddaccf387bd/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c#L489-L498
For the crashed case, RsaGetPrivateKeyFromPem() will:
1) malloc a piece of memory S,
(edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_print.c:73:11)

2) and use BIO_snprintf() to print a NULL-terminated string to S,
(edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_print.c:104:11)

3) finally call strlen(S) to get the length.
(edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c:486:17)

Because BIO_snprintf() does nothing but return a good status 0, the program
will consider this string to have been written successfully, and then strlen()
will heap-buffer-overflow.

There are two solution choices:
1. Add a true implementation to OpensslLib, but this will increase the
DXE driver binary size by 8kb.
https://github.com/tianocore/edk2/pull/3361
2. The fake BIO_snprintf() needs to return error status -1.
https://github.com/tianocore/edk2/pull/3360
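As an added illustration of the failure mode described in the comment (this is constructed example code, not the edk2 CrtWrapper.c stub or OpenSSL's bn_print.c), the program below models the three steps with three interchangeable BIO_snprintf()-shaped callbacks: a stub that returns 0 without writing (the bug), a stub that returns -1 without writing (the second proposed fix), and a real vsnprintf-backed implementation (the first). The caller pre-fills its allocation with non-NUL bytes and checks for a terminator with memchr() instead of strlen(), so the "would strlen() run off the end?" condition is observable without actually reading past the buffer. All function names here are assumptions for the example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A formatting callback with the same shape as OpenSSL's BIO_snprintf().
   All three implementations below are constructed for this example. */
typedef int (*snprintf_fn)(char *buf, size_t n, const char *fmt, ...);

/* Stub 1 (the behaviour the comment describes): writes nothing but
   reports success with 0, so the caller cannot tell buf is untouched. */
static int stub_snprintf_returns_zero(char *buf, size_t n, const char *fmt, ...) {
    (void)buf; (void)n; (void)fmt;
    return 0;
}

/* Stub 2 (the second proposed fix): writes nothing and reports failure
   with -1, so a caller that checks the return value takes its error path. */
static int stub_snprintf_returns_error(char *buf, size_t n, const char *fmt, ...) {
    (void)buf; (void)n; (void)fmt;
    return -1;
}

/* Stub 3 (the first proposed fix, in spirit): a real implementation that
   delegates to vsnprintf and reports truncation as an error. */
static int real_snprintf(char *buf, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return (r < 0 || (size_t)r >= n) ? -1 : r;
}

/* Caller modelled on the allocate / format / strlen pattern in the comment.
   The allocation is pre-filled with 'A' bytes (constructed "garbage") so an
   unwritten buffer is detectable without reading indeterminate memory.
   Returns NULL when the formatter reports failure. */
#define BUF_LEN 16
static char *format_word(snprintf_fn fn, unsigned long value) {
    char *s = malloc(BUF_LEN);
    if (s == NULL) return NULL;
    memset(s, 'A', BUF_LEN);
    if (fn(s, BUF_LEN, "%lX", value) < 0) {
        free(s);                 /* error path: s is never passed to strlen() */
        return NULL;
    }
    return s;
}

/* Bounded replacement for the strlen(S) step: true only if a NUL
   terminator exists inside the allocation. */
static int is_terminated(const char *s, size_t len) {
    return s != NULL && memchr(s, '\0', len) != NULL;
}

/* Returns 1 if the caller would have gone on to strlen() an unterminated
   buffer (the heap-buffer-overflow in the bug), 0 if the error was detected
   or a properly terminated string was produced. */
int would_overflow(snprintf_fn fn) {
    char *s = format_word(fn, 0xABCDUL);
    int unsafe = (s != NULL) && !is_terminated(s, BUF_LEN);
    free(s);
    return unsafe;
}

int main(void) {
    printf("return-0 stub : %s\n", would_overflow(stub_snprintf_returns_zero) ? "strlen would overflow" : "safe");
    printf("return-1 stub : %s\n", would_overflow(stub_snprintf_returns_error) ? "strlen would overflow" : "safe");
    printf("real vsnprintf: %s\n", would_overflow(real_snprintf) ? "strlen would overflow" : "safe");
    return 0;
}
```

The point the example makes is that the caller's error check is only as good as the stub's return value: with the return-0 stub the caller has no way to notice that S was never written, whereas both the return -1 stub and the real implementation leave the caller either on a checked error path or holding a terminated string.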
