[Bug 4075] New: CryptoPkg: RsaGetPrivateKeyFromPem() crashed in Libfuzzer test

bugzilla-daemon@...

https://bugzilla.tianocore.org/show_bug.cgi?id=4075

Bug ID: 4075
Summary: CryptoPkg: RsaGetPrivateKeyFromPem() crashed in Libfuzzer test
Product: EDK2
Version: Current
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Lowest
Component: Code
Assignee: unassigned@...
Reporter: yi1.li@...
CC: edk2+bugs+int+994+563148131503455288@groups.io

Used Libfuzzer (clang+llvm-11.0.0) as the fuzzer, based on HBFA.

Test case:
https://github.com/liyi77/edk2-staging/blob/HBFA/HBFA/UefiHostFuzzTestCasePkg/TestCase/CryptoPkg/Pem/TestPem.c

Log:
/home/liyi4/wpa3fuzz/Build/UefiHostFuzzTestCryptoPkg/DEBUG_LIBFUZZER/X64/TestPem:
Running 1 inputs 1 time(s) each.
Running: /home/liyi4/wpa3fuzz/TlsSetKeySeed/crash2
=================================================================
==13339==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x603000000471 at pc 0x000000557b67 bp 0x7fffffffce20 sp 0x7fffffffce18
READ of size 1 at 0x603000000471 thread T0
#0 0x557b66 in AsciiStrnLenS
/home/liyi4/wpa3fuzz/edk2-staging/HBFA/UefiHostTestPkg/Library/BaseLibHost/SafeString.c:1772:10
#1 0x591427 in OBJ_obj2txt
/home/liyi4/wpa3fuzz/edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c:486:17
#2 0x6109e2 in i2t_ASN1_OBJECT
/home/liyi4/wpa3fuzz/edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_object.c:182:12
#3 0x6a3d9b in EVP_PKCS82PKEY
/home/liyi4/wpa3fuzz/edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/evp/evp_pkey.c:37:9
#4 0x599a52 in PEM_read_bio_PrivateKey
/home/liyi4/wpa3fuzz/edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_pkey.c:45:15
#5 0x594477 in PEM_read_bio_RSAPrivateKey
/home/liyi4/wpa3fuzz/edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_all.c:67:13
#6 0x54fb17 in RsaGetPrivateKeyFromPem
/home/liyi4/wpa3fuzz/edk2/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c:116:17
#7 0x54dea0 in RunTestHarness
/home/liyi4/wpa3fuzz/edk2-staging/HBFA/UefiHostFuzzTestCasePkg/TestCase/CryptoPkg/Pem/TestPem.c:72:7
#8 0x54dbf7 in LLVMFuzzerTestOneInput
/home/liyi4/wpa3fuzz/edk2-staging/HBFA/UefiHostFuzzTestPkg/Library/ToolChainHarnessLib/ToolChainHarnessLib.c:138:3
#9 0x4586e1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
(/home/liyi4/wpa3fuzz/Build/UefiHostFuzzTestCryptoPkg/DEBUG_LIBFUZZER/X64/TestPem+0x4586e1)
#10 0x443e52 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)
(/home/liyi4/wpa3fuzz/Build/UefiHostFuzzTestCryptoPkg/DEBUG_LIBFUZZER/X64/TestPem+0x443e52)
#11 0x449906 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))
(/home/liyi4/wpa3fuzz/Build/UefiHostFuzzTestCryptoPkg/DEBUG_LIBFUZZER/X64/TestPem+0x449906)
#12 0x4725c2 in main
(/home/liyi4/wpa3fuzz/Build/UefiHostFuzzTestCryptoPkg/DEBUG_LIBFUZZER/X64/TestPem+0x4725c2)
#13 0x7ffff7a6d082 in __libc_start_main
/build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#14 0x41e51d in _start
(/home/liyi4/wpa3fuzz/Build/UefiHostFuzzTestCryptoPkg/DEBUG_LIBFUZZER/X64/TestPem+0x41e51d)

0x603000000471 is located 0 bytes to the right of 17-byte region [0x603000000460,0x603000000471)
allocated by thread T0 here:
#0 0x51e24d in malloc
(/home/liyi4/wpa3fuzz/Build/UefiHostFuzzTestCryptoPkg/DEBUG_LIBFUZZER/X64/TestPem+0x51e24d)
#1 0x57ffdf in CRYPTO_malloc
/home/liyi4/wpa3fuzz/edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/mem.c:222:11
#2 0x655290 in BN_bn2dec
/home/liyi4/wpa3fuzz/edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_print.c:73:11
#3 0x59140a in OBJ_obj2txt
/home/liyi4/wpa3fuzz/edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/objects/obj_dat.c:483:21
#4 0x6109e2 in i2t_ASN1_OBJECT
/home/liyi4/wpa3fuzz/edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_object.c:182:12
#5 0x6a3d9b in EVP_PKCS82PKEY
/home/liyi4/wpa3fuzz/edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/evp/evp_pkey.c:37:9
#6 0x599a52 in PEM_read_bio_PrivateKey
/home/liyi4/wpa3fuzz/edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_pkey.c:45:15
#7 0x594477 in PEM_read_bio_RSAPrivateKey
/home/liyi4/wpa3fuzz/edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_all.c:67:13
#8 0x54fb17 in RsaGetPrivateKeyFromPem
/home/liyi4/wpa3fuzz/edk2/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c:116:17
#9 0x54dea0 in RunTestHarness
/home/liyi4/wpa3fuzz/edk2-staging/HBFA/UefiHostFuzzTestCasePkg/TestCase/CryptoPkg/Pem/TestPem.c:72:7
