

[unber] fix buffer overrun in the BER introspection and debugging too…
…l (unber)
vlm committed Jan 22, 2019
1 parent ccfaf2a commit 6ccf743
Showing 8 changed files with 300 additions and 101 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -38,6 +38,7 @@ stamp-h*
# /asn1c-tools
/asn1-tools/enber/enber
/asn1-tools/unber/unber
/asn1-tools/unber/check_unber

# /skeletons
/skeletons/check-*
1 change: 1 addition & 0 deletions AUTHORS
Expand Up @@ -6,6 +6,7 @@ Bi-Ruei, Chiu <[email protected]>
Daniele Varrazzo <[email protected]>
Denis Filatov (DanyaFilatov @ github)
daa @ github
Eric Sesterhenn <[email protected]>
Erika Thorsen (akire @ github)
gareins @ github
johvik @ github
28 changes: 16 additions & 12 deletions ChangeLog
Expand Up @@ -24,18 +24,22 @@
* uper_encode() API got new argument (breaks API compatibility).
* asn1c -gen-XXX flags are deprecated. Use -no-gen-XXX to disable codecs.

FIXES:
* CVE-2017-12966 verified not present.
* Fix incomplete (failed) CHOICE XER decoding memory leak.
(Severity: medium; Security impact: medium)
* Fix REAL type overwrite conversion memory leak.
(Severity: low; Security impact: medium)
* Fix UPER string decoding constrained only by lower bound > 0
(Severity: low; Security impact: none)
* Fix UPER decoding of large [bit-]strings of size a multiple of 16K
(Severity: low; Security impact: none)
* Fix XER decoder crash on maliciously constructed ENUMERATED input.
(Severity: medium; Security impact: medium)
FIXES IN COMPILER-GENERATED OUTPUT:
* Fix incomplete (failed) CHOICE XER decoding memory leak.
(Severity: medium; Security impact: medium)
* Fix REAL type overwrite conversion memory leak.
(Severity: low; Security impact: medium)
* Fix UPER string decoding constrained only by lower bound > 0
(Severity: low; Security impact: none)
* Fix UPER decoding of large [bit-]strings of size a multiple of 16K
(Severity: low; Security impact: none)
* Fix XER decoder crash on maliciously constructed ENUMERATED input.
(Severity: medium; Security impact: medium)

FIXES IN TOOLING:
* CVE-2017-12966 verified not present.
* Fix `unber` buffer overrun. Reported by Eric Sesterhenn.
(Severity: low; Security impact: high)

0.9.28: 2017-03-26
* PER decoding: avoid memory leak on error. By github.com/simo5
16 changes: 15 additions & 1 deletion asn1-tools/unber/Makefile.am
Expand Up @@ -11,7 +11,21 @@ noinst_LTLIBRARIES = libasn1-unber-tool.la
libasn1_unber_tool_la_SOURCES = \
libasn1_unber_tool.c libasn1_unber_tool.h

bin_PROGRAMS = unber

unber_LDADD = libasn1-unber-tool.la \
$(top_builddir)/libasn1common/libasn1common.la

bin_PROGRAMS = unber
check_PROGRAMS = check_unber
check_unber_CFLAGS = $(TESTSUITE_CFLAGS) $(LIBFUZZER_CFLAGS)
check_unber_LDADD = libasn1-unber-tool.la \
$(top_builddir)/libasn1common/libasn1common.la

dist_check_SCRIPTS=check_unber.sh

# This jump through the shell is needed to run ./check_unber binary with
# proper fuzzing options.
TESTS_ENVIRONMENT= \
ASAN_ENV_FLAGS="@ASAN_ENV_FLAGS@" \
builddir=${builddir}
TESTS= check_unber.sh
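Review bot: `TESTS_ENVIRONMENT` on the line before `TESTS=` is the variable automake reserves for the user under the parallel test harness, so a `make check TESTS_ENVIRONMENT=...` invocation silently replaces the `ASAN_ENV_FLAGS` and `builddir` exports this hunk relies on. The developer-owned counterpart is `AM_TESTS_ENVIRONMENT = \`, which is prepended to the user's value instead of being overridden by it. Whether this tree enables the parallel harness (the default since automake 1.13) or `serial-tests` is not visible in the hunk; if it is the parallel one, that one-word rename is the fix, and if it is the serial one, a comment saying the serial harness is assumed would save the next reader the same check.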
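--- /dev/null
+++ b/asn1-tools/unber/check_unber.c
@@ -0,0 +1,65 @@
+#include "asn1_common.h"
+#include "libasn1_unber_tool.h"
+
+// An abstraction for getting data from the in-memory buffer.
+struct memory_buffer_stream {
+input_stream_t istream;
+const uint8_t *data;
+size_t size;
+size_t offset;
+};
+
+static int memory_buffer_stream_nextChar(input_stream_t *ibs) {
+struct memory_buffer_stream *bs = (struct memory_buffer_stream *)ibs;
+
+if(bs->offset < bs->size) {
+return bs->data[bs->offset++];
+} else {
+return -1;
+}
+}
+
+static off_t memory_buffer_stream_bytesRead(input_stream_t *ibs) {
+struct memory_buffer_stream *bs = (struct memory_buffer_stream *)ibs;
+
+return (off_t)bs->offset;
+}
+
+static int
+ignore_vprintf(output_stream_t *os, const char *fmt, va_list ap) {
+(void)os;
+(void)fmt;
+(void)ap;
+// Ignore all output.
+return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+
+// Read from a memory buffer.
+struct memory_buffer_stream mbs;
+mbs.istream.nextChar = memory_buffer_stream_nextChar;
+mbs.istream.bytesRead = memory_buffer_stream_bytesRead;
+mbs.data = Data;
+mbs.size = Size;
+mbs.offset = 0;
+
+// Do not print anywhere.
+struct output_stream nullstream;
+nullstream.vprintf = ignore_vprintf;
+nullstream.vprintfError = ignore_vprintf;
+
+(void)unber_stream("<fuzzed-input>", &mbs.istream, &nullstream);
+
+return 0;
+}
+
+#ifndef ENABLE_LIBFUZZER
+int main() {
+printf("libfuzzer is not compiled-in, pretend the test went OK.\n");
+return 0;
+}
+#endif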
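Review bot: The fallback `main()` under `#ifndef ENABLE_LIBFUZZER` returns success without calling anything, so on a compiler without libFuzzer `make check` passes without ever executing `unber_stream`, and the overrun this commit fixes gets no regression coverage on such builds. Running a couple of fixed inputs through `LLVMFuzzerTestOneInput` from that `main` (an empty buffer, an indefinite-length header, a length that overstates the available bytes) keeps the harness meaningful on plain gcc builds and still benefits from ASAN when `TESTSUITE_CFLAGS` enables it; the rewrite below does that and also gives `main` a proper `(void)` prototype. Separately, `mbs` and `nullstream` are filled member by member; if `input_stream_t` or `struct output_stream` carries fields beyond the ones assigned here (both are declared in `libasn1_unber_tool.h`, outside this hunk), those stay uninitialized, and a designated initializer such as `struct output_stream nullstream = { .vprintf = ignore_vprintf, .vprintfError = ignore_vprintf };` would zero them at no cost. The downcast in `memory_buffer_stream_nextChar` is valid only because `istream` is the first member of `struct memory_buffer_stream`; a one-line comment on that field, `/* must stay first: callbacks downcast istream back to this struct */`, would protect it from a later reordering.
```c
// … unchanged: memory_buffer_stream, callbacks, LLVMFuzzerTestOneInput …

#ifndef ENABLE_LIBFUZZER
// Without libFuzzer, still push a few fixed inputs through the harness so
// `make check` (and ASAN, when enabled) exercises unber_stream() at all.
int main(void) {
    static const uint8_t probes[][4] = {
        {0x30, 0x80, 0x00, 0x00}, /* indefinite-length SEQUENCE, immediate EOC */
        {0x04, 0x7f, 0x00, 0x00}, /* OCTET STRING claiming more bytes than present */
        {0x1f, 0x80, 0x80, 0x80}, /* unterminated high-tag-number form */
    };
    (void)LLVMFuzzerTestOneInput(probes[0], 0); /* empty input */
    for(size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        (void)LLVMFuzzerTestOneInput(probes[i], sizeof(probes[i]));
    }
    printf("libfuzzer is not compiled-in; ran fixed inputs only.\n");
    return 0;
}
#endif
```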
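--- /dev/null
+++ b/asn1-tools/unber/check_unber.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+FUZZ_TIME=${FUZZ_TIME:-10}
+builddir=${builddir:-.}
+
+env ${ASAN_ENV_FLAGS:-} ${builddir}/check_unber \
+-timeout=3 \
+-max_total_time=${FUZZ_TIME} \
+-max_len=500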
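Review bot: `${builddir}/check_unber` on the `env` line is unquoted, so a build directory whose path contains whitespace splits into several words and the wrong program is executed; `"${builddir}/check_unber"` is the safe form, while `${ASAN_ENV_FLAGS:-}` must stay unquoted because it carries several `VAR=value` words for `env`. The run also starts from an empty corpus, so whether the ten-second budget reproduces the reported overrun is left to chance on every `make check`; if the reporter's input is available, committing it under a corpus directory and passing that directory as a positional argument (`"${builddir}/check_unber" ... "${srcdir:-.}/corpus"`) makes the regression deterministic. Note that `srcdir` is not exported by the Makefile hunk in this commit, so that would need a matching `TESTS_ENVIRONMENT` addition.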
