Good morning. I'm reporting a segfault in openssl via the command line "openssl x509 -x509toreq -in testcase -out /dev/null -signkey test.key" using a malformed certificate. I'm using american fuzzy lop (http://lcamtuf.coredump.cx/afl/) to fuzz openssl.
The testcase, which I've attached to this email, is a mutation of a valid ssl certificate. Doesn't appear to be exploitable according to CERT's exploitable plugin (https://github.com/jfoote/exploitable) for GDB, but there are smarter people than I out there in the world.

I compiled openssl with the afl-gcc included with american fuzzy lop for instrumenting binaries:

CC=/path/to/afl-gcc ./config
AFL_HARDEN=1 make -j8

OpenSSL 1.1.0-dev xx XXX xxxx

Here is the output from GDB:

Getting request Private Key
Generating certificate request

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x10165f0 --> 0x1019110 --> 0xd230c0 --> 0xd1c02a --> 0x7372004645444e55 ('UNDEF')
RBX: 0x10165f0 --> 0x1019110 --> 0xd230c0 --> 0xd1c02a --> 0x7372004645444e55 ('UNDEF')
RCX: 0x0
RDX: 0x0
RSI: 0x7fffffffd7a0 --> 0x10165f0 --> 0x1019110 --> 0xd230c0 --> 0xd1c02a --> 0x7372004645444e55 ('UNDEF')
RDI: 0x1
RBP: 0x1016bf8 --> 0x10165b0 --> 0x1016f00 --> 0xd230c0 --> 0xd1c02a --> 0x7372004645444e55 ('UNDEF')
RSP: 0x7fffffffd7f0 --> 0x10170e0 --> 0x1016410 --> 0x1017380 --> 0x200000001
RIP: 0x93bbd0 (<X509_PUBKEY_set+240>: mov rax,QWORD PTR [r12+0x10])
R8 : 0x1019170 --> 0x6e4135700000000d ('\r')
R9 : 0x0
R10: 0xa ('\n')
R11: 0x7ffff78d0556 (<__memset_sse2+230>: mov QWORD PTR [rdi-0x10],rdx)
R12: 0x0
R13: 0x0
R14: 0x1016f60 --> 0x600000006
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x93bbbe <X509_PUBKEY_set+222>: mov rcx,QWORD PTR [rsp+0x8]
   0x93bbc3 <X509_PUBKEY_set+227>: mov rax,QWORD PTR [rsp+0x10]
   0x93bbc8 <X509_PUBKEY_set+232>: lea rsp,[rsp+0x98]
=> 0x93bbd0 <X509_PUBKEY_set+240>: mov rax,QWORD PTR [r12+0x10]
   0x93bbd5 <X509_PUBKEY_set+245>: test rax,rax
   0x93bbd8 <X509_PUBKEY_set+248>: je 0x93beb8 <X509_PUBKEY_set+984>
   0x93bbde <X509_PUBKEY_set+254>: xchg ax,ax
   0x93bbe0 <X509_PUBKEY_set+256>: lea rsp,[rsp-0x98]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd7f0 --> 0x10170e0 --> 0x1016410 --> 0x1017380 --> 0x200000001
0008| 0x7fffffffd7f8 --> 0x7bd4d239a33a7400
0016| 0x7fffffffd800 --> 0x1016580 --> 0x1016bd0 --> 0x0
0024| 0x7fffffffd808 --> 0x1016bd0 --> 0x0
0032| 0x7fffffffd810 --> 0x1018b10 --> 0x200000001
0040| 0x7fffffffd818 --> 0x9e9cee (<X509_to_X509_REQ+398>: mov rdi,r13)
0048| 0x7fffffffd820 --> 0x7fffffffd840 --> 0x10170e0 --> 0x1016410 --> 0x1017380 --> 0x200000001
0056| 0x7fffffffd828 --> 0x7bd4d239a33a7400
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000093bbd0 in X509_PUBKEY_set ()
gdb-peda$ exploit
Description: Access violation near NULL on source operand
Short description: SourceAvNearNull (16/22)
Hash: edf4ff3908740b6c9ac6ab3fe1b764d4.edf4ff3908740b6c9ac6ab3fe1b764d4
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor.
Other tags: AccessViolation (21/22)

and Valgrind:

Getting request Private Key
Generating certificate request
==59041== Invalid read of size 8
==59041==    at 0x93BBD0: X509_PUBKEY_set (x_pubkey.c:99)
==59041==    by 0x9E9CED: X509_to_X509_REQ (x509_req.c:95)
==59041==    by 0x46F925: x509_main (x509.c:941)
==59041==    by 0x40C377: do_cmd (openssl.c:472)
==59041==    by 0x40B78D: main (openssl.c:366)
==59041==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==59041==
==59041==
==59041== Process terminating with default action of signal 11 (SIGSEGV)
==59041==  Access not within mapped region at address 0x10
==59041==    at 0x93BBD0: X509_PUBKEY_set (x_pubkey.c:99)
==59041==    by 0x9E9CED: X509_to_X509_REQ (x509_req.c:95)
==59041==    by 0x46F925: x509_main (x509.c:941)
==59041==    by 0x40C377: do_cmd (openssl.c:472)
==59041==    by 0x40B78D: main (openssl.c:366)
==59041==  If you believe this happened as a result of a stack
==59041==  overflow in your program's main thread (unlikely but
==59041==  possible), you can try to increase the size of the
==59041==  main thread stack using the --main-stacksize= flag.
==59041==  The main thread stack size used in this run was 8388608.
Segmentation fault
test76crash.gz
Description: GNU Zip compressed data
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
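
Added example, not part of the original message and not OpenSSL or AFL code: a small triage helper that parses a Valgrind invalid-access record like the one in the report above, flags a faulting address near NULL, and builds a de-duplication key from the top stack frames so repeated fuzzer crashes in the same code path group together. The function name, the 0x1000 "near NULL" threshold and the three-frame bucket depth are assumptions; the sample input is constructed from the Valgrind lines in the report.

```python
import re

# Constructed sample: the first Valgrind error record from the report above.
SAMPLE = """\
==59041== Invalid read of size 8
==59041==    at 0x93BBD0: X509_PUBKEY_set (x_pubkey.c:99)
==59041==    by 0x9E9CED: X509_to_X509_REQ (x509_req.c:95)
==59041==    by 0x46F925: x509_main (x509.c:941)
==59041==    by 0x40C377: do_cmd (openssl.c:472)
==59041==    by 0x40B78D: main (openssl.c:366)
==59041==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
"""

HEAD = re.compile(r"==\d+== Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")
ADDR = re.compile(r"==\d+==\s+Address (0x[0-9A-Fa-f]+) is ")

NEAR_NULL = 0x1000  # assumption: anything in the first page counts as near NULL


def triage(log, depth=3):
    """Summarise the first invalid access in a Valgrind log, or return None."""
    lines = log.splitlines()
    for i, line in enumerate(lines):
        head = HEAD.search(line)
        if not head:
            continue
        frames, addr = [], None
        for follow in lines[i + 1:]:
            frame = FRAME.search(follow)
            if frame:
                frames.append((frame.group(1), frame.group(2)))
                continue
            hit = ADDR.search(follow)
            if hit:
                addr = int(hit.group(1), 16)
            break  # the record's frame list ends at the first non-frame line
        return {
            "access": head.group(1),
            "size": int(head.group(2)),
            "address": addr,
            "near_null": addr is not None and addr < NEAR_NULL,
            # Same top frames => same bucket, regardless of the mutated input.
            "bucket": "|".join(fn for fn, _ in frames[:depth]),
        }
    return None


if __name__ == "__main__":
    print(triage(SAMPLE))
```
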
