Attached file will crash the asn1 definitions parser.
To test:
openssl asn1parse -genconf segfault.asn

I tried to create a stack trace with gdb to see what's going on and it
is several megabytes in size and contains lines like:
#24353 0x00007ffff78665be in asn1_multi (cnf=0x7fffffffd410, section=<optimized out>, utype=16) at asn1_gen.c:456
#24354 ASN1_generate_v3 (str=<optimized out>, cnf=cnf@entry=0x7fffffffd410) at asn1_gen.c:165
#24355 0x00007ffff78665be in asn1_multi (cnf=0x7fffffffd410, section=<optimized out>, utype=16) at asn1_gen.c:456

Looks to me like some endless recursion loop is happening which causes
a stack overflow.

Address sanitizer will sometimes report a "Bus error" and sometimes a
stack overflow (depending on the combination of CFLAGS and compiler):

==15366==ERROR: AddressSanitizer: stack-overflow on address 0x7fff71055ff8 (pc 0x000000477982 bp 0x000000000030 sp 0x7fff71056000 T0)
    #0 0x477981 in __sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback>::AllocateBatch(__sanitizer::AllocatorStats*, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback> >*, unsigned long) (/data/openssl/openssl-1.0.2a-clang-asan-ubsan/apps/openssl+0x477981)
    #1 0x47780e in __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback> >::Refill(__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback>*, unsigned long) (/data/openssl/openssl-1.0.2a-clang-asan-ubsan/apps/openssl+0x47780e)

As it is unlikely that asn1 definitions are attacker-controlled, I don't
assume this has any security impact.

Found with the help of american fuzzy lop.

Attachment: segfault.asn
Description: Binary data

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
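The trace above shows asn1_multi and ASN1_generate_v3 calling each other until the stack is exhausted. The following is an added example, not OpenSSL's code and not the attached segfault.asn: a toy model of section-based expansion in which each entry is either a leaf ("INT:<n>") or a reference to another section ("SEQ:<name>") that is expanded recursively. A section that refers to itself, directly or through another section, recurses without bound; the depth counter turns that into a clean error instead of a crash. The format, the MAX_DEPTH value and the section names are all assumptions made for illustration.

```c
/*
 * Added example (not OpenSSL's code): a minimal model of recursive
 * section expansion with a nesting limit. Format and limits are assumed.
 */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 4
#define MAX_DEPTH   32   /* assumed limit; real ASN.1 configs never nest this deep */

struct section {
    const char *name;
    const char *entries[MAX_ENTRIES];
    int count;
};

struct config {
    const struct section *sections;
    int count;
};

static const struct section *find_section(const struct config *cfg, const char *name)
{
    for (int i = 0; i < cfg->count; i++)
        if (strcmp(cfg->sections[i].name, name) == 0)
            return &cfg->sections[i];
    return NULL;
}

/*
 * Expand one value. Returns the number of nodes produced, or -1 on error
 * (unknown section, unknown type, or nesting deeper than MAX_DEPTH).
 * Without the depth check a self-referencing section recurses until the
 * stack is exhausted, which is the stack-overflow ASan reports above.
 */
static int expand(const struct config *cfg, const char *value, int depth)
{
    if (depth > MAX_DEPTH) {
        fprintf(stderr, "nesting too deep (%d) while expanding %s\n", depth, value);
        return -1;
    }
    if (strncmp(value, "INT:", 4) == 0)
        return 1;                       /* leaf: one node */
    if (strncmp(value, "SEQ:", 4) == 0) {
        const struct section *s = find_section(cfg, value + 4);
        if (s == NULL)
            return -1;                  /* reference to a missing section */
        int total = 1;                  /* the SEQUENCE node itself */
        for (int i = 0; i < s->count; i++) {
            int n = expand(cfg, s->entries[i], depth + 1);
            if (n < 0)
                return -1;
            total += n;
        }
        return total;
    }
    return -1;                          /* unknown type tag */
}

/* Constructed benign config: top = SEQ{ INT, SEQ{ INT, INT } } -> 5 nodes. */
int expand_benign_config(void)
{
    static const struct section secs[] = {
        { "top",   { "INT:1", "SEQ:inner" }, 2 },
        { "inner", { "INT:2", "INT:3" },     2 },
    };
    const struct config cfg = { secs, 2 };
    return expand(&cfg, "SEQ:top", 0);
}

/* Constructed config where "loop" contains itself: must fail, not crash. */
int expand_self_referencing_config(void)
{
    static const struct section secs[] = {
        { "loop", { "INT:1", "SEQ:loop" }, 2 },
    };
    const struct config cfg = { secs, 1 };
    return expand(&cfg, "SEQ:loop", 0);
}

/* Constructed config with an indirect cycle a -> b -> a: must also fail. */
int expand_mutually_referencing_config(void)
{
    static const struct section secs[] = {
        { "a", { "SEQ:b" }, 1 },
        { "b", { "SEQ:a" }, 1 },
    };
    const struct config cfg = { secs, 2 };
    return expand(&cfg, "SEQ:a", 0);
}

int main(void)
{
    printf("benign: %d nodes\n", expand_benign_config());
    printf("self-reference: %d\n", expand_self_referencing_config());
    printf("mutual reference: %d\n", expand_mutually_referencing_config());
    return 0;
}
```

The depth counter is passed down the recursion rather than kept in a global so that the limit applies per expansion tree and stays correct if the generator is ever called re-entrantly; a cycle-detection set keyed on section name would reject the cyclic cases earlier, but a depth bound also covers very deep non-cyclic definitions, which exhaust the stack just as effectively.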