xmlsec-nss: CERT_FindCertByNameString does not work in all cases #3
Comments
vmiklos
pushed a commit
to vmiklos/xmlsec
that referenced
this issue
Mar 6, 2017
Due to reading uninitialized memory. gdb says:
Assertion failure: dest == NULL || dest->data == NULL, at secasn1e.c:1483
Program received signal SIGABRT, Aborted.
0x00007ffff74748d7 in raise () from /lib64/libc.so.6
(gdb) up
lsh123#1 0x00007ffff7475caa in abort () from /lib64/libc.so.6
(gdb)
lsh123#2 0x00007fffe57f96ae in PR_Assert (s=0x7fffe1cbf298 "dest == NULL || dest->data == NULL", file=0x7fffe1cbef60 "secasn1e.c", ln=1483) at ../../../../pr/src/io/prlog.c:553
553 abort();
(gdb)
lsh123#3 0x00007fffe1cb1941 in SEC_ASN1EncodeItem_Util (poolp=0x0, dest=0x7fffffff95f0, src=0x7fffffff9530, theTemplate=0x7fffe55ae180 <DSA_SignatureTemplate>) at secasn1e.c:1483
1483 PORT_Assert(dest == NULL || dest->data == NULL);
lsh123
pushed a commit
that referenced
this issue
Mar 6, 2017
Due to reading uninitialized memory. gdb says:
Assertion failure: dest == NULL || dest->data == NULL, at secasn1e.c:1483
Program received signal SIGABRT, Aborted.
0x00007ffff74748d7 in raise () from /lib64/libc.so.6
(gdb) up
#1 0x00007ffff7475caa in abort () from /lib64/libc.so.6
(gdb)
#2 0x00007fffe57f96ae in PR_Assert (s=0x7fffe1cbf298 "dest == NULL || dest->data == NULL", file=0x7fffe1cbef60 "secasn1e.c", ln=1483) at ../../../../pr/src/io/prlog.c:553
553 abort();
(gdb)
#3 0x00007fffe1cb1941 in SEC_ASN1EncodeItem_Util (poolp=0x0, dest=0x7fffffff95f0, src=0x7fffffff9530, theTemplate=0x7fffe55ae180 <DSA_SignatureTemplate>) at secasn1e.c:1483
1483 PORT_Assert(dest == NULL || dest->data == NULL);
vmiklos
pushed a commit
to vmiklos/xmlsec
that referenced
this issue
Apr 20, 2017
Due to reading uninitialized memory. gdb says:
Assertion failure: dest == NULL || dest->data == NULL, at secasn1e.c:1483
Program received signal SIGABRT, Aborted.
0x00007ffff74748d7 in raise () from /lib64/libc.so.6
(gdb) up
lsh123#1 0x00007ffff7475caa in abort () from /lib64/libc.so.6
(gdb)
lsh123#2 0x00007fffe57f96ae in PR_Assert (s=0x7fffe1cbf298 "dest == NULL || dest->data == NULL", file=0x7fffe1cbef60 "secasn1e.c", ln=1483) at ../../../../pr/src/io/prlog.c:553
553 abort();
(gdb)
lsh123#3 0x00007fffe1cb1941 in SEC_ASN1EncodeItem_Util (poolp=0x0, dest=0x7fffffff95f0, src=0x7fffffff9530, theTemplate=0x7fffe55ae180 <DSA_SignatureTemplate>) at secasn1e.c:1483
1483 PORT_Assert(dest == NULL || dest->data == NULL);
vmiklos
added a commit
to vmiklos/xmlsec
that referenced
this issue
Sep 7, 2018
When building with clang -fsanitize=undefined, ubsan says:
x509.c:1750:46: runtime error: shift exponent 64 is too large for 64-bit type 'PRUint64' (aka 'unsigned long')
#0 0x444d45 in xmlSecNssASN1IntegerWrite src/nss/x509.c:1750:46
lsh123#1 0x4443ec in xmlSecNssX509IssuerSerialNodeWrite src/nss/x509.c:1259:11
lsh123#2 0x4403ba in xmlSecNssKeyDataX509XmlWrite src/nss/x509.c:769:19
lsh123#3 0x45962a in xmlSecKeyInfoNodeWrite src/keyinfo.c:180:19
lsh123#4 0x480149 in xmlSecDSigCtxProcessKeyInfoNode src/xmldsig.c:807:15
lsh123#5 0x47c774 in xmlSecDSigCtxProcessSignatureNode src/xmldsig.c:506:11
lsh123#6 0x47bfb2 in xmlSecDSigCtxSign src/xmldsig.c:289:11
And indeed shifting a 64bit value by 64 bits happens in practice there
as num->len is 9. At the same time (at least in case of the test) in all
3 cases the value that would be shifted is 0.
Avoid undefined behavior by simply not shifting if the value is 0
anyway.
Testcase: make check-crypto-nss XMLSEC_TEST_NAME="aleksey-xmldsig-01/x509data-sn-test"
lsh123
pushed a commit
that referenced
this issue
Sep 8, 2018
When building with clang -fsanitize=undefined, ubsan says:
x509.c:1750:46: runtime error: shift exponent 64 is too large for 64-bit type 'PRUint64' (aka 'unsigned long')
#0 0x444d45 in xmlSecNssASN1IntegerWrite src/nss/x509.c:1750:46
#1 0x4443ec in xmlSecNssX509IssuerSerialNodeWrite src/nss/x509.c:1259:11
#2 0x4403ba in xmlSecNssKeyDataX509XmlWrite src/nss/x509.c:769:19
#3 0x45962a in xmlSecKeyInfoNodeWrite src/keyinfo.c:180:19
#4 0x480149 in xmlSecDSigCtxProcessKeyInfoNode src/xmldsig.c:807:15
#5 0x47c774 in xmlSecDSigCtxProcessSignatureNode src/xmldsig.c:506:11
#6 0x47bfb2 in xmlSecDSigCtxSign src/xmldsig.c:289:11
And indeed shifting a 64bit value by 64 bits happens in practice there
as num->len is 9. At the same time (at least in case of the test) in all
3 cases the value that would be shifted is 0.
Avoid undefined behavior by simply not shifting if the value is 0
anyway.
Testcase: make check-crypto-nss XMLSEC_TEST_NAME="aleksey-xmldsig-01/x509data-sn-test"
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
xmlsec-nss: CERT_FindCertByNameString does not work in all cases
NSS bug: http://bugzilla.mozilla.org/show_bug.cgi?id=210709
Migrated from: https://bugzilla.gnome.org/show_bug.cgi?id=118631
The text was updated successfully, but these errors were encountered: