[gnutls-devel] GnuTLS | Certtool core dump when parsing the file which has certificates more than 16. (#1527)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sun Jan 28 02:54:11 CET 2024



yixiangzhike yixiangzhike created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1527



Certtool core dumps when used to verify a PEM encoded certificate chain with more than 16 certificates.

Steps to Reproduce:
`# certtool --infile=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -e`

The stack:
```
Reading symbols from certtool...
Reading symbols from /usr/lib/debug//usr/bin/certtool-3.8.0-3.x86_64.debug...
[New LWP 113834]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib64/libthread_db.so.1".
Core was generated by `certtool --infile=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -e'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
    at pthread_kill.c:44
44	      return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
    at pthread_kill.c:44
#1  0x00007fe0c54fdf53 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007fe0c54b1d56 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007fe0c549d197 in __GI_abort () at abort.c:79
#4  0x00007fe0c54f2037 in __libc_message (action=action@entry=do_abort,
    fmt=fmt@entry=0x7fe0c562b5d9 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#5  0x00007fe0c558dd3a in __GI___fortify_fail (msg=msg@entry=0x7fe0c562b57f "buffer overflow detected")
    at fortify_fail.c:26
#6  0x00007fe0c558c656 in __GI___chk_fail () at chk_fail.c:28
#7  0x00007fe0c5c5bebd in memcpy (__len=1160, __src=0x555bd8056110, __dest=0x7ffdcaec35a0)
    at /usr/include/bits/string_fortified.h:29
#8  gnutls_x509_trust_list_verify_crt2 (list=0x555bd80548d0, cert_list=0x555bd8056110, cert_list_size=145,
    data=data@entry=0x0, elements=elements@entry=0, flags=4, voutput=0x7ffdcaec3758,
    func=0x555bd61b2190 <detailed_verification>) at verify-high.c:1475
#9  0x00007fe0c5c5cdc5 in gnutls_x509_trust_list_verify_crt (list=<optimized out>, cert_list=<optimized out>,
    cert_list_size=<optimized out>, flags=<optimized out>, voutput=<optimized out>, func=<optimized out>)
    at verify-high.c:1337
#10 0x0000555bd61b2dd5 in _verify_x509_mem (cert=0x7fe0c52bc010, cert_size=223196, cinfo=<optimized out>,
    use_system_trust=<optimized out>, purpose=0x0, hostname=0x0, email=0x0) at certtool.c:2496
#11 0x0000555bd61b771f in verify_certificate (cinfo=<optimized out>) at certtool.c:2584
#12 cmd_parser (argc=<optimized out>, argv=<optimized out>) at certtool.c:1493
#13 0x0000555bd61b084a in main (argc=3, argv=0x7ffdcaec3b88) at certtool.c:131
(gdb) f 8
#8  gnutls_x509_trust_list_verify_crt2 (list=0x555bd80548d0, cert_list=0x555bd8056110, cert_list_size=145,
    data=data@entry=0x0, elements=elements@entry=0, flags=4, voutput=0x7ffdcaec3758,
    func=0x555bd61b2190 <detailed_verification>) at verify-high.c:1475
1475		memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
(gdb) p cert_list_size
$1 = 145
(gdb) ptype sorted
type = struct gnutls_x509_crt_int {
    asn1_node cert;
    int use_extensions;
    unsigned int expanded;
    unsigned int modified;
    unsigned int flags;
    struct pin_info_st pin;
    gnutls_datum_t raw_dn;
    gnutls_datum_t raw_issuer_dn;
    gnutls_datum_t raw_spki;
    gnutls_datum_t der;
    gnutls_subject_alt_names_t san;
    gnutls_subject_alt_names_t ian;
    gnutls_x509_dn_st dn;
    gnutls_x509_dn_st idn;
} *[16]
(gdb)
```

The check of cert_list_size is missing from gnutls_x509_trust_list_verify_crt2 in the commit [x509: rework issuer callback](https://gitlab.com/gnutls/gnutls/-/commit/ebb19db9165fed30d73c83bab1b1b8740c132dfd#354f9842fb374676880f1b9cfcbb4c28abe5b38f_1314_1376).
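Added example, not GnuTLS code: a minimal C model of the pattern at verify-high.c:1475 (fixed-size stack array of 16 entries, memcpy of cert_list_size elements into it) with the bound check the report says is missing. The constant MAX_VERIFY_DEPTH, the cert_t stand-in, the error codes and the function names are assumptions taken from the 16-element `sorted` array in the trace.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed bound: the gdb ptype above shows `sorted` as a 16-element array. */
#define MAX_VERIFY_DEPTH 16

/* Stand-in for gnutls_x509_crt_t: an opaque object referenced by pointer. */
typedef struct { int id; } cert_t;

enum { CHAIN_OK = 0, CHAIN_E_INVALID = -1, CHAIN_E_TOO_DEEP = -2 };

/* Same shape as the crashing code: a fixed stack array and a memcpy of
 * cert_list_size pointers. On the reported input the unchecked copy writes
 * 145 * sizeof(void *) = 1160 bytes (the __len in frame #7) into a
 * 16-pointer array; the added check rejects that before the copy. */
int copy_chain_to_sorted(const cert_t *const *cert_list, unsigned cert_list_size,
                         const cert_t **first_out)
{
    const cert_t *sorted[MAX_VERIFY_DEPTH];

    if (cert_list == NULL || cert_list_size == 0)
        return CHAIN_E_INVALID;
    if (cert_list_size > MAX_VERIFY_DEPTH)      /* the missing bound check */
        return CHAIN_E_TOO_DEEP;

    memcpy(sorted, cert_list, cert_list_size * sizeof(sorted[0]));
    if (first_out)
        *first_out = sorted[0];                 /* chain is usable from here */
    return CHAIN_OK;
}

/* Builds a constructed chain of n dummy certs and runs the checked copy. */
int check_constructed_chain(unsigned n)
{
    cert_t *certs = calloc(n ? n : 1, sizeof *certs);
    const cert_t **list = calloc(n ? n : 1, sizeof *list);
    for (unsigned i = 0; i < n; i++) { certs[i].id = (int)i; list[i] = &certs[i]; }
    int rc = copy_chain_to_sorted(list, n, NULL);
    free(list);
    free(certs);
    return rc;
}

int main(void)
{
    printf("16 certs:  %d\n", check_constructed_chain(16));   /* 0 */
    printf("145 certs: %d\n", check_constructed_chain(145));  /* -2 */
    return 0;
}
```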
