<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p class="details" style="font-style: italic; color: #777;">
<a href="https://gitlab.com/ltx2018">lutianxiong</a> created an issue <a href="https://gitlab.com/gnutls/gnutls/-/issues/1071">#1071</a>:
</p>
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">I got a heap-buffer-overflow while fuzzing gnutls-master</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">==8==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000000 at pc 0x000000ba4514 bp 0x7ffe4031ba00 sp 0x7ffe4031b9f8</span>
<span id="LC2" class="line" lang="plaintext">READ of size 4 at 0x602000000000 thread T0</span>
<span id="LC3" class="line" lang="plaintext">SCARINESS: 17 (4-byte-read-heap-buffer-overflow)</span>
<span id="LC4" class="line" lang="plaintext">    #0 0xba4513 in __gmpz_clear /src/gmp/mpz/clear.c:38:7</span>
<span id="LC5" class="line" lang="plaintext">    #1 0x7be127 in wrap_nettle_mpi_release /src/gnutls/lib/nettle/mpi.c:212:2</span>
<span id="LC6" class="line" lang="plaintext">    #2 0x80a21f in _gnutls_mpi_release /src/gnutls/lib/./mpi.h:71:2</span>
<span id="LC7" class="line" lang="plaintext">    #3 0x80dea3 in gnutls_pk_params_release /src/gnutls/lib/pk.c:536:3</span>
<span id="LC8" class="line" lang="plaintext">    #4 0x673445 in deinit_keys /src/gnutls/lib/state.c:380:3</span>
<span id="LC9" class="line" lang="plaintext">    #5 0x672b86 in _gnutls_handshake_internal_state_clear /src/gnutls/lib/state.c:444:2</span>
<span id="LC10" class="line" lang="plaintext">    #6 0x676a57 in gnutls_deinit /src/gnutls/lib/state.c:669:2</span>
<span id="LC11" class="line" lang="plaintext">    #7 0x55475e in LLVMFuzzerTestOneInput /src/gnutls/fuzz/gnutls_psk_client_fuzzer.c:86:2</span>
<span id="LC12" class="line" lang="plaintext">    #8 0x45a1c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15</span>
<span id="LC13" class="line" lang="plaintext">    #9 0x444de1 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6</span>
<span id="LC14" class="line" lang="plaintext">    #10 0x44aa9e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9</span>
<span id="LC15" class="line" lang="plaintext">    #11 0x474c12 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10</span>
<span id="LC16" class="line" lang="plaintext">    #12 0x7f1470de882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)</span>
<span id="LC17" class="line" lang="plaintext">    #13 0x41e198 in _start (/out/gnutls_psk_client_fuzzer+0x41e198)</span>
<span id="LC18" class="line" lang="plaintext"></span>
<span id="LC19" class="line" lang="plaintext">0x602000000000 is located 16 bytes to the left of 16-byte region [0x602000000010,0x602000000020)</span>
<span id="LC20" class="line" lang="plaintext">freed by thread T0 here:</span>
<span id="LC21" class="line" lang="plaintext">    #0 0x52176d in __interceptor_free /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3</span>
<span id="LC22" class="line" lang="plaintext">    #1 0xb8de31 in _asn1_delete_list /src/libtasn1/lib/parser_aux.c:590:7</span>
<span id="LC23" class="line" lang="plaintext">    #2 0xb947c8 in asn1_array2tree /src/libtasn1/lib/structure.c:278:5</span>
<span id="LC24" class="line" lang="plaintext">    #3 0x64b073 in _gnutls_global_init /src/gnutls/lib/global.c:293:8</span>
<span id="LC25" class="line" lang="plaintext">    #4 0x64a936 in gnutls_global_init /src/gnutls/lib/global.c:224:9</span>
<span id="LC26" class="line" lang="plaintext">    #5 0x553da4 in init /src/gnutls/fuzz/./fuzzer.h:36:2</span>
<span id="LC27" class="line" lang="plaintext">    #6 0xcdfa1c in __libc_csu_init (/out/gnutls_psk_client_fuzzer+0xcdfa1c)</span>
<span id="LC28" class="line" lang="plaintext"></span>
<span id="LC29" class="line" lang="plaintext">previously allocated by thread T0 here:</span>
<span id="LC30" class="line" lang="plaintext">    #0 0x5219ed in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3</span>
<span id="LC31" class="line" lang="plaintext">    #1 0xb8a993 in _asn1_add_static_node /src/libtasn1/lib/parser_aux.c:76:7</span>
<span id="LC32" class="line" lang="plaintext">    #2 0xb93d03 in asn1_array2tree /src/libtasn1/lib/structure.c:199:11</span>
<span id="LC33" class="line" lang="plaintext">    #3 0x64b073 in _gnutls_global_init /src/gnutls/lib/global.c:293:8</span>
<span id="LC34" class="line" lang="plaintext">    #4 0x64a936 in gnutls_global_init /src/gnutls/lib/global.c:224:9</span>
<span id="LC35" class="line" lang="plaintext">    #5 0x553da4 in init /src/gnutls/fuzz/./fuzzer.h:36:2</span>
<span id="LC36" class="line" lang="plaintext">    #6 0xcdfa1c in __libc_csu_init (/out/gnutls_psk_client_fuzzer+0xcdfa1c)</span>
<span id="LC37" class="line" lang="plaintext"></span>
<span id="LC38" class="line" lang="plaintext">SUMMARY: AddressSanitizer: heap-buffer-overflow /src/gmp/mpz/clear.c:38:7 in __gmpz_clear</span></code></pre>
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">master</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto">Ubuntu 16.04</p>
<h2 dir="auto">
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<p dir="auto">run oss-fuzz locally</p>
<p dir="auto">Steps to Reproduce:
use the attached file as the corpus to reproduce, e.g.:
<code>python infra/helper.py reproduce gnutls gnutls_psk_client_fuzzer gnutls_psk_client_fuzzer-heap-buffer-overflow</code>
<a href="https://gitlab.com/gnutls/gnutls/uploads/aa77b510adb163e3890c7dfcc40083a7/gnutls_psk_client_fuzzer-heap-buffer-overflow" data-link="true" class="gfm">gnutls_psk_client_fuzzer-heap-buffer-overflow</a></p>
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<p dir="auto">As described above, ASAN reports a heap-buffer-overflow bug.</p>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<p dir="auto">no error report</p>
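<p dir="auto">As an added example (not part of the issue report above), a small Python triage helper that parses an ASan report like the one in this issue into a structured summary: bug class, access kind and size, where the faulting address sits relative to the neighbouring heap region and whether that region was already freed, the first stack frame inside the project tree (assumed here to be under <code>/src/gnutls/</code>, matching the OSS-Fuzz paths in the report) and a deduplication signature built from it. The embedded report is a constructed, abbreviated copy of the one quoted above.</p>

```python
import re
# Constructed sample: the ASan report from this issue, abbreviated to the lines
# the triage logic needs (the full report is quoted in the issue above).
ASAN_REPORT = """\
==8==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000000 at pc 0x000000ba4514 bp 0x7ffe4031ba00 sp 0x7ffe4031b9f8
READ of size 4 at 0x602000000000 thread T0
    #0 0xba4513 in __gmpz_clear /src/gmp/mpz/clear.c:38:7
    #1 0x7be127 in wrap_nettle_mpi_release /src/gnutls/lib/nettle/mpi.c:212:2
    #2 0x80a21f in _gnutls_mpi_release /src/gnutls/lib/./mpi.h:71:2
    #3 0x80dea3 in gnutls_pk_params_release /src/gnutls/lib/pk.c:536:3
0x602000000000 is located 16 bytes to the left of 16-byte region [0x602000000010,0x602000000020)
freed by thread T0 here:
    #0 0x52176d in __interceptor_free /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0xb8de31 in _asn1_delete_list /src/libtasn1/lib/parser_aux.c:590:7
"""

FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")

def parse_frames(lines):
    """Collect (function, file, line) from the run of '#N ...' frames at the start of lines."""
    frames = []
    for line in lines:
        m = FRAME_RE.match(line)
        if not m:          # first non-frame line (or a frame without source info) ends the stack
            break
        frames.append((m.group(1), m.group(2), int(m.group(3))))
    return frames

def triage(report, project_prefix="/src/gnutls/"):
    """Summarise an ASan report: bug class, access, region relation, dedup signature."""
    lines = report.splitlines()
    info = {"stacks": {}}
    for i, line in enumerate(lines):
        if m := ERROR_RE.search(line):
            info["bug"], info["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
            info["stacks"]["crash"] = parse_frames(lines[i + 1:])
        elif m := REGION_RE.search(line):
            info["offset"], info["side"], info["region"] = int(m.group(1)), m.group(2), int(m.group(3))
        elif line.startswith("freed by"):
            info["stacks"]["free"] = parse_frames(lines[i + 1:])
    # Top frame is in a dependency (gmp here); the first project frame is where to start reading.
    own = [f for f in info["stacks"].get("crash", []) if f[1].startswith(project_prefix)]
    info["project_frame"] = own[0] if own else None
    info["region_freed"] = "free" in info["stacks"]   # access next to an already-freed region
    info["signature"] = info["bug"] + ("@%s:%s:%d" % own[0] if own else "")   # crash dedup key
    return info
```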

</div>
</body>
</html>