gnutls / GnuTLS / Issues / #1071 (Closed)
Issue created Aug 20, 2020 by lutianxiong@ltx2018

CVE-2020-24659: read-heap-buffer-overflow found by fuzzing

Description of problem:

I got a heap-buffer-overflow while fuzzing gnutls-master.

==8==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000000 at pc 0x000000ba4514 bp 0x7ffe4031ba00 sp 0x7ffe4031b9f8
READ of size 4 at 0x602000000000 thread T0
SCARINESS: 17 (4-byte-read-heap-buffer-overflow)
    #0 0xba4513 in __gmpz_clear /src/gmp/mpz/clear.c:38:7
    #1 0x7be127 in wrap_nettle_mpi_release /src/gnutls/lib/nettle/mpi.c:212:2
    #2 0x80a21f in _gnutls_mpi_release /src/gnutls/lib/./mpi.h:71:2
    #3 0x80dea3 in gnutls_pk_params_release /src/gnutls/lib/pk.c:536:3
    #4 0x673445 in deinit_keys /src/gnutls/lib/state.c:380:3
    #5 0x672b86 in _gnutls_handshake_internal_state_clear /src/gnutls/lib/state.c:444:2
    #6 0x676a57 in gnutls_deinit /src/gnutls/lib/state.c:669:2
    #7 0x55475e in LLVMFuzzerTestOneInput /src/gnutls/fuzz/gnutls_psk_client_fuzzer.c:86:2
    #8 0x45a1c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #9 0x444de1 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
    #10 0x44aa9e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
    #11 0x474c12 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #12 0x7f1470de882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x41e198 in _start (/out/gnutls_psk_client_fuzzer+0x41e198)

0x602000000000 is located 16 bytes to the left of 16-byte region [0x602000000010,0x602000000020)
freed by thread T0 here:
    #0 0x52176d in __interceptor_free /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0xb8de31 in _asn1_delete_list /src/libtasn1/lib/parser_aux.c:590:7
    #2 0xb947c8 in asn1_array2tree /src/libtasn1/lib/structure.c:278:5
    #3 0x64b073 in _gnutls_global_init /src/gnutls/lib/global.c:293:8
    #4 0x64a936 in gnutls_global_init /src/gnutls/lib/global.c:224:9
    #5 0x553da4 in init /src/gnutls/fuzz/./fuzzer.h:36:2
    #6 0xcdfa1c in __libc_csu_init (/out/gnutls_psk_client_fuzzer+0xcdfa1c)

previously allocated by thread T0 here:
    #0 0x5219ed in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xb8a993 in _asn1_add_static_node /src/libtasn1/lib/parser_aux.c:76:7
    #2 0xb93d03 in asn1_array2tree /src/libtasn1/lib/structure.c:199:11
    #3 0x64b073 in _gnutls_global_init /src/gnutls/lib/global.c:293:8
    #4 0x64a936 in gnutls_global_init /src/gnutls/lib/global.c:224:9
    #5 0x553da4 in init /src/gnutls/fuzz/./fuzzer.h:36:2
    #6 0xcdfa1c in __libc_csu_init (/out/gnutls_psk_client_fuzzer+0xcdfa1c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/gmp/mpz/clear.c:38:7 in __gmpz_clear

Version of gnutls used:

master

Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):

Ubuntu 16.04

How reproducible:

run oss-fuzz locally

Steps to Reproduce:

Use the attached file as the corpus to reproduce, e.g.: python infra/helper.py reproduce gnutls gnutls_psk_client_fuzzer gnutls_psk_client_fuzzer-heap-buffer-overflow gnutls_psk_client_fuzzer-heap-buffer-overflow

Actual results:

As described above, ASAN reports a heap-buffer-overflow bug.

Expected results:

no error report

Edited Aug 26, 2020 by Daiki Ueno
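The sanitizer report in this issue is the artifact a triager works from, so here is an added example (not code from the issue, the reporter, or the GnuTLS project) that parses an AddressSanitizer heap report into its bug type, faulting access, region relation and the access/freed/allocated stacks, then derives a crash signature for deduplicating fuzzer findings. The sample input is an abridged copy of the report quoted above; the `NOISE` frame prefixes and the signature depth are assumptions of this example.

```python
import re
# Line patterns of the AddressSanitizer heap-report format quoted above; a frame's function
# name is matched lazily so C++ signatures containing spaces still parse.
HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located (\d+) bytes (?:to the (left|right) of|inside of) (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)$")

def parse_asan_report(text):
    """Parse one ASan heap report into bug type, faulting access, region relation and stacks."""
    rep = {"bug_type": None, "address": None, "access": None, "size": None, "region": None,
           "stacks": {"access": [], "freed": [], "allocated": []}}
    current = "access"  # frames seen before "freed by ..." belong to the faulting access
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            rep["bug_type"], rep["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            rep["region"] = (int(m.group(1)), m.group(2) or "inside", int(m.group(3)))
        elif line.startswith("freed by thread"):
            current = "freed"
        elif line.startswith("previously allocated by thread"):
            current = "allocated"
        elif m := FRAME_RE.match(line):
            path, *rest = m.group(2).split(":")  # "file:line:col" or "(module+offset)"
            lineno = int(rest[0]) if rest and rest[0].isdigit() else None
            rep["stacks"][current].append((m.group(1), path, lineno))
    return rep

# Assumed set of harness/runtime frame prefixes to skip when building a signature.
NOISE = ("__interceptor_", "__asan_", "fuzzer::", "LLVMFuzzer", "__libc_")
def crash_signature(rep, depth=3):
    """Bug type plus the top in-target frames of the faulting stack: a key for deduplicating crashes."""
    frames = [f for f, _, _ in rep["stacks"]["access"] if not f.startswith(NOISE)]
    return f'{rep["bug_type"]}:' + "|".join(frames[:depth])

# Sample input: an abridged copy of the report quoted in this issue (not a new crash).
SAMPLE = """\
==8==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000000 at pc 0x000000ba4514 bp 0x7ffe4031ba00 sp 0x7ffe4031b9f8
READ of size 4 at 0x602000000000 thread T0
    #0 0xba4513 in __gmpz_clear /src/gmp/mpz/clear.c:38:7
    #1 0x7be127 in wrap_nettle_mpi_release /src/gnutls/lib/nettle/mpi.c:212:2
    #8 0x45a1c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15

0x602000000000 is located 16 bytes to the left of 16-byte region [0x602000000010,0x602000000020)
freed by thread T0 here:
    #1 0xb8de31 in _asn1_delete_list /src/libtasn1/lib/parser_aux.c:590:7
"""
```

Running `crash_signature(parse_asan_report(SAMPLE))` keys this report by its bug type and the two in-target frames (`__gmpz_clear`, `wrap_nettle_mpi_release`), which is what lets a triage pipeline fold repeated hits of the same bug into one ticket.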