x509: crash during chain building/verification
Description of problem:
I'm reporting a crash observed during chain building/verification. I've turned it into a reproducer (not minimal yet, but it reliably crashes for me), which I'm attaching to this issue.
As additional context: this reproducer comes from Netflix's BetterTLS project; specifically, it's testcase 61 in their "path validation" suite. As such, it's already public on the Internet. However, nobody appears to have run BetterTLS against a recent version of GnuTLS, so I'm filing this as a private issue for triage.
Version of gnutls used:
This crash has been observed on GnuTLS 3.8.3, via certtool.
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):
I'm using the Homebrew distribution of GnuTLS 3.8.3: https://formulae.brew.sh/formula/gnutls#default
How reproducible:
I'm attaching a reproducer in the form of a PEM bundle (bug.pem).
Steps to Reproduce:
certtool --verify-chain --infile bug.pem
Observed output:
Note that no verification profile was selected. In the future the medium profile will be enabled by default.
Use --verify-profile low to apply the default verification of NORMAL priority string.
|<1>| There was a non-CA certificate in the trusted list: O=bettertls.com,CN=D,serialNumber=9d9b1ac3-6af5-47f2-9cdb-2201652648a0.
Trace/BPT trap: 5
macOS IPS crash log: gnutls-certtool-2024-01-23-161956.ips
Relevant translated part of the report:
-------------------------------------
Translated Report (Full Report Below)
-------------------------------------
Process: gnutls-certtool [68069]
Path: /opt/homebrew/*/gnutls-certtool
Identifier: gnutls-certtool
Version: ???
Code Type: ARM-64 (Native)
Parent Process: bash [67709]
Responsible: Terminal [67706]
User ID: 501
Date/Time: 2024-01-23 16:19:55.8577 -0500
OS Version: macOS 14.1.2 (23B92)
Report Version: 12
Anonymous UUID: AD2BD55F-14F0-0787-13F3-FF2A9759559E
Sleep/Wake UUID: 5864A6BE-405B-4E35-85E8-99A8328CF181
Time Awake Since Boot: 2300000 seconds
Time Since Wake: 602014 seconds
System Integrity Protection: enabled
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x0000000187f72e54
Termination Reason: Namespace SIGNAL, Code 5 Trace/BPT trap: 5
Terminating Process: exc handler [68069]
Application Specific Information:
detected buffer overflow
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_c.dylib 0x187f72e54 __chk_fail_overflow + 24
1 libsystem_c.dylib 0x187f03b48 __memcpy_chk + 40
2 libgnutls.30.dylib 0x104879828 gnutls_x509_trust_list_verify_crt2 + 400
3 gnutls-certtool 0x104176854 _verify_x509_mem + 264
4 gnutls-certtool 0x104171614 main + 3128
5 dyld 0x187ce90e0 start + 2360
Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000000000000 x1: 0x0000000000000000 x2: 0x0000000000000000 x3: 0x0000000000000000
x4: 0x0000000000000000 x5: 0x0000000000000000 x6: 0x0000000000000000 x7: 0x0000000000000000
x8: 0x79670bf9db4f0070 x9: 0x79670bf9db4f0070 x10: 0xfffffffe7818133f x11: 0x0000000000000100
x12: 0x000060000314923c x13: 0x00000000001ff800 x14: 0x00000000000007fb x15: 0x0000000081e1c009
x16: 0xfffffffffffffff4 x17: 0x00000001e72049d8 x18: 0x0000000000000000 x19: 0x0000000000000025
x20: 0x000000016bc93210 x21: 0x0000600001748180 x22: 0x0000000104176b5c x23: 0x0000000152816e00
x24: 0x0000000000000000 x25: 0x0000000000000000 x26: 0x000000010493c450 x27: 0x0000000000000004
x28: 0x0000000000000000 fp: 0x000000016bc92fd0 lr: 0x5d00800187f72e54
sp: 0x000000016bc92fd0 pc: 0x0000000187f72e54 cpsr: 0x60001000
far: 0x0000000000000000 esr: 0xf2000001 (Breakpoint) brk 1
Binary Images:
0x1047bc000 - 0x10492bfff libgnutls.30.dylib (*) <a91b58df-f86f-3f61-8248-0baa31d899fd> /opt/homebrew/*/libgnutls.30.dylib
0x104988000 - 0x104a7ffff libp11-kit.0.dylib (*) <47b51415-5fe7-30b7-8cfb-a94db701c48b> /opt/homebrew/*/libp11-kit.0.dylib
0x104634000 - 0x104663fff libidn2.0.dylib (*) <a175329c-87e6-3190-9803-d5280096f1cb> /opt/homebrew/*/libidn2.0.dylib
0x104ca8000 - 0x104e3ffff libunistring.5.dylib (*) <5d9892e9-f566-3bc0-8295-cc8c07b641b7> /opt/homebrew/*/libunistring.5.dylib
0x1046c8000 - 0x1046fffff libnettle.8.8.dylib (*) <2707e071-fed6-3ad3-97cb-34412f98afe3> /opt/homebrew/*/libnettle.8.8.dylib
0x10471c000 - 0x104757fff libhogweed.6.8.dylib (*) <6425d81e-98e1-37ba-8fd0-3aaae3d18871> /opt/homebrew/*/libhogweed.6.8.dylib
0x104b60000 - 0x104bb7fff libgmp.10.dylib (*) <f6a7b957-4314-3ea5-ac52-39a649bd3a58> /opt/homebrew/*/libgmp.10.dylib
0x104610000 - 0x10461bfff libtasn1.6.dylib (*) <380f4926-ec53-3343-baab-c41c4236d747> /opt/homebrew/*/libtasn1.6.dylib
0x10469c000 - 0x1046b3fff libintl.8.dylib (*) <00fe864a-7259-3f14-8dc2-ad6e85504fef> /opt/homebrew/*/libintl.8.dylib
0x10416c000 - 0x10418ffff gnutls-certtool (*) <17856a9c-b93a-30ad-b020-c93e6ac88ff1> /opt/homebrew/*/gnutls-certtool
0x187efe000 - 0x187f7cffb libsystem_c.dylib (*) <decb8685-f34a-3979-afcb-71fb55747e41> /usr/lib/system/libsystem_c.dylib
0x187ce3000 - 0x187d77317 dyld (*) <ec7a3ba0-f9bf-3ab8-a0f4-8622e5606b20> /usr/lib/dyld
0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???
Actual results:
The program crashes with SIGTRAP, which is probably just because macOS catches the SIGSEGV for triage.
Expected results:
I expected a normal program exit, with an exit code of 1 or 0.
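As an added triage helper (not part of this report or of the GnuTLS project), the script below runs the certtool command from "Steps to Reproduce" over any number of PEM bundles and sorts each result against the expected outcome above: exit status 0 or 1 is a verdict from certtool, while a status above 128 means the shell saw the process die from a signal (128 + 5 for the "Trace/BPT trap: 5" in this report). Only the certtool invocation is taken from the report; the function names, the small signal table and the output format are this example's own assumptions.

```shell
#!/bin/sh
# Added example; not from the original report or from the GnuTLS project.
# Runs certtool chain verification over many PEM bundles (e.g. every case
# of the BetterTLS path-validation suite) and separates genuine verdicts
# from crashes. certtool exits 0 when the chain verifies and 1 when it does
# not; a process killed by a signal is reported by the shell as 128+signo.

# signal_name N: readable name for the few signals that matter in crash
# triage; anything else is reported by number.
signal_name() {
    case $1 in
        5)  echo SIGTRAP ;;   # macOS __chk_fail / brk traps, as in this report
        6)  echo SIGABRT ;;   # abort(), glibc _FORTIFY_SOURCE failures
        11) echo SIGSEGV ;;   # plain memory faults
        *)  echo "SIG$1" ;;
    esac
}

# classify_status N: map a shell exit status to one verdict line.
classify_status() {
    case $1 in
        0) echo valid ;;
        1) echo invalid ;;
        *)
            if [ "$1" -gt 128 ]; then
                echo "crash:$(signal_name $(($1 - 128)))"
            else
                echo "error:$1"
            fi
            ;;
    esac
}

# run_classified CMD [ARGS...]: run CMD with its output discarded and print
# the verdict. The command is the condition of an `if` so that a calling
# script's `set -e` does not abort on a non-zero status.
run_classified() {
    if "$@" >/dev/null 2>&1; then
        classify_status 0
    else
        classify_status $?
    fi
}

# verify_bundle FILE: the exact command from this report, classified.
# Assumes the GnuTLS certtool binary is on PATH under that name.
verify_bundle() {
    run_classified certtool --verify-chain --infile "$1"
}

# Usage: sh triage.sh case1.pem case2.pem ...
# Prints one "<verdict><TAB><file>" line per bundle; grep for ^crash to find
# the cases that need a backtrace rather than a verdict.
for bundle in "$@"; do
    printf '%s\t%s\n' "$(verify_bundle "$bundle")" "$bundle"
done
```

A bundle that makes certtool report "invalid" is the normal, expected output for most BetterTLS path-validation cases; only the "crash:" lines are bugs in the library rather than in the test certificate.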