
When I called the d2i_PrivateKey in openssl1.1.1k, there was a bug. #15958

@1185129439

Description

Hi, when I fuzzed the d2i_PrivateKey interface in OpenSSL 1.1.1k, it ran for 23 hours and found a crash. There was a bug.

As shown in the figure, the memcpy() is performed when len = 2 and data is unusable in ASN1_STRING_set:304.
(screenshot: gdb backtrace)

For fuzzing, my initial input and crash are as follows:
(screenshot)

My code is as follows:

#include <stddef.h>
#include <stdint.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509.h>   /* d2i_PrivateKey() / i2d_PrivateKey() */

int FuzzerInitialize(int *argc, char ***argv)
{
    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
    ERR_clear_error();
    CRYPTO_free_ex_index(0, -1);
    return 1;
}

/* Key types tried for every input. */
int type[4] = {EVP_PKEY_NONE, EVP_PKEY_RSA, EVP_PKEY_DSA, EVP_PKEY_EC};

int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
    int n;
    if (len == 0)
        return 0;
    for (n = 0; n < 4; ++n) {
        EVP_PKEY *pkey;
        unsigned char *out = NULL;
        /* d2i_PrivateKey() advances *pp past the bytes it consumed, so use a
         * fresh copy of the pointer for each call. Passing &buf directly would
         * leave buf advanced while len stays unchanged on the next iteration,
         * so later calls would parse past the end of the input. */
        const unsigned char *p = buf;
        pkey = d2i_PrivateKey(type[n], NULL, &p, len);
        if (pkey != NULL) {
            i2d_PrivateKey(pkey, &out);
            OPENSSL_free(out);
            EVP_PKEY_free(pkey);
        }
    }

    ERR_clear_error();

    return 0;
}

void FuzzerCleanup(void)
{
}

My test data is as follows:
Data.zip
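The d2i_* functions advance *pp past the bytes they consume, so a harness that passes the same &buf on every loop iteration while keeping len fixed hands the parser a pointer that has moved forward with a length that has not. The following is an added example, not the reporter's harness or OpenSSL code: d2i_demo is a hypothetical stand-in for d2i_PrivateKey() with the same pointer-advancing convention, and the two loops compare the report's shared-pointer shape with a per-call pointer copy, reporting where an out-of-bounds read would occur instead of performing it.

```c
#include <stddef.h>

/* Hypothetical stand-in for d2i_PrivateKey(): parses one DER-style
 * TAG LENGTH VALUE item with a short-form length. On success it returns
 * the value length and, like the real d2i_* functions, advances *pp past
 * the bytes it consumed; on a malformed or truncated item it returns -1. */
static int d2i_demo(const unsigned char **pp, long len)
{
    const unsigned char *p = *pp;
    if (len < 2 || p[1] > 127 || (long)p[1] + 2 > len)
        return -1;
    *pp = p + 2 + p[1];
    return p[1];
}

/* Constructed inputs: one well-formed item, and the same item truncated. */
static const unsigned char sample[]    = { 0x04, 0x02, 0xAA, 0xBB };
static const unsigned char truncated[] = { 0x04, 0x02, 0xAA };

/* The loop shape from the report: &buf is reused on every call while len
 * stays fixed. Before each call the (pointer, len) pair is checked against
 * the real end of the buffer; the function returns the index of the first
 * call that would read past the end, or -1 if every one of `rounds` calls
 * stays in bounds or parsing stops early with an error. */
int first_oob_call_shared_pointer(const unsigned char *buf, long len, int rounds)
{
    const unsigned char *end = buf + len;
    for (int n = 0; n < rounds; n++) {
        if (end - buf < len)          /* advanced pointer, stale length */
            return n;
        if (d2i_demo(&buf, len) < 0)
            return -1;
    }
    return -1;
}

/* Corrected shape: a fresh copy of the pointer per call, so every call
 * sees the original (buf, len) pair and the bounds check cannot fail. */
int first_oob_call_local_copy(const unsigned char *buf, long len, int rounds)
{
    const unsigned char *end = buf + len;
    for (int n = 0; n < rounds; n++) {
        const unsigned char *p = buf;
        if (end - p < len)
            return n;
        if (d2i_demo(&p, len) < 0)
            return -1;
    }
    return -1;
}
```

With the 4-byte sample the shared-pointer loop would read out of bounds on its second call (index 1), while the per-call copy stays in bounds for all four key types.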

Metadata

Labels

branch: 1.1.1 (applies to OpenSSL_1_1_1-stable branch, EOL)
branch: master (applies to master branch)
triaged: documentation (the issue/PR deals with documentation errors)
