Closed
Description
I built using recent gcc and OpenSSL-1_1_0-stable
./config -g -fsanitize=address -fno-omit-frame-pointer
make
make test V=1 2>&1 | tee test.log
in test.log I got
depth=0 C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Client cipher list: 0x0000=================================================================
==25110==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000004f3 at pc 0x2b15e44b2391 bp 0x7ffe30b7cc00 sp 0x7ffe30b7cbf8
READ of size 1 at 0x6020000004f3 thread T0
DONE
#0 0x2b15e44b2390 in ssl3_get_cipher_by_char ssl/s3_lib.c:3550
#1 0x4757c7 in print_raw_cipherlist apps/s_cb.c:975
#2 0x4757c7 in print_ssl_summary apps/s_cb.c:1073
#3 0x482caf in rev_body apps/s_server.c:3089
#4 0x48a474 in do_server apps/s_socket.c:179
#5 0x488547 in s_server_main apps/s_server.c:1934
#6 0x41ef90 in do_cmd apps/openssl.c:471
#7 0x4202fc in main apps/openssl.c:177
#8 0x2b15e5351f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#9 0x4209f6 (/home/ed/OPC/openssl/apps/openssl+0x4209f6)
0x6020000004f3 is located 0 bytes to the right of 3-byte region [0x6020000004f0,0x6020000004f3)
allocated by thread T0 here:
#0 0x2b15e3585ef0 in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x2b15e4a8e687 in CRYPTO_memdup crypto/o_str.c:67
#2 0x2b15e4507f83 in PACKET_memdup ssl/statem/../packet_locl.h:385
#3 0x2b15e4507f83 in ssl_bytes_to_cipher_list ssl/statem/statem_srvr.c:3271
#4 0x2b15e4507f83 in tls_process_client_hello ssl/statem/statem_srvr.c:1175
#5 0x2b15e44e7133 in read_state_machine ssl/statem/statem.c:589
#6 0x2b15e44e7133 in state_machine ssl/statem/statem.c:385
#7 0x2b15e44d4724 in SSL_do_handshake ssl/ssl_lib.c:3025
#8 0x2b15e4490eca in ssl_ctrl ssl/bio_ssl.c:349
#9 0x2b15e48f34b8 in buffer_ctrl crypto/bio/bf_buff.c:343
#10 0x482c7a in rev_body apps/s_server.c:3063
#11 0x48a474 in do_server apps/s_socket.c:179
#12 0x488547 in s_server_main apps/s_server.c:1934
#13 0x41ef90 in do_cmd apps/openssl.c:471
#14 0x4202fc in main apps/openssl.c:177
#15 0x2b15e5351f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: heap-buffer-overflow ssl/s3_lib.c:3550 in ssl3_get_cipher_by_char
Shadow bytes around the buggy address:
==25110==ABORTING
engine "ossltest" set.
engine "ossltest" set.
CONNECTION FAILURE
47964245314304:error:1417D0FC:SSL routines:tls_process_client_hello:unknown protocol:ssl/statem/statem_srvr.c:956:
write:errno=0
I don't know how to locate the problematic test case.
Probably near "../test/recipes/70-test_sslextension.t ....."
The cipher list is 3 bytes long, thus rlistlen=3 is not a multiple of num=2
rlist = [0x00 0x00 0x2F]
Although this is a fatal error (with non-zero return code),
make test prints at the end:
All tests successful.
Files=90, Tests=479, 329 wallclock secs ( 2.94 usr 0.50 sys + 186.48 cusr 152.72 csys = 342.64 CPU)
Result: PASS
make[1]: Leaving directory `/home/ed/OPC/openssl'
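The report boils down to a 2-byte-per-id loop run over a 3-byte list. As an added illustration (not OpenSSL's code), the following models that loop shape to show the one-byte over-read, and puts a checked decoder beside it that rejects a length which is not a multiple of the id size. `overread_bytes`, `decode_cipher_ids`, `CIPHER_ID_LEN` and the sample arrays are constructed here; `num=2` and `rlist = [0x00 0x00 0x2F]` are taken from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CIPHER_ID_LEN 2  /* num=2 in the report: a TLS cipher id is 2 bytes */

/* Constructed sample inputs: the 3-byte list from the report and a well-formed 4-byte one. */
static const unsigned char bad_rlist[]  = { 0x00, 0x00, 0x2F };
static const unsigned char good_rlist[] = { 0x00, 0x2F, 0xC0, 0x2B };

/* Models the loop shape "for (i = 0; i < rlistlen; i += num)" without doing
 * the read: returns how many bytes past the end of the buffer the last
 * iteration would touch (0 means every read stays in bounds). */
size_t overread_bytes(size_t rlistlen, size_t num)
{
    size_t i, end = 0;
    for (i = 0; i < rlistlen; i += num)
        end = i + num;              /* one past the highest index read */
    return end > rlistlen ? end - rlistlen : 0;
}

/* Checked decoder: rejects a list whose length is not a multiple of the id
 * size and walks it with an explicit end test. Returns the number of ids
 * stored in out, or -1 for a malformed list or insufficient output space. */
int decode_cipher_ids(const unsigned char *rlist, size_t rlistlen,
                      uint16_t *out, size_t out_cap)
{
    size_t i, n = 0;
    if (rlist == NULL || rlistlen % CIPHER_ID_LEN != 0)
        return -1;
    for (i = 0; i + CIPHER_ID_LEN <= rlistlen; i += CIPHER_ID_LEN) {
        if (n >= out_cap)
            return -1;
        out[n++] = (uint16_t)((rlist[i] << 8) | rlist[i + 1]);
    }
    return (int)n;
}

int main(void)
{
    uint16_t ids[4];
    printf("unchecked loop over 3 bytes reads %zu byte(s) past the end\n",
           overread_bytes(sizeof(bad_rlist), CIPHER_ID_LEN));
    printf("checked decoder on 3 bytes: %d\n",
           decode_cipher_ids(bad_rlist, sizeof(bad_rlist), ids, 4));
    printf("checked decoder on 4 bytes: %d ids\n",
           decode_cipher_ids(good_rlist, sizeof(good_rlist), ids, 4));
    return 0;
}
```

The 1-byte over-read on the 3-byte list is exactly the "READ of size 1 ... 0 bytes to the right of 3-byte region" that ASan reports above.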