<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><div class=""><br class=""><div class=""><div class=""><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Feb 17, 2015, at 4:49 PM, Brian Carpenter via RT <<a href="mailto:rt@openssl.org" class="">rt@openssl.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">Good morning. I'm reporting a segfault in openssl via the command line<br class="">"openssl x509 -x509toreq -in testcase -out /dev/null -signkey test.key"<br class="">using a malformed certificate. I'm using american fuzzy lop (<br class=""><a href="http://lcamtuf.coredump.cx/afl/" class="">http://lcamtuf.coredump.cx/afl/</a>) to fuzz openssl.<br class=""><br class="">The testcase, which I've attached to this email, is a mutation of a valid<br class="">ssl certificate. Doesn't appear to be exploitable according to CERTs<br class="">exploitable plugin (<a href="https://github.com/jfoote/exploitable" class="">https://github.com/jfoote/exploitable</a>) for GDB, but<br class="">there are smarter people than I out there in the world.<br class=""><br class="">I compiled openssl with the afl-gcc included with american fuzzy lop for<br class="">instrumenting binaries:<br class="">CC=/path/to/afl-gcc ./config<br class="">AFL_HARDEN=1 make -j8<br class=""><br class="">OpenSSL 1.1.0-dev xx XXX xxxx<br class=""><br class="">Here is the output from GDB:<br class="">Getting request Private Key<br class="">Generating certificate request<br class=""><br class="">Program received signal SIGSEGV, Segmentation fault.<br class="">[----------------------------------registers-----------------------------------]<br class="">RAX: 0x10165f0 --> 0x1019110 --> 0xd230c0 --> 0xd1c02a --><br class="">0x7372004645444e55 ('UNDEF')<br class="">RBX: 0x10165f0 --> 0x1019110 --> 0xd230c0 --> 0xd1c02a --><br class="">0x7372004645444e55 ('UNDEF')<br class="">RCX: 0x0<br class="">RDX: 0x0<br class="">RSI: 0x7fffffffd7a0 --> 0x10165f0 --> 0x1019110 --> 0xd230c0 --> 0xd1c02a<br class="">--> 0x7372004645444e55 ('UNDEF')<br class="">RDI: 0x1<br class="">RBP: 0x1016bf8 --> 0x10165b0 --> 0x1016f00 --> 0xd230c0 --> 0xd1c02a --><br class="">0x7372004645444e55 ('UNDEF')<br class="">RSP: 0x7fffffffd7f0 --> 0x10170e0 --> 0x1016410 --> 0x1017380 --><br class="">0x200000001<br class="">RIP: 0x93bbd0 (<X509_PUBKEY_set+240>: mov    rax,QWORD PTR [r12+0x10])<br class="">R8 : 0x1019170 --> 0x6e4135700000000d ('\r')<br class="">R9 : 0x0<br class="">R10: 0xa ('\n')<br class="">R11: 0x7ffff78d0556 (<__memset_sse2+230>: mov    QWORD PTR [rdi-0x10],rdx)<br class="">R12: 0x0<br class="">R13: 0x0<br class="">R14: 0x1016f60 --> 0x600000006<br class="">R15: 0x0<br class="">EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction<br class="">overflow)<br class="">[-------------------------------------code-------------------------------------]<br class="">   0x93bbbe <X509_PUBKEY_set+222>: mov    rcx,QWORD PTR [rsp+0x8]<br class="">   0x93bbc3 <X509_PUBKEY_set+227>: mov    rax,QWORD PTR [rsp+0x10]<br class="">   0x93bbc8 <X509_PUBKEY_set+232>: lea    rsp,[rsp+0x98]<br class="">=> 0x93bbd0 <X509_PUBKEY_set+240>: mov    rax,QWORD PTR [r12+0x10]<br class="">   0x93bbd5 <X509_PUBKEY_set+245>: test   rax,rax<br class="">   0x93bbd8 <X509_PUBKEY_set+248>: je     0x93beb8 <X509_PUBKEY_set+984><br class="">   0x93bbde <X509_PUBKEY_set+254>: xchg   ax,ax<br class="">   0x93bbe0 <X509_PUBKEY_set+256>: lea    rsp,[rsp-0x98]<br class="">[------------------------------------stack-------------------------------------]<br class="">0000| 0x7fffffffd7f0 --> 0x10170e0 --> 0x1016410 --> 0x1017380 --><br class="">0x200000001<br class="">0008| 0x7fffffffd7f8 --> 0x7bd4d239a33a7400<br class="">0016| 0x7fffffffd800 --> 0x1016580 --> 0x1016bd0 --> 0x0<br class="">0024| 0x7fffffffd808 --> 0x1016bd0 --> 0x0<br class="">0032| 0x7fffffffd810 --> 0x1018b10 --> 0x200000001<br class="">0040| 0x7fffffffd818 --> 0x9e9cee (<X509_to_X509_REQ+398>: mov    rdi,r13)<br class="">0048| 0x7fffffffd820 --> 0x7fffffffd840 --> 0x10170e0 --> 0x1016410 --><br class="">0x1017380 --> 0x200000001<br class="">0056| 0x7fffffffd828 --> 0x7bd4d239a33a7400<br class="">[------------------------------------------------------------------------------]<br class="">Legend: code, data, rodata, value<br class="">Stopped reason: SIGSEGV<br class="">0x000000000093bbd0 in X509_PUBKEY_set ()<br class="">gdb-peda$ exploit<br class="">Description: Access violation near NULL on source operand<br class="">Short description: SourceAvNearNull (16/22)<br class="">Hash: edf4ff3908740b6c9ac6ab3fe1b764d4.edf4ff3908740b6c9ac6ab3fe1b764d4<br class="">Exploitability Classification: PROBABLY_NOT_EXPLOITABLE<br class="">Explanation: The target crashed on an access violation at an address<br class="">matching the source operand of the current instruction. This likely<br class="">indicates a read access violation, which may mean the application crashed<br class="">on a simple NULL dereference to data structure that has no immediate effect<br class="">on control of the processor.<br class="">Other tags: AccessViolation (21/22)<br class=""><br class="">and Valgrind:<br class="">Getting request Private Key<br class="">Generating certificate request<br class="">==59041== Invalid read of size 8<br class="">==59041==    at 0x93BBD0: X509_PUBKEY_set (x_pubkey.c:99)<br class="">==59041==    by 0x9E9CED: X509_to_X509_REQ (x509_req.c:95)<br class="">==59041==    by 0x46F925: x509_main (x509.c:941)<br class="">==59041==    by 0x40C377: do_cmd (openssl.c:472)<br class="">==59041==    by 0x40B78D: main (openssl.c:366)<br class="">==59041==  Address 0x10 is not stack'd, malloc'd or (recently) free'd<br class="">==59041==<br class="">==59041==<br class="">==59041== Process terminating with default action of signal 11 (SIGSEGV)<br class="">==59041==  Access not within mapped region at address 0x10<br class="">==59041==    at 0x93BBD0: X509_PUBKEY_set (x_pubkey.c:99)<br class="">==59041==    by 0x9E9CED: X509_to_X509_REQ (x509_req.c:95)<br class="">==59041==    by 0x46F925: x509_main (x509.c:941)<br class="">==59041==    by 0x40C377: do_cmd (openssl.c:472)<br class="">==59041==    by 0x40B78D: main (openssl.c:366)<br class="">==59041==  If you believe this happened as a result of a stack<br class="">==59041==  overflow in your program's main thread (unlikely but<br class="">==59041==  possible), you can try to increase the size of the<br class="">==59041==  main thread stack using the --main-stacksize= flag.<br class="">==59041==  The main thread stack size used in this run was 8388608.<br class="">Segmentation fault<br class=""><br class=""><span id="cid:31E61C1C-8AF7-4622-A36D-BDC15E1E801C"><test76crash.gz></span>_______________________________________________<br class="">openssl-dev mailing list<br class="">To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-dev" class="">https://mta.openssl.org/mailman/listinfo/openssl-dev</a><br class=""></div></blockquote></div><br class=""></div></div></div></div></div></body></html>