[openssl-dev] [openssl.org #3800] malformed asn1 definition causes segfault in openssl asn1parse

Hanno Boeck via RT rt@openssl.org
Mon Apr 13 08:28:29 UTC 2015


Attached file will crash the asn1 definitions parser.
To test:
openssl asn1parse -genconf segfault.asn

I tried to create a stack trace with gdb to see what's going on and it
is several megabytes in size and contains lines like:
#24353 0x00007ffff78665be in asn1_multi (cnf=0x7fffffffd410, section=<optimized out>, utype=16) at asn1_gen.c:456
#24354 ASN1_generate_v3 (str=<optimized out>, cnf=cnf@entry=0x7fffffffd410) at asn1_gen.c:165
#24355 0x00007ffff78665be in asn1_multi (cnf=0x7fffffffd410, section=<optimized out>, utype=16) at asn1_gen.c:456

Looks to me like some endless recursion loop is happening which causes
a stack overflow.

Address sanitizer will sometimes report a "Bus error" and sometimes a
stack overflow (depending on combination of CFLAGS and compiler):

==15366==ERROR: AddressSanitizer: stack-overflow on address 0x7fff71055ff8 (pc 0x000000477982 bp 0x000000000030 sp 0x7fff71056000 T0)
    #0 0x477981 in __sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback>::AllocateBatch(__sanitizer::AllocatorStats*, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback> >*, unsigned long) (/data/openssl/openssl-1.0.2a-clang-asan-ubsan/apps/openssl+0x477981)
    #1 0x47780e in __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback> >::Refill(__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback>*, unsigned long) (/data/openssl/openssl-1.0.2a-clang-asan-ubsan/apps/openssl+0x47780e)

As it is unlikely that asn1 definitions are attacker-controlled I don't
assume this has any security impact.

Found with the help of american fuzzy lop.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: segfault.asn
Type: application/octet-stream
Size: 83 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150413/37aad0d7/attachment.obj>
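A defender-side check for the failure mode this report describes, added here as an example and not code from OpenSSL or from the report's author: it parses a `-genconf` style ASN.1 definition file and reports cyclic container references (a section that, directly or through other sections, refers back to itself) before the file is handed to `openssl asn1parse`. It assumes the ASN1_generate_nconf format (`name = TYPE:value` lines under `[section]` headers, with the top-level string in `asn1=`) and that only the container types SEQUENCE/SEQ, SET, SEQWRAP and SETWRAP, possibly preceded by comma-separated modifiers such as `EXP:0`, refer to other sections. The two configuration strings inside it are constructed samples, not the scrubbed `segfault.asn` attachment.

```python
"""Detect cyclic section references in an OpenSSL `-genconf` ASN.1 definition.

Hypothetical validator, not OpenSSL code.  Assumptions:
  * the file is the INI-like ASN1_generate_nconf format: `name = TYPE:value`
    lines grouped under `[section]` headers, top-level string in `asn1=`;
  * only SEQUENCE/SEQ, SET, SEQWRAP and SETWRAP (optionally preceded by
    comma-separated modifiers such as `EXP:0,`) name another section.
"""
import re

CONTAINER_TYPES = {"SEQUENCE", "SEQ", "SET", "SEQWRAP", "SETWRAP"}


def parse_sections(text):
    """Return {section_name: [value strings]}; keys before any header go in ''."""
    sections = {}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if "=" in line:
            _, value = line.split("=", 1)
            sections.setdefault(current, []).append(value.strip())
    return sections


def referenced_section(value):
    """Return the section named by a container value such as `SEQUENCE:sect`
    or `EXP:0,SEQWRAP:sect`, or None for primitive values."""
    last = value.rsplit(",", 1)[-1].strip()  # modifiers precede the TYPE:value
    if ":" not in last:
        return None
    typ, target = last.split(":", 1)
    if typ.strip().upper() in CONTAINER_TYPES:
        return target.strip()
    return None


def section_edges(sections):
    """Build the reference graph: section -> list of sections it points at."""
    edges = {}
    for name, values in sections.items():
        targets = [referenced_section(v) for v in values]
        edges[name] = [t for t in targets if t is not None]
    return edges


def find_cycle(text):
    """Return the first cycle as a list of section names (e.g. ['a', 'b', 'a']),
    or None when the definition is acyclic and therefore safe to expand."""
    edges = section_edges(parse_sections(text))
    state = {}  # section -> 'visiting' (on the DFS path) | 'done'
    path = []

    def visit(node):
        if state.get(node) == "done":
            return None
        if state.get(node) == "visiting":  # back edge: the path loops here
            return path[path.index(node):] + [node]
        state[node] = "visiting"
        path.append(node)
        for nxt in edges.get(node, []):  # unknown sections simply have no edges
            cycle = visit(nxt)
            if cycle:
                return cycle
        path.pop()
        state[node] = "done"
        return None

    for start in list(edges):
        cycle = visit(start)
        if cycle:
            return cycle
    return None


# Constructed sample: a well-formed, acyclic definition.
GOOD = """\
asn1 = SEQUENCE:seq_section

[seq_section]
field1 = BOOLEAN:TRUE
field2 = OID:commonName
field3 = EXP:0,SEQWRAP:inner

[inner]
count = INTEGER:1
"""

# Constructed sample: two sections that refer to each other, so expansion
# would never terminate (the recursion pattern visible in the gdb trace).
CYCLIC = """\
asn1 = SEQUENCE:a

[a]
x = SET:b

[b]
y = SEQUENCE:a
"""

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("CYCLIC", CYCLIC)):
        cycle = find_cycle(cfg)
        print(label, "->", "no cycle" if cycle is None else " -> ".join(cycle))
```

Run it against a definition file with `find_cycle(open(path).read())` before invoking `openssl asn1parse -genconf`; a non-None result names the loop, which is the condition that makes the expander recurse until the stack is exhausted. The depth-first search marks sections on the current path, so a back edge is reported the moment it is seen and the check itself is linear in the size of the file.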
