[unber] fix buffer overrun in the BER introspection and debugging tool (unber)

.gitignore

@@ -38,6 +38,7 @@ stamp-h*
 # /asn1c-tools
 /asn1-tools/enber/enber
 /asn1-tools/unber/unber
+/asn1-tools/unber/check_unber
 
 # /skeletons
 /skeletons/check-*

AUTHORS

@@ -6,6 +6,7 @@ Bi-Ruei, Chiu <biruei.chiu@gmail.com>
 Daniele Varrazzo <daniele.varrazzo@gmail.com>
 Denis Filatov (DanyaFilatov @ github)
 daa @ github
+Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
 Erika Thorsen (akire @ github)
 gareins @ github
 johvik @ github

ChangeLog

@@ -24,18 +24,22 @@
     * uper_encode() API got new argument (breaks API compatibility).
     * asn1c -gen-XXX flags are deprecated. Use -no-gen-XXX to disable codecs.
 
-    FIXES:
-    * CVE-2017-12966 verified not present.
-    * Fix incomplete (failed) CHOICE XER decoding memory leak.
-      (Severity: medium; Security impact: medium)
-    * Fix REAL type overwrite conversion memory leak.
-      (Severity: low; Security impact: medium)
-    * Fix UPER string decoding constrained only by lower bound > 0
-      (Severity: low; Security impact: none)
-    * Fix UPER decoding of large [bit-]strings of size a multiple of 16K
-      (Severity: low; Security impact: none)
-    * Fix XER decoder crash on maliciously constructed ENUMERATED input.
-      (Severity: medium; Security impact: medium)
+    FIXES IN COMPILER-GENERATED OUTPUT:
+      * Fix incomplete (failed) CHOICE XER decoding memory leak.
+        (Severity: medium; Security impact: medium)
+      * Fix REAL type overwrite conversion memory leak.
+        (Severity: low; Security impact: medium)
+      * Fix UPER string decoding constrained only by lower bound > 0
+        (Severity: low; Security impact: none)
+      * Fix UPER decoding of large [bit-]strings of size a multiple of 16K
+        (Severity: low; Security impact: none)
+      * Fix XER decoder crash on maliciously constructed ENUMERATED input.
+        (Severity: medium; Security impact: medium)
+
+    FIXES IN TOOLING:
+      * CVE-2017-12966 verified not present.
+      * Fix `unber` buffer overrun. Reported by Eric Sesterhenn.
+        (Severity: low; Security impact: high)
 
 0.9.28: 2017-03-26
     * PER decoding: avoid memory leak on error. By github.com/simo5

asn1-tools/unber/Makefile.am

@@ -11,7 +11,21 @@ noinst_LTLIBRARIES = libasn1-unber-tool.la
 libasn1_unber_tool_la_SOURCES =     \
     libasn1_unber_tool.c libasn1_unber_tool.h
 
+bin_PROGRAMS = unber
+
 unber_LDADD = libasn1-unber-tool.la                 \
     $(top_builddir)/libasn1common/libasn1common.la
 
-bin_PROGRAMS = unber
+check_PROGRAMS = check_unber
+check_unber_CFLAGS = $(TESTSUITE_CFLAGS) $(LIBFUZZER_CFLAGS)
+check_unber_LDADD = libasn1-unber-tool.la           \
+    $(top_builddir)/libasn1common/libasn1common.la
+
+dist_check_SCRIPTS=check_unber.sh
+
+# This jump through the shell is needed to run ./check_unber binary with
+# proper fuzzing options.
+TESTS_ENVIRONMENT=                      \
+    ASAN_ENV_FLAGS="@ASAN_ENV_FLAGS@"   \
+    builddir=${builddir}
+TESTS= check_unber.sh

asn1-tools/unber/check_unber.c

+#include "asn1_common.h"
+#include "libasn1_unber_tool.h"
+
+// An abstraction for getting data from the in-memory buffer.
+struct memory_buffer_stream {
+    input_stream_t istream;
+    const uint8_t *data;
+    size_t size;
+    size_t offset;
+};
+
+static int memory_buffer_stream_nextChar(input_stream_t *ibs) {
+    struct memory_buffer_stream *bs = (struct memory_buffer_stream *)ibs;
+
+    if(bs->offset < bs->size) {
+        return bs->data[bs->offset++];
+    } else {
+        return -1;
+    }
+}
+
+static off_t memory_buffer_stream_bytesRead(input_stream_t *ibs) {
+    struct memory_buffer_stream *bs = (struct memory_buffer_stream *)ibs;
+
+    return (off_t)bs->offset;
+}
+
+static int
+ignore_vprintf(output_stream_t *os, const char *fmt, va_list ap) {
+    (void)os;
+    (void)fmt;
+    (void)ap;
+    // Ignore all output.
+    return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+
+    // Read from a memory buffer.
+    struct memory_buffer_stream mbs;
+    mbs.istream.nextChar = memory_buffer_stream_nextChar;
+    mbs.istream.bytesRead = memory_buffer_stream_bytesRead;
+    mbs.data = Data;
+    mbs.size = Size;
+    mbs.offset = 0;
+
+    // Do not print anywhere.
+    struct output_stream nullstream;
+    nullstream.vprintf = ignore_vprintf;
+    nullstream.vprintfError = ignore_vprintf;
+
+    (void)unber_stream("<fuzzed-input>", &mbs.istream, &nullstream);
+
+    return 0;
+}
+
+#ifndef  ENABLE_LIBFUZZER
+int main() {
+    printf("libfuzzer is not compiled-in, pretend the test went OK.\n");
+    return 0;
+}
+#endif

asn1-tools/unber/check_unber.sh

+#!/bin/sh
+
+FUZZ_TIME=${FUZZ_TIME:-10}
+builddir=${builddir:-.}
+
+env ${ASAN_ENV_FLAGS:-} ${builddir}/check_unber \
+    -timeout=3                      \
+    -max_total_time=${FUZZ_TIME}    \
+    -max_len=500

asn1-tools/unber/libasn1_unber_tool.h

@@ -38,6 +38,32 @@ int set_indent_size(int indent_size);
  */
 int unber_file(const char *fname);
 
+typedef struct input_stream {
+    /*
+     * Return the next character as if it were an unsigned int converted to
+     * an int. Returns -1 on EOF or error.
+     */
+    int (*nextChar)(struct input_stream *);
+    /*
+     * Return the number of bytes consumed from the stream so far.
+     */
+    off_t (*bytesRead)(struct input_stream *);
+} input_stream_t;
+
+typedef struct output_stream {
+    /*
+     * Return the next character as if it were an unsigned int converted to
+     * an int. Returns -1 on EOF or error.
+     */
+    int (*vprintf)(struct output_stream *, const char *fmt, va_list);
+    int (*vprintfError)(struct output_stream *, const char *fmt, va_list);
+} output_stream_t;
+
+/*
+ * Lower level converter.
+ */
+int unber_stream(const char *fname, input_stream_t *, output_stream_t *);
+
 /*
  * Decode the TLV given by the given string.
  */