[unber] fix buffer overrun in the BER introspection and debugging tool (unber)

6ccf7437 · Lev Walkin · ccfaf2ab · 6ccf7437 · 6ccf7437 · 6ccf7437
Commit 6ccf7437 authored Jan 21, 2019 by Lev Walkin
8 changed files
--- a/.gitignore
+++ b/.gitignore
@@ -38,6 +38,7 @@ stamp-h*
 # /asn1c-tools
 /asn1-tools/enber/enber
 /asn1-tools/unber/unber
+/asn1-tools/unber/check_unber
 # /skeletons
 /skeletons/check-*

--- a/AUTHORS
+++ b/AUTHORS
@@ -6,6 +6,7 @@ Bi-Ruei, Chiu <biruei.chiu@gmail.com>
 Daniele Varrazzo <daniele.varrazzo@gmail.com>
 Denis Filatov (DanyaFilatov @ github)
 daa @ github
+Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
 Erika Thorsen (akire @ github)
 gareins @ github
 johvik @ github

--- a/ChangeLog
+++ b/ChangeLog
@@ -24,8 +24,7 @@
    * uper_encode() API got new argument (breaks API compatibility).
    * asn1c -gen-XXX flags are deprecated. Use -no-gen-XXX to disable codecs.
-    FIXES:
+    FIXES IN COMPILER-GENERATED OUTPUT:
-    * CVE-2017-12966 verified not present.
      * Fix incomplete (failed) CHOICE XER decoding memory leak.
        (Severity: medium; Security impact: medium)
      * Fix REAL type overwrite conversion memory leak.
@@ -37,6 +36,11 @@
      * Fix XER decoder crash on maliciously constructed ENUMERATED input.
        (Severity: medium; Security impact: medium)
+    FIXES IN TOOLING:
+      * CVE-2017-12966 verified not present.
+      * Fix `unber` buffer overrun. Reported by Eric Sesterhenn.
+        (Severity: low; Security impact: high)
 0.9.28: 2017-03-26
    * PER decoding: avoid memory leak on error. By github.com/simo5
    * Constness patch #46 by Wim L <wiml@omnigroup.com> (41bbf1c..78d604f).

--- a/asn1-tools/unber/Makefile.am
+++ b/asn1-tools/unber/Makefile.am
@@ -11,7 +11,21 @@ noinst_LTLIBRARIES = libasn1-unber-tool.la
 libasn1_unber_tool_la_SOURCES =     \
    libasn1_unber_tool.c libasn1_unber_tool.h
+bin_PROGRAMS = unber
 unber_LDADD = libasn1-unber-tool.la                 \
    $(top_builddir)/libasn1common/libasn1common.la
-bin_PROGRAMS = unber
+check_PROGRAMS = check_unber
+check_unber_CFLAGS = $(TESTSUITE_CFLAGS) $(LIBFUZZER_CFLAGS)
+check_unber_LDADD = libasn1-unber-tool.la           \
+    $(top_builddir)/libasn1common/libasn1common.la
+dist_check_SCRIPTS=check_unber.sh
+# This jump through the shell is needed to run ./check_unber binary with
+# proper fuzzing options.
+TESTS_ENVIRONMENT=                      \
+    ASAN_ENV_FLAGS="@ASAN_ENV_FLAGS@"   \
+    builddir=${builddir}
+TESTS= check_unber.sh
--- a/asn1-tools/unber/check_unber.c
+++ b/asn1-tools/unber/check_unber.c
+#include "asn1_common.h"
+#include "libasn1_unber_tool.h"
+// An abstraction for getting data from the in-memory buffer.
+struct memory_buffer_stream {
+    input_stream_t istream;
+    const uint8_t *data;
+    size_t size;
+    size_t offset;
+};
+static int memory_buffer_stream_nextChar(input_stream_t *ibs) {
+    struct memory_buffer_stream *bs = (struct memory_buffer_stream *)ibs;
+    if(bs->offset < bs->size) {
+        return bs->data[bs->offset++];
+    } else {
+        return -1;
+    }
+}
+static off_t memory_buffer_stream_bytesRead(input_stream_t *ibs) {
+    struct memory_buffer_stream *bs = (struct memory_buffer_stream *)ibs;
+    return (off_t)bs->offset;
+}
+static int
+ignore_vprintf(output_stream_t *os, const char *fmt, va_list ap) {
+    (void)os;
+    (void)fmt;
+    (void)ap;
+    // Ignore all output.
+    return 0;
+}
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+int
+LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+    // Read from a memory buffer.
+    struct memory_buffer_stream mbs;
+    mbs.istream.nextChar = memory_buffer_stream_nextChar;
+    mbs.istream.bytesRead = memory_buffer_stream_bytesRead;
+    mbs.data = Data;
+    mbs.size = Size;
+    mbs.offset = 0;
+    // Do not print anywhere.
+    struct output_stream nullstream;
+    nullstream.vprintf = ignore_vprintf;
+    nullstream.vprintfError = ignore_vprintf;
+    (void)unber_stream("<fuzzed-input>", &mbs.istream, &nullstream);
+    return 0;
+}
+#ifndef  ENABLE_LIBFUZZER
+int main() {
+    printf("libfuzzer is not compiled-in, pretend the test went OK.\n");
+    return 0;
+}
+#endif
--- a/asn1-tools/unber/check_unber.sh
+++ b/asn1-tools/unber/check_unber.sh
+#!/bin/sh
+FUZZ_TIME=${FUZZ_TIME:-10}
+builddir=${builddir:-.}
+env ${ASAN_ENV_FLAGS:-} ${builddir}/check_unber \
+    -timeout=3                      \
+    -max_total_time=${FUZZ_TIME}    \
+    -max_len=500
--- a/asn1-tools/unber/libasn1_unber_tool.c
+++ b/asn1-tools/unber/libasn1_unber_tool.c
--- a/asn1-tools/unber/libasn1_unber_tool.h
+++ b/asn1-tools/unber/libasn1_unber_tool.h
@@ -38,6 +38,32 @@ int set_indent_size(int indent_size);
 */
 int unber_file(const char *fname);
+typedef struct input_stream {
+    /*
+     * Return the next character as if it were an unsigned int converted to
+     * an int. Returns -1 on EOF or error.
+     */
+    int (*nextChar)(struct input_stream *);
+    /*
+     * Return the number of bytes consumed from the stream so far.
+     */
+    off_t (*bytesRead)(struct input_stream *);
+} input_stream_t;
+typedef struct output_stream {
+    /*
+     * Return the next character as if it were an unsigned int converted to
+     * an int. Returns -1 on EOF or error.
+     */
+    int (*vprintf)(struct output_stream *, const char *fmt, va_list);
+    int (*vprintfError)(struct output_stream *, const char *fmt, va_list);
+} output_stream_t;
+/*
+ * Lower level converter.
+ */
+int unber_stream(const char *fname, input_stream_t *, output_stream_t *);
 /*
 * Decode the TLV given by the given string.
 */