Open mmeinander opened 6 years ago
What makes you sure that the given bytes you used are correct?

The thinking behind the fuzz testing was to verify that the library would cleanly handle all error scenarios, also when the given input bytes are tampered with. The tampering might be accidental or malicious.
Hi,

While running fuzz testing (with afl and Kelinci) on the jasn1-generated Java classes for PKIX1Explicit88.asn (ftp://ftp3.itu.int/t/fl/ietf/rfc/rfc3280/PKIX1Explicit88.html), crashes were discovered in five different locations during certificate decoding.
This was the Driver class used for the fuzzing:
```java
import pkix1explicit88.Certificate;
import java.io.*;

public class Driver {
    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("driver: usage: driver file");
            System.exit(1);
        }
        FileInputStream fis = null;
        try {
            fis = new FileInputStream(args[0]);
        } catch (FileNotFoundException e) {
            System.err.println("FileNotFound: " + args[0]);
            System.exit(1);
        }
        try {
            // Decode the (possibly tampered) DER certificate. Only IOException is
            // caught, so any runtime exception from the decoder surfaces as a crash.
            Certificate c = new Certificate();
            c.decode(fis);
        } catch (IOException e) {
            System.err.println(e);
        }
        try {
            fis.close();
        } catch (IOException e) {
        }
    }
}
```
Crashes (the inputs to be decoded, i.e. the DER-encoded certificates, are in hex format):
Crash location:

```
Exception occurred: java.lang.IndexOutOfBoundsException (uncaught)"thread=main", java.io.FileInputStream.readBytes(), line=-1 bci=-1
main[1] where
  [1] java.io.FileInputStream.readBytes (native method)
  [2] java.io.FileInputStream.read (FileInputStream.java:255)
  [3] org.openmuc.jasn1.ber.internal.Util.readFully (Util.java:18)
  [4] org.openmuc.jasn1.ber.types.BerAny.decode (BerAny.java:61)
  [5] pkix1explicit88.AlgorithmIdentifier.decode (AlgorithmIdentifier.java:121)
  [6] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:238)
  [7] pkix1explicit88.Certificate.decode (Certificate.java:119)
  [8] pkix1explicit88.Certificate.decode (Certificate.java:98)
  [9] Driver.main (Driver.java:19)
```

Crash location:

```
Exception occurred: java.lang.NegativeArraySizeException (uncaught)"thread=main", org.openmuc.jasn1.ber.types.BerBitString.decode(), line=126 bci=42
main[1] where
  [1] org.openmuc.jasn1.ber.types.BerBitString.decode (BerBitString.java:126)
  [2] pkix1explicit88.SubjectPublicKeyInfo.decode (SubjectPublicKeyInfo.java:117)
  [3] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:264)
  [4] pkix1explicit88.Certificate.decode (Certificate.java:119)
  [5] pkix1explicit88.Certificate.decode (Certificate.java:98)
  [6] Driver.main (Driver.java:19)
```

Crash location:

```
Exception occurred: java.lang.NegativeArraySizeException (uncaught)"thread=main", org.openmuc.jasn1.ber.types.BerObjectIdentifier.decode(), line=123 bci=56
main[1] where
  [1] org.openmuc.jasn1.ber.types.BerObjectIdentifier.decode (BerObjectIdentifier.java:123)
  [2] pkix1explicit88.AlgorithmIdentifier.decode (AlgorithmIdentifier.java:110)
  [3] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:238)
  [4] pkix1explicit88.Certificate.decode (Certificate.java:119)
  [5] pkix1explicit88.Certificate.decode (Certificate.java:98)
  [6] Driver.main (Driver.java:19)
```

Crash location:

```
Exception occurred: java.lang.NegativeArraySizeException (uncaught)"thread=main", org.openmuc.jasn1.ber.types.string.BerVisibleString.decode(), line=67 bci=40
main[1] where
  [1] org.openmuc.jasn1.ber.types.string.BerVisibleString.decode (BerVisibleString.java:67)
  [2] org.openmuc.jasn1.ber.types.BerUtcTime.decode (BerUtcTime.java:57)
  [3] pkix1explicit88.Time.decode (Time.java:92)
  [4] pkix1explicit88.Validity.decode (Validity.java:107)
  [5] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:251)
  [6] pkix1explicit88.Certificate.decode (Certificate.java:119)
  [7] pkix1explicit88.Certificate.decode (Certificate.java:98)
  [8] Driver.main (Driver.java:19)
```

Crash location:

```
Exception occurred: java.lang.NegativeArraySizeException (uncaught)"thread=main", org.openmuc.jasn1.ber.types.BerOctetString.decode(), line=64 bci=40
main[1] where
  [1] org.openmuc.jasn1.ber.types.BerOctetString.decode (BerOctetString.java:64)
  [2] pkix1explicit88.Extension.decode (Extension.java:136)
  [3] pkix1explicit88.Extensions.decode (Extensions.java:92)
  [4] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:295)
  [5] pkix1explicit88.Certificate.decode (Certificate.java:119)
  [6] pkix1explicit88.Certificate.decode (Certificate.java:98)
  [7] Driver.main (Driver.java:19)
```
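As an added example that is not part of this issue and not jasn1 code: a minimal DER length decoder in the naive form that turns a tampered long-form length into a negative array size (the failure class in the NegativeArraySizeException traces above), beside a checked form that rejects the same bytes with a clean IOException before allocating. The input bytes and the method names are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

// Added example, not jasn1 code: DER long-form length decoding, naive and checked.
public class DerLengthCheck {
    // Naive decode: a tampered long-form length such as 84 FF FF FF FF wraps to a
    // negative int, and new byte[len] on that value is exactly the
    // NegativeArraySizeException pattern seen in the BerOctetString/BerBitString traces.
    static int naiveLength(InputStream in) throws IOException {
        int first = in.read();
        if ((first & 0x80) == 0) return first;
        int n = first & 0x7f, len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | in.read();
        return len;
    }

    // Checked decode: rejects EOF, indefinite length (forbidden in DER), more than
    // four length octets, and any length beyond the input still available, which
    // also covers int overflow; tampered input fails with IOException, not a crash.
    static int checkedLength(InputStream in, int remaining) throws IOException {
        int first = in.read();
        if (first < 0) throw new IOException("EOF in length");
        if ((first & 0x80) == 0) {
            if (first > remaining - 1) throw new IOException("length exceeds input");
            return first;
        }
        int n = first & 0x7f;
        if (n == 0 || n > 4) throw new IOException("bad length octet count: " + n);
        long len = 0;
        for (int i = 0; i < n; i++) {
            int b = in.read();
            if (b < 0) throw new IOException("EOF in length");
            len = (len << 8) | b;
        }
        if (len > remaining - 1 - n) throw new IOException("length " + len + " exceeds input");
        return (int) len;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: OCTET STRING tag 04, tampered length 84 FF FF FF FF, 3 content bytes.
        byte[] tampered = {0x04, (byte) 0x84, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, 1, 2, 3};
        InputStream in = new ByteArrayInputStream(tampered);
        in.read(); // skip the tag
        System.out.println("naive length: " + naiveLength(in));
        in = new ByteArrayInputStream(tampered);
        in.read(); // skip the tag; remaining is everything after it
        try {
            checkedLength(in, tampered.length - 1);
        } catch (IOException e) {
            System.out.println("checked decode rejected input: " + e.getMessage());
        }
    }
}
```

Running a decoder built on the checked form against the same fuzz corpus turns each of the five traces above into an ordinary decode error that the Driver's catch block already handles.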