hannestschofenig / mbedtls

An open source, portable, easy to use, readable and flexible SSL library
https://tls.mbed.org
Apache License 2.0

Add size check in ssl_session_load to fix a bug found in fuzzing #367

Closed zhihan closed 2 years ago

zhihan commented 3 years ago

This is a bug we found while fuzzing the session load functionality by modifying the ticket buffer. The failure looks like the following:

==18960==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500067fe70 at pc 0x00000048c734 bp 0x7ffdd9e68cb0 sp 0x7ffdd9e68460
WRITE of size 165 at 0x61500067fe70 thread T0
SCARINESS: 45 (multi-byte-write-heap-buffer-overflow)
    #0 0x48c733 in __asan_memcpy (/harnesses/a5806c367b90/MNSDecodeSessionDataMbedFuzzer+0x48c733)
    #1 0x2c78e9 in ssl_session_load xplat/mobilenetwork/third-party/mbedtls/library/ssl_tls.c:6547
    #2 0x2c78e9 in mbedtls_ssl_session_load xplat/mobilenetwork/third-party/mbedtls/library/ssl_tls.c:6804

Content of the input data buffer to mbedtls_ssl_session_load, len=194:

0x612000000684: 0x02    0x19    0x00    0x00    0x03    0x00    0xff    0xa8
0x61200000068c: 0x00    0x00    0x00    0xff    0xff    0x66    0xa5    0xa5
0x612000000694: 0xa5    0xa5    0xa5    0xa5    0xa5    0xa5    0xa5    0xa5
0x61200000069c: 0xa5    0xa5    0xa5    0xa5    0xa5    0xa5    0xa5    0xa5
0x6120000006a4: 0xa5    0xa5    0xa5    0xa5    0xa5    0xa5    0xa5    0xa5
0x6120000006ac: 0xa5    0xa5    0xa5    0xa5    0xa5    0xa5    0xa5    0x02
0x6120000006b4: 0x19    0x00    0x00    0x32    0x0e    0x03    0x00    0x00
0x6120000006bc: 0x00    0x00    0x00    0x06    0x00    0x06    0x19    0x00
0x6120000006c4: 0x00    0x03    0x00    0x00    0x00    0x00    0x00    0x00
0x6120000006cc: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x03
0x6120000006d4: 0x00    0x00    0x00    0x0c    0x43    0x00    0x00    0x00
0x6120000006dc: 0x00    0x00    0x00    0x00    0xa5    0xa5    0xa5    0xa5
0x6120000006e4: 0xa5    0xa5    0xa5    0xa5    0xa5    0x02    0x19    0x00
0x6120000006ec: 0x00    0x32    0x0e    0x03    0x00    0x00    0x00    0x00
0x6120000006f4: 0x00    0x06    0x00    0x06    0x19    0x00    0x00    0x03
0x6120000006fc: 0x00    0x00    0x19    0x00    0x00    0x32    0x0e    0x03
0x612000000704: 0x00    0x00    0x00    0x00    0x00    0x06    0x00    0x06
0x61200000070c: 0x19    0x00    0x00    0x03    0x00    0x00    0x00    0x00
0x612000000714: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x61200000071c: 0x00    0x03    0x00    0x00    0x00    0x0c    0x43    0x00
0x612000000724: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x61200000072c: 0x00    0x00    0x00    0x03    0x00    0x00    0x00    0x00
0x612000000734: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x61200000073c: 0x00    0x03    0x00    0x00    0x00    0x0c    0x43    0x00
0x612000000744: 0x00    0x00

zhihan commented 3 years ago

Hi @hanno-arm, I replied and updated the description with the input from fuzzer. Hopefully it is clear now.
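The bug class behind this report (a length taken from the serialized session buffer and handed to memcpy without comparing it against the bytes actually remaining), shown as an added C example that is not mbed TLS's own code. The 3-byte big-endian length prefix, the fixed TICKET_MAX destination, and all function names are assumptions; the two inputs are constructed inline, the first declaring 165 bytes to mirror the write size in the ASan trace.

```c
#include <stddef.h>
#include <string.h>
#define ERR_BAD_INPUT_DATA (-1)
#define TICKET_MAX 128 /* assumed fixed capacity of the destination field */
struct session { unsigned char ticket[TICKET_MAX]; size_t ticket_len; };

/* assumed layout: 3-byte big-endian length prefix, then the body */
static size_t read_len24(const unsigned char *p)
{
    return ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | (size_t)p[2];
}

/* The pattern behind the report: an untrusted length goes straight to memcpy,
 * so a declared length larger than the bytes that follow (or than the
 * destination) turns the copy into a heap overflow. Not called below. */
int load_ticket_unchecked(struct session *s, const unsigned char *p)
{
    size_t n = read_len24(p);     /* remaining input length is never consulted */
    memcpy(s->ticket, p + 3, n);  /* n is attacker-chosen and unbounded */
    s->ticket_len = n;
    return 0;
}

/* Hardened form: prefix, then body, checked against the remaining input and
 * the destination capacity before anything is copied. */
int load_ticket_checked(struct session *s, const unsigned char *p, size_t len)
{
    if (len < 3)
        return ERR_BAD_INPUT_DATA;
    size_t n = read_len24(p);
    if (n > len - 3 || n > TICKET_MAX)
        return ERR_BAD_INPUT_DATA;
    memcpy(s->ticket, p + 3, n);
    s->ticket_len = n;
    return 0;
}

/* Constructed inputs: one declares 165 bytes (the write size in the ASan
 * report) but carries only 7; one is a well-formed 3-byte ticket. Returns the
 * number of cases handled correctly (2 when the hardening works). */
int run_checks(void)
{
    static const unsigned char bad[10] = {0x00, 0x00, 0xa5, 1, 2, 3, 4, 5, 6, 7};
    static const unsigned char good[6] = {0x00, 0x00, 0x03, 0xaa, 0xbb, 0xcc};
    struct session s = {{0}, 0};
    int ok = load_ticket_checked(&s, bad, sizeof bad) == ERR_BAD_INPUT_DATA;
    ok += load_ticket_checked(&s, good, sizeof good) == 0 && s.ticket_len == 3
          && s.ticket[2] == 0xcc;
    return ok;
}
```

The same two checks (prefix fits, body fits both the input and the destination) are what a fuzzer harness like the one in the trace exercises, so a loader that passes them will reject the reported input instead of overflowing.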