From 248971348b36d0dc5473499f19981ee51f877de0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?=
Date: Thu, 19 Jan 2023 20:57:44 +0100
Subject: [PATCH 1/3] Replace fuzzer-generated PKCS7 regression tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit adds well-formed reproducers for the memory management issues fixed in the following commits: 290f01b3f54a16045be201699becda8f500eebd5 e7f8c616d0b9388fd20ffd6c9730ea8188f27716 f7641544eafeaf0c71d109fbbec1d9f8aa2e74d8

Signed-off-by: Bence Szépkúti
---
 tests/data_files/Makefile | 12 ++++++++++++
 ...info_set-leak-fuzz_pkcs7-4541044530479104.der | Bin 108 -> 0 bytes
 ...-missing_free-fuzz_pkcs7-6213931373035520.der | Bin 108 -> 0 bytes
 ...Info_1_serial_invalid_tag_after_long_name.der | Bin 0 -> 810 bytes
 .../pkcs7_signerInfo_2_invalid_tag.der | Bin 0 -> 1185 bytes
 tests/suites/test_suite_pkcs7.data | 12 ++++++------
 6 files changed, 18 insertions(+), 6 deletions(-)
 delete mode 100644 tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der
 delete mode 100644 tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der
 create mode 100644 tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der
 create mode 100644 tests/data_files/pkcs7_signerInfo_2_invalid_tag.der

diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 622a28977..a7517bf78 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -1369,6 +1369,18 @@ pkcs7_data_signed_badsigner.der: pkcs7_data_cert_signed_sha256.der
  echo -en '\xa1' | dd of=$@ bs=1 seek=918 conv=notrunc
 all_final += pkcs7_data_signed_badsigner.der
 
+# pkcs7 signature file with invalid tag in signerInfo[1].serial after long issuer name
+pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der: pkcs7_data_multiple_signed.der
+ cp $< $@
+ echo -en '\xa1' | dd of=$@ bs=1 seek=498 conv=notrunc
+all_final += pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der
+
+# pkcs7 signature file with invalid tag in signerInfo[2]
+pkcs7_signerInfo_2_invalid_tag.der: pkcs7_data_3_signed.der
+ cp $< $@
+ echo -en '\xa1' | dd of=$@ bs=1 seek=810 conv=notrunc
+all_final += pkcs7_signerInfo_2_invalid_tag.der
+
 # pkcs7 file with version 2
 pkcs7_data_cert_signed_v2.der: pkcs7_data_cert_signed_sha256.der
  cp pkcs7_data_cert_signed_sha256.der $@
diff --git a/tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der b/tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der
deleted file mode 100644
index 51aef0d0929043a6c080846758c96bf08a945216..0000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 108 zcmXrWVq#=8FQ)N1o+`_9YA&S+?7APZDrz-_=`$Y#L8#=yhC l!~mq36ch}Y*cezCVA3LnLJ(;XDFadhBo)BmKZH_H004ib3yc5&
diff --git a/tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der b/tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der
deleted file mode 100644
index ce4fb3bd49fdaf0ccd10069af549eb55ec9554fe..0000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 108 zcmXrWVq#=8FQ)N1o+`_9YA&S>avAPZDrz-_=`$Y#L8#=y+L V!~mq36ch}Y*cezC2uLd+0|0Qt3R(aF
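Review bot: The two rules added here overwrite one byte at a hard-coded offset (`seek=498`, `seek=810`) in a file built by another rule, and nothing records which original byte is expected at that position. If `pkcs7_data_multiple_signed.der` or `pkcs7_data_3_signed.der` is regenerated with a slightly different encoding, the 0xa1 byte would land in another field and the fixture could stop reproducing the memory-management issues this commit is meant to pin, possibly while still producing some parse error. I would extend each rule comment with the byte being overwritten, for example `# seek=498: tag byte of signerInfos[1] serialNumber in pkcs7_data_multiple_signed.der (confirm against the DER); recompute if that file is regenerated`, and likewise for `seek=810`.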
diff --git a/tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der b/tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der new file mode 100644 index 0000000000000000000000000000000000000000..fe5539006c9ec85d67bb841a63c2767a643c1179 GIT binary patch literal 810 zcmXqLVpe10)N1o+`_9YA&a|M3S=^wBS(u5D(U9MOmyI)_&4V$OnT3gwmBD};p^(wA ziRqm|6Js$@p@ENqi6OTECmVAp3!5;LpN}D*0S}17#lsrl?Hp`wC~6=K;xqH`fcXl} zsYN9UhD;*W_wHVD@ws^RUyS1l0iDk6_w{o2qgx7e1JrelKsT^7F)~EIxluUv;JyD7 z4*5(}n;p9OL*^c(7^56RAF05K{C^@R4EFhXAGg_McCxH|i(`iR?3Z#i_iH3AvK~n! z70wl2yx{+b23t4Iq)%s8n2WTu8wDM{&g#2E#7>(-%0lcd2g|8|nd{=;ys(YYF>l^D zqubl<&XlL2?F-poiMs7qy41y4pQ`1Mc1JT+Z9?XH{lK!_Jugq?3jRzF|6s)OJ*>dA z{Q}n&mCBq+f2v;Rd%76ToOjD$CZB(JakAc}h<{9F>83Mp<)1S>yS7|y!EPp>wKKCj z9-N-h>hn5=JMXy1&7bG8a;})ScCXnXlGvrL|9Oe%u?O|G8)meZ|9#UEHGO}rfbIp# zg57ALNSJS^gX;Roc}4}5n~L~8@P4lOT|+q7SrTU4iPxU_c#qz-6y18R#P_QY##kIr zHr{jQ-8-{c{$9~{SGiufEP22YUvi1{cFwg3#x2dhuO0V4g zu_IChH$WOk=G!d%3Z2+p)Uqhct5budx5I zF#Y(RLe6#1uRokH`*O?gKZ%q3{w$U0oP1n%vv@JT*z@OQZBDcuZZyRM%7_+Yxjn=Du9|G|F06a(g4FRyN7+$p#GY3%KPB8-6r r>DM<%X>nA3=!og`YCpfN$G7gqganVqbvtX6E`BzDKgo_cDun?6%%4K* literal 0 HcmV?d00001 
diff --git a/tests/data_files/pkcs7_signerInfo_2_invalid_tag.der b/tests/data_files/pkcs7_signerInfo_2_invalid_tag.der new file mode 100644 index 0000000000000000000000000000000000000000..3a4287426c1758419224ca36729255bee68c32c5 GIT binary patch literal 1185 zcmXqLVwuavsnzDu_MMlJooPW6OP@g#OBWL(qanWmFB@k(-%0lcd2g|8|nd{=;ys(YYF>l^D zqubl<&XlL2?F-poiMs7qy41y4pQ`1Mc1JT+Z9?XH{lK!_Jugq?3jRzF|6s)OJ*>dA z{Q}n&mCBq+f2v;Rd%76ToOjD$CZB(JakAc}h<{9F>83Mp<)1S>yS7|y!EPp>wKKCj z9-N-h>hn5=JMXy1&7bG8a;})ScCXnXlGvrL|9Oe%u?O|G8)meZ|9#UEHGO}rfbIp# zg58KoB+NI|L3MrPJfnijO+|bkct6+tt|1)kED1C2#B0xdyhra^if%nu;``MHV=Rs* z8}B*u?w#2zf3N7fD_%vaIjTI-{Lp5UVS9UF^?o(orfvIvS^J4Jm}m9W+tk)+rC09$ z*p#%Ywf4m!E}?CU&h`1$8{Uv^Xk1bi{OewV&VC<6HM)LV`!*x}7yj7eAZ7pJc}zmBO%)qSS88B$DJ_G^2E0 zA4_4^(`33vX}Q9+54o_a4zHC=QW;J zd&MqqdMTrq_`<+u@%6WhE9-A;j#;j~(OYzpci8TNJHj5WsSS++|6{lIgneJ&9LE0m zaM15BUjx}b&EUU$*2%JVf1&xidO4%B4U4z07TS^{Hc3Ifw_JRCmyPQ+%P3*4?uZtd zJ(_&}jkS-L{1ba~q5PEbf>o-IOwZJ(g|6UUvF=U#gy>DnLn62DIl9pJ(@c}eTjc+I fv$?)_;^SxE8>XCc(P Date: Tue, 28 Feb 2023 16:40:27 +0100 Subject: [PATCH 2/3] Fix expected error code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was overlooked during the rebase. Signed-off-by: Bence Szépkúti --- tests/suites/test_suite_pkcs7.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index 2a71e7a45..da8146bc1 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data 
@@ -80,7 +80,7 @@ pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PK
 
 PKCS7 Signed Data Parse Fail Corrupt signerInfos[2] (6213931373035520)
 depends_on:MBEDTLS_SHA256_C
-pkcs7_parse:"data_files/pkcs7_signerInfo_2_invalid_tag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
+pkcs7_parse:"data_files/pkcs7_signerInfo_2_invalid_tag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
 
 PKCS7 Signed Data Parse Fail Corrupt signerInfos[1].issuerAndSerialNumber.serialNumber, after multi-element .name (4541044530479104)
 depends_on:MBEDTLS_SHA256_C

From 35d674a6eec5da754519effca8239a3c852b4b41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?=
Date: Tue, 28 Feb 2023 16:59:50 +0100
Subject: [PATCH 3/3] Replace usage of echo -e in pkcs7 data Makefile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This use of the shell builtin is not portable.

Signed-off-by: Bence Szépkúti
---
 tests/data_files/Makefile | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index a7517bf78..2029f4f1c 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -1272,7 +1272,7 @@ pkcs7_test_cert_3 = pkcs7-rsa-sha256-3.crt
 pkcs7_test_file = pkcs7_data.bin
 
 $(pkcs7_test_file):
- echo -e "Hello\xd" > $@
+ printf "Hello\15\n" > $@
 all_final += $(pkcs7_test_file)
 
 pkcs7_zerolendata.bin:
@@ -1280,7 +1280,7 @@ pkcs7_zerolendata.bin:
 all_final += pkcs7_zerolendata.bin
 
 pkcs7_data_1.bin:
- echo -e "2\xd" > $@
+ printf "2\15\n" > $@
 all_final += pkcs7_data_1.bin
 
 # Generate signing cert
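Review bot: In the `$(pkcs7_test_file)` rule of the `@@ -1272,7` hunk, `printf "Hello\15\n"` spells the carriage return as a bare octal escape that is easy to misread as the digits 1 and 5. POSIX `printf` accepts `\r` in the format string, so `printf 'Hello\r\n' > $@` (and `printf '2\r\n' > $@` in the `@@ -1280,7` hunk) writes the same bytes and reads as what it is. Judging by the variable name and its use as a prerequisite further down, this file appears to be the content the PKCS7 fixtures are signed over, so a comment such as `# must stay exactly "Hello\r\n"; any other bytes invalidate the signed fixtures` above the rule would be worth adding.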
@@ -1360,31 +1360,31 @@ all_final += pkcs7_data_multiple_certs_signed.der
 # pkcs7 signature file with corrupted CERT
 pkcs7_data_signed_badcert.der: pkcs7_data_cert_signed_sha256.der
  cp pkcs7_data_cert_signed_sha256.der $@
- echo -en '\xa1' | dd of=$@ bs=1 seek=547 conv=notrunc
+ echo 'a1' | xxd -r -p | dd of=$@ bs=1 seek=547 conv=notrunc
 all_final += pkcs7_data_signed_badcert.der
 
 # pkcs7 signature file with corrupted signer info
 pkcs7_data_signed_badsigner.der: pkcs7_data_cert_signed_sha256.der
  cp pkcs7_data_cert_signed_sha256.der $@
- echo -en '\xa1' | dd of=$@ bs=1 seek=918 conv=notrunc
+ echo 'a1' | xxd -r -p | dd of=$@ bs=1 seek=918 conv=notrunc
 all_final += pkcs7_data_signed_badsigner.der
 
 # pkcs7 signature file with invalid tag in signerInfo[1].serial after long issuer name
 pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der: pkcs7_data_multiple_signed.der
  cp $< $@
- echo -en '\xa1' | dd of=$@ bs=1 seek=498 conv=notrunc
+ echo 'a1' | xxd -r -p | dd of=$@ bs=1 seek=498 conv=notrunc
 all_final += pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der
 
 # pkcs7 signature file with invalid tag in signerInfo[2]
 pkcs7_signerInfo_2_invalid_tag.der: pkcs7_data_3_signed.der
  cp $< $@
- echo -en '\xa1' | dd of=$@ bs=1 seek=810 conv=notrunc
+ echo 'a1' | xxd -r -p | dd of=$@ bs=1 seek=810 conv=notrunc
 all_final += pkcs7_signerInfo_2_invalid_tag.der
 
 # pkcs7 file with version 2
 pkcs7_data_cert_signed_v2.der: pkcs7_data_cert_signed_sha256.der
  cp pkcs7_data_cert_signed_sha256.der $@
- echo -en '\x02' | dd of=$@ bs=1 seek=25 conv=notrunc
+ echo '02' | xxd -r -p | dd of=$@ bs=1 seek=25 conv=notrunc
 all_final += pkcs7_data_cert_signed_v2.der
 
 pkcs7_data_cert_encrypted.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
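Review bot: The new `echo 'a1' | xxd -r -p | dd …` pipelines in the five recipes of this hunk, and the two in the following `@@ -1395,12` hunk, make the fixture build depend on `xxd`, which is not a POSIX utility and is usually shipped with vim. If `xxd` is missing or fails, `dd` still reads an empty stdin and exits 0, so unless the Makefile enables `pipefail` (not visible here) the target is left as an unmodified copy of the valid signed file and make treats the corrupted fixture as built. The same commit already uses `printf` with an octal escape for the text fixtures; `printf '\241' | dd of=$@ bs=1 seek=547 conv=notrunc` (with `\002`, `\065` and `\025` for the other bytes) would stay portable without the extra tool.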
@@ -1395,12 +1395,12 @@ all_final += pkcs7_data_cert_encrypted.der
 # For some interesting sizes, what happens if we make them off-by-one?
 pkcs7_signerInfo_issuer_invalid_size.der: pkcs7_data_cert_signed_sha256.der
  cp $< $@
- echo -en '\x35' | dd of=$@ seek=919 bs=1 conv=notrunc
+ echo '35' | xxd -r -p | dd of=$@ seek=919 bs=1 conv=notrunc
 all_final += pkcs7_signerInfo_issuer_invalid_size.der
 
 pkcs7_signerInfo_serial_invalid_size.der: pkcs7_data_cert_signed_sha256.der
  cp $< $@
- echo -en '\x15' | dd of=$@ seek=973 bs=1 conv=notrunc
+ echo '15' | xxd -r -p | dd of=$@ seek=973 bs=1 conv=notrunc
 all_final += pkcs7_signerInfo_serial_invalid_size.der
 
 # pkcs7 signature file just with signed data