-
Notifications
You must be signed in to change notification settings - Fork 705
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OSS-Fuzz issues #3140
OSS-Fuzz issues #3140
Conversation
I do not see how the first commit fixes the referenced issue. Can you clarify? It just improves the checking of the SW (which is certainly good), but if the fuzzer will come with the SW 90 00, it will fail again, isn't it? This sounds like some issue that the For the second commit, could you add also a reproducer unit tests with some similar input to the fuzzer one to better understand the issue? |
The starcos_gen_key() correctly checks for SW to be 0x9000, but the starcos_gen_key() does not check for SW2. The error is not propagated and key generation works with not allocated values. Thanks OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68040
Limiting the size and not returning an error leads to infinite recursion if the macro value is a macro name that is longer than the given limitation. Thank OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68061
Sure, the problem is OpenSC/src/libopensc/card-starcos.c Lines 1535 to 1536 in df58bfc
considered as error, but Thanks for pointing out, it should be clarified in the commit message now. The reproducer for the second one is also added to unit tests. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would prefer to get the formatting right, but otherwise lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The fuzzer reports a memory leak, which seems to be unrelated, but should be fixed at some point anyway:
Direct leak of 160 byte(s) in 1 object(s) allocated from:
#0 0x5627fe57931e in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x5627fe6477ba in sc_pkcs15_read_cached_file /src/opensc/src/libopensc/pkcs15-cache.c:158:10
#2 0x5627fe5fde87 in sc_pkcs15_read_file /src/opensc/src/libopensc/pkcs15.c:2488:7
#3 0x5627fe610644 in sc_pkcs15_read_certificate /src/opensc/src/libopensc/pkcs15-cert.c:387:7
#4 0x5627fe9fba34 in sc_pkcs15emu_cac_init /src/opensc/src/libopensc/pkcs15-cac.c:277:8
#5 0x5627fe9f8329 in sc_pkcs15emu_cac_init_ex /src/opensc/src/libopensc/pkcs15-cac.c:380:9
#6 0x5627fe649d0f in sc_pkcs15_bind_synthetic /src/opensc/src/libopensc/pkcs15-syn.c:139:8
#7 0x5627fe5f5d35 in sc_pkcs15_bind /src/opensc/src/libopensc/pkcs15.c:1359:8
#8 0x5627fe5b6955 in LLVMFuzzerTestOneInput /src/opensc/src/tests/fuzzing/fuzz_pkcs15_decode.c:78:2
#9 0x5627fe46ad80 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#10 0x5627fe46a5a5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
#11 0x5627fe46bd75 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:760:19
#12 0x5627fe46cb65 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:905:5
#13 0x5627fe45ae76 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
#14 0x5627fe4873a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#15 0x7fd2e47ba082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 87b331c034a6458c64ce09c03939e947212e18ce)
I cannot reproduce it or either find a place, where the reported leak is happening. |
Would not it be something like this?
If I see right, the memory is allocated in |
Thanks, I missed the |
When sc_pkcs15_read_cached_file allocates data pointer but following sc_select_file fails, the data pointer is rewritten by another malloc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thank you
Recently reported issues by OSS-Fuzz.
Checklist