From bc07d371865095643ec4f7190f26b174830a2f02 Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Tue, 13 Dec 2022 22:10:47 +0100 Subject: [PATCH] Add PEM fuzzer This fuzzer can find CVE-2022-4450 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/20242) --- fuzz/build.info | 12 +++++-- fuzz/pem.c | 59 +++++++++++++++++++++++++++++++++ test/recipes/99-test_fuzz_pem.t | 22 ++++++++++++ 3 files changed, 91 insertions(+), 2 deletions(-) create mode 100644 fuzz/pem.c create mode 100644 test/recipes/99-test_fuzz_pem.t diff --git a/fuzz/build.info b/fuzz/build.info index bdeb075fdd..af5f550f00 100644 --- a/fuzz/build.info +++ b/fuzz/build.info @@ -10,7 +10,7 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}] PROGRAMS{noinst}=asn1 asn1parse bignum bndiv client conf crl server smime x509 - PROGRAMS{noinst}=punycode + PROGRAMS{noinst}=punycode pem PROGRAMS{noinst}=v3name IF[{- !$disabled{"cmp"} -}] @@ -65,6 +65,10 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}] INCLUDE[ct]=../include {- $ex_inc -} DEPEND[ct]=../libcrypto {- $ex_lib -} + SOURCE[pem]=pem.c driver.c + INCLUDE[pem]=../include {- $ex_inc -} + DEPEND[pem]=../libcrypto.a {- $ex_lib -} + SOURCE[punycode]=punycode.c driver.c INCLUDE[punycode]=../include {- $ex_inc -} DEPEND[punycode]=../libcrypto.a {- $ex_lib -} @@ -88,7 +92,7 @@ ENDIF IF[{- !$disabled{tests} -}] PROGRAMS{noinst}=asn1-test asn1parse-test bignum-test bndiv-test client-test conf-test crl-test server-test smime-test x509-test - PROGRAMS{noinst}=punycode-test + PROGRAMS{noinst}=punycode-test pem-test PROGRAMS{noinst}=v3name-test IF[{- !$disabled{"cmp"} -}] @@ -144,6 +148,10 @@ IF[{- !$disabled{tests} -}] INCLUDE[ct-test]=../include DEPEND[ct-test]=../libcrypto + SOURCE[pem-test]=pem.c test-corpus.c + INCLUDE[pem-test]=../include + DEPEND[pem-test]=../libcrypto.a + SOURCE[punycode-test]=punycode.c test-corpus.c INCLUDE[punycode-test]=../include DEPEND[punycode-test]=../libcrypto.a diff --git a/fuzz/pem.c b/fuzz/pem.c new file mode 100644 index 0000000000..4b2cf701e7 --- /dev/null +++ b/fuzz/pem.c @@ -0,0 +1,59 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * https://www.openssl.org/source/license.html + * or in the file LICENSE in the source distribution. + */ + +#include +#include +#include "fuzzer.h" + +int FuzzerInitialize(int *argc, char ***argv) +{ + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + ERR_clear_error(); + CRYPTO_free_ex_index(0, -1); + return 1; +} + +int FuzzerTestOneInput(const uint8_t *buf, size_t len) +{ + BIO *in; + char *name = NULL, *header = NULL; + unsigned char *data = NULL; + long outlen; + + if (len <= 1) + return 0; + + in = BIO_new(BIO_s_mem()); + OPENSSL_assert((size_t)BIO_write(in, buf + 1, len - 1) == len - 1); + if (PEM_read_bio_ex(in, &name, &header, &data, &outlen, buf[0]) == 1) { + /* Try to read all the data we get to see if allocated properly. */ + BIO_write(in, name, strlen(name)); + BIO_write(in, header, strlen(header)); + BIO_write(in, data, outlen); + } + if (buf[0] & PEM_FLAG_SECURE) { + OPENSSL_secure_free(name); + OPENSSL_secure_free(header); + OPENSSL_secure_free(data); + } else { + OPENSSL_free(name); + OPENSSL_free(header); + OPENSSL_free(data); + } + + BIO_free(in); + ERR_clear_error(); + + return 0; +} + +void FuzzerCleanup(void) +{ +} diff --git a/test/recipes/99-test_fuzz_pem.t b/test/recipes/99-test_fuzz_pem.t new file mode 100644 index 0000000000..a0ca846afd --- /dev/null +++ b/test/recipes/99-test_fuzz_pem.t @@ -0,0 +1,22 @@ +#!/usr/bin/env perl +# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use warnings; + +use OpenSSL::Test qw/:DEFAULT srctop_file/; +use OpenSSL::Test::Utils; + +my $fuzzer = "pem"; +setup("test_fuzz_${fuzzer}"); + +plan tests => 2; # one more due to below require_ok(...) + +require_ok(srctop_file('test','recipes','fuzz.pl')); + +fuzz_ok($fuzzer); -- 2.39.5