Subject: NULL pointer passing error in asn1_encode.c
To: krb5-bugs@mit.edu
Date: Thu, 5 Jun 2025 17:50:38 +0300
From: "Kirill Furman" <kfurman@astralinux.ru>
Hello!

While fuzzing the krb5 project with the oss-fuzz harness fuzz_krb5_ticket,
I found a null pointer passing error.
This error is caused by an incorrect check of the val pointer
and the len length. This can result in a situation where
len is equal to 0 and val points to NULL. When this happens, the
function insert_bytes is run with a NULL pointer passed as the 2nd
argument to the memcpy function.

Here is the stack trace of this error:

asn1_encode.c:53:32: runtime error: null pointer passed as argument 2,
which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
#0 0x5f43f102d8a6 in insert_bytes
/krb5/src/lib/krb5/asn.1/asn1_encode.c:53:9
#1 0x5f43f102d8a6 in k5_asn1_encode_bytestring
/krb5/src/lib/krb5/asn.1/asn1_encode.c:108:5
#2 0x5f43f10318c8 in encode_cntype
/krb5/src/lib/krb5/asn.1/asn1_encode.c:792:15
#3 0x5f43f102fbe5 in encode_atype
/krb5/src/lib/krb5/asn.1/asn1_encode.c:696:16
#4 0x5f43f1032397 in encode_atype_and_tag
/krb5/src/lib/krb5/asn.1/asn1_encode.c:768:11
#5 0x5f43f1032397 in encode_sequence_of
/krb5/src/lib/krb5/asn.1/asn1_encode.c:858:15
#6 0x5f43f1031982 in encode_cntype
/krb5/src/lib/krb5/asn.1/asn1_encode.c:807:15
#7 0x5f43f102fbe5 in encode_atype
/krb5/src/lib/krb5/asn.1/asn1_encode.c:696:16
#8 0x5f43f102fcc0 in encode_atype
/krb5/src/lib/krb5/asn.1/asn1_encode.c:713:15
#9 0x5f43f102faa8 in encode_atype_and_tag
/krb5/src/lib/krb5/asn.1/asn1_encode.c:768:11
#10 0x5f43f102faa8 in encode_sequence
/krb5/src/lib/krb5/asn.1/asn1_encode.c:838:15
#11 0x5f43f102faa8 in encode_atype
/krb5/src/lib/krb5/asn.1/asn1_encode.c:662:15
#12 0x5f43f102fcc0 in encode_atype
/krb5/src/lib/krb5/asn.1/asn1_encode.c:713:15
#13 0x5f43f102faa8 in encode_atype_and_tag
/krb5/src/lib/krb5/asn.1/asn1_encode.c:768:11
#14 0x5f43f102faa8 in encode_sequence
/krb5/src/lib/krb5/asn.1/asn1_encode.c:838:15
#15 0x5f43f102faa8 in encode_atype
/krb5/src/lib/krb5/asn.1/asn1_encode.c:662:15
#16 0x5f43f102fcc0 in encode_atype
/krb5/src/lib/krb5/asn.1/asn1_encode.c:713:15
#17 0x5f43f102f2ee in encode_atype_and_tag
/krb5/src/lib/krb5/asn.1/asn1_encode.c:768:11
#18 0x5f43f102f2ee in k5_asn1_full_encode
/krb5/src/lib/krb5/asn.1/asn1_encode.c:1549:11
#19 0x5f43f102bfb3 in LLVMFuzzerTestOneInput
/krb5/src/../fuzz_krb5_ticket.c:72:11
#20 0x5f43f1028c59 in ExecuteFilesOnyByOne
/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:260:7
#21 0x5f43f1028a59 in LLVMFuzzerRunDriver
/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
#22 0x5f43f10285fb in main
/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:316:10
#23 0x7adcce11809a in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2409a) (BuildId:
79cd7beb3903a9b34e306f52a988d970e13524a6)
#24 0x5f43f0ffb139 in _start (/krb5/fuzz_krb5_ticket+0x9b139)
(BuildId: c8547e2c9649a35fb80969cc7bf5ca7eb73f0703)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior asn1_encode.c:53:32


Here is a diff that fixes this error:

diff --git a/src/lib/krb5/asn.1/asn1_encode.c
b/src/lib/krb5/asn.1/asn1_encode.c
index c4140021e..cf311403a 100644
--- a/src/lib/krb5/asn.1/asn1_encode.c
+++ b/src/lib/krb5/asn.1/asn1_encode.c
@@ -103,7 +103,8 @@ k5_asn1_encode_uint(asn1buf *buf, uintmax_t val)
krb5_error_code
k5_asn1_encode_bytestring(asn1buf *buf, uint8_t *const *val, size_t len)
{
- if (len > 0 && val == NULL)
+
+ if (val == NULL && len >= 0)
return ASN1_MISSING_FIELD;
insert_bytes(buf, *val, len);
return 0;
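Review bot: the replacement condition "val == NULL && len >= 0" does not hold up: len is a size_t, so "len >= 0" is always true (compilers warn about it) and the test collapses to "val == NULL", which now returns ASN1_MISSING_FIELD for every caller whose val is NULL regardless of length. It also guards the wrong pointer: the following line hands *val to insert_bytes(), and it is that dereferenced pointer, not val, that reaches memcpy() as argument 2 in the trace above, so an empty value with a NULL data pointer and length 0 still gets through. The stray empty "+" line should be dropped as well. A narrower fix is to make insert_bytes() return before calling memcpy() when len == 0, leaving the existing "len > 0 && val == NULL" check as it is.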


Steps to reproduce:

1. Build the project with the UBSan sanitizer

2. Create the crash input, as shown:

echo -e \
"\x61\x82\x01\xd20\x82\x01\xce\xa0\x03\x02\x01\x05\xa1\x0d\x1b\x0b000\x540000000\xa2\x190\x17\xa0\x03\x02\x01\x00\xa1\x100\x0e\x1b\x04000\x74\x1b\x00\x1b\x04\x00000\xa3\x82\x01\x9b0\x82\x01\x97\xa0\x03\x02\x01\x12\xa1\x03\x02\x01\x01\xa2\x82\x01\x89\x04\x82\x01\x85\x9e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\xea00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
> crash

3. Build the fuzz_krb5_ticket target

4. Run this target with the crash input

From: ghudson@mit.edu
Subject: git commit

Avoid undefined memcpy in asn1_encode.c

The C standard specifies that passing null pointers to most standard
library functions results in undefined behavior (C99 7.1.4). This
applies to memcpy() even when the length is 0. insert_bytes() in
asn1_encode.c may be called with a null pointer from an empty
krb5_data or other counted value in a structure to be encoded. Do not
call memcpy() in this case.

Reported by Kirill Furman.

https://github.com/krb5/krb5/commit/4b4a720cacec8827c9b3f65b4920ac1b0075f38e
Author: Greg Hudson <ghudson@mit.edu>
Commit: 4b4a720cacec8827c9b3f65b4920ac1b0075f38e
Branch: master
src/lib/krb5/asn.1/asn1_encode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
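As an added illustration of the fix the commit message describes (a constructed example, not krb5's own code), a reduced insert_bytes() that returns before memcpy() when the length is 0, driven through an encoder with the same shape as the one in the report using an empty value whose data pointer is NULL; asn1buf, memcpy_calls and the function names are simplified stand-ins:

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for krb5's asn1buf: fixed scratch area plus cursor. */
typedef struct {
    uint8_t data[64];
    size_t len;
} asn1buf;

static int memcpy_calls;   /* actual memcpy() invocations, for verification */
/* Mirrors the commit-message fix: with len == 0 nothing needs copying, so
 * memcpy() never sees a NULL pointer (undefined even for len 0, C99 7.1.4). */
static void insert_bytes(asn1buf *buf, const uint8_t *bytes, size_t len)
{
    if (len == 0)
        return;
    assert(buf->len + len <= sizeof(buf->data));
    memcpy(buf->data + buf->len, bytes, len);
    memcpy_calls++;
    buf->len += len;
}

/* Same shape and check as k5_asn1_encode_bytestring() in the report: val
 * points at the data pointer, and *val is what reaches memcpy(). An empty
 * krb5_data arrives here as *val == NULL with len == 0. */
static int encode_bytestring(asn1buf *buf, uint8_t *const *val, size_t len)
{
    if (len > 0 && val == NULL)
        return -1;                    /* stands in for ASN1_MISSING_FIELD */
    insert_bytes(buf, *val, len);
    return 0;
}

/* Encodes a constructed empty value (NULL, 0) then a 2-byte value; returns
 * the bytes appended or -1 on error. Only the second value copies. */
int encode_empty_then_nonempty(void)
{
    asn1buf buf = { {0}, 0 };
    uint8_t *empty_ptr = NULL;        /* empty krb5_data: data == NULL */
    uint8_t payload[] = { 0x61, 0x82 };
    uint8_t *full_ptr = payload;
    memcpy_calls = 0;
    if (encode_bytestring(&buf, &empty_ptr, 0) != 0)
        return -1;
    if (encode_bytestring(&buf, &full_ptr, sizeof(payload)) != 0)
        return -1;
    return (int)buf.len;
}
int memcpy_call_count(void) { return memcpy_calls; }
```

Run under UBSan, the same driver with the early return removed from insert_bytes() reproduces the "null pointer passed as argument 2" report for the empty value.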