
Issue 603893 link

Starred by 0 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Direct-leak in ec_group_new

Project Member Reported by ClusterFuzz, Apr 15 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5297781836611584

Fuzzer: webcrypto_ec_import_key_spki_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  ec_group_new
  EC_GROUP_new_curve_GFp
  ec_group_new_from_data

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95LSciO_-qXhD7GALC-LV17RXYV2DC4rzxrOSQL4ig8q-ql1mJlb31PC86RCVN1bspnWEmeXIbcTQ03WcVIy67ATkIFpqOhnvm22LPqVwnZWzwHzLcAULmgwwBrWsZmpuzwKGU0UkBKe1QHGfpMZM6Gbxl5FQ


Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mmoroz@chromium.org, Apr 15 2016

Cc: kcc@chromium.org aizatsky@chromium.org
Owner: eroman@chromium.org

Comment 2 by eroman@chromium.org, Apr 15 2016

Cc: eroman@chromium.org
Components: Blink>WebCrypto
Owner: davidben@chromium.org
David, mind taking a look?
Thanks!

Comment 3 by kcc@chromium.org, Apr 15 2016

Another question to David: is this something you can add a boringssl fuzz target for? 
This should be reachable from the X.509 fuzzer, but yeah we should have fuzzers that cover these functions and some others directly ( https://bugs.chromium.org/p/boringssl/issues/detail?id=15 ).
Status: Started (was: Available)
Oh, pfft. Yeah, I forgot to free the group in one codepath of the new parsers.

https://boringssl-review.googlesource.com/7685

Comment 6 by bugdroid1@chromium.org, Apr 15 2016

The following revision refers to this bug:
  https://boringssl.googlesource.com/boringssl.git/+/919610b4c43ab394977eba70ceec66aaa0070472

commit 919610b4c43ab394977eba70ceec66aaa0070472
Author: David Benjamin <davidben@google.com>
Date: Fri Apr 15 19:34:30 2016

Fix memory leak on invalid ecPublicKey parameters.

One of the codepaths didn't free the group. Found by libFuzzer.

BUG=chromium:603893

Change-Id: Icb81f2f89a8c1a52e29069321498986b193a0e56
Reviewed-on: https://boringssl-review.googlesource.com/7685
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: Adam Langley <agl@google.com>

[modify] https://crrev.com/919610b4c43ab394977eba70ceec66aaa0070472/crypto/evp/evp_tests.txt
[modify] https://crrev.com/919610b4c43ab394977eba70ceec66aaa0070472/crypto/evp/p_ec_asn1.c

Status: Fixed (was: Started)
(I'll go ahead and mark this as fixed, though it won't show up until the next DEPS roll.)
Cc: davidben@chromium.org
Issue 605461 has been merged into this issue.

Comment 9 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
