From rt-comment at kerborg-prod-app-1.mit.edu Thu Jun 5 11:37:09 2025
From: rt-comment at kerborg-prod-app-1.mit.edu (Kirill Furman via RT)
Date: Thu, 05 Jun 2025 11:37:09 -0400
Subject: [krbdev.mit.edu #9175] NULL pointer passing error in asn1_encode.c
In-Reply-To:
References:
Message-ID:

Thu Jun 05 11:37:09 2025: Request 9175 was acted upon.
Transaction: Ticket created by kfurman at astralinux.ru
       Queue: krb5
     Subject: NULL pointer passing error in asn1_encode.c
       Owner: Nobody
  Requestors: kfurman at astralinux.ru
      Status: new
 Ticket

Hello!

Fuzzing the krb5 project with the oss-fuzz harness fuzz_krb5_ticket, I have found a null pointer passing error. This error is caused by an incorrect check of the val pointer and the len length. This can result in a situation where len is equal to 0 and val points to NULL. When this happens, the function insert_bytes is run with a NULL pointer passed as the 2nd argument to the memcpy function.

Here is the stacktrace of this error:

asn1_encode.c:53:32: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
    #0 0x5f43f102d8a6 in insert_bytes /krb5/src/lib/krb5/asn.1/asn1_encode.c:53:9
    #1 0x5f43f102d8a6 in k5_asn1_encode_bytestring /krb5/src/lib/krb5/asn.1/asn1_encode.c:108:5
    #2 0x5f43f10318c8 in encode_cntype /krb5/src/lib/krb5/asn.1/asn1_encode.c:792:15
    #3 0x5f43f102fbe5 in encode_atype /krb5/src/lib/krb5/asn.1/asn1_encode.c:696:16
    #4 0x5f43f1032397 in encode_atype_and_tag /krb5/src/lib/krb5/asn.1/asn1_encode.c:768:11
    #5 0x5f43f1032397 in encode_sequence_of /krb5/src/lib/krb5/asn.1/asn1_encode.c:858:15
    #6 0x5f43f1031982 in encode_cntype /krb5/src/lib/krb5/asn.1/asn1_encode.c:807:15
    #7 0x5f43f102fbe5 in encode_atype /krb5/src/lib/krb5/asn.1/asn1_encode.c:696:16
    #8 0x5f43f102fcc0 in encode_atype /krb5/src/lib/krb5/asn.1/asn1_encode.c:713:15
    #9 0x5f43f102faa8 in encode_atype_and_tag /krb5/src/lib/krb5/asn.1/asn1_encode.c:768:11
    #10 0x5f43f102faa8 in encode_sequence /krb5/src/lib/krb5/asn.1/asn1_encode.c:838:15
    #11 0x5f43f102faa8 in encode_atype /krb5/src/lib/krb5/asn.1/asn1_encode.c:662:15
    #12 0x5f43f102fcc0 in encode_atype /krb5/src/lib/krb5/asn.1/asn1_encode.c:713:15
    #13 0x5f43f102faa8 in encode_atype_and_tag /krb5/src/lib/krb5/asn.1/asn1_encode.c:768:11
    #14 0x5f43f102faa8 in encode_sequence /krb5/src/lib/krb5/asn.1/asn1_encode.c:838:15
    #15 0x5f43f102faa8 in encode_atype /krb5/src/lib/krb5/asn.1/asn1_encode.c:662:15
    #16 0x5f43f102fcc0 in encode_atype /krb5/src/lib/krb5/asn.1/asn1_encode.c:713:15
    #17 0x5f43f102f2ee in encode_atype_and_tag /krb5/src/lib/krb5/asn.1/asn1_encode.c:768:11
    #18 0x5f43f102f2ee in k5_asn1_full_encode /krb5/src/lib/krb5/asn.1/asn1_encode.c:1549:11
    #19 0x5f43f102bfb3 in LLVMFuzzerTestOneInput /krb5/src/../fuzz_krb5_ticket.c:72:11
    #20 0x5f43f1028c59 in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:260:7
    #21 0x5f43f1028a59 in LLVMFuzzerRunDriver /AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #22 0x5f43f10285fb in main /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:316:10
    #23 0x7adcce11809a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) (BuildId: 79cd7beb3903a9b34e306f52a988d970e13524a6)
    #24 0x5f43f0ffb139 in _start (/krb5/fuzz_krb5_ticket+0x9b139) (BuildId: c8547e2c9649a35fb80969cc7bf5ca7eb73f0703)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior asn1_encode.c:53:32

Here is the diff that fixes this error:

diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
index c4140021e..cf311403a 100644
--- a/src/lib/krb5/asn.1/asn1_encode.c
+++ b/src/lib/krb5/asn.1/asn1_encode.c
@@ -103,7 +103,8 @@ k5_asn1_encode_uint(asn1buf *buf, uintmax_t val) krb5_error_code k5_asn1_encode_bytestring(asn1buf *buf, uint8_t *const *val, size_t len) { - if (len > 0 && val == NULL) + + if (val == NULL && len >= 0) return ASN1_MISSING_FIELD; insert_bytes(buf, *val, len); return 0; Steps to reproduce: 1. Build project with UBSAN sanitizer 2. Create crash input, as shown: echo -e "\x61\x82\x01\xd20\x82\x01\xce\xa0\x03\x02\x01\x05\xa1\x0d\x1b\x0b000\x540000000\xa2\x190\x17\xa0\x03\x02\x01\x00\xa1\x100\x0e\x1b\x04000\x74\x1b\x00\x1b\x04\x00000\xa3\x82\x01\x9b0\x82\x01\x97\xa0\x03\x02\x01\x12\xa1\x03\x02\x01\x01\xa2\x82\x01\x89\x04\x82\x01\x85\x9e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\xea00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" > crash 3. Build fuzz_krb5_ticket target 4. Run this target with crash input
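Review bot: the new condition `if (val == NULL && len >= 0)` in the k5_asn1_encode_bytestring hunk does not address the sanitizer report and changes behaviour for empty values: len is a size_t, so `len >= 0` is always true and the test collapses to `val == NULL`, which now returns ASN1_MISSING_FIELD for a zero-length value that the original `if (len > 0 && val == NULL)` deliberately accepted. The report itself is about argument 2 of memcpy inside insert_bytes (asn1_encode.c:53), which receives `*val`, and this check never looks at `*val`. Keep the original condition and guard the copy instead, either by skipping `insert_bytes(buf, *val, len)` when len == 0 or by wrapping the memcpy in insert_bytes in `if (len > 0)`, so that an empty octet string still encodes with length 0 and no NULL reaches a nonnull parameter. The added empty `+` line after the opening brace should also be dropped.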
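Added example, not part of the ticket and not krb5's own code: a minimal DER OCTET STRING encoder in the shape of k5_asn1_encode_bytestring and insert_bytes, showing why a zero-length value with a NULL data pointer is valid input that must still encode (as 04 00) and where the guard that keeps NULL away from memcpy belongs. The buffer type and function names (outbuf, append_bytes, encode_octet_string, check_*) are hypothetical stand-ins for krb5's asn1buf API, and the inputs are constructed.

```c
/*
 * Added illustration, not krb5 code: a minimal DER OCTET STRING encoder in
 * the shape of k5_asn1_encode_bytestring/insert_bytes, showing the guard that
 * keeps a NULL source pointer away from memcpy when the value is empty.
 * Names (outbuf, append_bytes, encode_octet_string, check_*) are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size output buffer standing in for krb5's asn1buf. */
typedef struct {
    uint8_t buf[256];
    size_t len;
} outbuf;

/*
 * Append len bytes from src.  glibc declares both memcpy pointers nonnull,
 * so memcpy(dst, NULL, 0) is undefined even though it copies nothing; the
 * len > 0 guard is what the sanitizer report in the ticket is asking for.
 */
static int
append_bytes(outbuf *out, const uint8_t *src, size_t len)
{
    if (len > sizeof(out->buf) - out->len)
        return -1;                     /* would overflow the buffer */
    if (len > 0)
        memcpy(out->buf + out->len, src, len);
    out->len += len;
    return 0;
}

/*
 * Encode val[0..len) as a DER OCTET STRING (tag 0x04).  An empty value whose
 * data pointer is NULL is legitimate and must encode as 04 00; only a
 * non-empty value with no data is a missing field, as in the original check.
 */
int
encode_octet_string(outbuf *out, const uint8_t *val, size_t len)
{
    uint8_t hdr[4];
    size_t hlen = 0;

    if (len > 0 && val == NULL)
        return -2;                     /* missing field, nothing written */

    hdr[hlen++] = 0x04;
    if (len < 0x80) {                  /* short-form length */
        hdr[hlen++] = (uint8_t)len;
    } else if (len <= 0xFF) {          /* long form, one length byte */
        hdr[hlen++] = 0x81;
        hdr[hlen++] = (uint8_t)len;
    } else if (len <= 0xFFFF) {        /* long form, two length bytes */
        hdr[hlen++] = 0x82;
        hdr[hlen++] = (uint8_t)(len >> 8);
        hdr[hlen++] = (uint8_t)len;
    } else {
        return -1;                     /* larger than this toy supports */
    }
    if (append_bytes(out, hdr, hlen) != 0)
        return -1;
    return append_bytes(out, val, len);
}

/* Self-checks on constructed inputs: return 1 on success, 0 on failure. */
int
check_empty_value(void)
{
    outbuf o = { {0}, 0 };
    /* NULL pointer with length 0: valid, encodes as 04 00, memcpy not called. */
    return encode_octet_string(&o, NULL, 0) == 0 &&
           o.len == 2 && o.buf[0] == 0x04 && o.buf[1] == 0x00;
}

int
check_nonempty_value(void)
{
    static const uint8_t abc[] = { 'a', 'b', 'c' };
    outbuf o = { {0}, 0 };
    return encode_octet_string(&o, abc, sizeof(abc)) == 0 &&
           o.len == 5 && memcmp(o.buf, "\x04\x03" "abc", 5) == 0;
}

int
check_missing_value(void)
{
    outbuf o = { {0}, 0 };
    /* Non-zero length with a NULL pointer is rejected before any output. */
    return encode_octet_string(&o, NULL, 3) == -2 && o.len == 0;
}

int
main(void)
{
    printf("empty: %s, nonempty: %s, missing: %s\n",
           check_empty_value() ? "ok" : "FAIL",
           check_nonempty_value() ? "ok" : "FAIL",
           check_missing_value() ? "ok" : "FAIL");
    return 0;
}
```

Build with -fsanitize=undefined to confirm the guarded copy is clean; removing the len > 0 test in append_bytes makes the empty-value case reproduce the same "null pointer passed as argument 2" report the ticket shows, while rejecting every NULL val regardless of length would break the empty-value case instead of fixing it.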