From 66070bc19d510fbe1164666c7cc949fb6a7bc965 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 22 Jan 2020 13:54:56 +0100
Subject: [PATCH 1/3] Checks mbedtls_rsa_export return in fuzz targets
---
 programs/fuzz/fuzz_privkey.c | 4 +++-
 programs/fuzz/fuzz_pubkey.c | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c
index 533a647dc..3685592f3 100644
--- a/programs/fuzz/fuzz_privkey.c
+++ b/programs/fuzz/fuzz_privkey.c
@@ -29,7 +29,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 mbedtls_mpi_init( &DQ );
 mbedtls_mpi_init( &QP );
 rsa = mbedtls_pk_rsa( pk );
- mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E );
+ if ( mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E ) != 0 ) {
+ abort();
+ }
 mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP );
 mbedtls_mpi_free( &N );
 mbedtls_mpi_free( &P );
 mbedtls_mpi_free( &Q );
diff --git a/programs/fuzz/fuzz_pubkey.c b/programs/fuzz/fuzz_pubkey.c
index df42f7d53..3a59125bd 100644
--- a/programs/fuzz/fuzz_pubkey.c
+++ b/programs/fuzz/fuzz_pubkey.c
@@ -20,7 +20,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 mbedtls_mpi_init( &DQ );
 mbedtls_mpi_init( &QP );
 rsa = mbedtls_pk_rsa( pk );
- ret = mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E );
+ if ( mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E ) != 0 ) {
+ abort();
+ }
 ret = mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP );
 mbedtls_mpi_free( &N );
 mbedtls_mpi_free( &P );
 mbedtls_mpi_free( &Q );
From 7d4bd6f15f801c8eabda769f3793335388ebd5ab Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 22 Jan 2020 14:13:08 +0100
Subject: [PATCH 2/3] Checks mbedtls_rsa_export_crt return in fuzz targets
---
 programs/fuzz/fuzz_privkey.c | 4 +++-
 programs/fuzz/fuzz_pubkey.c | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c
index 3685592f3..ce5e7c43a 100644
--- a/programs/fuzz/fuzz_privkey.c
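Review bot: In the fuzz_pubkey.c hunk (line 20) the new `!= 0` check will abort() on every well-formed RSA public key rather than only on a library bug: the context there is presumably public-only (the second patch in this series expects `mbedtls_rsa_export_crt` on the same context to fail with `MBEDTLS_ERR_RSA_BAD_INPUT_DATA`), and `mbedtls_rsa_export` rejects a request for P, Q and D on a public-only context with that same error code, so the fuzzer would report a crash for ordinary inputs. The check should mirror the CRT one from the second patch, `if ( mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E ) != MBEDTLS_ERR_RSA_BAD_INPUT_DATA ) {`, preceded by a comment such as `/* public-only context: asking for private parameters must be rejected */` so the expected-failure assertion is not later mistaken for a bug. The same `!= 0` line survives as context in the second patch's fuzz_pubkey.c hunk (line 23) and needs the identical fix there; the fuzz_privkey.c hunk is fine as written since a parsed private key carries all of N, P, Q, D and E. Note that the enclosing `LLVMFuzzerTestOneInput` starts and ends outside these hunks, so whether the input really is parsed as a public key cannot be confirmed from the diff alone.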
+++ b/programs/fuzz/fuzz_privkey.c
@@ -32,7 +32,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 if ( mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E ) != 0 ) {
 abort();
 }
- mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP );
+ if ( mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP ) != 0 ) {
+ abort();
+ }
 mbedtls_mpi_free( &N );
 mbedtls_mpi_free( &P );
 mbedtls_mpi_free( &Q );
 mbedtls_mpi_free( &D );
 mbedtls_mpi_free( &E );
 mbedtls_mpi_free( &DP );
diff --git a/programs/fuzz/fuzz_pubkey.c b/programs/fuzz/fuzz_pubkey.c
index 3a59125bd..e5149586c 100644
--- a/programs/fuzz/fuzz_pubkey.c
+++ b/programs/fuzz/fuzz_pubkey.c
@@ -23,7 +23,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 if ( mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E ) != 0 ) {
 abort();
 }
- ret = mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP );
+ if ( mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP ) != MBEDTLS_ERR_RSA_BAD_INPUT_DATA ) {
+ abort();
+ }
 mbedtls_mpi_free( &N );
 mbedtls_mpi_free( &P );
 mbedtls_mpi_free( &Q );
 mbedtls_mpi_free( &D );
 mbedtls_mpi_free( &E );
 mbedtls_mpi_free( &DP );
From 8b1ed1cf0eabbf737d2eaf4bcf5cc91fc78372d5 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 22 Jan 2020 16:22:36 +0100
Subject: [PATCH 3/3] Adds explicit include to stdlib.h for abort
---
 programs/fuzz/fuzz_privkey.c | 1 +
 programs/fuzz/fuzz_pubkey.c | 1 +
 2 files changed, 2 insertions(+)
diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c
index ce5e7c43a..178d17bbc 100644
--- a/programs/fuzz/fuzz_privkey.c
+++ b/programs/fuzz/fuzz_privkey.c
@@ -1,4 +1,5 @@
 #include
+#include
 #include "mbedtls/pk.h"
 //4 Kb should be enough for every bug ;-)
diff --git a/programs/fuzz/fuzz_pubkey.c b/programs/fuzz/fuzz_pubkey.c
index e5149586c..38eacfb61 100644
--- a/programs/fuzz/fuzz_pubkey.c
+++ b/programs/fuzz/fuzz_pubkey.c
@@ -1,4 +1,5 @@
 #include
+#include
 #include "mbedtls/pk.h"
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {