pkcs7: fix slice out-of-bounds panic (#24891)

fairclothjm · web-flow · commit 3fffae945258 · 2024-01-17T10:12:00.000-06:00
* pkcs7: fix slice out-of-bounds panic

* changelog

* fix tests

* add test case to capture panic; found in fuzzing

* add fuzz test
diff --git a/changelog/24891.txt b/changelog/24891.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+helper/pkcs7: Fix slice out-of-bounds panic
+```
diff --git a/helper/pkcs7/ber.go b/helper/pkcs7/ber.go
@@ -149,14 +149,14 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) {
 		for ber[offset] >= 0x80 {
 			tag = tag*128 + ber[offset] - 0x80
 			offset++
-			if offset > berLen {
+			if offset >= berLen {
 				return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached")
 			}
 		}
 		// jvehent 20170227: this doesn't appear to be used anywhere...
 		// tag = tag*128 + ber[offset] - 0x80
 		offset++
-		if offset > berLen {
+		if offset >= berLen {
 			return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached")
 		}
 	}
@@ -172,7 +172,7 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) {
 	var length int
 	l := ber[offset]
 	offset++
-	if offset > berLen {
+	if offset >= berLen {
 		return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached")
 	}
 	indefinite := false
@@ -192,7 +192,7 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) {
 		for i := 0; i < numberOfBytes; i++ {
 			length = length*256 + (int)(ber[offset])
 			offset++
-			if offset > berLen {
+			if offset >= berLen {
 				return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached")
 			}
 		}
diff --git a/helper/pkcs7/ber_test.go b/helper/pkcs7/ber_test.go
@@ -9,6 +9,38 @@ import (
 	"testing"
 )
 
+// FuzzReadObject is a fuzz test that will generate random input data in an
+// attempt to find crash-causing inputs
+// https://go.dev/doc/security/fuzz
+func FuzzReadObject(f *testing.F) {
+	// seed corpus used to guide the fuzzing engine
+	seedCorpus := []struct {
+		input  []byte
+		offset int
+	}{
+		{[]byte{0x30, 0x85}, 0},
+		{[]byte{0x30, 0x84, 0x80, 0x0, 0x0, 0x0}, 0},
+		{[]byte{0x30, 0x82, 0x0, 0x1}, 0},
+		{[]byte{0x30, 0x80, 0x1, 0x2, 0x1, 0x2}, 0},
+		{[]byte{0x30, 0x80, 0x1, 0x2}, 0},
+		{[]byte{0x30, 0x03, 0x01, 0x02}, 0},
+		{[]byte{0x30}, 0},
+		{[]byte("?0"), 0},
+	}
+	for _, tc := range seedCorpus {
+		f.Add(tc.input, tc.offset) // Use f.Add to provide a seed corpus
+	}
+	f.Fuzz(func(t *testing.T, ber []byte, offset int) {
+		if offset < 0 {
+			return
+		}
+		_, _, err := readObject(ber, offset)
+		if err != nil {
+			t.Log(ber, offset)
+		}
+	})
+}
+
 func TestBer2Der(t *testing.T) {
 	// indefinite length fixture
 	ber := []byte{0x30, 0x80, 0x02, 0x01, 0x01, 0x00, 0x00}
@@ -44,13 +76,14 @@ func TestBer2Der_Negatives(t *testing.T) {
 		Input         []byte
 		ErrorContains string
 	}{
-		{[]byte{0x30, 0x85}, "tag length too long"},
+		{[]byte{0x30, 0x85}, "end of ber data reached"},
 		{[]byte{0x30, 0x84, 0x80, 0x0, 0x0, 0x0}, "length is negative"},
 		{[]byte{0x30, 0x82, 0x0, 0x1}, "length has leading zero"},
 		{[]byte{0x30, 0x80, 0x1, 0x2, 0x1, 0x2}, "Invalid BER format"},
-		{[]byte{0x30, 0x80, 0x1, 0x2}, "BER tag length is more than available data"},
+		{[]byte{0x30, 0x80, 0x1, 0x2}, "end of ber data reached"},
 		{[]byte{0x30, 0x03, 0x01, 0x02}, "length is more than available data"},
 		{[]byte{0x30}, "end of ber data reached"},
+		{[]byte("?0"), "end of ber data reached"},
 	}
 
 	for _, fixture := range fixtures {

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	`+helper/pkcs7: Fix slice out-of-bounds panic`
	`3`	+```
Original file line number	Diff line number	Diff line change
`@@ -149,14 +149,14 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) {`
`149`	`149`	`for ber[offset] >= 0x80 {`
`150`	`150`	`tag = tag*128 + ber[offset] - 0x80`
`151`	`151`	`offset++`
`152`		`- if offset > berLen {`
	`152`	`+ if offset >= berLen {`
`153`	`153`	`return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached")`
`154`	`154`	`}`
`155`	`155`	`}`
`156`	`156`	`// jvehent 20170227: this doesn't appear to be used anywhere...`
`157`	`157`	`// tag = tag*128 + ber[offset] - 0x80`
`158`	`158`	`offset++`
`159`		`- if offset > berLen {`
	`159`	`+ if offset >= berLen {`
`160`	`160`	`return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached")`
`161`	`161`	`}`
`162`	`162`	`}`
`@@ -172,7 +172,7 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) {`
`172`	`172`	`var length int`
`173`	`173`	`l := ber[offset]`
`174`	`174`	`offset++`
`175`		`- if offset > berLen {`
	`175`	`+ if offset >= berLen {`
`176`	`176`	`return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached")`
`177`	`177`	`}`
`178`	`178`	`indefinite := false`
`@@ -192,7 +192,7 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) {`
`192`	`192`	`for i := 0; i < numberOfBytes; i++ {`
`193`	`193`	`length = length*256 + (int)(ber[offset])`
`194`	`194`	`offset++`
`195`		`- if offset > berLen {`
	`195`	`+ if offset >= berLen {`
`196`	`196`	`return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached")`
`197`	`197`	`}`
`198`	`198`	`}`