A crash occurs in decrypt_data because dek is NULL. A specially crafted file
triggers it and requires the user to interact (cancel the passphrase prompt). It
does not require the user to have any special data in their homedir; in fact no
homedir is needed. It is not exploitable for code execution or anything, so it
is a low severity bug. Stacktrace and repro files are below.
python3 gpgfuzz1repro.py >gpgfuzz1repro5.txt 2>&1
ls -lh wewin.core
-rw-r--r-- 1 jvoss jvoss 5.6M Nov 16 13:29 wewin.core
gdb gpg wewin.core
[New LWP 2489]
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
Core was generated by `/usr/bin/gpg --homedir=.gpgfuzz/'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000000438853 in decrypt_data ()
(gdb) bt
#0 0x0000000000438853 in decrypt_data ()
#1 0x000000000041a506 in proc_encrypted ()
#2 0x000000000041d4eb in do_proc_packets ()
#3 0x000000000041d73a in proc_packets ()
#4 0x000000000040af34 in main ()
(gdb) x/10i $rip
=> 0x438853 <decrypt_data+83>:    mov    0x0(%rbp),%r8d
   0x438857 <decrypt_data+87>:    lea    0x20(%rsp),%rdi
   0x43885c <decrypt_data+92>:    mov    $0x489efc,%edx
   0x438861 <decrypt_data+97>:    mov    $0x14,%esi
   0x438866 <decrypt_data+102>:   xor    %eax,%eax
   0x438868 <decrypt_data+104>:   callq  0x405240 <snprintf@plt>
   0x43886d <decrypt_data+109>:   lea    0x20(%rsp),%rsi
   0x438872 <decrypt_data+114>:   mov    $0x16,%edi
   0x438877 <decrypt_data+119>:   callq  0x42bf70 <write_status_text>
   0x43887c <decrypt_data+124>:   mov    0x2792ce(%rip),%eax        # 0x6b1b50 <opt+592>
(gdb) i r rbp
rbp 0x0 0x0
This coincides with DEK *dek being zero (the faulting instruction reads through
rbp, which is 0), therefore it is a NULL dereference.
dek is NULL because c->dek is not checked in proc_encrypted before the call:
if( !result )
    result = decrypt_data( c, pkt->pkt.encrypted, c->dek );
c->dek is NULL because it is set to the return value of passphrase_to_dek(...).
As you can see, if the user cancels, it returns NULL:
pw = passphrase_get (keyid, mode == 2, s2k_cacheid,
                     (mode == 2 || mode == 4)? opt.passphrase_repeat : 0,
                     tryagain_text, custdesc, custprompt, canceled);
if (*canceled)
  {
    xfree (pw);
    write_status( STATUS_MISSING_PASSPHRASE );
    return NULL;
  }
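To make the cause and the fix concrete, here is an added example (it is not GnuPG's code; the DEK and CTX shapes, the `_sim` stand-ins and the error codes are simplified assumptions of mine). It puts the unchecked proc_encrypted pattern next to a version that treats a NULL DEK as the cancelled-passphrase case and never hands it to decrypt_data.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the GnuPG structures involved (assumed shapes,
 * not the real definitions): the context carries the data encryption key. */
typedef struct {
    int cipher_algo;       /* first field; decrypt_data reads through dek right away */
} DEK;

typedef struct {
    DEK *dek;              /* NULL after a cancelled passphrase prompt */
} CTX;

/* Hypothetical error codes for this example. */
enum { ERR_OK = 0, ERR_CANCELED = 1 };

/* Stand-in for passphrase_to_dek(): the real one returns NULL when the user
 * cancels, and that NULL is exactly what reaches decrypt_data in the report. */
static DEK *passphrase_to_dek_sim(int user_cancels)
{
    DEK *dek;
    if (user_cancels)
        return NULL;
    dek = calloc(1, sizeof *dek);
    if (dek)
        dek->cipher_algo = 9;   /* constructed value for the example */
    return dek;
}

/* Stand-in for decrypt_data(): it dereferences dek immediately, like the
 * `mov 0x0(%rbp),%r8d` at decrypt_data+83 in the backtrace. */
static int decrypt_data_sim(CTX *c, DEK *dek, char *status, size_t status_len)
{
    (void)c;
    snprintf(status, status_len, "cipher %d", dek->cipher_algo); /* SIGSEGV if dek == NULL */
    return ERR_OK;
}

/* The pattern from proc_encrypted as reported: c->dek goes to decrypt_data
 * without a NULL check. With user_cancels = 1 this is the crash, so it is
 * here to read, not to run with that argument. */
int proc_encrypted_unchecked(CTX *c, int user_cancels, char *status, size_t status_len)
{
    int result = ERR_OK;
    c->dek = passphrase_to_dek_sim(user_cancels);
    if (!result)
        result = decrypt_data_sim(c, c->dek, status, status_len);
    free(c->dek);
    c->dek = NULL;
    return result;
}

/* Hardened form: a NULL DEK means the passphrase was not obtained, so report
 * that and skip decrypt_data entirely. */
int proc_encrypted_checked(CTX *c, int user_cancels, char *status, size_t status_len)
{
    int result = ERR_OK;
    c->dek = passphrase_to_dek_sim(user_cancels);
    if (!c->dek) {
        snprintf(status, status_len, "MISSING_PASSPHRASE");
        return ERR_CANCELED;    /* nothing allocated, nothing to free */
    }
    if (!result)
        result = decrypt_data_sim(c, c->dek, status, status_len);
    free(c->dek);
    c->dek = NULL;
    return result;
}

/* Driver for the hardened path: returns the handler's result for a given cancel flag. */
int run_checked(int user_cancels)
{
    CTX c = { NULL };
    char status[64];
    return proc_encrypted_checked(&c, user_cancels, status, sizeof status);
}

int main(void)
{
    printf("cancelled prompt: result=%d\n", run_checked(1));  /* 1, no crash */
    printf("normal prompt:    result=%d\n", run_checked(0));  /* 0 */
    return 0;
}
```

The check belongs in the caller rather than inside decrypt_data: the caller is the place that knows a NULL DEK means "no passphrase", so it can emit the right status and stop, instead of every downstream routine guarding against a key that should never have been passed on.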
From the diff, you can see which two bits were flipped: 5 and 6285.
Repro 1:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.20 (GNU/Linux)
pQMOAwi1eZQfEBnmEAv/VFNYCKFcFJb+QqxP7MoVpjhLbKbHlijNX9WypH6ja8IBvydI9cI6x3YH07swqIDlPatQPcapTzUUsf1CsepQFRU3g1or0dvgQwCyFH+z/x75WYxi8Rh0x3oh0CHULaMhrMNibsDPNRGBo7hD/k1+PvIXW0SKbTc0rj7VTD0oCnmHlKTMBDFEp6jQ1AUyZWc55mdeqFOKSamk5/L7Wbt4NdBUoqnxyKHtQQX9GWHLmubO71MKHSuMyH6QMcDMbp7YJyDK86KtPKSEBkwR/tSFZi4Zt1tnmBgfzyksmPrvWLZ88BOunAUiO5AeOveZbT2HD80eYQsuqPZWlBelNP/QiIfTC7izsE2tWt9eGk1StdwK6b7blJT+VxIJpddaJLZFDaDK5eofrRuhSnBeHaZ/DRKcalnjHllYk9Bn0U/2+l3YEz3jEdzJpxy3IyuQpN2H8zf3cESVh8mxc/Ia7F8Ni6EfXXS0DOzFUnfC7AH737i6M3Y4njX+4W1FsOW2oQ3pDACoXyc7xRz8cr4/C3QNJPcLWrm5HaKQb2DgVOb+k3V7F08Kyab94wFRBzBd0f6xOPHvW1ODx7pw6165W35lQ4Yx66gOB21kWsh/GAV7xyhLNQP58vEQbxImB7uLwB3fmuWsP844XTgq+oPv5FI63msLVXJgys6DqnyOA4wFPOn+6GEeZWRIprIcFRYpO8XiSwoOsjzNZ1aJjQQr4VRw1V10FrV7/GE15MWslBf40RLPzDTbh14j6NiRSrgEDBiQ/5ywM+qhEgEGL8QJmY8VG2VtsM9R8KcZYjrgZEOvmB+c7oVV5vrqCdgZEWIbCvb64EYR1RTQz+I6XSCKaKV85JhLU+un+h57Xbp9qF6LFt5sSidLVxt06nNR8OLjB5S0/KmM1gUGB3mDYOLTZalxR4pYO2nFjt7NJ6lFM+k/RmawVEoLUX0tZ3vaaNHL3G+RnndCwkp2gjQQUUfU07oMl8crYwW0MOYDfGiLkvnGuYjB+5ga5Q62GJ75yh7zKTCPJXmFAQ4DOFeTjdcoRyEQBADfJLIiJNNwJb11xmyjiRt3WDyFBSU/S22Vghdz/6iyYF4bYxXULBWyLRYonTBdFrtJJxmiM4DBJBAo01KU/dH5MjReJcRQiJgCp5tt8O0fDe6PloJDqwDBxmumGde5VA/vTPtRKNQnsNjjzmvZFYVIxff01o9+eOOt38DODvmHVAP/XFfx7bpBGcHhvDFcw/nG+hRPSf/DJB7mQPBB5ZM5iIRJjb/+rf6LhntQHVLwtUkmjstZ0+IztTopQqS/DazEYZhfzvHQkP/KnciJmSkRw+kkXZJJ5HpGK8sHIBl+/Wg2hP0R2Rqc/K4PC5H9hp2FWozUsW3igO1slsy8UykLLkPS6QHYVMDdnQKdEULcBF3y5AlcTT2oyOAN0Fkl9ea08P23Pf9ySoDZJrQOfJIkHbJSQCm5PUDKBL4sFKgPNxNnhyx4uUPgBauvBtE0pIiFFh+x+bplwc0Ti69Hzv2HixA90aKX/xjIgaHJllLX2KMEL3x7PvDvMNESewzhC/hR6eCJc9k3qDUYr3HD5a/3UR96RDYQ26crUB8l4JZAeos7xxCPogUPTTut3JlXgsMhx8JH5n8YjlEoR3B79gN5rRnk33DbI9t2eO8VAaSlNNSI5erVzExWUA/kwqg9D7XHNa3SU646g0Po9/GRwQRxc4jwn22YHO2q+v/g8nSnozG1ggeV78mWtPfRg/aMT60q+1pvGhehu54SKzLq4e1UL9OXv0cJwCRzftQy+RYzpX3xHMGFdSgkYbi8pLwcu7pMIJ/IOtcERYbbHAGdgeVhpcd9sSUApoDMC9KFwaHFlu+uSxu4jTaP01REzwQkmUDaoYxjmgudngOrF7r30EQRmX8EvKnok6GzmWkBebBI4OI9ChPj/6DXxRCAB3SWnxjSApa5Py6P32wpZpDmj6NejlCyHlYyyv9URDSD
qbhn+3GvslLYfTQmbJdWpCrRiGdB05xOKZ0erI6W7xOGxVx4pAZYj4yqb/Ggt370Cvf+2HclxrPIN70zeaD/WsaRg6WfNDdxH0Yr5YGYfHaJPrlmSsWrVtxk3MUS63fu7gF0nJCg3o0=
ja4k
-----END PGP MESSAGE-----
Repro 2:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.20 (GNU/Linux)
P+0C
-----END PGP MESSAGE-----