
Excessive CPU use on --import of fuzzed file - 0069f7d7
Closed, Resolved (Public)

Description

While fuzzing I found that the following 40-byte file would use an abusive amount
of CPU during import.

$ ./g10/gpg2 --import ~/Dropbox/gnupg/0069f7d7

I am testing with 2.0.22

System Details:
AMD64
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

Found with the fuzzer American Fuzzy Lop by lcamtuf.

GDB Log:
run
Starting program: /home/jodicun/opt/gnupg2-2.0.22/g10/gpg2 --import
../cores/0069f7d7
^C
Program received signal SIGINT, Interrupt.


eax:FFFF467F ebx:00909CD0  ecx:00007660  edx:00000000     eflags:00000246
esi:0000001E edi:00909CD0  esp:FFFFD7B8  ebp:9ECBCAE9     eip:Error while running hook_stop:
Value can't be converted to integer.
0x00000000004ca8fa in parse_attribute (inp=0x909cd0, pktlen=<optimized out>,
packet=<optimized out>, pkttype=<optimized out>) at parse-packet.c:2214
2214 *p = iobuf_get_noeof(inp);
gdb> bt
#0 0x00000000004ca8fa in parse_attribute (inp=0x909cd0, pktlen=<optimized out>,
packet=<optimized out>, pkttype=<optimized out>) at parse-packet.c:2214
#1 0x00000000ffffffff in ?? ()
#2 0x000000000063add0 in underflow (a=0x0) at iobuf.c:1874
#3 0x0000000000642198 in iobuf_readbyte (a=0x909cd0) at iobuf.c:1959
#4 0x00000000004ca928 in parse_attribute (inp=inp@entry=0x909cd0, pktlen=
<optimized out>, packet=<optimized out>, pkttype=0xd) at parse-packet.c:2214
#5 0x00000000004d4756 in parse (onlykeypkts=0x0, retpos=0x0, dbg_l=<optimized
out>, dbg_f=<optimized out>, dbg_w=0x6dd1af "parse", do_skip=0x0, out=0x0, skip=
<synthetic pointer>, pkt=<optimized out>, inp=<optimized out>) at parse-
packet.c:575
#6 dbg_parse_packet (inp=0x909cd0, pkt=<optimized out>, dbg_f=<optimized out>,
dbg_l=<optimized out>) at parse-packet.c:221
#7 0x0000000000579596 in read_block (ret_root=<synthetic pointer>, pending_pkt=
<synthetic pointer>, a=<optimized out>) at import.c:394
#8 import (inp=inp@entry=0x909cd0, fname=fname@entry=0x7fffffffe338
"../cores/0069f7d7", stats=stats@entry=0x909c40, fpr=fpr@entry=0x0,
fpr_len=fpr_len@entry=0x0, options=options@entry=0x8) at import.c:257
#9 0x000000000057c957 in import_keys_internal (inp=inp@entry=0x0,
fnames=0x7fffffffe0c8, nnames=0x1, stats_handle=0x0, fpr=fpr@entry=0x0,
fpr_len=fpr_len@entry=0x0, options=0x8) at import.c:195
#10 0x000000000057d6d4 in import_keys (fnames=<optimized out>, nnames=<optimized
out>, stats_handle=<optimized out>, options=<optimized out>) at import.c:226
#11 0x000000000041bfb9 in main (argc=0x1, argv=0x7fffffffe0c8) at gpg.c:3706
#12 0x00007ffff6b16ec5 in __libc_start_main (main=0x408cb0 <main>, argc=0x3,
argv=0x7fffffffe0b8, init=<optimized out>, fini=<optimized out>, rtld_fini=
<optimized out>, stack_end=0x7fffffffe0a8) at libc-start.c:287
#13 0x000000000041f756 in _start ()

Valgrind:
ulimit -St 120;valgrind --leak-check=full ../../g10/gpg2 --import
../cores/0069f7d7;ulimit -St unlimited

==29610== Memcheck, a memory error detector
==29610== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==29610== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==29610== Command: ../../g10/gpg2 --import ../cores/0069f7d7
==29610==
==29610== Warning: set address range perms: large range [0x3a00e040, 0x975e548d) (undefined)
==29610==
==29610== Process terminating with default action of signal 24 (SIGXCPU)
==29610==    at 0x4CA8C2: parse_attribute.isra.13 (parse-packet.c:2214)
==29610==    by 0xFFFFFFFE: ???
==29610==    by 0x63ADCF: underflow (iobuf.c:1874)
==29610==    by 0x642197: iobuf_readbyte (iobuf.c:1959)
==29610==    by 0x4CA927: parse_attribute.isra.13 (parse-packet.c:2214)
==29610==    by 0x4D4755: dbg_parse_packet (parse-packet.c:575)
==29610==    by 0x579595: import (import.c:394)
==29610==    by 0x57C956: import_keys_internal (import.c:195)
==29610==    by 0x57D6D3: import_keys (import.c:226)
==29610==    by 0x41BFB8: main (gpg.c:3706)
==29610==
==29610== LEAK SUMMARY:
==29610==    definitely lost: 114 bytes in 5 blocks
==29610==    indirectly lost: 0 bytes in 0 blocks
==29610==      possibly lost: 0 bytes in 0 blocks
==29610==    still reachable: 1,566,433,114 bytes in 59 blocks
==29610==         suppressed: 0 bytes in 0 blocks
==29610== Reachable blocks (those to which a pointer was found) are not shown.
==29610== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==29610==
==29610== For counts of detected and suppressed errors, rerun with: -v
==29610== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
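The report gives the symptom (a 40-byte file, a loop at parse-packet.c:2214 spinning in iobuf_get_noeof, and about 1.5 GB still reachable when SIGXCPU hit) but not the fix. The following is an added C example, not GnuPG's code, that shows the general pattern such traces point at: a tiny input whose OpenPGP packet header declares an enormous body length, a reader that trusts that length both for its allocation and for its loop count and so reads straight through EOF, and the two checks a hardened reader adds. The stream type, the two read helpers (the EOF behaviour of get_noeof is assumed from the name iobuf_get_noeof), the 1 MiB cap and both sample inputs are constructed for this illustration; the length encoding follows RFC 4880 section 4.2.2. Whether this is exactly the defect GnuPG fixed is not stated on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed in-memory input standing in for gpg's iobuf. */
typedef struct { const uint8_t *data; size_t len, pos; } stream_t;

/* iobuf_get_noeof-style read (behaviour assumed from the name): yields 0
 * once the input is exhausted, so a caller looping over a declared length
 * never notices EOF. */
static int get_noeof(stream_t *s) { return s->pos < s->len ? s->data[s->pos++] : 0; }

/* EOF-aware read: -1 once the input is exhausted. */
static int get_byte(stream_t *s) { return s->pos < s->len ? s->data[s->pos++] : -1; }

/* OpenPGP new-format packet header (RFC 4880, section 4.2.2): returns 0 and
 * fills *tag / *body_len, or -1 on EOF, an old-format header, or a partial
 * body length (first octet 224..254, not handled here). */
int parse_new_format_header(stream_t *s, int *tag, uint32_t *body_len)
{
    int c = get_byte(s), l1;
    if (c < 0 || (c & 0xC0) != 0xC0 || (l1 = get_byte(s)) < 0)
        return -1;
    *tag = c & 0x3F;
    if (l1 < 192) {
        *body_len = (uint32_t)l1;
    } else if (l1 < 224) {                       /* two-octet length */
        int l2 = get_byte(s);
        if (l2 < 0) return -1;
        *body_len = ((uint32_t)(l1 - 192) << 8) + (uint32_t)l2 + 192;
    } else if (l1 == 255) {                      /* five-octet length */
        uint32_t v = 0;
        for (int i = 0; i < 4; i++) {
            int b = get_byte(s);
            if (b < 0) return -1;
            v = (v << 8) | (uint32_t)b;
        }
        *body_len = v;
    } else {
        return -1;
    }
    return 0;
}

/* Naive body reader: allocates the declared length and performs that many
 * get_noeof reads, so the loop count is set by the header, not by the input.
 * Returns the number of reads performed (0 if the allocation failed). */
size_t read_body_naive(stream_t *s, uint32_t body_len, uint8_t **out)
{
    uint8_t *p = malloc(body_len ? body_len : 1);
    size_t n = 0;
    if (!p) return 0;
    for (; n < body_len; n++)
        p[n] = (uint8_t)get_noeof(s);            /* never sees EOF */
    *out = p;
    return n;
}

/* Hardened reader: caps the length before allocating and stops at EOF while
 * copying. Returns bytes read, or -1 on error. */
long read_body_checked(stream_t *s, uint32_t body_len, uint32_t max_len, uint8_t **out)
{
    if (body_len > max_len) return -1;           /* policy cap, checked before malloc */
    uint8_t *p = malloc(body_len ? body_len : 1);
    if (!p) return -1;
    for (size_t n = 0; n < body_len; n++) {
        int c = get_byte(s);
        if (c < 0) { free(p); return -1; }       /* truncated body is an error */
        p[n] = (uint8_t)c;
    }
    *out = p;
    return (long)body_len;
}

/* Constructed inputs (not the reporter's file): new-format headers for tag 17
 * (user attribute). huge_sample declares a 1 GiB body inside a 40-byte buffer;
 * short_sample declares a 300-byte body with only 37 bytes after the header. */
static const uint8_t huge_sample[40]  = { 0xC0 | 17, 0xFF, 0x40, 0x00, 0x00, 0x00 };
static const uint8_t short_sample[40] = { 0xC0 | 17, 0xC0, 0x6C };

enum mode { MODE_DECLARED, MODE_NAIVE, MODE_CHECKED };

/* Parse buf's header, then report the declared length, the naive reader's
 * read count, or the checked reader's result; -2 if the header does not parse. */
long run(const uint8_t *buf, size_t len, enum mode m, uint32_t cap)
{
    stream_t s = { buf, len, 0 };
    int tag; uint32_t body_len; uint8_t *body = NULL; long r;
    if (parse_new_format_header(&s, &tag, &body_len) != 0 || tag != 17)
        return -2;
    if (m == MODE_DECLARED)   r = (long)body_len;
    else if (m == MODE_NAIVE) r = (long)read_body_naive(&s, body_len, &body);
    else                      r = read_body_checked(&s, body_len, cap, &body);
    free(body);
    return r;
}

int main(void)
{
    printf("declared length in the 40-byte input:  %ld\n", run(huge_sample, 40, MODE_DECLARED, 0));
    printf("checked reader on it, 1 MiB cap:       %ld\n", run(huge_sample, 40, MODE_CHECKED, 1u << 20));
    printf("naive reads for a 300-byte declaration: %ld\n", run(short_sample, 40, MODE_NAIVE, 0));
    printf("checked reader on the same input:      %ld\n", run(short_sample, 40, MODE_CHECKED, 1u << 20));
    return 0;
}
```

Build with `cc -std=c11 -Wall example.c`. The naive reader is only ever run here on the 300-byte declaration; run on huge_sample it would allocate 1 GiB and loop 2^30 times, which is the shape of the CPU and memory figures in the valgrind output above. The cap is a policy choice: a real parser may legitimately need larger packets, but it must pick some bound before trusting a length taken from the input.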

Details

Version
2.0.22

Event Timeline

Thanks for the new test vector. This has already been fixed in master and those
fixes will be ported back to 2.0 and 1.4.

In general I would suggest using at least the latest released version or, even
better, the respective GIT HEAD for fuzzing work.

werner claimed this task.

Fixed in all branches.