UB sanitizer reports NULL pointer access via SymCryptEcurveAllocate #10

Closed
guidovranken opened this issue Nov 11, 2020 · 3 comments

@guidovranken:
#include <symcrypt.h>
#include <stdlib.h>

/* Minimal host callbacks that the SymCrypt library requires the caller to provide. */
void SymCryptFatal(UINT32 fatalCode) {
    (void)fatalCode;

    abort();
}

void SymCryptInjectError( PBYTE pbData, SIZE_T cbData ) {
    (void)pbData;
    (void)cbData;
}

PVOID SymCryptCallbackAlloc( SIZE_T nBytes ) {
    return malloc(nBytes);
}

VOID SymCryptCallbackFree( VOID * pMem ) {
    free(pMem);
}

/* Randomness is never needed by this reproducer, so any call aborts. */
SYMCRYPT_ERROR SymCryptCallbackRandom(PBYTE   pbBuffer, SIZE_T  cbBuffer ) {
    (void)pbBuffer;
    (void)cbBuffer;
    abort();
}

SYMCRYPT_CPU_FEATURES
SymCryptCpuFeaturesNeverPresent(void) {
    return 0;
}

int main(void)
{
    /* Allocating the curve is enough to trigger the sanitizer reports below. */
    SYMCRYPT_ECURVE* curve = SymCryptEcurveAllocate(SymCryptEcurveParamsNumsP512t1, 0);
    (void)curve;
    return 0;
}

If compiled with UndefinedBehaviorSanitizer (clang with -fsanitize=undefined, on Linux 64 bit), execution of this program will print:

/mnt/2tb/sym-crash/SymCrypt/lib/fdef_mod.c:53:12: runtime error: member access within null pointer of type 'SYMCRYPT_MODULUS' (aka 'struct _SYMCRYPT_MODULUS')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mnt/2tb/sym-crash/SymCrypt/lib/fdef_mod.c:53:12 in 
/mnt/2tb/sym-crash/SymCrypt/lib/fdef_general.c:819:12: runtime error: member access within null pointer of type 'SYMCRYPT_DIVISOR' (aka 'struct _SYMCRYPT_DIVISOR')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mnt/2tb/sym-crash/SymCrypt/lib/fdef_general.c:819:12 in 
/mnt/2tb/sym-crash/SymCrypt/lib/fdef_general.c:195:12: runtime error: member access within null pointer of type 'SYMCRYPT_INT' (aka 'struct _SYMCRYPT_INT')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mnt/2tb/sym-crash/SymCrypt/lib/fdef_general.c:195:12 in 
/mnt/2tb/sym-crash/SymCrypt/lib/fdef_mod.c:66:27: runtime error: member access within null pointer of type 'SYMCRYPT_MODULUS' (aka 'struct _SYMCRYPT_MODULUS')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mnt/2tb/sym-crash/SymCrypt/lib/fdef_mod.c:66:27 in 
/mnt/2tb/sym-crash/SymCrypt/lib/fdef_general.c:850:55: runtime error: member access within null pointer of type 'SYMCRYPT_DIVISOR' (aka 'struct _SYMCRYPT_DIVISOR')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mnt/2tb/sym-crash/SymCrypt/lib/fdef_general.c:850:55 in 
@NielsFerguson (Contributor):

This is due to this macro:
#define SYMCRYPT_FIELD_OFFSET(type, field) ((ULONG)(ULONG_PTR)&(((type *)0)->field))
which is inelegant, but the most portable way to get the field offset that I know of.

@nibanks (Member) commented Nov 13, 2020

@NielsFerguson FYI, for MsQuic, we have the following abstraction (Linux implementation): https://github.com/microsoft/msquic/blob/4c1527906233a8047068800d8b273852bb41a504/src/inc/msquic_linux.h#L166

#define FIELD_OFFSET(type, field)       offsetof(type, field)

@samuel-lee-msft (Contributor):
We use offsetof in SymCrypt now too
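
A side-by-side illustration of the two macros discussed in the comments above, added here and not code from SymCrypt or MsQuic: the null-pointer form that UndefinedBehaviorSanitizer reports, next to the standard offsetof replacement, applied to a constructed variable-length object of the kind that SymCryptEcurveAllocate has to size. TOY_INT, LEGACY_FIELD_OFFSET, STD_FIELD_OFFSET and the toy_int_* functions are hypothetical names, and uintptr_t stands in for ULONG_PTR.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a SymCrypt-style object (SYMCRYPT_INT and friends)
 * that ends in a digit array whose length is only known at allocation time. */
typedef struct {
    uint32_t nDigits;
    uint32_t flags;
    uint64_t digits[];          /* C99 flexible array member */
} TOY_INT;

/* The macro from the issue, with uintptr_t standing in for ULONG_PTR: the address
 * is formed through a null pointer, which -fsanitize=undefined reports as
 * "member access within null pointer" even though no memory is ever read. */
#define LEGACY_FIELD_OFFSET(type, field) ((unsigned long)(uintptr_t)&(((type *)0)->field))

/* The replacement adopted by SymCrypt and MsQuic: offsetof is a standard
 * integer constant expression, so no null-based pointer is ever formed. */
#define STD_FIELD_OFFSET(type, field) offsetof(type, field)

/* Bytes needed for a TOY_INT holding nDigits digits, computed each way. */
size_t toy_int_size_legacy(uint32_t nDigits) {
    return LEGACY_FIELD_OFFSET(TOY_INT, digits) + (size_t)nDigits * sizeof(uint64_t);
}
size_t toy_int_size_std(uint32_t nDigits) {
    return STD_FIELD_OFFSET(TOY_INT, digits) + (size_t)nDigits * sizeof(uint64_t);
}

/* Allocate a zeroed object of the size computed above; NULL on failure. */
TOY_INT *toy_int_allocate(uint32_t nDigits) {
    size_t cb = toy_int_size_std(nDigits);
    TOY_INT *p = malloc(cb);
    if (p == NULL) return NULL;
    memset(p, 0, cb);
    p->nDigits = nDigits;
    return p;
}

/* Allocate, check that the digit array really starts at the computed offset,
 * free. Returns 1 on success, 0 on allocation failure or a layout mismatch. */
int toy_int_alloc_check(uint32_t nDigits) {
    TOY_INT *p = toy_int_allocate(nDigits);
    if (p == NULL) return 0;
    int ok = (p->nDigits == nDigits) &&
             ((size_t)((char *)p->digits - (char *)p) == toy_int_size_std(0));
    free(p);
    return ok;
}
```

Built with clang -fsanitize=undefined, the legacy form is the line that produces the "member access within null pointer" report shown in the issue; the offsetof form computes the same sizes without it.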
