Bug #19974: OpenSSL::PKCS7 generates SegFault when parsing invalid data - Ruby master - Ruby Issue Tracking System

Actions

Copy link

Bug #19974

closed

OpenSSL::PKCS7 generates SegFault when parsing invalid data

Added by dprater (David Prater) about 1 year ago. Updated 3 months ago.

Status:

Closed

Assignee:

Target version:

ruby -v:

ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-musl], ruby 3.1.3p185 (2022-11-24 revision 1a6b16756e) [arm64-darwin21]

Backport:

3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN

[ruby-core:115179]

Description

We ran into an instance of attempting to parse invalid PKCS7 certs that consistently causes a segfault in multiple versions of Ruby 3, on multiple platforms (Linux, Mac).

To reproduce:

------- (within pry or irb or whatever ruby shell you prefer) ----------
data = "-----BEGIN PKCS7-----\nMAsGCSqGSIb3DQEHAg==\n-----END PKCS7-----\n"
OpenSSL::PKCS7.new(data).certificates
-----------------

This causes a segfault 100% of the time for me on both an M1 Mac as well as in docker containers running on both Mac as well as Linux hosts.

The issue appears to be attempting to parse empty signedData. https://lapo.it/asn1js/#MAsGCSqGSIb3DQEHAg shows that this data contains the necessary ASN1 sequence to look like a valid PKCS7 certificate. However, the signedData is empty. I assume this is the cause of the issue, but I surely don't know.

I've attached the info from the core dump inside a linux container running on an M1 Mac.

Files

core_dump (145 KB) core_dump

dprater (David Prater), 10/26/2023 02:15 PM

Actions

Copy link

#1 [ruby-core:115180]

Updated by dprater (David Prater) about 1 year ago

By the way, looks like this (or at least a very similar) issue was opened in 2012 for Ruby 1.9.3 - https://bugs.ruby-lang.org/issues/6134. The bug was fixed, according to the tracker, but it seems like the issue was either reintroduced at some point, or wasn't completely fixed.

Actions

Copy link

#2 [ruby-core:115182]