Project

General

Profile

Actions
Copy link

Bug #19974

closed

OpenSSL::PKCS7 generates SegFault when parsing invalid data

Added by dprater (David Prater) 7 months ago. Updated 7 days ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-musl], ruby 3.1.3p185 (2022-11-24 revision 1a6b16756e) [arm64-darwin21]
Backport:
3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN
[ruby-core:115179]

Description

We ran into an instance of attempting to parse invalid PKCS7 certs that consistently causes a segfault in multiple versions of Ruby 3, on multiple platforms (Linux, Mac).

To reproduce:
------- (within pry or irb or whatever ruby shell you prefer) ----------
data = "-----BEGIN PKCS7-----\nMAsGCSqGSIb3DQEHAg==\n-----END PKCS7-----\n"
OpenSSL::PKCS7.new(data).certificates

This causes a segfault 100% of the time for me on both an M1 Mac as well as in docker containers running on both Mac as well as Linux hosts.

The issue appears to be attempting to parse empty signedData. https://lapo.it/asn1js/#MAsGCSqGSIb3DQEHAg shows that this data contains the necessary ASN1 sequence to look like a valid PKCS7 certificate. However, the signedData is empty. I assume this is the cause of the issue, but I surely don't know.

I've attached the info from the core dump inside a linux container running on an M1 Mac.

Files

core_dump (145 KB) core_dump dprater (David Prater), 10/26/2023 02:15 PM
Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0Like0Like0