UB sanitizer reports NULL pointer access via SymCryptEcurveAllocate

Question

UB sanitizer reports NULL pointer access via SymCryptEcurveAllocate

guidovranken opened this issue 4 years ago · 3 comments

#include <symcrypt.h>
#include <stdlib.h>

void SymCryptFatal(UINT32 fatalCode) {
    (void)fatalCode;

    abort();
}
void SymCryptInjectError( PBYTE pbData, SIZE_T cbData ) {
    (void)pbData;
    (void)cbData;
}

PVOID SymCryptCallbackAlloc( SIZE_T nBytes ) {
    return malloc(nBytes);
}

VOID SymCryptCallbackFree( VOID * pMem ) {
    free(pMem);
}

SYMCRYPT_ERROR SymCryptCallbackRandom(PBYTE   pbBuffer, SIZE_T  cbBuffer ) {
    abort();
}

SYMCRYPT_CPU_FEATURES
SymCryptCpuFeaturesNeverPresent(void) {
    return 0;
}

int main(void)
{
    SYMCRYPT_ECURVE* curve = SymCryptEcurveAllocate(SymCryptEcurveParamsNumsP512t1, 0);
    return 0;
}

If compiled with UndefinedBehaviorSanitizer (clang with -fsanitize=undefined, on Linux 64 bit), execution of this program will print:

/mnt/2tb/sym-crash/SymCrypt/lib/fdef_mod.c:53:12: runtime error: member access within null pointer of type 'SYMCRYPT_MODULUS' (aka 'struct _SYMCRYPT_MODULUS')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mnt/2tb/sym-crash/SymCrypt/lib/fdef_mod.c:53:12 in 
/mnt/2tb/sym-crash/SymCrypt/lib/fdef_general.c:819:12: runtime error: member access within null pointer of type 'SYMCRYPT_DIVISOR' (aka 'struct _SYMCRYPT_DIVISOR')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mnt/2tb/sym-crash/SymCrypt/lib/fdef_general.c:819:12 in 
/mnt/2tb/sym-crash/SymCrypt/lib/fdef_general.c:195:12: runtime error: member access within null pointer of type 'SYMCRYPT_INT' (aka 'struct _SYMCRYPT_INT')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mnt/2tb/sym-crash/SymCrypt/lib/fdef_general.c:195:12 in 
/mnt/2tb/sym-crash/SymCrypt/lib/fdef_mod.c:66:27: runtime error: member access within null pointer of type 'SYMCRYPT_MODULUS' (aka 'struct _SYMCRYPT_MODULUS')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mnt/2tb/sym-crash/SymCrypt/lib/fdef_mod.c:66:27 in 
/mnt/2tb/sym-crash/SymCrypt/lib/fdef_general.c:850:55: runtime error: member access within null pointer of type 'SYMCRYPT_DIVISOR' (aka 'struct _SYMCRYPT_DIVISOR')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mnt/2tb/sym-crash/SymCrypt/lib/fdef_general.c:850:55 in

Answer 1 · 2020-11-13T02:40:32.000Z

This is due to this macro:
#define SYMCRYPT_FIELD_OFFSET(type, field) ((ULONG)(ULONG_PTR)&(((type *)0)->field))
Which is inelegant, but the most portable way to get the field offset that I know of.

Answer 2 · 2020-11-13T16:43:36.000Z

@NielsFerguson FYI, for MsQuic, we have the following abstraction (Linux implementation): https://github.com/microsoft/msquic/blob/4c1527906233a8047068800d8b273852bb41a504/src/inc/msquic_linux.h#L166

#define FIELD_OFFSET(type, field)       offsetof(type, field)

Answer 3 · 2021-03-03T15:21:24.000Z

We use offsetof in SymCrypt now too