Invalid Memory Access in SignatureValidator (#453)

* Invalid Memory Access in SignatureValidator

Problem:
* SignatureValidator::IsStoreOrigin() tries to read X.509 extensions
to determine if the origin of the signature matches the Windows Store OID.
* Extension data is converted from a raw buffer to an std::string for
comparison.
* The raw buffer is not null-terminated, and therefore, running
std::strlen() on it causes invalid memory access.
* This invalid access is caught by ASAN on macOS.

Solution:
* Null-terminate the raw buffer before trying to build an std::string
from it.

Tests:
* Ran app test suite that uses libmsix.dylib with ASAN on. No crashes
were reported.

* Invalid Memory Access in SignatureValidator

Problem:
* As @JohnMcPMS pointed out, writing "" with 1 byte size is null termination.
* A better solution would be to use bptr->length and avoid writing the null
byte altogether.

Tests:
* Ran app test suite that uses libmsix.dylib with ASAN on. No crashes
were reported.

Co-authored-by: Sayan Chaliha <sachalih@microsoft.com>
Sayan Chaliha 2021-06-08 23:23:39 +05:30, committed by GitHub
Parent 5883559c90
Commit 0c8a78f9b1
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
1 changed file: 2 additions and 3 deletions

@ -130,13 +130,12 @@ namespace MSIX
{ {
M_ASN1_OCTET_STRING_print(extbio.get(), ext->value); M_ASN1_OCTET_STRING_print(extbio.get(), ext->value);
} }
// null terminate the string.
BIO_write(extbio.get(), "", 1);
BUF_MEM *bptr = nullptr; BUF_MEM *bptr = nullptr;
BIO_get_mem_ptr(extbio.get(), &bptr); BIO_get_mem_ptr(extbio.get(), &bptr);
if (bptr && bptr->data && if (bptr && bptr->data &&
std::string((char*)bptr->data).find(OID::WindowsStore()) != std::string::npos) std::string((char*)bptr->data, bptr->length).find(OID::WindowsStore()) != std::string::npos)
{ {
return true; return true;
} }
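
Review bot: On the changed line that builds `std::string((char*)bptr->data, bptr->length)`, nothing now records why the length argument is required, because the removed `// null terminate the string.` comment was the only hint that the buffer returned by BIO_get_mem_ptr() is not null-terminated. Add a one-line comment at that line so a later cleanup does not go back to the single-argument constructor and reintroduce the out-of-bounds read. The C-style `(char*)` cast on the same line would be better as a named cast, and since the commit changes only this one file, a regression test that drives IsStoreOrigin() under ASAN would keep the fix from silently regressing.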