Internet Bug Bounty: CVE-2021-3711: SM2 decrypt buffer overflow

CVE-2021-3711
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the “out” parameter can be NULL and, on exit, the “outlen” parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the “out” parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small.

Reproduce step:

Examples of data that triggered the vulnerability

1. SM2 ciphertext data
   Examples of ciphertext data are as follows:

3072022070DAD60CDA7C30D64CF4F278A849003581223F5324BFEC9BB329229BFFAD21A6021F18AFAB2B35459D2643243B242BE4EA80C6FA5071D2D847340CC57EB9309E5D04200B772E4DB664B2601E3B85E39E4DB664B2601E3B85E39C4AA308BE13588C301308E3588C01308E3588E3308E4

2. Parse SM2 ciphertext
   The length of this ciphertext is 116 bytes. Parse this group of ciphertexts according to the ASN.1 format:

3072 //30 indicates the SEQUENCE type, 72 indicates that the total length of the subsequent data is 114 bytes

0220 //02 means INTEGER type, 20 means the length of the integer is 32 bytes

70DAD60CDA7C30D64CF4F278A849003581223F5324BFEC9BB329229BFFAD21A6 //32-byte XCoordinate

021F //02 means INTEGER type, 1F means the length of the integer is 31 bytes

18AFAB2B35459D2643243B242BE4EA80C6FA5071D2D847340CC57EB9309E5D //31-byte YCoordinate

0420 //04 means OCTETSTRING type, 20 means the length of the string is 32 bytes

0B772E4DB664B2601E3B85E39C4AA8C2C1910308BE13B331E009C5A9258C29FD //32-byte HASH

040B //04 means OCTETSTRING type, 0B means the length of the string is 11 bytes

6D588BE9260A94DA18E0E6 //11-byte ciphertext

After verification, the above-mentioned XCoordinate and YCoordinate satisfy the SM2 elliptic curve equation.

3. Trigger heap overflow
   When pkey_sm2_decrypt is called for the first time, the pointer out is NULL and msg_len is equal to 116. The sm2_plaintext_size function returns 10 (msg_len-overhead = 116-106).

10 bytes of memory are allocated through OPENSSL_malloc, and out points to this memory.

The second call to pkey_sm2_decrypt, since the ciphertext has 11 bytes, the decryption result is also 11 bytes.

The memory pointed to by out is 10 bytes, and the decrypted result is 11 bytes, resulting in 1 byte being written out of bounds.

Impact

A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated.

OpenSSL versions 1.1.1k and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1l.

OpenSSL 1.0.2 is not impacted by this issue.

OpenSSL 3.0 alpha/beta releases are also affected but this issue will be addressed before the final release.