Address Sanitizer: SecKeyGeneratePair throwing a Heap Buffer Overflow

I am running the 9.1 beta with the Xcode 7.1 beta and I am trying to generate a key pair for use with the Secure Enclave, but when I run it under Address Sanitizer it tells me there is a heap buffer overflow.


dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
     CFErrorRef error = NULL;

     // Access control for the private key: usable only while the device is
     // unlocked, only after a Touch ID match, and only for private-key
     // operations inside the Secure Enclave. The protection constant is
     // already a CFTypeRef, so it needs no bridge cast.
     SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenUnlocked, kSecAccessControlTouchIDAny | kSecAccessControlPrivateKeyUsage, &error);
     if (sacObject == NULL) {
          // A NULL value in the dictionary literal below would throw, so bail out
          // here; `error` describes why the access control object was rejected.
          return;
     }

     NSDictionary *parameters = @{
       (__bridge id)kSecAttrTokenID: (__bridge id)kSecAttrTokenIDSecureEnclave,
       (__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeEC,
       (__bridge id)kSecAttrKeySizeInBits: @256,
       (__bridge id)kSecPrivateKeyAttrs: @{
            // __bridge_transfer hands ownership of sacObject to ARC
            (__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject,
            (__bridge id)kSecAttrIsPermanent: @YES,
            (__bridge id)kSecAttrLabel: @"my-key-ref"
            },
       };

     SecKeyRef publicKey = NULL;
     SecKeyRef privateKey = NULL;

     // Generates the pair in the enclave and stores the private key in the keychain
     OSStatus status = SecKeyGeneratePair((__bridge CFDictionaryRef)parameters, &publicKey, &privateKey);

     .....
});


Line 20 is where it says the heap buffer overflow is happening.

It's not really giving me any more information than that (that I can make heads or tails of, that is).


Can anyone see anything wrong here?

Is this a bug in iOS 9/9.1?


Any help would be MUCH appreciated!

Thought this might be of some help.


AddressSanitizer debugger support is active. Memory error breakpoint has been installed and you can now use the 'memory history' command.
=================================================================
==4269==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x000103714e31 at pc 0x0001003472ec bp 0x00016e1b9b60 sp 0x00016e1b92f0
READ of size 2 at 0x000103714e31 thread T4
    #0 0x1003472eb in wrap_strdup (/var/mobile/Containers/Bundle/Application/152252E0-3682-42C1-A10F-E5E2FE1BAFAF/Likey.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib+0x372eb)
    #1 0x1993d197f in xpc_string_create (/usr/lib/system/libxpc.dylib+0x197f)
    #2 0x1993d1947 in xpc_dictionary_set_string (/usr/lib/system/libxpc.dylib+0x1947)
    #3 0x188ed65eb in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x5e5eb)
    #4 0x188ed5ebb in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x5debb)
    #5 0x188ed63e7 in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x5e3e7)
    #6 0x188eab58f in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x3358f)
    #7 0x188eac1af in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x341af)
    #8 0x188eabfeb in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x33feb)
    #9 0x188eaaf0f in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x32f0f)
    #10 0x188eabb73 in SecItemAdd (/System/Library/Frameworks/Security.framework/Security+0x33b73)
    #11 0x188ea85c7 in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x305c7)
    #12 0x188eafa5f in SecKeyGeneratePair (/System/Library/Frameworks/Security.framework/Security+0x37a5f)
    #13 0x1000a103f in __85-[LYKKeychain generateKeyPairWithProtectionClass:keySizeInBits:keyLabel:returnBlock:]_block_invoke (/var/mobile/Containers/Bundle/Application/152252E0-3682-42C1-A10F-E5E2FE1BAFAF/Likey.app/Likey+0x10000903f)
    #14 0x10034b79f in __wrap_dispatch_async_block_invoke (/var/mobile/Containers/Bundle/Application/152252E0-3682-42C1-A10F-E5E2FE1BAFAF/Likey.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib+0x3b79f)
    #15 0x10102dca7 in _dispatch_call_block_and_release (/usr/lib/system/introspection/libdispatch.dylib+0x1ca7)
    #16 0x10102dc67 in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib+0x1c67)
    #17 0x10103cec7 in _dispatch_root_queue_drain (/usr/lib/system/introspection/libdispatch.dylib+0x10ec7)
    #18 0x10103c58f in _dispatch_worker_thread3 (/usr/lib/system/introspection/libdispatch.dylib+0x1058f)
    #19 0x1993a144f in _pthread_wqthread (/usr/lib/system/libsystem_pthread.dylib+0x144f)
    #20 0x1993a0fff in start_wqthread (/usr/lib/system/libsystem_pthread.dylib+0xfff)

0x000103714e31 is located 0 bytes to the right of 1-byte region [0x000103714e30,0x000103714e31)
allocated by thread T4 here:
    #0 0x10034c34b in wrap_malloc (/var/mobile/Containers/Bundle/Application/152252E0-3682-42C1-A10F-E5E2FE1BAFAF/Likey.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib+0x3c34b)
    #1 0x188ed5f93 in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x5df93)
    #2 0x188ed65d3 in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x5e5d3)
    #3 0x188ed5ebb in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x5debb)
    #4 0x188ed63e7 in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x5e3e7)
    #5 0x188eab58f in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x3358f)
    #6 0x188eac1af in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x341af)
    #7 0x188eabfeb in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x33feb)
    #8 0x188eaaf0f in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x32f0f)
    #9 0x188eabb73 in SecItemAdd (/System/Library/Frameworks/Security.framework/Security+0x33b73)
    #10 0x188ea85c7 in <redacted> (/System/Library/Frameworks/Security.framework/Security+0x305c7)
    #11 0x188eafa5f in SecKeyGeneratePair (/System/Library/Frameworks/Security.framework/Security+0x37a5f)
    #12 0x1000a103f in __85-[LYKKeychain generateKeyPairWithProtectionClass:keySizeInBits:keyLabel:returnBlock:]_block_invoke (/var/mobile/Containers/Bundle/Application/152252E0-3682-42C1-A10F-E5E2FE1BAFAF/Likey.app/Likey+0x10000903f)
    #13 0x10034b79f in __wrap_dispatch_async_block_invoke (/var/mobile/Containers/Bundle/Application/152252E0-3682-42C1-A10F-E5E2FE1BAFAF/Likey.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib+0x3b79f)
    #14 0x10102dca7 in _dispatch_call_block_and_release (/usr/lib/system/introspection/libdispatch.dylib+0x1ca7)
    #15 0x10102dc67 in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib+0x1c67)
    #16 0x10103cec7 in _dispatch_root_queue_drain (/usr/lib/system/introspection/libdispatch.dylib+0x10ec7)
    #17 0x10103c58f in _dispatch_worker_thread3 (/usr/lib/system/introspection/libdispatch.dylib+0x1058f)
    #18 0x1993a144f in _pthread_wqthread (/usr/lib/system/libsystem_pthread.dylib+0x144f)
    #19 0x1993a0fff in start_wqthread (/usr/lib/system/libsystem_pthread.dylib+0xfff)

Thread T4 created by T0 here:
    <empty stack>

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 wrap_strdup
Shadow bytes around the buggy address:
  0x0001408e2970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001408e2980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001408e2990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001408e29a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001408e29b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0001408e29c0: fa fa fa fa fa fa[01]fa fa fa fd fd fa fa fd fa
  0x0001408e29d0: fa fa fd fa fa fa 00 00 fa fa fd fd fa fa fd fd
  0x0001408e29e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0001408e29f0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0001408e2a00: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fd
  0x0001408e2a10: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4269==ABORTING

Until the bug is fixed, you can work around this issue by suppressing errors coming from external libraries:

http://clang.llvm.org/docs/AddressSanitizer.html#suppressing-reports-in-external-libraries
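The key generation from the question carried through to a signing round-trip, as an added example that is not the poster's code: it checks the CFErrorRef from SecAccessControlCreateWithFlags and the OSStatus from SecKeyGeneratePair, then signs and verifies a SHA-256 digest so that a failing enclave key shows up as a status code rather than only as a sanitizer report. It assumes the iOS 9 SDK (SecKeyRawSign and SecKeyRawVerify, since SecKeyCreateSignature arrived later), a physical device with a Secure Enclave, and the "my-key-ref" label taken from the question; the message it signs is constructed, and the function name is mine.

```objective-c
// Added example, not from the original post. Generates a P-256 key pair in
// the Secure Enclave, gated on Touch ID, and proves the private key is usable
// by signing and verifying a digest. Must run off the main thread, because
// the Touch ID prompt raised by SecKeyRawSign blocks the calling thread.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Hypothetical helper name (assumption). Returns YES only when the key was
// created and a signature made with it verifies under the public key.
static BOOL GenerateAndExerciseEnclaveKey(NSError **outError)
{
    CFErrorRef cfError = NULL;
    SecAccessControlRef sac = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,   // never migrates to another device
        kSecAccessControlTouchIDAny | kSecAccessControlPrivateKeyUsage,
        &cfError);
    if (sac == NULL) {
        if (outError) *outError = CFBridgingRelease(cfError);
        return NO;
    }

    NSDictionary *params = @{
        (__bridge id)kSecAttrTokenID:       (__bridge id)kSecAttrTokenIDSecureEnclave,
        (__bridge id)kSecAttrKeyType:       (__bridge id)kSecAttrKeyTypeEC,
        (__bridge id)kSecAttrKeySizeInBits: @256,   // the enclave only offers P-256
        (__bridge id)kSecPrivateKeyAttrs: @{
            (__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sac,
            (__bridge id)kSecAttrIsPermanent:   @YES,
            (__bridge id)kSecAttrLabel:         @"my-key-ref",
        },
    };

    SecKeyRef publicKey = NULL;
    SecKeyRef privateKey = NULL;
    OSStatus status = SecKeyGeneratePair((__bridge CFDictionaryRef)params,
                                         &publicKey, &privateKey);
    if (status != errSecSuccess) {
        if (outError) *outError = [NSError errorWithDomain:NSOSStatusErrorDomain
                                                      code:status userInfo:nil];
        return NO;
    }

    // The enclave signs a digest, never the raw message: hash first.
    const char *message = "constructed test message";   // constructed input
    uint8_t digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(message, (CC_LONG)strlen(message), digest);

    // A DER-encoded P-256 ECDSA signature is at most about 72 bytes;
    // 256 leaves plenty of room. sigLen is updated to the real length.
    uint8_t signature[256];
    size_t sigLen = sizeof(signature);
    status = SecKeyRawSign(privateKey, kSecPaddingPKCS1SHA256,
                           digest, sizeof(digest), signature, &sigLen);
    if (status == errSecSuccess) {
        // Verify with the public half; a mismatch or a tampered digest fails here.
        status = SecKeyRawVerify(publicKey, kSecPaddingPKCS1SHA256,
                                 digest, sizeof(digest), signature, sigLen);
    }

    CFRelease(publicKey);
    CFRelease(privateKey);

    if (status != errSecSuccess) {
        if (outError) *outError = [NSError errorWithDomain:NSOSStatusErrorDomain
                                                      code:status userInfo:nil];
        return NO;
    }
    return YES;
}
```

If SecKeyGeneratePair itself returns errSecSuccess and the round-trip verifies, the key material is fine and the sanitizer report is confined to the strdup interceptor frame shown in the trace (wrap_strdup called from xpc_string_create inside libxpc). For that case the suppression mechanism in the clang document linked above applies: a suppression file containing `interceptor_via_lib:libxpc.dylib`, passed through `ASAN_OPTIONS=suppressions=<path>` in the scheme's environment variables, silences reports whose interceptor was entered from that library without disabling Address Sanitizer for your own code.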
