Entry 1

Published: Dec 2nd, 2021

a few thoughts about project zero’s latest blog post, “This shouldn’t have happened: A vulnerability postmortem”

well, imho this is the most understandable project zero writeup so far :) and it is really well explained by @taviso. actually the writeup, alongside the details of the vulnerability, scrutinizes the fuzzers which couldn’t find this 7-year-old memcpy bug.

without further ado, the bug is called “BigSig” and was found in NSS (Network Security Services, Mozilla’s widely used, cross-platform cryptography library). Simply put, the verification context keeps a fixed-size buffer sized for the maximum expected signature, and an untrusted signature is copied straight into that buffer, overwriting adjacent members with arbitrary attacker-controlled data. The signature size must match the size of the key, but there are no other limitations, so a key larger than the buffer allows a signature larger than the buffer. The result is memory corruption.
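To make the pattern concrete, here is an added, constructed C model of the bug class. It is not NSS code, and the struct layout, buffer size and function names are assumptions for illustration. The vulnerable copy checks only that the signature length equals the key’s signature length (a value derived from attacker-supplied key material), while the hardened version also bounds that length by the buffer before copying. A separate predicate reports when the vulnerable path would overflow without actually performing the out-of-bounds write.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the pattern described above; not NSS code.
 * Names, sizes and layout are assumptions for illustration only. */

#define SIG_BUFFER_LEN 256 /* assumed fixed "maximum" signature size */

struct vfy_ctx {
    unsigned char buffer[SIG_BUFFER_LEN]; /* fixed-size signature buffer */
    int hash_alg;                          /* adjacent member: first thing an overflow clobbers */
    int (*finish)(struct vfy_ctx *);       /* a function pointer nearby makes it worse */
};

/* Vulnerable pattern: the only check relates sig_len to the key's signature
 * length; nothing ties either value to sizeof(ctx->buffer).
 * Returns 0 on success, -1 on rejection. */
int copy_sig_vulnerable(struct vfy_ctx *ctx, const unsigned char *sig,
                        size_t sig_len, size_t key_sig_len)
{
    if (sig_len != key_sig_len)
        return -1;
    /* Overflows ctx->buffer whenever key_sig_len > SIG_BUFFER_LEN. */
    memcpy(ctx->buffer, sig, sig_len);
    return 0;
}

/* Hardened pattern: reject any key whose signature length cannot fit the
 * buffer before touching it, and keep the original equality check. */
int copy_sig_hardened(struct vfy_ctx *ctx, const unsigned char *sig,
                      size_t sig_len, size_t key_sig_len)
{
    if (key_sig_len == 0 || key_sig_len > sizeof ctx->buffer)
        return -1; /* would have overflowed: reject before copying */
    if (sig_len != key_sig_len)
        return -1;
    memcpy(ctx->buffer, sig, sig_len);
    return 0;
}

/* Reports, without performing the copy, whether the vulnerable path would
 * write past the buffer for a given pair of lengths (1 = yes, 0 = no). */
int vulnerable_copy_overflows(size_t sig_len, size_t key_sig_len)
{
    return sig_len == key_sig_len && key_sig_len > SIG_BUFFER_LEN;
}

/* Builds a constructed signature of key_sig_len bytes and runs it through
 * the hardened copy, returning that function's result (-2 on malloc failure). */
int try_hardened(size_t key_sig_len)
{
    struct vfy_ctx ctx;
    unsigned char *sig = malloc(key_sig_len);
    int rv;
    if (!sig)
        return -2;
    memset(&ctx, 0, sizeof ctx);
    memset(sig, 0x41, key_sig_len); /* constructed attacker-controlled bytes */
    rv = copy_sig_hardened(&ctx, sig, key_sig_len, key_sig_len);
    free(sig);
    return rv;
}

int main(void)
{
    size_t fits = SIG_BUFFER_LEN;      /* constructed: key matches the buffer */
    size_t oversized = 4 * SIG_BUFFER_LEN; /* constructed: key larger than the buffer */

    printf("fitting key, hardened copy:      %d\n", try_hardened(fits));
    printf("oversized key, hardened copy:    %d\n", try_hardened(oversized));
    printf("oversized key, vulnerable path overflows: %d\n",
           vulnerable_copy_overflows(oversized, oversized));
    return 0;
}
```

The point the model makes is that a length check against a value the attacker also controls (the key size) is not a bounds check; the bound that matters is the size of the destination buffer.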

key points

  • Raise the maximum size of ASN.1 (Abstract Syntax Notation One) objects produced by libFuzzer from 10,000 to 2^24 - 1 = 16,777,215 bytes. This is an important point: sometimes a fuzzer’s arbitrary input-size limit is set too low to produce the inputs that reach the bug.
  • The QuickDER fuzzer should call some relevant APIs with any objects successfully created before destroying them.
  • The oss-fuzz code coverage metrics should be divided by fuzzer, not by project.

honestly, I’m not very interested in fuzzing, but this detailed writeup helped me learn some new cool things.