Bug 2259883 - Heap-buffer-overflow at src/output.c:319
Summary: Heap-buffer-overflow at src/output.c:319
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: indent
Version: rawhide
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Petr Pisar
QA Contact: Fedora Extras Quality Assurance
URL: https://lists.gnu.org/archive/html/bu...
Whiteboard:
Duplicates: 2260401
Depends On:
Blocks: CVE-2024-0911
 
Reported: 2024-01-23 16:26 UTC by nu1lptr
Modified: 2024-02-02 02:22 UTC (History)

Fixed In Version: indent-2.2.13-7.fc40 indent-2.2.13-6.fc39 indent-2.2.13-5.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-02-02 01:13:51 UTC
Type: ---
Embargoed:


Attachments
A proposed fix (4.66 KB, patch), 2024-01-24 14:53 UTC, Petr Pisar

Description nu1lptr 2024-01-23 16:26:23 UTC
### Description 
heap-buffer-overflow at indent/src/output.c:319 in set_buf_break.
CVE-2023-40305 has a heap-buffer-overflow in search_brace, but this bug is in set_buf_break in indent/src/output.c.
POC file is attached.

### GNU indent Version
```
GNU indent 2.2.13
```
### Steps to recreate
```
cd indent
autoreconf -i
./configure --disable-nls
make
indent ./poc -o poc.c
```
### POC
[poc](https://paste.debian.net/download/1304713)
### Crash Info
```
-> indent/src/indent id:000012,sig:06,src:000003,time:58344633,execs:1235790,op:arith8,pos:7267,val:+30 -o 1.c
=================================================================
==1429449==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000003ec at pc 0x55d7c332e0d1 bp 0x7ffc002e4940 sp 0x7ffc002e4938
READ of size 2 at 0x6020000003ec thread T0
    #0 0x55d7c332e0d0 in set_buf_break /home/nu1lptr/afl/indent/src/output.c:319:13
    #1 0x55d7c33047c7 in indent_main_loop /home/nu1lptr/afl/indent/src/indent.c:640:17
    #2 0x55d7c33047c7 in indent /home/nu1lptr/afl/indent/src/indent.c:759:12
    #3 0x55d7c32ff361 in indent_multiple_files /home/nu1lptr/afl/indent/src/indent.c:938:18
    #4 0x55d7c32ff361 in indent_all /home/nu1lptr/afl/indent/src/indent.c:1036:23
    #5 0x55d7c32ff361 in main /home/nu1lptr/afl/indent/src/indent.c:1123:23
    #6 0x7fb444e29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7fb444e29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x55d7c3225324 in _start (/home/nu1lptr/afl/indent/src/indent+0x6a324) (BuildId: bf919c9b1b6dfa4b)

0x6020000003ec is located 4 bytes before 16-byte region [0x6020000003f0,0x602000000400)
allocated by thread T0 here:
    #0 0x55d7c32bf338 in calloc (/home/nu1lptr/afl/indent/src/indent+0x104338) (BuildId: bf919c9b1b6dfa4b)
    #1 0x55d7c332912c in xmalloc /home/nu1lptr/afl/indent/src/globs.c:42:17
    #2 0x55d7c3304904 in indent_main_loop /home/nu1lptr/afl/indent/src/indent.c:672:9
    #3 0x55d7c3304904 in indent /home/nu1lptr/afl/indent/src/indent.c:759:12
    #4 0x55d7c32ff361 in indent_multiple_files /home/nu1lptr/afl/indent/src/indent.c:938:18
    #5 0x55d7c32ff361 in indent_all /home/nu1lptr/afl/indent/src/indent.c:1036:23
    #6 0x55d7c32ff361 in main /home/nu1lptr/afl/indent/src/indent.c:1123:23
    #7 0x7fb444e29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/nu1lptr/afl/indent/src/output.c:319:13 in set_buf_break
Shadow bytes around the buggy address:
  0x602000000100: fa fa 06 fa fa fa 06 fa fa fa 06 fa fa fa 06 fa
  0x602000000180: fa fa 06 fa fa fa 06 fa fa fa 07 fa fa fa 07 fa
  0x602000000200: fa fa 00 fa fa fa 00 02 fa fa fd fa fa fa fd fa
  0x602000000280: fa fa fd fa fa fa fd fd fa fa 00 fa fa fa fd fa
  0x602000000300: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
=>0x602000000380: fa fa fd fd fa fa fd fd fa fa fd fd fa[fa]00 00
  0x602000000400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000000480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000000500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000000580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000000600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1429449==ABORTING
```

### System Info
Linux ip-10-0-1-50 6.2.0-1013-aws #13~22.04.1-Ubuntu SMP Fri Sep  8 17:29:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux 
gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0

### CREDIT
[INFOSECIITR](https://infoseciitr.in)

Reproducible: Always

Comment 1 Petr Pisar 2024-01-24 11:22:29 UTC
Thanks for the report.

Comment 2 Petr Pisar 2024-01-24 11:51:20 UTC
It seems the trigger is a stray left parenthesis after a comment with text:

$ printf '/*a*/(' | valgrind -- ./src/indent - -o /dev/null
==10671== Memcheck, a memory error detector
==10671== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==10671== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==10671== Command: ./src/indent - -o /dev/null
==10671== 
==10671== Invalid read of size 2
==10671==    at 0x40812A: set_buf_break (output.c:319)
==10671==    by 0x4026B7: indent_main_loop (indent.c:640)
==10671==    by 0x4026B7: indent.isra.0 (indent.c:759)
==10671==    by 0x401808: indent_single_file (indent.c:1004)
==10671==    by 0x401808: indent_all (indent.c:1042)
==10671==    by 0x401808: main (indent.c:1123)
==10671==  Address 0x4a5facc is 4 bytes before a block of size 16 alloc'd
==10671==    at 0x4849E60: calloc (vg_replace_malloc.c:1595)
==10671==    by 0x4070AF: xmalloc (globs.c:42)
==10671==    by 0x40655E: init_parser (parse.c:73)
==10671==    by 0x40142F: main (indent.c:1101)

Though I'm not sure it's exactly the same case as the allocation happens elsewhere.
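One way to settle the question in this comment is to compare the two traces mechanically: the reporter's ASan report and the Valgrind report above both fault in set_buf_break at output.c:319 with a 2-byte read 4 bytes before a 16-byte block, and only the allocation call sites differ (indent.c:672 versus parse.c:73). The triage helper below is an added example, not code from indent or from anyone on this bug; the report excerpts are constructed from the traces shown above.

```python
import re

# Constructed excerpts of the two reports in this bug (ASan from the description, Valgrind from comment 2).
ASAN_REPORT = """\
==1429449==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000003ec
READ of size 2 at 0x6020000003ec thread T0
    #0 0x55d7c332e0d0 in set_buf_break /home/nu1lptr/afl/indent/src/output.c:319:13
0x6020000003ec is located 4 bytes before 16-byte region [0x6020000003f0,0x602000000400)
allocated by thread T0 here:
    #1 0x55d7c332912c in xmalloc /home/nu1lptr/afl/indent/src/globs.c:42:17
    #2 0x55d7c3304904 in indent_main_loop /home/nu1lptr/afl/indent/src/indent.c:672:9
"""
VALGRIND_REPORT = """\
==10671== Invalid read of size 2
==10671==    at 0x40812A: set_buf_break (output.c:319)
==10671==  Address 0x4a5facc is 4 bytes before a block of size 16 alloc'd
==10671==    by 0x4070AF: xmalloc (globs.c:42)
==10671==    by 0x40655E: init_parser (parse.c:73)
"""

ASAN_FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\w+) (\S+?):(\d+)(?::\d+)?$")
VG_FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: ([\w.]+) \(([^:)]+):(\d+)\)")
ACCESS = re.compile(r"(?:READ|WRITE|Invalid read|Invalid write) of size (\d+)")
GEOMETRY = re.compile(r"is (?:located )?(\d+) bytes (before|after|inside) (?:(\d+)-byte region|a block of size (\d+))")
ALLOCATORS = {"malloc", "calloc", "realloc", "xmalloc"}  # wrappers, not the real call site

def parse_report(text):
    """Extract fault site, allocation site and block geometry from either report format."""
    rep = {"tool": "asan" if "AddressSanitizer" in text else "valgrind", "access_size": None,
           "fault": None, "alloc": None, "offset": None, "block_size": None}
    section = "fault"  # frames before the allocation header describe the bad access
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ACCESS.search(line)) and rep["access_size"] is None:
            rep["access_size"] = int(m.group(1))
        if m := GEOMETRY.search(line):  # negative offset: the read lands before the block
            rep["offset"] = (-1 if m.group(2) == "before" else 1) * int(m.group(1))
            rep["block_size"] = int(m.group(3) or m.group(4))
        if "allocated by thread" in line or line.endswith("alloc'd"):
            section = "alloc"
            continue
        m = ASAN_FRAME.search(line) or VG_FRAME.search(line)
        if m and rep[section] is None and m.group(1) not in ALLOCATORS:
            rep[section] = (m.group(1), m.group(2).rsplit("/", 1)[-1], int(m.group(3)))
    return rep

def same_fault_site(a, b):
    """Same function, line, access size and offset: one bug reached through two allocations."""
    return all(a[k] == b[k] for k in ("fault", "access_size", "offset", "block_size"))
```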

Comment 3 Petr Pisar 2024-01-24 12:28:05 UTC
This is not about unbalanced parentheses. '/*a*/()' also triggers it.

Comment 4 Petr Pisar 2024-01-24 14:53:52 UTC
Created attachment 2010207 [details]
A proposed fix

I think I fixed this issue in the attached patch. I also sent it to indent mailing list.

Comment 5 nu1lptr 2024-01-24 15:09:48 UTC
@ppisar Can you please assign me a CVE?

Comment 6 Petr Pisar 2024-01-24 15:36:44 UTC
I sent a request by e-mail to secalert and added you to CC.

Comment 7 Fedora Update System 2024-01-24 15:40:44 UTC
FEDORA-2024-bfd13103eb has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-bfd13103eb

Comment 8 Fedora Update System 2024-01-24 15:41:17 UTC
FEDORA-2024-74667e499e has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2024-74667e499e

Comment 9 Fedora Update System 2024-01-24 15:42:01 UTC
FEDORA-EPEL-2024-8e93f1b716 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-8e93f1b716

Comment 10 Fedora Update System 2024-01-24 15:51:50 UTC
FEDORA-EPEL-2024-76443fce3f has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-76443fce3f

Comment 11 Fedora Update System 2024-01-25 01:06:39 UTC
FEDORA-EPEL-2024-8e93f1b716 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-8e93f1b716

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2024-01-25 01:12:05 UTC
FEDORA-2024-74667e499e has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-74667e499e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-74667e499e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2024-01-25 01:12:33 UTC
FEDORA-2024-bfd13103eb has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-bfd13103eb`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-bfd13103eb

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2024-01-25 01:16:24 UTC
FEDORA-EPEL-2024-76443fce3f has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-76443fce3f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 15 Petr Pisar 2024-01-26 08:22:14 UTC
*** Bug 2260401 has been marked as a duplicate of this bug. ***

Comment 16 Fedora Update System 2024-02-02 01:13:51 UTC
FEDORA-2024-bfd13103eb has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 17 Fedora Update System 2024-02-02 02:22:24 UTC
FEDORA-2024-74667e499e has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

