Bug 1489356
| Field | Value |
|---|---|
| Summary: | There is a heap-buffer-overflow in bson_utf8_validate() function of libbson. |
| Product: | Fedora |
| Component: | libbson |
| Version: | rawhide |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Status: | CLOSED DUPLICATE |
| Severity: | urgent |
| Priority: | unspecified |
| Reporter: | owl337 <v.owl337> |
| Assignee: | Petr Pisar <ppisar> |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| CC: | fedora, jesse, ppisar |
| Type: | Bug |
| Last Closed: | 2017-09-11 08:01:07 UTC |
Created attachment 1323015
POC

This is the same logic bug as #1489355

*** This bug has been marked as a duplicate of bug 1489355 ***
Description of problem:
There is a heap-buffer-overflow in bson_utf8_validate() function of libbson.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./bson-metrics POC1

Steps to Reproduce:
The debugging information is as follows:

```
$ ./bson-metrics POC1
Segmentation fault
```

ASAN debugging information:

```
$ ./bson-metrics POC1
=================================================================
==61994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b880 at pc 0x7f1da16706b7 bp 0x7ffe5cc1a480 sp 0x7ffe5cc1a478
READ of size 1 at 0x61900000b880 thread T0
    #0 0x7f1da16706b6 (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0xa96b6)
    #1 0x7f1da16394cb (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x724cb)
    #2 0x4dbe3c (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4dbe3c)
    #3 0x7f1da06d4abf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #4 0x435648 (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x435648)

0x61900000b880 is located 0 bytes to the right of 1024-byte region [0x61900000b480,0x61900000b880)
allocated by thread T0 here:
    #0 0x4bc78b (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4bc78b)
    #1 0x7f1da1662aff (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x9baff)

Shadow bytes around the buggy address:
  0x0c327fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9710:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==61994==ABORTING
```

GDB debugging information:

```
(gdb) set args POC1
(gdb) r
...
Breakpoint 7, bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:143
143	      if ((utf8_len - i) < seq_length) {
(gdb) c 1007
Will ignore next 1006 crossings of breakpoint 7.  Continuing.

Breakpoint 7, bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:143
143	      if ((utf8_len - i) < seq_length) {
(gdb) i b
Num     Type           Disp Enb Address            What
7       breakpoint     keep y   0x00007ffff7b7e310 in bson_utf8_validate at src/bson/bson-utf8.c:143
	breakpoint already hit 1008 times
(gdb) n
151	      c = utf8[i] & first_mask;
(gdb)
156	      for (j = i + 1; j < (i + seq_length); j++) {
(gdb)
182	      if (c > 0x0010FFFF) {
(gdb)
197	      switch (seq_length) {
(gdb)
199	         if (c <= 0x007F) {
(gdb)
130	   for (i = 0; i < utf8_len; i += seq_length) {
(gdb) n
=================================================================
==100494==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b880 at pc 0x7ffff7b7e6b7 bp 0x7fffffffd800 sp 0x7fffffffd7f8
READ of size 1 at 0x61900000b880 thread T0
    #0 0x7ffff7b7e6b6 (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0xa96b6)
    #1 0x7ffff7b474cb (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x724cb)
    #2 0x4dbe3c (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4dbe3c)
    #3 0x7ffff6be2abf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #4 0x435648 (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x435648)

0x61900000b880 is located 0 bytes to the right of 1024-byte region [0x61900000b480,0x61900000b880)
allocated by thread T0 here:
    #0 0x4bc78b (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4bc78b)
    #1 0x7ffff7b70aff (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x9baff)

Shadow bytes around the buggy address:
  0x0c327fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9710:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==100494==ABORTING
[Inferior 1 (process 100494) exited with code 01]
(gdb) bt
#0  bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:143
#1  0x00007ffff7b474cc in bson_iter_visit_all (iter=<optimized out>, visitor=<optimized out>, data=<optimized out>) at src/bson/bson-iter.c:2069
#2  0x00000000004dbe3d in bson_metrics (data=<optimized out>, bson=<optimized out>, length=<optimized out>) at bson-metrics.c:208
#3  main (argc=<optimized out>, argv=<optimized out>) at bson-metrics.c:257
```

This vulnerability was triggered in function bson_utf8_validate() at line src/bson/bson-utf8.c:130:

```c
130    for (i = 0; i < utf8_len; i += seq_length) {
131       _bson_utf8_get_sequence (&utf8[i], &seq_length, &first_mask);
132
133       /*
134        * Ensure we have a valid multi-byte sequence length.
135        */
136       if (!seq_length) {
137          return false;
138       }
139
140       /*
141        * Ensure we have enough bytes left.
142        */
143       if ((utf8_len - i) < seq_length) {
144          return false;
145       }
146       ...
```

Actual results:
crash

Expected results:
crash

Additional info:
Credits: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
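An added illustration of the defensive check this class of bug calls for; it is not libbson's code and not the fix applied in bug 1489355. The backtrace shows utf8_len=4294967295 (UINT32_MAX), which is what a declared BSON string length of 0 becomes once the trailing NUL is subtracted in 32-bit arithmetic (my reading of the trace, not stated in the report); with a length that large the "enough bytes left" test at line 143 never fails. The example below validates the declared length against the bytes actually present before the UTF-8 loop runs; all function names and the minimal validator are my own.

```c
/* Added example (not libbson code): check a BSON string's declared length
 * against the bytes actually present before running UTF-8 validation.
 * In the trace above utf8_len=4294967295 (UINT32_MAX): a declared length
 * of 0 minus the trailing NUL wrapped around (an assumption drawn from the
 * trace), so the validator read past the end of a 1024-byte region. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Byte length of the UTF-8 sequence introduced by b; 0 if b cannot start one. */
static size_t utf8_seq_len(uint8_t b)
{
    if ((b & 0x80) == 0x00) return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Structural UTF-8 check: every byte read lies inside [s, s + len). */
bool utf8_validate(const uint8_t *s, size_t len)
{
    for (size_t i = 0; i < len; ) {
        size_t n = utf8_seq_len(s[i]);
        if (n == 0 || len - i < n) return false;        /* truncated sequence */
        for (size_t j = i + 1; j < i + n; j++)
            if ((s[j] & 0xC0) != 0x80) return false;   /* bad continuation */
        i += n;
    }
    return true;
}

/* Validate the BSON string value at doc[off]: int32 little-endian length
 * (counting the trailing NUL) followed by the bytes. The length is untrusted
 * input, so it is checked against doc_len before any byte of the string is
 * read, and a zero length is rejected instead of being allowed to wrap. */
bool bson_string_is_valid(const uint8_t *doc, size_t doc_len, size_t off)
{
    if (off > doc_len || doc_len - off < 4) return false;
    uint32_t declared = (uint32_t)doc[off] | (uint32_t)doc[off + 1] << 8 |
                        (uint32_t)doc[off + 2] << 16 | (uint32_t)doc[off + 3] << 24;
    if (declared == 0 || declared > doc_len - off - 4) return false;
    const uint8_t *str = doc + off + 4;
    if (str[declared - 1] != 0) return false;           /* must end in NUL */
    return utf8_validate(str, declared - 1);             /* length excludes NUL */
}
```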