Bug 1489362
| Field | Value |
|---|---|
| Summary | There is a heap-based buffer overflow in bson-to-json.c. |
| Product | [Fedora] Fedora |
| Reporter | owl337 <v.owl337> |
| Component | libbson |
| Assignee | Petr Pisar <ppisar> |
| Status | CLOSED DUPLICATE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | urgent |
| Docs Contact | |
| Priority | unspecified |
| Version | rawhide |
| CC | fedora, jesse, ppisar |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| URL | https://jira.mongodb.org/projects/SECURITY/issues/SECURITY-476 |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2017-09-15 07:34:23 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
This is very probably a duplicate of bug #1489355

Yes it is a duplicate of bug #1489355

*** This bug has been marked as a duplicate of bug 1489355 ***
Created attachment 1323017 [details]
./bson-to-json POC2

Description of problem:
There is a heap-based buffer overflow in bson-to-json.c.

Version-Release number of selected component (if applicable):
<= latest

How reproducible:
./bson-to-json POC2

Steps to Reproduce:
The debugging information is as follows:

$ ./bson-to-json POC2
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
Segmentation fault

ASAN debugging information:

$ ./bson-to-json POC2
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
=================================================================
==7328==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b880 at pc 0x7fa38d86f6e7 bp 0x7ffe730e9400 sp 0x7ffe730e93f8
READ of size 1 at 0x61900000b880 thread T0
    #0 0x7fa38d86f6e6 (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0xa96e6)
    #1 0x7fa38d8384bb (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x724bb)
    #2 0x7fa38d81dbe4 (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x57be4)
    #3 0x4dbb76 (/home/icy/secreal/libbson-asan/examples/bson-to-json+0x4dbb76)
    #4 0x7fa38c8d3abf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #5 0x435458 (/home/icy/secreal/libbson-asan/examples/bson-to-json+0x435458)

0x61900000b880 is located 0 bytes to the right of 1024-byte region [0x61900000b480,0x61900000b880)
allocated by thread T0 here:
    #0 0x4bc59b (/home/icy/secreal/libbson-asan/examples/bson-to-json+0x4bc59b)
    #1 0x7fa38d861b2f (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x9bb2f)

Shadow bytes around the buggy address:
  0x0c327fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9710:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7328==ABORTING

GDB debugging information:

(gdb) set args POC2
(gdb) r
...
(gdb) set args fuzz/bson2json_out/crashes/id\:000002\,sig\:11\,src\:000767\,op\:arith8\,pos\:178\,val\:+3
(gdb) r
...
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)

Program received signal SIGSEGV, Segmentation fault.
bson_utf8_validate (utf8=0x61233c "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:131
131	      _bson_utf8_get_sequence (&utf8[i], &seq_length, &first_mask);
(gdb) bt
#0  bson_utf8_validate (utf8=0x61233c "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:131
#1  0x00007ffff7b99646 in bson_iter_visit_all (iter=0x7fffffffdf80, visitor=0x7ffff7dd0020 <bson_as_extended_json_visitors>, data=0x7fffffffe028) at src/bson/bson-iter.c:2069
#2  0x00007ffff7b8b148 in _bson_as_json_visit_all (bson=<optimized out>, length=0x0, visitors=0x7ffff7dd0020 <bson_as_extended_json_visitors>) at src/bson/bson.c:3245
#3  0x0000000000401167 in main (argc=<optimized out>, argv=0x7fffffffe438) at bson-to-json.c:69

Actual results:
crash

Expected results:
crash

Additional info:
Credits:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
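The GDB backtrace in the report shows bson_utf8_validate entered with utf8_len=4294967295 (0xFFFFFFFF), and the ASAN report places the one-byte read exactly at the end of a 1024-byte heap region: a string length taken from the input was not bounded by the buffer that holds it. The program below is an added example written for this page; it is not libbson's code and not the reporter's. It reads one BSON string payload (little-endian int32 length, bytes, trailing 0x00) from an untrusted buffer and rejects the declared length before it is used for anything, in particular before forming "declared - 1", which wraps to 0xFFFFFFFF when the length field is zero. The helper names (read_bson_string, utf8_valid, sample_status) and the sample buffers are constructed for the example and are not taken from the report's POC2 file.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes for this example; not libbson's API. */
typedef enum {
    STR_OK = 0,
    STR_TRUNCATED,     /* fewer than 4 bytes left for the int32 length prefix */
    STR_BAD_LENGTH,    /* declared length is 0 or larger than the bytes remaining */
    STR_NO_TERMINATOR, /* declared payload does not end in 0x00 */
    STR_INVALID_UTF8   /* payload is not well-formed UTF-8 */
} str_status;

/* BSON stores the length prefix as a little-endian int32. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Minimal UTF-8 validator. Every index it touches is below len, so a caller
 * that passes a length already bounded by its buffer cannot read past it. */
static bool utf8_valid(const uint8_t *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t c = s[i];
        size_t n; /* number of continuation bytes expected after c */
        if (c < 0x80) { i++; continue; }
        if ((c & 0xE0) == 0xC0) { if (c < 0xC2) return false; n = 1; } /* no overlongs */
        else if ((c & 0xF0) == 0xE0) n = 2;
        else if ((c & 0xF8) == 0xF0) { if (c > 0xF4) return false; n = 3; } /* > U+10FFFF */
        else return false;
        if (len - i <= n) return false; /* sequence would run past len */
        for (size_t k = 1; k <= n; k++)
            if ((s[i + k] & 0xC0) != 0x80) return false;
        if (n == 2 && c == 0xE0 && s[i + 1] < 0xA0) return false;  /* overlong */
        if (n == 2 && c == 0xED && s[i + 1] >= 0xA0) return false; /* surrogate */
        if (n == 3 && c == 0xF0 && s[i + 1] < 0x90) return false;  /* overlong */
        if (n == 3 && c == 0xF4 && s[i + 1] >= 0x90) return false; /* > U+10FFFF */
        i += n + 1;
    }
    return true;
}

/* Reads the BSON string payload that starts at buf[offset]. The declared
 * length is validated against the buffer before it is used at all: the check
 * is done on the raw uint32, so "declared - 1" (which is 0xFFFFFFFF when the
 * field is 0) is never formed for a rejected input. */
static str_status read_bson_string(const uint8_t *buf, size_t buf_len, size_t offset,
                                   const uint8_t **out, size_t *out_len)
{
    if (offset > buf_len || buf_len - offset < 4)
        return STR_TRUNCATED;
    uint32_t declared = read_le32(buf + offset);   /* counts the trailing NUL */
    size_t remaining = buf_len - offset - 4;
    if (declared == 0 || declared > remaining)
        return STR_BAD_LENGTH;
    const uint8_t *s = buf + offset + 4;
    if (s[declared - 1] != 0x00)
        return STR_NO_TERMINATOR;
    if (!utf8_valid(s, declared - 1))
        return STR_INVALID_UTF8;
    *out = s;
    *out_len = declared - 1;
    return STR_OK;
}

/* Constructed sample payloads (not from the report's POC2 file). */
static const uint8_t s_ok[]      = {0x06,0,0,0,'h','e','l','l','o',0};
static const uint8_t s_zero[]    = {0x00,0,0,0,'x',0};          /* length field 0 */
static const uint8_t s_huge[]    = {0xFF,0xFF,0xFF,0xFF,'a',0}; /* 4294967295 */
static const uint8_t s_noterm[]  = {0x03,0,0,0,'a','b','c'};
static const uint8_t s_badutf8[] = {0x03,0,0,0,0xC0,0xAF,0};    /* overlong '/' */
static const uint8_t s_short[]   = {0x05,0x00};                 /* no full prefix */
static const struct { const uint8_t *buf; size_t len; str_status want; } samples[] = {
    {s_ok, sizeof s_ok, STR_OK},
    {s_zero, sizeof s_zero, STR_BAD_LENGTH},
    {s_huge, sizeof s_huge, STR_BAD_LENGTH},
    {s_noterm, sizeof s_noterm, STR_NO_TERMINATOR},
    {s_badutf8, sizeof s_badutf8, STR_INVALID_UTF8},
    {s_short, sizeof s_short, STR_TRUNCATED},
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Status the reader returns for sample idx. */
str_status sample_status(size_t idx)
{
    const uint8_t *p; size_t n;
    return read_bson_string(samples[idx].buf, samples[idx].len, 0, &p, &n);
}

/* True when every sample is classified as expected. */
bool all_samples_as_expected(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        if (sample_status(i) != samples[i].want) return false;
    return true;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("sample %zu: status %d (expected %d)\n", i, (int)sample_status(i), (int)samples[i].want);
    return all_samples_as_expected() ? 0 : 1;
}
```

The order of the checks is the point: the length is compared against the remaining buffer while it is still the raw value from the input, the terminator is only inspected once the payload is known to fit, and the UTF-8 validator receives a length it can trust, so the validator's own loop bound is enough to keep every read inside the allocation.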