Bug 1765272 (CVE-2019-18218)
| Field | Value |
|---|---|
| Summary | CVE-2019-18218 file: heap-based buffer overflow in cdf_read_property_info in cdf.c |
| Product | [Other] Security Response |
| Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | hhorak, jkaluza, jorton, kdudka, kvolny, odubaj, rcollet, scorneli, svashisht |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Flags | kdudka: needinfo- |
| Hardware | All |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2021-10-25 22:13:01 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1765273, 1773624 |
| Bug Blocks | 1765274 |
Description
Guilherme de Almeida Suckevicz
2019-10-24 17:36:03 UTC
Created file tracking bugs for this issue:

Affects: fedora-all [bug 1765273]

A git bisect shows that this was introduced by https://github.com/file/file/commit/393555f2f3a6ba16cdedf6d65ac373700afdd769

The root issue is an integer overflow in the cdf_grow_info() function: "size_t newcount = *maxcount + incr;" can wrap around, causing newcount to be lower than it should be. Thus, the "if (newcount > CDF_PROP_LIMIT)" check can be bypassed. I believe this limits this issue to 32bit architectures; on 64bit systems the size of newcount should be large enough to handle all results (input read from the file is limited to 32bit).

```c
cdf_grow_info(cdf_property_info_t **info, size_t *maxcount, size_t incr)
{
	cdf_property_info_t *inp;
	size_t newcount = *maxcount + incr;	/* can wrap on a 32-bit size_t */

	if (newcount > CDF_PROP_LIMIT) {
		DPRINTF(("exceeded property limit %zu > %zu\n",
		    newcount, CDF_PROP_LIMIT));
		goto out;
	}
```

Statement: This issue affects file as shipped with Red Hat Enterprise Linux 8. However, this flaw is only exploitable if the 32bit version is used, for example when an application uses the 32bit version of libmagic.so.

Please, is there any simpler reproducer that doesn't involve oss-fuzz?

One can simply download the sample file and run the `file` utility locally on it:

```shell
$ curl -JLO 'https://oss-fuzz.com/download?testcase_id=5743444592427008'
```

The main obstacle is that the bug reproduces on 32bit arches only (see comment #3). The following works reliably for me on an x86_64 VM:

```shell
$ sudo yum install file-libs.i686 valgrind.i686
$ rpm2cpio http://download.eng.bos.redhat.com/brewroot/vol/rhel-8/packages/file/5.33/16.el8/i686/file-5.33-16.el8.i686.rpm | cpio -div
$ valgrind ./usr/bin/file clusterfuzz-testcase-minimized-magic_fuzzer-5743444592427008
```

valgrind output is clean with file-libs-5.33-18.el8.i686 while there are invalid writes with file-libs-5.33-16.el8.i686. The old version crashes without valgrind, too, in my testing environment.
(In reply to Kamil Dudka from comment #7)
> One can simply download the sample file and run the `file` utility locally on it:

I have tried, but ...

> The main obstacle is that the bug reproduces on 32bit arches only (see
> comment #3).

Looks like forcing 32bit is the important part I have missed, thanks.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:4374 https://access.redhat.com/errata/RHSA-2021:4374
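The following is an added example, not code from the file project or from anyone on this bug, that models the arithmetic behind the root-cause analysis above: the `*maxcount + incr` sum wraps when `size_t` is 32 bits wide, so a wrapped `newcount` slips under the `CDF_PROP_LIMIT` check, while the same sum on a 64-bit `size_t` cannot wrap because `incr` comes from a 32-bit field in the file. `DEMO_PROP_LIMIT`, the sample `maxcount`/`incr` values, and the `limit_check_*` helpers are all constructed for the demo; the real limit value and the upstream fix are not quoted on this page. The hardened variant shows one overflow-safe form of the check (testing for the wrap before adding), presented as an illustration rather than as the project's own patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for CDF_PROP_LIMIT from cdf.h; the real value is not
 * quoted in this bug, so this is a demo constant, not the project's own. */
#define DEMO_PROP_LIMIT ((uint64_t)1 << 20)

/* The sum exactly as a 32-bit size_t computes it: wraps modulo 2^32. */
uint32_t newcount32(uint32_t maxcount, uint32_t incr)
{
    return maxcount + incr;
}

/* The original check as evaluated on a 32-bit build: it compares the
 * possibly-wrapped sum against the limit. Returns true if growth is allowed. */
bool limit_check_unchecked32(uint32_t maxcount, uint32_t incr)
{
    return newcount32(maxcount, incr) <= DEMO_PROP_LIMIT;
}

/* The same check on a 64-bit size_t: incr is at most a 32-bit value read from
 * the file, so the 64-bit sum cannot wrap and the limit is enforced. */
bool limit_check_unchecked64(uint64_t maxcount, uint32_t incr)
{
    return maxcount + incr <= DEMO_PROP_LIMIT;
}

/* Hardened form (illustrative, not the upstream patch): reject before the
 * addition can wrap, so the verdict is correct for any width of size_t. */
bool limit_check_safe32(uint32_t maxcount, uint32_t incr)
{
    uint32_t limit = (uint32_t)DEMO_PROP_LIMIT;
    if (incr > limit || maxcount > limit - incr)
        return false;            /* would exceed the limit (or wrap) */
    return true;
}

int main(void)
{
    uint32_t maxcount = 32;          /* constructed: small existing array */
    uint32_t incr = 0xFFFFFFF0u;     /* constructed: huge count from the file */

    printf("32-bit wrapped newcount:            %u\n", newcount32(maxcount, incr));
    printf("unchecked 32-bit allows growth:     %s\n",
           limit_check_unchecked32(maxcount, incr) ? "yes" : "no");
    printf("unchecked 64-bit allows growth:     %s\n",
           limit_check_unchecked64(maxcount, incr) ? "yes" : "no");
    printf("overflow-safe 32-bit allows growth: %s\n",
           limit_check_safe32(maxcount, incr) ? "yes" : "no");
    return 0;
}
```

With the constructed inputs, the 32-bit sum wraps to 16, so the unchecked comparison lets the growth proceed and a later write of `incr` entries would run past the allocation; the 64-bit comparison and the overflow-safe 32-bit check both refuse it. Building the same program with `-m32` is the closest analogue to the i686 reproduction described in comment #7.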