Bug 1765272 (CVE-2019-18218)

Summary: CVE-2019-18218 file: heap-based buffer overflow in cdf_read_property_info in cdf.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: hhorak, jkaluza, jorton, kdudka, odubaj, rcollet, scorneli, svashisht, webstack-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1765273, 1773624
Bug Blocks: 1765274

Description Guilherme de Almeida Suckevicz 2019-10-24 17:36:03 UTC
cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).

Reference:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780

Upstream patch:
https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84

Comment 1 Guilherme de Almeida Suckevicz 2019-10-24 17:36:16 UTC
Created file tracking bugs for this issue:

Affects: fedora-all [bug 1765273]

Comment 2 Stefan Cornelius 2019-11-18 13:21:21 UTC
A git bisect shows that this was introduced by https://github.com/file/file/commit/393555f2f3a6ba16cdedf6d65ac373700afdd769

Comment 3 Stefan Cornelius 2019-11-18 14:36:05 UTC
The root issue is an integer overflow in the cdf_grow_info() function:
"size_t newcount = *maxcount + incr;" can wrap around, causing newcount to be lower than it should be. Thus, the "if (newcount > CDF_PROP_LIMIT)" check can be bypassed. I believe this limits this issue to 32-bit architectures; on 64-bit systems the size of newcount should be large enough to handle all results (input read from the file is limited to 32-bit).

cdf_grow_info(cdf_property_info_t **info, size_t *maxcount, size_t incr)
{
	cdf_property_info_t *inp;
	size_t newcount = *maxcount + incr;

	if (newcount > CDF_PROP_LIMIT) {
		DPRINTF(("exceeded property limit %zu > %zu\n",
		    newcount, CDF_PROP_LIMIT));
		goto out;
	}
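The wrap described in the comment above, reduced to a self-contained C example. This is added illustration, not code from the file project, from the upstream patch, or from the commenter: DEMO_PROP_LIMIT is a constructed placeholder for the real CDF_PROP_LIMIT, and a uint32_t count stands in for size_t on a 32-bit build so the wrap reproduces on any host. The unsafe check mirrors the add-then-compare order quoted above; the hardened check is one generic overflow-safe form (test for wrap before adding), not a claim about what the upstream commit does.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed placeholder for CDF_PROP_LIMIT; the real value is in cdf.c. */
#define DEMO_PROP_LIMIT 1024u

/* 32-bit stand-in for size_t on a 32-bit build, so the wrap that the
 * comment attributes to 32-bit architectures reproduces on a 64-bit host. */
typedef uint32_t count_t;

/* Mirrors the unpatched order of operations: add first, compare after.
 * Returns true when the growth would be accepted. A wrapped sum can land
 * below the limit and be accepted even though the true sum is enormous. */
bool grow_check_unsafe(count_t maxcount, count_t incr)
{
    count_t newcount = maxcount + incr;   /* unsigned wrap modulo 2^32 */
    return newcount <= DEMO_PROP_LIMIT;
}

/* Hardened form (illustrative): detect the wrap without performing it.
 * a + b overflows an unsigned type exactly when b > MAX - a, so the limit
 * comparison is only ever made on the true sum. On success the new count
 * is written to *newcount_out. */
bool grow_check_safe(count_t maxcount, count_t incr, count_t *newcount_out)
{
    if (incr > UINT32_MAX - maxcount)
        return false;                     /* would wrap: reject */
    count_t newcount = maxcount + incr;
    if (newcount > DEMO_PROP_LIMIT)
        return false;                     /* genuinely over the limit */
    *newcount_out = newcount;
    return true;
}

/* Stand-alone demonstration: an attacker-controlled element count that
 * pushes the sum just past 2^32 slips past the unsafe check. */
int main(void)
{
    count_t have = 16u;
    count_t incr = 0xFFFFFFF0u;           /* 16 + incr == 2^32, wraps to 0 */
    count_t out = 0;

    printf("unsafe check accepts: %s\n",
           grow_check_unsafe(have, incr) ? "yes (bug)" : "no");
    printf("safe check accepts:   %s\n",
           grow_check_safe(have, incr, &out) ? "yes" : "no (rejected)");
    return 0;
}
```

The hardened check rejects the wrap case and otherwise behaves identically to the original, so it is a drop-in replacement for the comparison; the same idiom applies wherever a count read from untrusted input is added to an existing allocation size.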

Comment 4 Stefan Cornelius 2019-11-18 15:07:02 UTC
Statement:

This issue affects file as shipped with Red Hat Enterprise Linux 8. However, this flaw is only exploitable if the 32-bit version is used, for example when an application uses the 32-bit version of libmagic.so.