Bug 2044864 (CVE-2021-45927)

Summary: CVE-2021-45927 mdbtools: a stack-based buffer overflow in mdb_numeric_to_string
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: hdegoede, lkundrak, moez.roy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-01-25 11:30:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2044865, 2044866, 2044868    
Bug Blocks:    

Description Marian Rehak 2022-01-25 10:31:56 UTC 
MDB Tools (aka mdbtools) 0.9.2 has a stack-based buffer overflow (at 0x7ffd6e029ee0) in mdb_numeric_to_string (called from mdb_xfer_bound_data and _mdb_attempt_bind).

Reference:

https://github.com/mdbtools/mdbtools/commit/373b7ff4c4daf887269c078407cb1338942c4ea6
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mdbtools/OSV-2021-1003.yaml
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36187
Comment 1 Marian Rehak 2022-01-25 10:32:31 UTC 
Created mdbtools tracking bugs for this issue:

Affects: epel-7 [bug 2044868]
Affects: fedora-34 [bug 2044865]
Affects: fedora-35 [bug 2044866]
Comment 2 Product Security DevOps Team 2022-01-25 11:30:47 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Comment 3 Hans de Goede 2022-01-25 13:46:28 UTC 
This is somewhat weird the original oss-fuzz report:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36187

Links to 2 configs, one where it hit the bug and one where it was fixed:

https://oss-fuzz.com/revisions?job=afl_asan_mdbtools&range=202107120613:202107140601
https://oss-fuzz.com/revisions?job=afl_asan_mdbtools&range=202107140601:202107150603

What is weird here is both point to the same mdbtools commit (the 0.9.3 release) and to the same mdbtools-data commit, the only difference between the issue being detected and it being reported fixed is the Aflplusplus commit.

Also upstream is using oss-fuzz in mdbtools CI and there are no issues being reported there.

Still I tried to reproduce downloading the clusterfuzz-testcase-minimized-fuzz_mdb-4756071066501120 file from the oss-fuzz report, replacing test/data/nwind.mdb with it and then running ./test_script.sh . This does hit a crash with a NULL pointer deref with both 0.9.3 and 1.0.0 build with CFLAGS="-g -O1 -fsanitize=address", but the original report of a "Dynamic-stack-buffer-overflow WRITE 16" issue does not reproduce.

So all in all this feels like some weird false-positive from oss-fuzz and I think this bug-report can be closed. Please advice how to continue.

I've created a fix for the NULL pointer deref (with the clusterfuzz-testcase-minimized-... file) and I will submit a pull-req for the fix for that upstream.
Comment 4 Hans de Goede 2022-01-25 14:09:10 UTC 
I just noticed that there is a second report for what seems to be more or less the same mysterious issue:

    https://bugzilla.redhat.com/show_bug.cgi?id=2044905
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35972
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45926

The clusterfuzz-testcase-minimized-fuzz_mdb-6321096314978304 attached there gives a whole bunch of mdbtools errors when running ./test_script.sh, but no crashes / sanitizer reports.