Bug 2255399 (CVE-2023-4234, ZDI-CAN-21015)
| Summary: | CVE-2023-4234 ofono: SMS Decoder Stack-based Buffer Overflow Remote Code Execution Vulnerability within the decode_submit_report() function | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sandipan Roy <saroy> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ofono 2.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in ofono, an open-source telephony stack for Linux. A stack-based buffer overflow is triggered within the decode_submit_report() function during SMS decoding. The attack scenario is assumed to be reachable from a compromised modem, a malicious base station, or simply an SMS. decode_submit() bounds-checks the length of this memcpy, but the check was omitted in decode_submit_report(). | | |
| Story Points: | --- | | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2255400 | ||
| Bug Blocks: | 2208145 | ||
Created ofono tracking bugs for this issue: Affects: fedora-all [bug 2255400]
ofono is an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_submit_report() function during SMS decoding. Here it is assumed that the attack scenario is accessible from a compromised modem, or possibly accessible from a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but they forgot it in decode_submit_report(). This is a variant of ZDI-CAN-20971.

Partial code path is here:
- at_cmt_notify()
- ofono_sms_deliver_notify()
- sms_decode()
- decode_submit_report()

```c
static gboolean decode_submit_report(const unsigned char *pdu, int len,
					struct sms *out)
{
	...
	if (pi & 0x04) {
		int expected;

		if (!next_octet(pdu, len, &offset, &udl))
			return FALSE;

		expected = sms_udl_in_bytes(udl, dcs);

		if ((len - offset) < expected)
			return FALSE;

		if (out->type == SMS_TYPE_SUBMIT_REPORT_ERROR) {
			out->submit_err_report.udl = udl;
			memcpy(out->submit_err_report.ud, pdu + offset, expected); // overflow here, expected is from SMS PDU
		} else {
			out->submit_ack_report.udl = udl;
			memcpy(out->submit_ack_report.ud, pdu + offset, expected);
		}
	}

	return TRUE;
}
```

ASAN report

```
=================================================================
==118728==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd6df4c7bc at pc 0x7ff353a49846 bp 0x7ffd6df4c470 sp 0x7ffd6df4bc18
WRITE of size 240 at 0x7ffd6df4c7bc thread T0
    #0 0x7ff353a49845 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x5612928c6d77 in decode_submit_report src/smsutil.c:946
    #2 0x5612928cb479 in sms_decode src/smsutil.c:1569
    #3 0x56129286708d in main src/main.c:225
    #4 0x7ff35362350f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #5 0x7ff3536235c8 in __libc_start_main_impl ../csu/libc-start.c:381
    #6 0x561292606274 in _start (/root/ofono/src/ofonod+0x12b274)

Address 0x7ffd6df4c7bc is located in stack of thread T0 at offset 316 in frame
    #0 0x561292866edd in main src/main.c:205

  This frame has 1 object(s):
    [48, 316) 'sms1' (line 212) <== Memory access at offset 316 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x10002dbe18a0: 01 f2 01 f2 04 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10002dbe18b0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3
  0x10002dbe18c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dbe18d0: f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00
  0x10002dbe18e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10002dbe18f0: 00 00 00 00 00 00 00[04]f3 f3 f3 f3 f3 f3 f3 f3
  0x10002dbe1900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dbe1910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dbe1920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dbe1930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dbe1940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==118728==ABORTING
```
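As an added example (not ofono's code): a minimal model of the user-data copy this report is about, carrying both the truncation check decode_submit_report() already had and the destination-size check it lacked. It assumes a 140-byte ud buffer as in ofono's struct sms and a simplified sms_udl_in_bytes() that treats DCS alphabet bits 0x0C == 0x00 as GSM 7-bit; copy_user_data and decode_constructed are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SMS_UD_MAX 140	/* assumed: ofono's ud[140] in struct sms */

struct submit_report {
	uint8_t udl;
	uint8_t ud[SMS_UD_MAX];
};

/* Simplified sms_udl_in_bytes(): UDL counts septets for GSM 7-bit
 * (DCS bits 0x0C == 0x00), octets for 8-bit and UCS-2. */
static int udl_in_bytes(int udl, uint8_t dcs)
{
	if ((dcs & 0x0C) == 0x00)
		return (udl * 7 + 7) / 8;
	return udl;
}

/* Hardened copy (hypothetical helper): the truncation check alone does not
 * bound the write, since 'expected' derives from the PDU's UDL octet. */
static bool copy_user_data(const uint8_t *pdu, int len, int offset,
			   uint8_t dcs, struct submit_report *out)
{
	int udl, expected;
	if (offset >= len)
		return false;
	udl = pdu[offset++];
	expected = udl_in_bytes(udl, dcs);
	if ((len - offset) < expected)		/* check the original has */
		return false;
	if (expected > (int) sizeof(out->ud))	/* check the original lacks */
		return false;
	out->udl = (uint8_t) udl;
	memcpy(out->ud, pdu + offset, (size_t) expected);
	return true;
}

/* Constructed [UDL][UD...] fragment holding exactly the declared bytes, decoded. */
static bool decode_constructed(int udl, uint8_t dcs)
{
	uint8_t pdu[1 + 255];
	struct submit_report out;
	int n = udl_in_bytes(udl, dcs);
	pdu[0] = (uint8_t) udl;
	memset(pdu + 1, 0x41, (size_t) n);	/* filler payload */
	return copy_user_data(pdu, 1 + n, 0, dcs, &out);
}
```

With only the truncation check, a well-formed fragment declaring UDL 0xF0 under an 8-bit DCS passes and copies 240 bytes into the 140-byte buffer, consistent with the 240-byte write in the ASAN report above; the size check rejects it before the memcpy.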