Bug 1489355 - There is a heap-buffer-overflow in bson_utf8_validate() function of libbson.
Summary: There is a heap-buffer-overflow in bson_utf8_validate() function of libbson.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libbson
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Petr Pisar
QA Contact: Fedora Extras Quality Assurance
URL: https://jira.mongodb.org/projects/SEC...
Whiteboard:
Keywords:
: 1489356 1489362 (view as bug list)
Depends On:
Blocks: CVE-2017-14227
TreeView+ depends on / blocked
 
Reported: 2017-09-07 09:21 UTC by owl337
Modified: 2018-01-04 09:14 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2018-01-04 09:14:20 UTC


Attachments (Terms of Use)
Triggered by " ./bson-metrics POC1" (95 bytes, application/x-rar)
2017-09-07 09:21 UTC, owl337
no flags Details
POC1 file input for examples/bson-metrics.c program (28 bytes, application/octet-stream)
2017-09-07 12:58 UTC, Petr Pisar
no flags Details

Description owl337 2017-09-07 09:21:17 UTC
Created attachment 1323012 [details]
Triggered by  " ./bson-metrics POC1"

Description of problem:

There is a heap-buffer-overflow in bson_utf8_validate() function of libbson. 

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./bson-metrics POC1

Steps to Reproduce:

The debugging information is as follows:

$ ./bson-metrics POC1

Segmentation fault

ASAN debugging information:

$ ./bson-metrics POC1
=================================================================
==61994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b880 at pc 0x7f1da16706b7 bp 0x7ffe5cc1a480 sp 0x7ffe5cc1a478
READ of size 1 at 0x61900000b880 thread T0
    #0 0x7f1da16706b6  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0xa96b6)
    #1 0x7f1da16394cb  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x724cb)
    #2 0x4dbe3c  (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4dbe3c)
    #3 0x7f1da06d4abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #4 0x435648  (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x435648)

0x61900000b880 is located 0 bytes to the right of 1024-byte region [0x61900000b480,0x61900000b880)
allocated by thread T0 here:
    #0 0x4bc78b  (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4bc78b)
    #1 0x7f1da1662aff  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x9baff)

Shadow bytes around the buggy address:
  0x0c327fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9710:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==61994==ABORTING

GDB debugging information:

(gdb) set args POC1
(gdb) r
...

Breakpoint 7, bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>)
    at src/bson/bson-utf8.c:143
143	      if ((utf8_len - i) < seq_length) {
(gdb) c 1007 
Will ignore next 1006 crossings of breakpoint 7.  Continuing.

Breakpoint 7, bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>)
    at src/bson/bson-utf8.c:143
143	      if ((utf8_len - i) < seq_length) {
(gdb) i b
Num     Type           Disp Enb Address            What
7       breakpoint     keep y   0x00007ffff7b7e310 in bson_utf8_validate at src/bson/bson-utf8.c:143
	breakpoint already hit 1008 times
(gdb) n
151	      c = utf8[i] & first_mask;
(gdb) 
156	      for (j = i + 1; j < (i + seq_length); j++) {
(gdb) 
182	      if (c > 0x0010FFFF) {
(gdb) 
197	      switch (seq_length) {
(gdb) 
199	         if (c <= 0x007F) {
(gdb) 
130	   for (i = 0; i < utf8_len; i += seq_length) {
(gdb) n
=================================================================
==100494==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b880 at pc 0x7ffff7b7e6b7 bp 0x7fffffffd800 sp 0x7fffffffd7f8
READ of size 1 at 0x61900000b880 thread T0
    #0 0x7ffff7b7e6b6  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0xa96b6)
    #1 0x7ffff7b474cb  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x724cb)
    #2 0x4dbe3c  (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4dbe3c)
    #3 0x7ffff6be2abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #4 0x435648  (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x435648)

0x61900000b880 is located 0 bytes to the right of 1024-byte region [0x61900000b480,0x61900000b880)
allocated by thread T0 here:
    #0 0x4bc78b  (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4bc78b)
    #1 0x7ffff7b70aff  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x9baff)

Shadow bytes around the buggy address:
  0x0c327fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9710:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==100494==ABORTING
[Inferior 1 (process 100494) exited with code 01]

(gdb) bt 
#0  bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>)
    at src/bson/bson-utf8.c:143
#1  0x00007ffff7b474cc in bson_iter_visit_all (iter=<optimized out>, visitor=<optimized out>, data=<optimized out>)
    at src/bson/bson-iter.c:2069
#2  0x00000000004dbe3d in bson_metrics (data=<optimized out>, bson=<optimized out>, length=<optimized out>)
    at bson-metrics.c:208
#3  main (argc=<optimized out>, argv=<optimized out>) at bson-metrics.c:257


This vulnerability was triggered in function bson_utf8_validate() at line src/bson/bson-utf8.c:130:

130	   for (i = 0; i < utf8_len; i += seq_length) {
131	      _bson_utf8_get_sequence (&utf8[i], &seq_length, &first_mask);
132	
133	      /*
134	       * Ensure we have a valid multi-byte sequence length.
135	       */
136	      if (!seq_length) {
137	         return false;
138	      }
139	
140	      /*
141	       * Ensure we have enough bytes left.
142	       */
143	      if ((utf8_len - i) < seq_length) {
144	         return false;
145	      }
146	
...


Actual results:

crash

Expected results:

crash

Additional info:


Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Comment 1 Petr Pisar 2017-09-07 10:35:03 UTC
Thank you for your report. It looks like this issue is not specific to Fedora build and you should report your security findings directly to libbson authors <https://docs.mongodb.com/manual/tutorial/create-a-vulnerability-report/> because the root problem is there.

Comment 2 Petr Pisar 2017-09-07 12:51:11 UTC
The problem is not in bson_utf8_validate(). The problem is that somebson_iter_codewscope() computes the string length as 4294967295 passes this wrong value to bson_utf8_validate() as the second utf8_len argument.

Comment 3 Petr Pisar 2017-09-07 12:58 UTC
Created attachment 1323092 [details]
POC1 file input for examples/bson-metrics.c program

The reproducer runs examples/bson-metrics.c on this attached POC1 file with this content:

$ hexdump -C POC1 
00000000  15 00 00 00 0f 00 0e 00  00 00 00 00 00 00 06 00  |................|
00000010  00 00 00 00 00 00 03 e8  88 88 00 00              |............|
0000001c

Comment 4 Petr Pisar 2017-09-07 13:09:42 UTC
I can reproduce it with current upstream git code 1.7.0-rc0-24-g3dd28b6.

Comment 5 Petr Pisar 2017-09-07 13:11:41 UTC
And also with developmental 1.8.0-rc0 code.

Comment 6 Petr Pisar 2017-09-07 13:22:48 UTC
I forwarded it to <https://jira.mongodb.org/projects/SECURITY/issues/SECURITY-476>.

Comment 7 A. Jesse Jiryu Davis 2017-09-09 14:21:18 UTC
Bugfix in progress, here's a public description:

https://jira.mongodb.org/browse/CDRIVER-2269

libbson crashes while iterating over a valid (but strange) BSON input. We'll release the fix next week.

Comment 8 Petr Pisar 2017-09-11 08:01:07 UTC
*** Bug 1489356 has been marked as a duplicate of this bug. ***

Comment 9 Petr Pisar 2017-09-15 07:34:23 UTC
*** Bug 1489362 has been marked as a duplicate of this bug. ***

Comment 10 Fedora Update System 2017-09-15 09:14:22 UTC
libbson-1.8.0-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1953158d1f

Comment 11 Petr Pisar 2017-09-15 09:44:30 UTC
All Fedoras are affected. This is not reproducible with the reporter's sample but it's reproducible with the new tests added together with the fix. I will port it back.

Comment 12 Fedora Update System 2017-09-15 11:48:49 UTC
libbson-1.6.3-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a4cf96bcca

Comment 13 Fedora Update System 2017-09-15 12:41:42 UTC
libbson-1.3.5-4.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7edc2ea787

Comment 14 Fedora Update System 2017-09-15 16:53:22 UTC
libbson-1.8.0-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-1953158d1f

Comment 15 Fedora Update System 2017-09-16 04:25:31 UTC
libbson-1.6.3-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a4cf96bcca

Comment 16 Fedora Update System 2017-09-16 05:31:14 UTC
libbson-1.3.5-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7edc2ea787

Comment 17 Fedora Update System 2017-09-26 23:54:38 UTC
libbson-1.6.3-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2017-09-27 05:27:25 UTC
libbson-1.3.5-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2017-09-30 06:31:17 UTC
libbson-1.8.0-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.