Created attachment 1323012 [details]
Triggered by " ./bson-metrics POC1"

Description of problem:
There is a heap-buffer-overflow in the bson_utf8_validate() function of libbson.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./bson-metrics POC1

Steps to Reproduce:
The debugging information is as follows:

$ ./bson-metrics POC1
Segmentation fault

ASAN debugging information:

$ ./bson-metrics POC1
=================================================================
==61994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b880 at pc 0x7f1da16706b7 bp 0x7ffe5cc1a480 sp 0x7ffe5cc1a478
READ of size 1 at 0x61900000b880 thread T0
    #0 0x7f1da16706b6 (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0xa96b6)
    #1 0x7f1da16394cb (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x724cb)
    #2 0x4dbe3c (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4dbe3c)
    #3 0x7f1da06d4abf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #4 0x435648 (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x435648)

0x61900000b880 is located 0 bytes to the right of 1024-byte region [0x61900000b480,0x61900000b880)
allocated by thread T0 here:
    #0 0x4bc78b (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4bc78b)
    #1 0x7f1da1662aff (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x9baff)

Shadow bytes around the buggy address:
  0x0c327fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9710:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==61994==ABORTING

GDB debugging information:

(gdb) set args POC1
(gdb) r
...
Breakpoint 7, bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:143
143	      if ((utf8_len - i) < seq_length) {
(gdb) c 1007
Will ignore next 1006 crossings of breakpoint 7.  Continuing.

Breakpoint 7, bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:143
143	      if ((utf8_len - i) < seq_length) {
(gdb) i b
Num     Type           Disp Enb Address            What
7       breakpoint     keep y   0x00007ffff7b7e310 in bson_utf8_validate at src/bson/bson-utf8.c:143
	breakpoint already hit 1008 times
(gdb) n
151	      c = utf8[i] & first_mask;
(gdb)
156	      for (j = i + 1; j < (i + seq_length); j++) {
(gdb)
182	      if (c > 0x0010FFFF) {
(gdb)
197	      switch (seq_length) {
(gdb)
199	         if (c <= 0x007F) {
(gdb)
130	   for (i = 0; i < utf8_len; i += seq_length) {
(gdb) n
=================================================================
==100494==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b880 at pc 0x7ffff7b7e6b7 bp 0x7fffffffd800 sp 0x7fffffffd7f8
READ of size 1 at 0x61900000b880 thread T0
    #0 0x7ffff7b7e6b6 (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0xa96b6)
    #1 0x7ffff7b474cb (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x724cb)
    #2 0x4dbe3c (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4dbe3c)
    #3 0x7ffff6be2abf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #4 0x435648 (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x435648)

0x61900000b880 is located 0 bytes to the right of 1024-byte region [0x61900000b480,0x61900000b880)
allocated by thread T0 here:
    #0 0x4bc78b (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4bc78b)
    #1 0x7ffff7b70aff (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x9baff)

Shadow bytes around the buggy address:
  0x0c327fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9710:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==100494==ABORTING
[Inferior 1 (process 100494) exited with code 01]
(gdb) bt
#0  bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:143
#1  0x00007ffff7b474cc in bson_iter_visit_all (iter=<optimized out>, visitor=<optimized out>, data=<optimized out>) at src/bson/bson-iter.c:2069
#2  0x00000000004dbe3d in bson_metrics (data=<optimized out>, bson=<optimized out>, length=<optimized out>) at bson-metrics.c:208
#3  main (argc=<optimized out>, argv=<optimized out>) at bson-metrics.c:257

This vulnerability was triggered in function bson_utf8_validate() at line src/bson/bson-utf8.c:130:

130	   for (i = 0; i < utf8_len; i += seq_length) {
131	      _bson_utf8_get_sequence (&utf8[i], &seq_length, &first_mask);
132	
133	      /*
134	       * Ensure we have a valid multi-byte sequence length.
135	       */
136	      if (!seq_length) {
137	         return false;
138	      }
139	
140	      /*
141	       * Ensure we have enough bytes left.
142	       */
143	      if ((utf8_len - i) < seq_length) {
144	         return false;
145	      }
146	...

Actual results:
crash

Expected results:
crash

Additional info:
Credits:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
Thank you for your report. It looks like this issue is not specific to Fedora build and you should report your security findings directly to libbson authors <https://docs.mongodb.com/manual/tutorial/create-a-vulnerability-report/> because the root problem is there.
The problem is not in bson_utf8_validate(). The problem is that bson_iter_codewscope() computes the string length as 4294967295 and passes this wrong value to bson_utf8_validate() as the second utf8_len argument.
Created attachment 1323092 [details]
POC1 file input for examples/bson-metrics.c program

The reproducer runs examples/bson-metrics.c on this attached POC1 file with this content:

$ hexdump -C POC1
00000000  15 00 00 00 0f 00 0e 00  00 00 00 00 00 00 06 00  |................|
00000010  00 00 00 00 00 00 03 e8  88 88 00 00              |............|
0000001c
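The root cause stated above (a string length of 4294967295 handed to bson_utf8_validate()) and the POC1 bytes, as an added worked example that is not libbson's code and not the upstream fix: a minimal reader for a top-level code_w_scope element that reproduces the naive `code_len - 1` arithmetic beside a bounds-checked version. The element layout is read off the hexdump: document length 0x15, type 0x0f (code_w_scope), empty key, element length 14, code-string length 0, scope-document length 6. With code_len == 0 there is no NUL to subtract, and the unsigned `code_len - 1` wraps to 4294967295, the exact utf8_len in the gdb output. The `good_doc` bytes are a constructed well-formed counterpart; the struct and function names are assumptions for illustration, not libbson's API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BSON_TYPE_CODEWSCOPE 0x0f

/* Constructed input: the bytes of the POC1 attachment as printed by the
 * hexdump in this bug. Only the first 0x15 (21) bytes belong to the declared
 * document; a correct reader never touches the trailing 7 bytes. */
static const uint8_t poc1[] = {
   0x15, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0xe8,
   0x88, 0x88, 0x00, 0x00};

/* Constructed well-formed counterpart: {"": code_w_scope("x", {})}.
 * Element length 15 = 4 (total) + 4 (code_len) + 2 ("x\0") + 5 (empty scope). */
static const uint8_t good_doc[] = {
   0x16, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x02, 0x00,
   0x00, 0x00, 0x78, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00};

static uint32_t read_le32 (const uint8_t *p)
{
   return (uint32_t) p[0] | ((uint32_t) p[1] << 8) | ((uint32_t) p[2] << 16) |
          ((uint32_t) p[3] << 24);
}

/* Walk the document header to the body of its first element, which must be a
 * code_w_scope. Returns the body pointer and the bytes available to it
 * (everything up to, not including, the document's terminating NUL). */
static const uint8_t *
locate_codewscope_body (const uint8_t *doc, size_t doc_size, size_t *avail)
{
   if (doc_size < 5) return NULL;
   uint32_t doc_len = read_le32 (doc);
   if (doc_len < 5 || doc_len > doc_size || doc[doc_len - 1] != 0) return NULL;
   if (doc_len < 7 || doc[4] != BSON_TYPE_CODEWSCOPE) return NULL;
   /* the key is a NUL-terminated cstring starting at offset 5 */
   const uint8_t *key_end = memchr (doc + 5, 0, doc_len - 1 - 5);
   if (!key_end) return NULL;
   const uint8_t *body = key_end + 1;
   *avail = (size_t) (doc + doc_len - 1 - body);
   return body;
}

/* Naive length derivation, mirroring the arithmetic described in the bug: the
 * UTF-8 validator is handed code_len - 1 as an unsigned value, so a declared
 * code_len of 0 wraps to 4294967295 and the validator walks off the buffer. */
static uint32_t naive_code_utf8_len (const uint8_t *body)
{
   uint32_t code_len = read_le32 (body + 4); /* declared length incl. NUL */
   return code_len - 1;                      /* no check for code_len == 0 */
}

struct codewscope {
   uint32_t code_len;   /* declared length of the code string incl. NUL */
   const uint8_t *code;
   uint32_t scope_len;  /* declared length of the embedded scope document */
   const uint8_t *scope;
};

/* Hardened reading: every declared length is checked against the bytes that
 * are actually present before it feeds any arithmetic or pointer. */
static bool
parse_codewscope (const uint8_t *body, size_t avail, struct codewscope *out)
{
   if (avail < 8) return false;
   uint32_t total_len = read_le32 (body);
   uint32_t code_len = read_le32 (body + 4);
   /* smallest element: two lengths, a "\0" code string, an empty scope doc */
   if (total_len < 14 || total_len > avail) return false;
   /* code string needs at least its NUL and must leave room for a 5-byte scope */
   if (code_len < 1 || code_len > total_len - 13) return false;
   const uint8_t *code = body + 8;
   if (code[code_len - 1] != 0) return false;
   const uint8_t *scope = code + code_len;
   uint32_t scope_len = read_le32 (scope);
   if (scope_len < 5 || (uint64_t) 8 + code_len + scope_len != total_len) return false;
   if (scope[scope_len - 1] != 0) return false;
   out->code_len = code_len;
   out->code = code;
   out->scope_len = scope_len;
   out->scope = scope;
   return true;
}

/* Results over the constructed inputs, usable from a stand-alone run or a test. */
uint32_t poc1_naive_utf8_len (void)
{
   size_t avail;
   const uint8_t *body = locate_codewscope_body (poc1, sizeof poc1, &avail);
   return body ? naive_code_utf8_len (body) : 0;
}

bool hardened_accepts (const uint8_t *doc, size_t doc_size, struct codewscope *out)
{
   size_t avail;
   const uint8_t *body = locate_codewscope_body (doc, doc_size, &avail);
   return body && parse_codewscope (body, avail, out);
}

bool poc1_hardened_accepts (void) { struct codewscope c; return hardened_accepts (poc1, sizeof poc1, &c); }
bool good_hardened_accepts (void) { struct codewscope c; return hardened_accepts (good_doc, sizeof good_doc, &c); }
uint32_t good_code_len (void) { struct codewscope c; return hardened_accepts (good_doc, sizeof good_doc, &c) ? c.code_len : 0; }

int main (void)
{
   printf ("POC1 naive utf8_len = %u\n", poc1_naive_utf8_len ());
   printf ("POC1 hardened accepts = %d\n", poc1_hardened_accepts ());
   printf ("good hardened accepts = %d (code_len %u)\n", good_hardened_accepts (), good_code_len ());
   return 0;
}
```

The two guards the naive path lacks are the ones that matter: the code string's declared length must be at least 1 (its NUL), and the three lengths (element, code, scope) must add up and fit inside the bytes the enclosing document actually provides. Either check alone stops POC1; together they also reject a code_len that is non-zero but points past the end of the element.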
I can reproduce it with current upstream git code 1.7.0-rc0-24-g3dd28b6.
And also with developmental 1.8.0-rc0 code.
I forwarded it to <https://jira.mongodb.org/projects/SECURITY/issues/SECURITY-476>.
Bugfix in progress, here's a public description: https://jira.mongodb.org/browse/CDRIVER-2269 libbson crashes while iterating over a valid (but strange) BSON input. We'll release the fix next week.
*** Bug 1489356 has been marked as a duplicate of this bug. ***
*** Bug 1489362 has been marked as a duplicate of this bug. ***
libbson-1.8.0-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1953158d1f
All Fedoras are affected. This is not reproducible with the reporter's sample but it's reproducible with the new tests added together with the fix. I will port it back.
libbson-1.6.3-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a4cf96bcca
libbson-1.3.5-4.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7edc2ea787
libbson-1.8.0-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-1953158d1f
libbson-1.6.3-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a4cf96bcca
libbson-1.3.5-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7edc2ea787
libbson-1.6.3-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
libbson-1.3.5-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
libbson-1.8.0-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.