Bug 1489356 - There is a heap-buffer-overflow in the bson_utf8_validate() function of libbson.
Summary: There is a heap-buffer-overflow in the bson_utf8_validate() function of libbson.
Status: CLOSED DUPLICATE of bug 1489355
Alias: None
Product: Fedora
Classification: Fedora
Component: libbson
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Petr Pisar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2017-09-07 09:21 UTC by owl337
Modified: 2017-09-11 08:01 UTC (History)
Clone Of:
Last Closed: 2017-09-11 08:01:07 UTC


Attachments
POC (95 bytes, application/x-rar)
2017-09-07 09:22 UTC, owl337

Description owl337 2017-09-07 09:21:57 UTC
Description of problem:

There is a heap-buffer-overflow in the bson_utf8_validate() function of libbson.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./bson-metrics POC1

Steps to Reproduce:

The debugging information is as follows:

$ ./bson-metrics POC1

Segmentation fault

ASAN debugging information:

$ ./bson-metrics POC1
=================================================================
==61994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b880 at pc 0x7f1da16706b7 bp 0x7ffe5cc1a480 sp 0x7ffe5cc1a478
READ of size 1 at 0x61900000b880 thread T0
    #0 0x7f1da16706b6  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0xa96b6)
    #1 0x7f1da16394cb  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x724cb)
    #2 0x4dbe3c  (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4dbe3c)
    #3 0x7f1da06d4abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #4 0x435648  (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x435648)

0x61900000b880 is located 0 bytes to the right of 1024-byte region [0x61900000b480,0x61900000b880)
allocated by thread T0 here:
    #0 0x4bc78b  (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4bc78b)
    #1 0x7f1da1662aff  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x9baff)

Shadow bytes around the buggy address:
  0x0c327fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9710:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==61994==ABORTING

GDB debugging information:

(gdb) set args POC1
(gdb) r
...

Breakpoint 7, bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>)
    at src/bson/bson-utf8.c:143
143	      if ((utf8_len - i) < seq_length) {
(gdb) c 1007 
Will ignore next 1006 crossings of breakpoint 7.  Continuing.

Breakpoint 7, bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>)
    at src/bson/bson-utf8.c:143
143	      if ((utf8_len - i) < seq_length) {
(gdb) i b
Num     Type           Disp Enb Address            What
7       breakpoint     keep y   0x00007ffff7b7e310 in bson_utf8_validate at src/bson/bson-utf8.c:143
	breakpoint already hit 1008 times
(gdb) n
151	      c = utf8[i] & first_mask;
(gdb) 
156	      for (j = i + 1; j < (i + seq_length); j++) {
(gdb) 
182	      if (c > 0x0010FFFF) {
(gdb) 
197	      switch (seq_length) {
(gdb) 
199	         if (c <= 0x007F) {
(gdb) 
130	   for (i = 0; i < utf8_len; i += seq_length) {
(gdb) n
=================================================================
==100494==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b880 at pc 0x7ffff7b7e6b7 bp 0x7fffffffd800 sp 0x7fffffffd7f8
READ of size 1 at 0x61900000b880 thread T0
    #0 0x7ffff7b7e6b6  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0xa96b6)
    #1 0x7ffff7b474cb  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x724cb)
    #2 0x4dbe3c  (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4dbe3c)
    #3 0x7ffff6be2abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #4 0x435648  (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x435648)

0x61900000b880 is located 0 bytes to the right of 1024-byte region [0x61900000b480,0x61900000b880)
allocated by thread T0 here:
    #0 0x4bc78b  (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4bc78b)
    #1 0x7ffff7b70aff  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x9baff)

Shadow bytes around the buggy address:
  0x0c327fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9710:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==100494==ABORTING
[Inferior 1 (process 100494) exited with code 01]

(gdb) bt 
#0  bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>)
    at src/bson/bson-utf8.c:143
#1  0x00007ffff7b474cc in bson_iter_visit_all (iter=<optimized out>, visitor=<optimized out>, data=<optimized out>)
    at src/bson/bson-iter.c:2069
#2  0x00000000004dbe3d in bson_metrics (data=<optimized out>, bson=<optimized out>, length=<optimized out>)
    at bson-metrics.c:208
#3  main (argc=<optimized out>, argv=<optimized out>) at bson-metrics.c:257


This vulnerability was triggered in function bson_utf8_validate() at line 130 of src/bson/bson-utf8.c:

130	   for (i = 0; i < utf8_len; i += seq_length) {
131	      _bson_utf8_get_sequence (&utf8[i], &seq_length, &first_mask);
132	
133	      /*
134	       * Ensure we have a valid multi-byte sequence length.
135	       */
136	      if (!seq_length) {
137	         return false;
138	      }
139	
140	      /*
141	       * Ensure we have enough bytes left.
142	       */
143	      if ((utf8_len - i) < seq_length) {
144	         return false;
145	      }
146	
...


Actual results:

crash

Expected results:

crash

Additional info:


Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
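
Added illustration (not libbson's code and not the fix applied for bug 1489355): the gdb trace above shows utf8_len=4294967295, the unsigned wrap of a length that went negative, entering a loop whose only guard compares (utf8_len - i) against seq_length; with utf8_len that large the guard never fires and utf8[i] walks 1010 bytes through valid single-byte sequences and then off the end of the 1024-byte region, which is the READ of size 1 that ASan reports. The validator below takes the end of the enclosing buffer as an explicit parameter and checks the caller-supplied length against it before any byte is read, so an underflowed length is rejected up front rather than discovered by the allocator's redzone. The function names, the buf_end parameter and the sample byte sequences are assumptions made for this example; the 1024-byte region filled with 0x06 and the offset of 14 are constructed to match the shape of the report, not taken from the attachment.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example validator, not libbson's bson_utf8_validate(): names, the buf_end
 * parameter and all sample data are assumptions made for this illustration. */

/* Classify a UTF-8 lead byte: returns the sequence length (1..4) and the mask
 * for the lead byte's payload bits, or 0 for an invalid lead byte (a stray
 * continuation byte or 0xF8..0xFF). Same role as _bson_utf8_get_sequence(). */
static size_t utf8_sequence_length(uint8_t lead, uint8_t *first_mask)
{
    if ((lead & 0x80) == 0x00) { *first_mask = 0x7F; return 1; }
    if ((lead & 0xE0) == 0xC0) { *first_mask = 0x1F; return 2; }
    if ((lead & 0xF0) == 0xE0) { *first_mask = 0x0F; return 3; }
    if ((lead & 0xF8) == 0xF0) { *first_mask = 0x07; return 4; }
    return 0;
}

/* Validate utf8_len bytes starting at utf8 without reading at or past buf_end.
 * The first check is the one the reported loop lacks: a length that claims
 * more bytes than the buffer holds (such as a wrapped 4294967295) is rejected
 * before any byte is dereferenced. */
bool utf8_validate_bounded(const uint8_t *utf8, size_t utf8_len,
                           const uint8_t *buf_end, bool allow_null)
{
    if (utf8 > buf_end || (size_t)(buf_end - utf8) < utf8_len) {
        return false;                   /* length not backed by real bytes */
    }
    for (size_t i = 0; i < utf8_len;) {
        uint8_t first_mask = 0;
        size_t seq_length = utf8_sequence_length(utf8[i], &first_mask);
        if (seq_length == 0) {
            return false;               /* invalid lead byte */
        }
        if (utf8_len - i < seq_length) {
            return false;               /* sequence truncated at the end */
        }
        uint32_t c = utf8[i] & first_mask;
        for (size_t j = i + 1; j < i + seq_length; j++) {
            if ((utf8[j] & 0xC0) != 0x80) {
                return false;           /* continuation byte expected */
            }
            c = (c << 6) | (utf8[j] & 0x3F);
        }
        if (c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF)) {
            return false;               /* outside Unicode, or a surrogate */
        }
        /* Reject overlong encodings: each length has a minimum code point. */
        if ((seq_length == 2 && c < 0x80) || (seq_length == 3 && c < 0x800) ||
            (seq_length == 4 && c < 0x10000)) {
            return false;
        }
        if (c == 0 && !allow_null) {
            return false;
        }
        i += seq_length;
    }
    return true;
}

/* Wrapper for a buffer whose true length is known: buf_end is buf + len. */
bool utf8_validate_bytes(const uint8_t *buf, size_t len, bool allow_null)
{
    return utf8_validate_bounded(buf, len, buf + len, allow_null);
}

/* Constructed sample inputs (not taken from the attachment in this report). */
const uint8_t sample_h_e_acute[]    = { 0x68, 0xC3, 0xA9 };       /* "h", U+00E9 */
const uint8_t sample_truncated[]    = { 0x68, 0xC3 };             /* lead, no tail */
const uint8_t sample_overlong_nul[] = { 0xC0, 0x80 };             /* overlong U+0000 */
const uint8_t sample_surrogate[]    = { 0xED, 0xA0, 0x80 };       /* U+D800 */
const uint8_t sample_too_big[]      = { 0xF4, 0x90, 0x80, 0x80 }; /* U+110000 */

/* Models the reported condition: a 1024-byte region filled with 0x06 (the
 * "\006" gdb printed), a start pointer 14 bytes in (0x...b48e - 0x...b480) and
 * a length field that has wrapped to 4294967295. Returns 1 when the bounded
 * validator rejects it up front, 0 if it accepted it. */
int demo_underflowed_length(void)
{
    uint8_t region[1024];
    memset(region, 0x06, sizeof region);
    const uint8_t *start = region + 14;
    size_t wrapped_len = (size_t)UINT32_MAX;   /* the utf8_len seen in gdb */
    return utf8_validate_bounded(start, wrapped_len,
                                 region + sizeof region, false) ? 0 : 1;
}

int main(void)
{
    printf("wrapped length rejected: %d\n", demo_underflowed_length());
    printf("\"h\" + U+00E9 valid: %d\n",
           utf8_validate_bytes(sample_h_e_acute, sizeof sample_h_e_acute, false));
    return 0;
}
```

The point of the extra parameter is that the length a BSON string header carries is untrusted input, so the validator has to be told how many bytes are really there; a wrapper like utf8_validate_bytes() is fine when the caller owns the buffer, but a caller iterating a parsed document should pass the document's end pointer instead.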

Comment 1 owl337 2017-09-07 09:22 UTC
Created attachment 1323015 [details]
POC

Comment 2 A. Jesse Jiryu Davis 2017-09-09 14:22:14 UTC
This is the same logic bug as #1489355

Comment 3 Petr Pisar 2017-09-11 08:01:07 UTC

*** This bug has been marked as a duplicate of bug 1489355 ***

