Description of problem:
There is a heap-buffer-overflow in the bson_utf8_validate() function of libbson.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./bson-metrics POC1

Steps to Reproduce:
The debugging information is as follows:

$ ./bson-metrics POC1
Segmentation fault

ASAN debugging information:

$ ./bson-metrics POC1
=================================================================
==61994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b880 at pc 0x7f1da16706b7 bp 0x7ffe5cc1a480 sp 0x7ffe5cc1a478
READ of size 1 at 0x61900000b880 thread T0
    #0 0x7f1da16706b6 (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0xa96b6)
    #1 0x7f1da16394cb (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x724cb)
    #2 0x4dbe3c (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4dbe3c)
    #3 0x7f1da06d4abf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #4 0x435648 (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x435648)

0x61900000b880 is located 0 bytes to the right of 1024-byte region [0x61900000b480,0x61900000b880)
allocated by thread T0 here:
    #0 0x4bc78b (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4bc78b)
    #1 0x7f1da1662aff (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x9baff)

Shadow bytes around the buggy address:
  0x0c327fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9710:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==61994==ABORTING

GDB debugging information:

(gdb) set args POC1
(gdb) r
...
Breakpoint 7, bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:143
143	   if ((utf8_len - i) < seq_length) {
(gdb) c 1007
Will ignore next 1006 crossings of breakpoint 7.  Continuing.

Breakpoint 7, bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:143
143	   if ((utf8_len - i) < seq_length) {
(gdb) i b
Num     Type           Disp Enb Address            What
7       breakpoint     keep y   0x00007ffff7b7e310 in bson_utf8_validate at src/bson/bson-utf8.c:143
	breakpoint already hit 1008 times
(gdb) n
151	   c = utf8[i] & first_mask;
(gdb)
156	   for (j = i + 1; j < (i + seq_length); j++) {
(gdb)
182	   if (c > 0x0010FFFF) {
(gdb)
197	   switch (seq_length) {
(gdb)
199	      if (c <= 0x007F) {
(gdb)
130	   for (i = 0; i < utf8_len; i += seq_length) {
(gdb) n
=================================================================
==100494==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b880 at pc 0x7ffff7b7e6b7 bp 0x7fffffffd800 sp 0x7fffffffd7f8
READ of size 1 at 0x61900000b880 thread T0
    #0 0x7ffff7b7e6b6 (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0xa96b6)
    #1 0x7ffff7b474cb (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x724cb)
    #2 0x4dbe3c (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4dbe3c)
    #3 0x7ffff6be2abf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #4 0x435648 (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x435648)

0x61900000b880 is located 0 bytes to the right of 1024-byte region [0x61900000b480,0x61900000b880)
allocated by thread T0 here:
    #0 0x4bc78b (/home/icy/secreal/libbson-asan/install/test/bson-metrics+0x4bc78b)
    #1 0x7ffff7b70aff (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x9baff)

(shadow byte dump and legend omitted here: they are identical to the ASan report above)
==100494==ABORTING
[Inferior 1 (process 100494) exited with code 01]
(gdb) bt
#0  bson_utf8_validate (utf8=0x61900000b48e "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:143
#1  0x00007ffff7b474cc in bson_iter_visit_all (iter=<optimized out>, visitor=<optimized out>, data=<optimized out>) at src/bson/bson-iter.c:2069
#2  0x00000000004dbe3d in bson_metrics (data=<optimized out>, bson=<optimized out>, length=<optimized out>) at bson-metrics.c:208
#3  main (argc=<optimized out>, argv=<optimized out>) at bson-metrics.c:257

This vulnerability is triggered in the function bson_utf8_validate() at src/bson/bson-utf8.c:130. As the GDB session shows, utf8_len is 4294967295 (0xFFFFFFFF), so the "enough bytes left" check at line 143 never fails and the loop keeps reading past the end of the 1024-byte allocation:

130   for (i = 0; i < utf8_len; i += seq_length) {
131      _bson_utf8_get_sequence (&utf8[i], &seq_length, &first_mask);
132
133      /*
134       * Ensure we have a valid multi-byte sequence length.
135       */
136      if (!seq_length) {
137         return false;
138      }
139
140      /*
141       * Ensure we have enough bytes left.
142       */
143      if ((utf8_len - i) < seq_length) {
144         return false;
145      }
146   ...

Actual results:
crash

Expected results:
crash

Additional info:
Credits: This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
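As an added example (not libbson's code and not the reporter's), a bounded variant of the validation loop quoted above: the caller passes the number of bytes actually backing the buffer, and a claimed length that does not fit is rejected before the loop reads anything. get_sequence is my own minimal stand-in for _bson_utf8_get_sequence.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-in for _bson_utf8_get_sequence (assumption: my own helper, not libbson's). */
static void get_sequence(uint8_t lead, uint8_t *seq_length, uint8_t *first_mask)
{
   if ((lead & 0x80) == 0x00)      { *seq_length = 1; *first_mask = 0x7F; }
   else if ((lead & 0xE0) == 0xC0) { *seq_length = 2; *first_mask = 0x1F; }
   else if ((lead & 0xF0) == 0xE0) { *seq_length = 3; *first_mask = 0x0F; }
   else if ((lead & 0xF8) == 0xF0) { *seq_length = 4; *first_mask = 0x07; }
   else                            { *seq_length = 0; *first_mask = 0x00; }
}

/* buf_len: bytes really backing buf (1024 in the report); claimed_len: the
 * length the caller was handed (4294967295 in the report). */
bool utf8_validate_bounded(const uint8_t *buf, size_t buf_len,
                           size_t claimed_len, bool allow_null)
{
   size_t i, j; uint8_t seq_length, first_mask; uint32_t c;
   /* The check the crash shows is missing: reject a claimed length that does
    * not fit the allocation before reading, so a wrapped -1 (0xFFFFFFFF)
    * can never drive the loop past the end of the buffer. */
   if (claimed_len > buf_len) {
      return false;
   }
   for (i = 0; i < claimed_len; i += seq_length) {
      get_sequence(buf[i], &seq_length, &first_mask);
      if (!seq_length) {
         return false;                      /* invalid lead byte */
      }
      if ((claimed_len - i) < seq_length) {
         return false;                      /* truncated sequence */
      }
      c = buf[i] & first_mask;
      for (j = i + 1; j < i + seq_length; j++) {
         if ((buf[j] & 0xC0) != 0x80) {
            return false;                   /* bad continuation byte */
         }
         c = (c << 6) | (buf[j] & 0x3F);
      }
      /* Reject code points above U+10FFFF, overlong forms, and NUL unless allowed. */
      if (c > 0x0010FFFF || (seq_length == 2 && c <= 0x7F) ||
          (seq_length == 3 && c <= 0x7FF) || (seq_length == 4 && c <= 0xFFFF) ||
          (!allow_null && c == 0)) {
         return false;
      }
   }
   return true;
}
```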
Created attachment 1323015: POC
This is the same logic bug as #1489355
*** This bug has been marked as a duplicate of bug 1489355 ***