Bug 1489362 - There is a heap-based buffer overflow in bson-to-json.c.
Summary: There is a heap-based buffer overflow in bson-to-json.c.
Status: CLOSED DUPLICATE of bug 1489355
Alias: None
Product: Fedora
Classification: Fedora
Component: libbson
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Petr Pisar
QA Contact: Fedora Extras Quality Assurance
URL: https://jira.mongodb.org/projects/SEC...
Whiteboard:
Keywords: Security
Depends On:
Blocks:
Reported: 2017-09-07 09:26 UTC by owl337
Modified: 2017-09-15 07:34 UTC (History)

Clone Of:
Last Closed: 2017-09-15 07:34:23 UTC


Attachments (Terms of Use)
./bson-to-json POC2 (165 bytes, application/x-rar), 2017-09-07 09:26 UTC, owl337

Description owl337 2017-09-07 09:26:23 UTC
Created attachment 1323017
./bson-to-json POC2

Description of problem:

There is a heap-based buffer overflow in bson-to-json.c.

Version-Release number of selected component (if applicable):

<= latest

How reproducible:

./bson-to-json POC2

Steps to Reproduce:


The debugging information is as follows:

$ ./bson-to-json POC2

(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
Segmentation fault

ASAN debugging information:


$ ./bson-to-json POC2
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
=================================================================
==7328==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000b880 at pc 0x7fa38d86f6e7 bp 0x7ffe730e9400 sp 0x7ffe730e93f8
READ of size 1 at 0x61900000b880 thread T0
    #0 0x7fa38d86f6e6  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0xa96e6)
    #1 0x7fa38d8384bb  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x724bb)
    #2 0x7fa38d81dbe4  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x57be4)
    #3 0x4dbb76  (/home/icy/secreal/libbson-asan/examples/bson-to-json+0x4dbb76)
    #4 0x7fa38c8d3abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #5 0x435458  (/home/icy/secreal/libbson-asan/examples/bson-to-json+0x435458)

0x61900000b880 is located 0 bytes to the right of 1024-byte region [0x61900000b480,0x61900000b880)
allocated by thread T0 here:
    #0 0x4bc59b  (/home/icy/secreal/libbson-asan/examples/bson-to-json+0x4bc59b)
    #1 0x7fa38d861b2f  (/home/icy/secreal/libbson-asan/install/lib/libbson-1.0.so.0+0x9bb2f)

Shadow bytes around the buggy address:
  0x0c327fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9710:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7328==ABORTING


GDB debugging information:

(gdb) set args POC2
(gdb) r
...

(gdb) set args fuzz/bson2json_out/crashes/id\:000002\,sig\:11\,src\:000767\,op\:arith8\,pos\:178\,val\:+3
(gdb) r
...
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)
(null)

Program received signal SIGSEGV, Segmentation fault.
bson_utf8_validate (utf8=0x61233c "\006", utf8_len=4294967295, allow_null=<optimized out>) at src/bson/bson-utf8.c:131
131	      _bson_utf8_get_sequence (&utf8[i], &seq_length, &first_mask);
(gdb) bt
#0  bson_utf8_validate (utf8=0x61233c "\006", utf8_len=4294967295, allow_null=<optimized out>)
    at src/bson/bson-utf8.c:131
#1  0x00007ffff7b99646 in bson_iter_visit_all (iter=0x7fffffffdf80, 
    visitor=0x7ffff7dd0020 <bson_as_extended_json_visitors>, data=0x7fffffffe028) at src/bson/bson-iter.c:2069
#2  0x00007ffff7b8b148 in _bson_as_json_visit_all (bson=<optimized out>, length=0x0, 
    visitors=0x7ffff7dd0020 <bson_as_extended_json_visitors>) at src/bson/bson.c:3245
#3  0x0000000000401167 in main (argc=<optimized out>, argv=0x7fffffffe438) at bson-to-json.c:69


Actual results:

crash

Expected results:

crash

Additional info:


Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
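The backtrace above shows bson_utf8_validate being entered with utf8_len=4294967295, which is 0xFFFFFFFF, the unsigned reading of an int32 length of -1. As an added example that is not part of this report and is neither libbson's code nor the fix for this bug, the C below shows the bounds check a BSON reader applies to a string element's declared length before handing the bytes to a UTF-8 validator; bson_string_body_ok and the sample documents are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian int32 read, the encoding BSON uses for lengths. */
static int32_t rd_i32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Check a BSON string body (int32 length, bytes, NUL) at offset `off` of a
 * `len`-byte buffer. Succeeds, storing the payload length without the NUL,
 * only if every byte the length field claims is inside the buffer and the
 * last one is NUL. A length of -1 (0xFFFFFFFF unsigned, as in the backtrace
 * above) is rejected by the `< 1` test before any byte past the length field
 * is read. Hypothetical helper for illustration, not libbson's API. */
bool bson_string_body_ok(const uint8_t *buf, size_t len, size_t off,
                         uint32_t *out_len)
{
    if (off > len || len - off < 4)
        return false;                        /* no room for the length field */
    int32_t slen = rd_i32(buf + off);
    if (slen < 1)
        return false;                        /* must at least cover the NUL */
    if ((size_t)slen > len - off - 4)
        return false;                        /* declared bytes are not there */
    if (buf[off + 4 + (size_t)slen - 1] != 0)
        return false;                        /* terminator missing */
    *out_len = (uint32_t)slen - 1;
    return true;
}

/* Constructed samples: {"a": "hi"} in BSON, then the same bytes with the string
 * length field set to -1, then to 16. Body offset 7 = doc size + type + "a\0". */
#define STR_OFF 7
static const uint8_t DOC_OK[]   = {15,0,0,0, 2,'a',0, 3,0,0,0, 'h','i',0, 0};
static const uint8_t DOC_NEG[]  = {15,0,0,0, 2,'a',0, 255,255,255,255, 'h','i',0, 0};
static const uint8_t DOC_LONG[] = {15,0,0,0, 2,'a',0, 16,0,0,0, 'h','i',0, 0};

int main(void)
{
    uint32_t n = 0;
    bool ok = bson_string_body_ok(DOC_OK, sizeof DOC_OK, STR_OFF, &n);
    printf("ok=%d payload=%u neg=%d long=%d\n", ok, n,
           bson_string_body_ok(DOC_NEG, sizeof DOC_NEG, STR_OFF, &n),
           bson_string_body_ok(DOC_LONG, sizeof DOC_LONG, STR_OFF, &n));
    return 0;
}
```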

Comment 1 Petr Pisar 2017-09-07 13:27:39 UTC
This is very probably a duplicate of bug #1489355.

Comment 2 A. Jesse Jiryu Davis 2017-09-09 14:23:39 UTC
Yes, it is a duplicate of bug #1489355.

Comment 3 Petr Pisar 2017-09-15 07:34:23 UTC

*** This bug has been marked as a duplicate of bug 1489355 ***
