cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write). Reference: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780 Upstream patch: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84
Created file tracking bugs for this issue: Affects: fedora-all [bug 1765273]
A git bisect shows that this was introduced by https://github.com/file/file/commit/393555f2f3a6ba16cdedf6d65ac373700afdd769
The root issue is an integer overflow in the cdf_grow_info() function: "size_t newcount = *maxcount + incr;" can wrap around, causing newcount to be lower than it should be. Thus, the "if (newcount > CDF_PROP_LIMIT)" check can be bypassed. I believe this limits this issue to 32bit architectures, on 64bit systems the size of newcount should be large enough to handle all results (input read from the file is limited to 32bit). cdf_grow_info(cdf_property_info_t **info, size_t *maxcount, size_t incr) { cdf_property_info_t *inp; size_t newcount = *maxcount + incr; if (newcount > CDF_PROP_LIMIT) { DPRINTF(("exceeded property limit %zu > %zu\n", newcount, CDF_PROP_LIMIT)); goto out; }
Statement: This issue affects file as shipped with Red Hat Enterprise Linux 8. However, this flaw is only exploitable if the 32bit version is used, for example when an application uses the 32bit version of libmagic.so.
please, is there any simpler reproducer that doesn't involve oss-fuzz?
One can simply download the sample file and run the `file` utility locally on it: $ curl -JLO 'https://oss-fuzz.com/download?testcase_id=5743444592427008' The main obstacle is that the bug reproduces on 32bit arches only (see comment #3). The following works reliably for me on an x86_64 VM: $ sudo yum install file-libs.i686 valgrind.i686 $ rpm2cpio http://download.eng.bos.redhat.com/brewroot/vol/rhel-8/packages/file/5.33/16.el8/i686/file-5.33-16.el8.i686.rpm | cpio -div $ valgrind ./usr/bin/file clusterfuzz-testcase-minimized-magic_fuzzer-5743444592427008 valgrind output is clean with file-libs-5.33-18.el8.i686 while there are invalid writes with file-libs-5.33-16.el8.i686. The old version crashes without valgrind, too, in my testing environment.
(In reply to Kamil Dudka from comment #7) > One can simply download the sample file and run the `file` utility locally on it: I have tried, but ... > The main obstacle is that the bug reproduces on 32bit arches only (see > comment #3). looks like forcing 32bit is the important part I have missed, thanks
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4374 https://access.redhat.com/errata/RHSA-2021:4374