Bug 1765272 (CVE-2019-18218) - CVE-2019-18218 file: heap-based buffer overflow in cdf_read_property_info in cdf.c
Keywords:
Status: NEW
Alias: CVE-2019-18218
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1765273 1773624
Blocks: 1765274
Reported: 2019-10-24 17:36 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-04-30 21:30 UTC
CC: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Description Guilherme de Almeida Suckevicz 2019-10-24 17:36:03 UTC
cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).

Reference:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780

Upstream patch:
https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84

Comment 1 Guilherme de Almeida Suckevicz 2019-10-24 17:36:16 UTC
Created file tracking bugs for this issue:

Affects: fedora-all [bug 1765273]

Comment 2 Stefan Cornelius 2019-11-18 13:21:21 UTC
A git bisect shows that this was introduced by https://github.com/file/file/commit/393555f2f3a6ba16cdedf6d65ac373700afdd769

Comment 3 Stefan Cornelius 2019-11-18 14:36:05 UTC
The root issue is an integer overflow in the cdf_grow_info() function:
"size_t newcount = *maxcount + incr;" can wrap around, causing newcount to be lower than it should be. Thus, the "if (newcount > CDF_PROP_LIMIT)" check can be bypassed. I believe this limits this issue to 32-bit architectures; on 64-bit systems the size of newcount should be large enough to handle all results (input read from the file is limited to 32-bit).

 cdf_grow_info(cdf_property_info_t **info, size_t *maxcount, size_t incr)
 {
 	cdf_property_info_t *inp;
 	size_t newcount = *maxcount + incr;
 
 	if (newcount > CDF_PROP_LIMIT) {
 		DPRINTF(("exceeded property limit %zu > %zu\n",
 		    newcount, CDF_PROP_LIMIT));
 		goto out;
 	}

Comment 4 Stefan Cornelius 2019-11-18 15:07:02 UTC
Statement:

This issue affects file as shipped with Red Hat Enterprise Linux 8. However, this flaw is only exploitable if the 32-bit version is used, for example when an application uses the 32-bit version of libmagic.so.
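The wraparound described in comments 3 and 4, as an added example that is not code from the file project or from this bug's commenters: it models the cdf_grow_info() limit check with a 32-bit unsigned type so the 32-bit-only behaviour reproduces on a 64-bit host, and places a compare-before-add rewrite beside it. The CDF_PROP_LIMIT value and the function names are assumptions for illustration, and the hardened form is one safe rewrite, not the upstream commit's change.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limit for illustration; the real cdf.h defines its own value. */
#define CDF_PROP_LIMIT 1024u

/* uint32_t stands in for size_t on a 32-bit build, so the wrap in
 * "*maxcount + incr" from comment 3 reproduces on a 64-bit host. */
typedef uint32_t size32_t;

/* Vulnerable form: the sum is computed first and may wrap modulo 2^32,
 * so a huge incr can land below the limit and pass the check. */
bool grow_check_vuln(size32_t maxcount, size32_t incr)
{
    size32_t newcount = maxcount + incr;   /* may wrap */
    return newcount <= CDF_PROP_LIMIT;     /* true = growth allowed */
}

/* Hardened form: compare against the remaining headroom before adding,
 * so no arithmetic can wrap. */
bool grow_check_safe(size32_t maxcount, size32_t incr)
{
    if (maxcount > CDF_PROP_LIMIT)
        return false;
    return incr <= CDF_PROP_LIMIT - maxcount;
}

int main(void)
{
    size32_t maxcount = 16;
    /* Constructed element count from a file, chosen so that
     * 16 + incr wraps to 7 in 32-bit arithmetic. */
    size32_t incr = UINT32_MAX - 8;

    printf("wrapping incr:  vuln=%d safe=%d\n",
           grow_check_vuln(maxcount, incr), grow_check_safe(maxcount, incr));
    printf("ordinary incr:  vuln=%d safe=%d\n",
           grow_check_vuln(maxcount, 32), grow_check_safe(maxcount, 32));
    return 0;
}
```

With 64-bit size_t the same sum would not wrap, which is why comment 3 confines the issue to 32-bit builds.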

