ofono is a Open Source Telephony on Linux stack overflow bug is triggered within the decode_deliver() function during SMS decoding here assumed that the attack scenario is accessible from a compromised modem or possibily accessible from a malicious base station or just SMS there is a bound check for this memcpy length in decode_submit(), but they forgot it in decode_deliver() partial code path is here - at_cmt_notify() - ofono_sms_deliver_notify() - sms_decode() - decode_deliver() ``` ~~~C++ static gboolean decode_deliver(const unsigned char *pdu, int len, struct sms *out) { int offset = 0; int expected; unsigned char octet; out->type = SMS_TYPE_DELIVER; if (!next_octet(pdu, len, &offset, &octet)) return FALSE; out->deliver.mms = !is_bit_set(octet, 2); out->deliver.sri = is_bit_set(octet, 5); out->deliver.udhi = is_bit_set(octet, 6); out->deliver.rp = is_bit_set(octet, 7); if (!sms_decode_address_field(pdu, len, &offset, FALSE, &out->deliver.oaddr)) return FALSE; if (!next_octet(pdu, len, &offset, &out->deliver.pid)) return FALSE; if (!next_octet(pdu, len, &offset, &out->deliver.dcs)) return FALSE; if (!sms_decode_scts(pdu, len, &offset, &out->deliver.scts)) return FALSE; if (!next_octet(pdu, len, &offset, &out->deliver.udl)) return FALSE; expected = sms_udl_in_bytes(out->deliver.udl, out->deliver.dcs); if ((len - offset) < expected) return FALSE; memcpy(out->deliver.ud, pdu + offset, expected); // overflow here, expected is from SMS PDU return TRUE; } ~~~ ASAN report ``` ================================================================= ==116975==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcf34201bc at pc 0x7f027e049846 bp 0x7ffcf341fea0 sp 0x7ffcf341f648 WRITE of size 203 at 0x7ffcf34201bc thread T0 #0 0x7f027e049845 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 #1 0x556caadab9e3 in decode_deliver src/smsutil.c:782 #2 0x556caadb14bf in sms_decode src/smsutil.c:1574 #3 0x556caad4d08d in main src/main.c:225 #4 0x7f027da2350f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #5 0x7f027da235c8 in __libc_start_main_impl ../csu/libc-start.c:381 #6 0x556caaaec274 in _start (/root/ofono/src/ofonod+0x12b274) Address 0x7ffcf34201bc is located in stack of thread T0 at offset 316 in frame #0 0x556caad4cedd in main src/main.c:205 This frame has 1 object(s): [48, 316) 'sms1' (line 212) <== Memory access at offset 316 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy Shadow bytes around the buggy address: 0x10001e67bfe0: f1 f1 01 f2 04 f3 f3 f3 00 00 00 00 00 00 00 00 0x10001e67bff0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3 0x10001e67c000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001e67c010: f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 0x10001e67c020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10001e67c030: 00 00 00 00 00 00 00[04]f3 f3 f3 f3 f3 f3 f3 f3 0x10001e67c040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001e67c050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001e67c060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001e67c070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001e67c080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==116975==ABORTING ```
Created ofono tracking bugs for this issue: Affects: fedora-all [bug 2255388]