2044864 – (CVE-2021-45927) CVE-2021-45927 mdbtools: a stack-based buffer overflow in mdb_numeric_to_string

Bug 2044864 (CVE-2021-45927) - CVE-2021-45927 mdbtools: a stack-based buffer overflow in mdb_numeric_to_string

Summary: CVE-2021-45927 mdbtools: a stack-based buffer overflow in mdb_numeric_to_string

Keywords:
Status:	CLOSED UPSTREAM
Alias:	CVE-2021-45927
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2044868 2044865 2044866
Blocks:
TreeView+	depends on / blocked

Reported:	2022-01-25 10:31 UTC by Marian Rehak
Modified:	2022-01-31 12:09 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-01-25 11:30:49 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2022-01-25 10:31:56 UTC

MDB Tools (aka mdbtools) 0.9.2 has a stack-based buffer overflow (at 0x7ffd6e029ee0) in mdb_numeric_to_string (called from mdb_xfer_bound_data and _mdb_attempt_bind).

Reference:

https://github.com/mdbtools/mdbtools/commit/373b7ff4c4daf887269c078407cb1338942c4ea6
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mdbtools/OSV-2021-1003.yaml
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36187

Comment 1 Marian Rehak 2022-01-25 10:32:31 UTC

Created mdbtools tracking bugs for this issue:

Affects: epel-7 [bug 2044868]
Affects: fedora-34 [bug 2044865]
Affects: fedora-35 [bug 2044866]

Comment 2 Product Security DevOps Team 2022-01-25 11:30:47 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 3 Hans de Goede 2022-01-25 13:46:28 UTC

This is somewhat weird the original oss-fuzz report:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36187

Links to 2 configs, one where it hit the bug and one where it was fixed:

https://oss-fuzz.com/revisions?job=afl_asan_mdbtools&range=202107120613:202107140601
https://oss-fuzz.com/revisions?job=afl_asan_mdbtools&range=202107140601:202107150603

What is weird here is both point to the same mdbtools commit (the 0.9.3 release) and to the same mdbtools-data commit, the only difference between the issue being detected and it being reported fixed is the Aflplusplus commit.

Also upstream is using oss-fuzz in mdbtools CI and there are no issues being reported there.

Still I tried to reproduce downloading the clusterfuzz-testcase-minimized-fuzz_mdb-4756071066501120 file from the oss-fuzz report, replacing test/data/nwind.mdb with it and then running ./test_script.sh . This does hit a crash with a NULL pointer deref with both 0.9.3 and 1.0.0 build with CFLAGS="-g -O1 -fsanitize=address", but the original report of a "Dynamic-stack-buffer-overflow WRITE 16" issue does not reproduce.

So all in all this feels like some weird false-positive from oss-fuzz and I think this bug-report can be closed. Please advice how to continue.

I've created a fix for the NULL pointer deref (with the clusterfuzz-testcase-minimized-... file) and I will submit a pull-req for the fix for that upstream.

Comment 4 Hans de Goede 2022-01-25 14:09:10 UTC

I just noticed that there is a second report for what seems to be more or less the same mysterious issue:

    https://bugzilla.redhat.com/show_bug.cgi?id=2044905
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35972
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45926

The clusterfuzz-testcase-minimized-fuzz_mdb-6321096314978304 attached there gives a whole bunch of mdbtools errors when running ./test_script.sh, but no crashes / sanitizer reports.

Note You need to log in before you can comment on or make changes to this bug.