ofono (Open Source Telephony on Linux) has a stack-buffer-overflow bug that is triggered within the sms_decode_address_field() function during SMS PDU decoding. The assumed attack scenario is that the malformed PDU reaches this code from a compromised modem, possibly from a malicious base station, or simply via an SMS. The partial code path is:

- at_cmt_notify()
- ofono_sms_deliver_notify()
- sms_decode()
- decode_deliver()
- sms_decode_address_field()

```c
gboolean sms_decode_address_field(const unsigned char *pdu, int len,
					int *offset, gboolean sc,
					struct sms_address *out)
{
	unsigned char addr_len;
	unsigned char addr_type;
	int byte_len;

	if (!next_octet(pdu, len, offset, &addr_len))
		return FALSE;

	if (sc && addr_len == 0) {
		out->address[0] = '\0';
		return TRUE;
	}

	if (!next_octet(pdu, len, offset, &addr_type))
		return FALSE;

	if (sc)
		byte_len = addr_len - 1;
	else
		byte_len = (addr_len + 1) / 2;

	/* only checks that the digits fit in the PDU, not in out->address */
	if ((len - *offset) < byte_len)
		return FALSE;

	out->number_type = bit_field(addr_type, 4, 3);
	out->numbering_plan = bit_field(addr_type, 0, 4);

	if (out->number_type != SMS_NUMBER_TYPE_ALPHANUMERIC) {
		/* overflow within extract_bcd_number(): addr_len comes from the SMS PDU,
		 * and 2 * byte_len + 1 bytes are written into the fixed-size out->address */
		extract_bcd_number(pdu + *offset, byte_len, out->address);
		*offset += byte_len;
	} else {
		...
	}
}

void extract_bcd_number(const unsigned char *buf, int len, char *out)
{
	static const char digit_lut[] = "0123456789*#abc\0";
	unsigned char oct;
	int i;

	/* writes two digits per input octet plus a terminating NUL, no bound on out */
	for (i = 0; i < len; i++) {
		oct = buf[i];

		out[i * 2] = digit_lut[oct & 0x0f];
		out[i * 2 + 1] = digit_lut[(oct & 0xf0) >> 4];
	}

	out[i * 2] = '\0';
}
```

ASAN report:

```
=================================================================
==116978==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd18b788ac at pc 0x556e7631ff99 bp 0x7ffd18b78450 sp 0x7ffd18b78440
WRITE of size 1 at 0x7ffd18b788ac thread T0
    #0 0x556e7631ff98 in extract_bcd_number src/smsutil.c:86
    #1 0x556e76322c72 in sms_decode_address_field src/smsutil.c:650
    #2 0x556e763237c3 in decode_deliver src/smsutil.c:761
    #3 0x556e76329456 in sms_decode src/smsutil.c:1567
    #4 0x556e762c508d in main src/main.c:225
    #5 0x7f635c42350f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7f635c4235c8 in __libc_start_main_impl ../csu/libc-start.c:381
    #7 0x556e76064274 in _start (/root/ofono/src/ofonod+0x12b274)

Address 0x7ffd18b788ac is located in stack of thread T0 at offset 316 in frame
    #0 0x556e762c4edd in main src/main.c:205

  This frame has 1 object(s):
    [48, 316) 'sms1' (line 212) <== Memory access at offset 316 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow src/smsutil.c:86 in extract_bcd_number
Shadow bytes around the buggy address:
  0x1000231670c0: 01 f2 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x1000231670d0: 00 00 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3 00 00
  0x1000231670e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x1000231670f0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100023167110: 00 00 00 00 00[04]f3 f3 f3 f3 f3 f3 f3 f3 00 00
  0x100023167120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==116978==ABORTING
```
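A hardened form of the non-SC branch of the address decoder, added here as an example and not ofono's own fix: the digit count taken from the PDU is bounded against the destination buffer before extract_bcd_number()-style writes begin. MAX_ADDR_DIGITS, struct addr and the sample PDU bytes are constructed for this example and are not values from the page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDR_DIGITS 20   /* assumed limit for the example; not ofono's constant */

struct addr { char number[MAX_ADDR_DIGITS + 1]; };

/* Same nibble expansion as the page's extract_bcd_number(); nibble 0xF (the
 * odd-length pad) maps to the NUL at index 15 of the lookup table. */
static void extract_bcd(const unsigned char *buf, int len, char *out) {
    static const char lut[] = "0123456789*#abc";
    for (int i = 0; i < len; i++) {
        out[i * 2]     = lut[buf[i] & 0x0f];
        out[i * 2 + 1] = lut[(buf[i] & 0xf0) >> 4];
    }
    out[len * 2] = '\0';
}

/* Non-SC address field: digit-count octet, type-of-address octet, BCD digits.
 * The digit count comes straight from the PDU, so it is bounded against the
 * destination buffer before any digit is written; the page's code path only
 * checks it against the remaining PDU length. */
bool decode_address_checked(const unsigned char *pdu, int len, int *offset,
                            struct addr *out) {
    if (len - *offset < 2) return false;
    unsigned char addr_len = pdu[*offset];
    *offset += 2;                        /* skip length and type-of-address octets */
    if (addr_len > MAX_ADDR_DIGITS)      /* the missing bound: 2*byte_len+1 must fit */
        return false;
    int byte_len = (addr_len + 1) / 2;
    if (len - *offset < byte_len)        /* existing check: stay inside the PDU */
        return false;
    extract_bcd(pdu + *offset, byte_len, out->number);
    *offset += byte_len;
    return true;
}

/* Constructed samples: a valid 11-digit address, and a field claiming 255 digits. */
const unsigned char SAMPLE_OK[8]       = {0x0B, 0x91, 0x21, 0x43, 0x65, 0x87, 0x09, 0xF1};
const unsigned char SAMPLE_OVERSIZE[4] = {0xFF, 0x91, 0x21, 0x43};

int main(void) {
    struct addr a; int off = 0;
    if (decode_address_checked(SAMPLE_OK, 8, &off, &a))
        printf("decoded %s, consumed %d octets\n", a.number, off);
    off = 0;
    printf("oversize field %s\n", decode_address_checked(SAMPLE_OVERSIZE, 4, &off, &a) ? "accepted" : "rejected");
    return 0;
}
```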
Created ofono tracking bugs for this issue: Affects: fedora-all [bug 2255397]
I can't solve this bug. Source: https://uno-online.io