Heap-based buffer overread (off-by-one) #11

Open
opened 2020-07-19 01:57:15 +00:00 by df · 0 comments
Owner

CVE Reporting (2018-12-27) reporter

Function uncompress_nlabel, which uncompresses mDNS nlabels, goes outside the data buffer: the offset variables (off and p, p2) go outside the size of the input buffer (pkt_len). The risk of this issue is reduced, because it is only possible to read 1 byte over the buffer, and it is very unlikely that this will lead to a crash.

Proposed CVSS 3.0 score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L (3.7 Low)

Vulnerable lines: mdns.c:234
IS:
for (p = pkt_buf + off; p && p < e; p++) {
SHOULD BE:
for (p = pkt_buf + off; p+1 < e && p; p++) {

mdns.c:252
IS:
for (p = pkt_buf + off; *p && p < e; p++) {
SHOULD BE:
for (p = pkt_buf + off; p+1 < e && *p; p++) {

Packet that triggers this issue: crash_006_uncompress_nlabel.raw

Mitigation: While parsing the input buffer, the current offset should be checked and an error returned when pkt_len is reached. Please take a look at the patch that was produced to fix this issue in TizenRT (which uses tinysvcmdns): https://github.com/Samsung/TizenRT/pull/810/commits/2d9a3f156f1a5b551403aabef2fa9edfe1ad12bc

Crash details using AddressSanitizer:

=================================================================
==13442==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x617000010003 at pc 0x00000040305e bp 0x7ffc09280cd0 sp 0x7ffc09280cc0
READ of size 1 at 0x617000010003 thread T0
    #0 0x40305d in uncompress_nlabel src/tinysvcmdns-latest/mdns.c:234
    #1 0x409d86 in mdns_parse_qn src/tinysvcmdns-latest/mdns.c:612
    #2 0x409d86 in mdns_parse_pkt src/tinysvcmdns-latest/mdns.c:794
    #3 0x4013cb in main src/tinysvcmdns-latest/test_mdns.c:106
    #4 0x7f88e03d382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x401c48 in _start (src/tinysvcmdns-latest/test_mdns+0x401c48)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow src/tinysvcmdns-latest/mdns.c:234 uncompress_nlabel
Shadow bytes around the buggy address:
  0x0c2e7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9fe0: 00 00 00 00 00 00 00 00 05 fa fa fa fa fa fa fa
  0x0c2e7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2e7fffa000:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fffa050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==13442==ABORTING

Attachment: crash_006_uncompress_nlabel.raw (https://bitbucket.org/geekman/tinysvcmdns/issues/attachments/12/geekman/tinysvcmdns/1545922005.8/12/crash_006_uncompress_nlabel.raw)

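The check ordering the report describes, as an added example that is not tinysvcmdns code: a walker that keeps the reported ordering (the length byte is dereferenced before the `p < e` test, and `p[1]` is read after only `p < e` was verified) beside one that validates every offset before reading it. Both run over constructed packets, not the attached crash_006 file; every read goes through an instrumented accessor so the one-byte overread shows up as a recorded offset rather than an ASan abort. The function and packet names (`name_len_vuln`, `name_len_safe`, `walk`, `pkt_*`) are this example's own, not identifiers from mdns.c.

```c
/* Added example, not tinysvcmdns code.  name_len_vuln() keeps the check
 * ordering the issue reports; name_len_safe() bounds-checks every read.
 * rd() records the highest offset dereferenced so an overread is visible
 * as a number (pkt_len or more) instead of undefined behaviour. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static size_t max_read_off;   /* highest offset touched by the last walk */

static uint8_t rd(const uint8_t *pkt_buf, const uint8_t *p)
{
    size_t off = (size_t)(p - pkt_buf);
    if (off > max_read_off)
        max_read_off = off;
    return *p;
}

/* Vulnerable pattern.  Only run it on the packets below, which carry one
 * slack byte past pkt_len; on a real heap buffer the same reads would hit
 * the redzone, as in the ASan report above. */
static int name_len_vuln(const uint8_t *pkt_buf, size_t pkt_len,
                         size_t off, size_t *out_len)
{
    const uint8_t *e = pkt_buf + pkt_len;
    const uint8_t *p = pkt_buf + off;
    size_t len = 0;
    int hops = 0;

    if (off >= pkt_len)
        return -1;
    /* Bug 1: *p is read before p < e is tested (the mdns.c:252 ordering),
     * so a name that ends without a root byte reads pkt_buf[pkt_len]. */
    while (rd(pkt_buf, p) && p < e) {
        uint8_t c = rd(pkt_buf, p);
        if (c & 0xC0) {
            /* Bug 2: p[1] is read although only p < e was checked (the
             * mdns.c:234 overread when the 0xC0 byte is the packet's last). */
            size_t target = ((size_t)(c & 0x3F) << 8) | rd(pkt_buf, p + 1);
            if (target >= pkt_len || ++hops > 16)  /* hop cap: loop guard only */
                return -1;
            p = pkt_buf + target;
            continue;
        }
        len += 1 + c;
        p += 1 + c;
    }
    *out_len = len + 1;                 /* plus the terminating root byte */
    return 0;
}

/* Hardened walker: every offset is validated before it is dereferenced. */
static int name_len_safe(const uint8_t *pkt_buf, size_t pkt_len,
                         size_t off, size_t *out_len)
{
    size_t len = 0;
    size_t limit = off;   /* a pointer must land before the current hop's start */

    if (off >= pkt_len)
        return -1;
    for (;;) {
        uint8_t c = rd(pkt_buf, pkt_buf + off);   /* off < pkt_len holds here */
        if (c == 0)
            break;                                /* root label: done */
        if ((c & 0xC0) == 0xC0) {
            if (pkt_len - off < 2)                /* second pointer byte is past the end */
                return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | rd(pkt_buf, pkt_buf + off + 1);
            if (target >= limit)                  /* forward/self pointer (RFC 1035 4.1.4); also kills loops */
                return -1;
            limit = off = target;
            continue;
        }
        if (c & 0xC0)                             /* 0x40/0x80 label types are not valid here */
            return -1;
        if ((size_t)c + 1 >= pkt_len - off)       /* label bytes or next length byte past the end */
            return -1;
        len += 1 + c;
        if (len > 254)                            /* RFC 1035: 255 octets including the root byte */
            return -1;
        off += 1 + c;
    }
    *out_len = len + 1;
    return 0;
}

typedef int (*name_len_fn)(const uint8_t *, size_t, size_t, size_t *);
struct walk_result { int rc; size_t len; size_t max_off; };

/* Runs one walker; max_off >= pkt_len means it read past the packet. */
static struct walk_result walk(name_len_fn fn, const uint8_t *pkt, size_t pkt_len, size_t off)
{
    struct walk_result r = { 0, 0, 0 };
    max_read_off = 0;
    r.rc = fn(pkt, pkt_len, off, &r.len);
    r.max_off = max_read_off;
    return r;
}

/* Constructed packets (not the issue's attachment).  The trailing 0xEE is
 * slack beyond the declared length, standing in for the heap redzone. */
static const uint8_t pkt_ok[] = {
    5,'_','h','t','t','p', 4,'_','t','c','p', 5,'l','o','c','a','l', 0,  /* name at 0 */
    3,'f','o','o', 0xC0,0x00,                 /* name at 18: "foo" + pointer to 0 */
    0xEE };
static const uint8_t pkt_trunc_len[] = { 3,'f','o','o', 0xEE };            /* no root byte */
static const uint8_t pkt_trunc_ptr[] = { 3,'f','o','o', 0xC0, 0xEE };      /* pointer cut after byte 1 */
static const uint8_t pkt_loop[]      = { 3,'f','o','o', 0xC0,0x00, 0xEE }; /* points back to itself */
#define PKT_LEN(p) (sizeof(p) - 1)

int main(void)
{
    struct walk_result v = walk(name_len_vuln, pkt_trunc_ptr, PKT_LEN(pkt_trunc_ptr), 0);
    struct walk_result s = walk(name_len_safe, pkt_trunc_ptr, PKT_LEN(pkt_trunc_ptr), 0);
    printf("truncated pointer (pkt_len %zu): vuln rc=%d max_off=%zu, safe rc=%d max_off=%zu\n",
           PKT_LEN(pkt_trunc_ptr), v.rc, v.max_off, s.rc, s.max_off);
    v = walk(name_len_vuln, pkt_trunc_len, PKT_LEN(pkt_trunc_len), 0);
    printf("missing root byte (pkt_len %zu): vuln rc=%d len=%zu max_off=%zu\n",
           PKT_LEN(pkt_trunc_len), v.rc, v.len, v.max_off);
    s = walk(name_len_safe, pkt_ok, PKT_LEN(pkt_ok), 18);
    printf("valid compressed name: safe rc=%d uncompressed len=%zu\n", s.rc, s.len);
    printf("self-pointing name: safe rc=%d\n", walk(name_len_safe, pkt_loop, PKT_LEN(pkt_loop), 0).rc);
    return 0;
}
```

On the truncated-pointer packet the vulnerable walker's highest read lands exactly at offset pkt_len, the one-past-the-end read the ASan report attributes to mdns.c:234, while the hardened walker rejects the packet with its last read at pkt_len - 1. On the packet with no root byte the vulnerable walker even returns success after the overread. Note that a failed bounds check has to propagate as an error from mdns_parse_qn up to mdns_parse_pkt for the reporter's mitigation to hold; the proposed `p+1 < e` condition on its own only ends the loop early.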
Reference: df/zeroconf#11