Buffer Overflow security vulnerability in ParModelica #4787

Closed
OpenModelica-TracImporter opened this issue Jun 27, 2020 · 5 comments · Fixed by #8367
@OpenModelica-TracImporter
Member

No description provided.

@ijknabla

Hi everyone!

In our organization, OpenModelica cannot be used because the following vulnerabilities exist in OpenModelica.

https://nvd.nist.gov/vuln/detail/CVE-2019-1010038

Is there any chance that this vulnerability will be fixed?

If not, I'd like to try to fix it, but are there any considerations?

@ijknabla

The vulnerability is that the value of the environment variable OPENMODELICAHOME
is included in the data to be written to the fixed length (100 bytes) buffer.

A malicious user could give a long (>=100 bytes) environment variable that would cause a buffer overflow.

This issue imported from https://trac.openmodelica.org/OpenModelica/ticket/4787
@sjoelund mentioned in the above ticket:

This should naturally be fixed as soon as possible, but the impact is very low since ParModelica is rarely used.

I've confirmed that the implementation pointed out still exists in the latest code.

```c
// Build the program (OpenCL JIT compilation)
char options[100];                                  // fixed-size buffer, no length tracking
const char* flags = "-g -w -I\"";
const char* OMHOME = getenv("OPENMODELICAHOME");    // length is controlled by whoever sets the environment
const char* OMINCL = "/include/omc\"";
const char* OMBIN = "/bin\"";
if ( OMHOME != NULL )
{
    strcpy(options, flags);
    strcat(options, OMHOME);                        // unbounded append: writes past options[] once the total exceeds 99 bytes
```

However, in the latest code, the CMakeLists.txt that builds this vulnerable target is not referenced from the CMakeLists.txt in the parent directory:

```cmake
# omc_add_subdirectory(ParModelica)
```
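The comment above describes the defect: a `strcpy`/`strcat` sequence appends an environment variable of unchecked length to a 100-byte stack buffer. The following is an added example (not OpenModelica code) of the bounded form a fix would take. It keeps the option-string layout the quoted snippet shows (flags, then `OPENMODELICAHOME`, then `/include/omc"`) and the same 100-byte buffer, but uses `snprintf` and treats truncation as a hard error instead of shipping a cut-off include path. The function names `build_ocl_options` and `fits_in_options_buffer`, the return-code convention and the sample paths are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same buffer size as the snippet quoted in the issue. */
#define OPTIONS_SIZE 100

/* Added example, not OpenModelica code. Builds
 *   <flags><omhome>/include/omc"
 * into `out`. Returns 0 on success; returns -1 and leaves `out` as an empty
 * string when omhome is NULL or the result would not fit in `outsz` bytes
 * (terminating NUL included). Never writes past `outsz`. */
int build_ocl_options(char *out, size_t outsz, const char *omhome)
{
    const char *flags  = "-g -w -I\"";       /* 9 bytes, as in the issue */
    const char *omincl = "/include/omc\"";   /* 13 bytes, as in the issue */

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (omhome == NULL)
        return -1;

    /* snprintf returns the length the untruncated string would have had,
     * so n >= outsz means the buffer was too small: reject rather than
     * continue with a silently truncated -I path. */
    int n = snprintf(out, outsz, "%s%s%s", flags, omhome, omincl);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Helper for the demonstration: constructs an OPENMODELICAHOME value made of
 * `len` 'A' characters and reports whether the resulting option string fits
 * in an OPTIONS_SIZE-byte buffer (1 = fits, 0 = rejected). With 9 + 13
 * bytes of fixed text and one NUL, the longest value that fits is 77 bytes. */
int fits_in_options_buffer(size_t len)
{
    char home[512];
    char options[OPTIONS_SIZE];

    if (len >= sizeof home)
        len = sizeof home - 1;
    memset(home, 'A', len);
    home[len] = '\0';
    return build_ocl_options(options, sizeof options, home) == 0;
}

/* Scratch buffer so the result can be inspected after a call. */
static char g_options[OPTIONS_SIZE];

int main(void)
{
    /* Constructed sample values; a real build would use getenv("OPENMODELICAHOME"). */
    if (build_ocl_options(g_options, sizeof g_options, "/usr/local/openmodelica") == 0)
        printf("ok: %s\n", g_options);

    if (!fits_in_options_buffer(200))
        printf("rejected: a 200-byte OPENMODELICAHOME does not fit in %d bytes\n",
               OPTIONS_SIZE);
    return 0;
}
```

The point of the `n >= outsz` check is that `snprintf` alone only prevents the memory write; without the check the program would go on to invoke the OpenCL compiler with a mangled include path, which is a different failure rather than a fix.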

@ijknabla

When I checked the build settings for the OpenModelica/OMCompiler/SimulationRuntime/ParModelica/explicit/openclrt/ itself, the referenced source was ocl_offcomp.cpp, not ocl_offcomp.c.

```cmake
SET(PARMODELICA_OffCompiler_SRC ocl_offcomp.cpp)
INCLUDE_DIRECTORIES(${CMAKE_CURRENT_SOURCE_DIR})
INCLUDE_DIRECTORIES(../../../c)
ADD_LIBRARY(ParModelicaExpl ${PARMODELICA_SRC})
ADD_EXECUTABLE(ParModelicaOCLOffCompiler ${PARMODELICA_OffCompiler_SRC})
```

```make
ocloffc: omc_ocl_util.h libParModelicaExpl.a
	$(CXX) -I. -o ocloffcomp$(EXEEXT) ocl_offcomp.cpp libParModelicaExpl.a $(OPENLC_LIB) $(CFLAGS)
```


Going back further in time, I found the following commit in the archived OpenModelica/OMCompiler repository when it was a submodule.

OpenModelica/OMCompiler@d8285af#diff-242370b48b4920f97b1e9430ae1d36a35cbd446915a89cc06b20eb334ef1154fR17

- $(CXX) -I. -o ocloffcomp$(EXEEXT) ocl_offcomp.c libOMOCLRuntime.a $(OPENLC_LIB) $(CFLAGS)
+ $(CXX) -I. -o ocloffcomp$(EXEEXT) ocl_offcomp.cpp libParModelicaExpl.a $(OPENLC_LIB) $(CFLAGS)
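Review bot: changing the build input from ocl_offcomp.c to ocl_offcomp.cpp leaves ocl_offcomp.c in the tree as dead code that still carries the strcpy/strcat into the 100-byte buffer; the stale file should be deleted in the same change (or the reason for keeping it recorded), since source scanners and CVE triage will otherwise keep flagging code that is never compiled or linked, which is exactly what happened with CVE-2019-1010038.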

The commit time is 2015-09-11T19:39:08+02:00

Therefore, OpenModelica built after 2015-09-11T19:39:08+02:00 does not include this vulnerability.
Dear @mahge is this correct?

May I ask the maintainer for the following two things?

  • Remove uncompiled code containing vulnerabilities (s.t. ocl_offcomp.c) from future releases
  • Provide NIST with a list of versions that do not actually contain the vulnerabilities and have the database modified.

mahge added a commit to mahge/OpenModelica that referenced this issue Dec 28, 2021
  - Closes OpenModelica#4787.

  - This file is not used anymore since its target is never built.

  - It has a buffer overflow vulnerability due to usage of an env
    variable that is appended to a static buffer array.

  - It was an experiment at having an "offline" compiler for OpenCL code.
    It was used to compile OpenCL code ahead of time and save some time
    by avoiding JIT (runtime) compilation.
@mahge
Contributor

mahge commented Dec 28, 2021

@ijknabla Thank you for tracking down and analyzing the issue.

As you said, the code was not actually used or even built. So it has been removed in #8367. This should resolve the vulnerability. Please let us know if there is anything more that prevents you from using OpenModelica in your organization.

mahge added a commit that referenced this issue Dec 28, 2021
  - Closes #4787.

  - This file is not used anymore since its target is never built.

  - It has a buffer overflow vulnerability due to usage of an env
    variable that is appended to a static buffer array.

  - It was an experiment at having an "offline" compiler for OpenCL code.
    It was used to compile OpenCL code ahead of time and save some time
    by avoiding JIT (runtime) compilation.
@ijknabla

ijknabla commented Dec 29, 2021

@mahge

> anything more that prevents you from using OpenModelica in your organization.

I confirmed that the NIST page already had a list of versions.
I would like to report this list and this response to the leaders.

Thank you very much.
