Heap buffer overflow in chmd_read_headers() #27

Closed
@JsHuang

Description:

Function chmd_read_headers() in libmspack has a heap buffer overflow problem (out-of-bounds read).

Affected version:

libmspack 0.9.1 alpha

Details:

In function chmd_read_headers(), line 486, memcmp(&name[33], &content_name[33], 8L) will lead to an out-of-bounds read while extracting a crafted chm file.

chmd.c, lines 486~492:

      if (name[0] == ':' && name[1] == ':') {
        /* system file */
        if (memcmp(&name[2], &content_name[2], 31L) == 0) {
          if (memcmp(&name[33], &content_name[33], 8L) == 0) {
            chm->sec1.content = fi;
          }
          else if (memcmp(&name[33], &control_name[33], 11L) == 0) {
            chm->sec1.control = fi;
          }

Details with ASan output:

./chmextract chmextract-overflow-chmd-486                      
chmextract-overflow-chmd-486
chmextract-overflow-chmd-486: invalid section number '89'.
chmextract-overflow-chmd-486: invalid section number '89'.
chmextract-overflow-chmd-486: invalid section number '89'.
chmextract-overflow-chmd-486: invalid section number '71'.
chmextract-overflow-chmd-486: invalid section number '266694953'.
chmextract-overflow-chmd-486: invalid section number '114'.
chmextract-overflow-chmd-486: invalid section number '84'.
chmextract-overflow-chmd-486: invalid section number '16259'.
chmextract-overflow-chmd-486: invalid section number '58'.
chmextract-overflow-chmd-486: invalid section number '67'.
chmextract-overflow-chmd-486: invalid section number '47'.
chmextract-overflow-chmd-486: invalid section number '48'.
chmextract-overflow-chmd-486: invalid section number '71'.
chmextract-overflow-chmd-486: invalid section number '266694953'.
chmextract-overflow-chmd-486: invalid section number '114'.
chmextract-overflow-chmd-486: invalid section number '84'.
chmextract-overflow-chmd-486: invalid section number '16259'.
chmextract-overflow-chmd-486: invalid section number '58'.
=================================================================
==9457==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002500 at pc 0x0000004bf5bc bp 0x7ffebbdd6c60 sp 0x7ffebbdd6410
READ of size 31 at 0x621000002500 thread T0
    #0 0x4bf5bb in __interceptor_memcmp.part.78 /src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x7f1b498ccde1 in chmd_read_headers /src/libmspack/libmspack/mspack/chmd.c:486
    #2 0x7f1b498ccde1 in chmd_real_open /src/libmspack/libmspack/mspack/chmd.c:163
    #3 0x7f1b498ccde1 in chmd_open /src/libmspack/libmspack/mspack/chmd.c:126
    #4 0x529a23 in main /src/libmspack/libmspack/examples/chmextract.c:92:18
    #5 0x7f1b489c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41a888 in _start (/src/libmspack/libmspack/examples/.libs/chmextract+0x41a888)

0x621000002500 is located 0 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
allocated by thread T0 here:
    #0 0x4e95bf in __interceptor_malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146
    #1 0x7f1b498cbd57 in chmd_read_headers /src/libmspack/libmspack/mspack/chmd.c:418
    #2 0x7f1b498cbd57 in chmd_real_open /src/libmspack/libmspack/mspack/chmd.c:163
    #3 0x7f1b498cbd57 in chmd_open /src/libmspack/libmspack/mspack/chmd.c:126

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcmp.part.78
==9457==ABORTING

PoC file:

https://github.com/JsHuang/pocs/blob/master/libmspack/chmextract-overflow-chmd-486

Credit: ADLab of Venustech
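The report above shows the pattern behind the crash: the comparisons at chmd.c:486 read a fixed 31 and then 8 or 11 bytes of `name` without first confirming that the directory entry's name is that long, and ASan shows the 31-byte read starting exactly at the end of the 4096-byte buffer allocated at chmd.c:418. The C sketch below is an added illustration, not libmspack's code or its fix: it classifies the same two CHM system files (the standard "::DataSpace/Storage/MSCompressed/..." names) but gates every memcmp on the entry's own name length; the function names and the sample entries are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two CHM system files chmd_read_headers() looks for (standard CHM names). */
static const char content_name[] = "::DataSpace/Storage/MSCompressed/Content";     /* 40 bytes */
static const char control_name[] = "::DataSpace/Storage/MSCompressed/ControlData"; /* 44 bytes */
enum sysfile { SYS_NONE = 0, SYS_CONTENT = 1, SYS_CONTROL = 2 };

/* Hypothetical hardened classifier: every memcmp is gated on the entry's own
 * name length, so it never touches bytes the entry does not contain (the code
 * on the page compares 31 and then 8 or 11 bytes unconditionally). */
enum sysfile classify_system_file(const char *name, size_t name_len)
{
    if (name_len < 2 || name[0] != ':' || name[1] != ':')
        return SYS_NONE;                       /* not a system file */
    /* both names share the 33-byte prefix "::DataSpace/Storage/MSCompressed/" */
    if (name_len < 33 || memcmp(&name[2], &content_name[2], 31) != 0)
        return SYS_NONE;
    if (name_len == sizeof(content_name) - 1 &&
        memcmp(&name[33], &content_name[33], name_len - 33) == 0)
        return SYS_CONTENT;
    if (name_len == sizeof(control_name) - 1 &&
        memcmp(&name[33], &control_name[33], name_len - 33) == 0)
        return SYS_CONTROL;
    return SYS_NONE;
}

/* Run the classifier on a copy in an exactly-sized heap buffer (no terminator,
 * no slack); built with -fsanitize=address, any over-read would be reported. */
enum sysfile classify_copy(const char *name, size_t name_len)
{
    char *buf = malloc(name_len ? name_len : 1);
    if (!buf) return SYS_NONE;
    memcpy(buf, name, name_len);
    enum sysfile r = classify_system_file(buf, name_len);
    free(buf);
    return r;
}

int main(void)
{
    /* constructed entries: both real system names, a name that matches the
     * shared prefix but stops short, and an ordinary content file */
    const char *short_name = "::DataSpace/Storage/MSCompressed/Con";
    printf("content=%d control=%d truncated=%d other=%d\n",
           classify_copy(content_name, 40), classify_copy(control_name, 44),
           classify_copy(short_name, strlen(short_name)), classify_copy("/index.htm", 10));
    return 0;
}
```

Compiling with `-fsanitize=address` and feeding the truncated entry is the quick way to confirm the gated version stays inside the buffer where the unconditional 31-byte memcmp would not.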
