
out of bound read in trim_whitespace #109

Closed
jinyu00 opened this issue Jul 18, 2018 · 5 comments

Comments


jinyu00 commented Jul 18, 2018

libconfuse_poc.txt

When opening a crafted file, the program could trigger an out-of-bounds read.


```
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7fc06d0 --> 0x7ffff761c14c --> 0x2000200020002 
RBX: 0x611720 (" this is a comment(\220\216\363rbose=true")
RCX: 0x1d 
RDX: 0x23 ('#')
RSI: 0x3 
RDI: 0x60ce80 --> 0x0 
RBP: 0x60ce80 --> 0x0 
RSP: 0x7fffffffdce0 --> 0x0 
RIP: 0x4054b7 (<qend+71>:	movsx  rbp,BYTE PTR [rbx+r13*1])
R8 : 0x1 
R9 : 0x3 
R10: 0x7fffffffdaa0 --> 0x0 
R11: 0x7ffff7a41110 (<__ctype_b_loc>:	mov    rax,QWORD PTR [rip+0x391ce9]        # 0x7ffff7dd2e00)
R12: 0x20 (' ')
R13: 0x20 (' ')
R14: 0x611700 --> 0x60d6a0 --> 0x60d460 --> 0xfbad2498 
R15: 0x60d6a0 --> 0x60d460 --> 0xfbad2498
EFLAGS: 0x203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4054a9 <qend+57>:	jbe    0x405535 <qend+197>
   0x4054af <qend+63>:	mov    r13d,r12d
   0x4054b2 <qend+66>:	call   0x4012f0 <__ctype_b_loc@plt>
=> 0x4054b7 <qend+71>:	movsx  rbp,BYTE PTR [rbx+r13*1]
   0x4054bc <qend+76>:	mov    rsi,QWORD PTR [rax]
   0x4054bf <qend+79>:	jmp    0x4054ce <qend+94>
   0x4054c1 <qend+81>:	nop    DWORD PTR [rax+0x0]
   0x4054c8 <qend+88>:	cmp    r13d,0x1
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdce0 --> 0x0 
0008| 0x7fffffffdce8 --> 0x47 ('G')
0016| 0x7fffffffdcf0 --> 0x60ce80 --> 0x0 
0024| 0x7fffffffdcf8 --> 0x60d712 --> 0x72657672657300 ('')
0032| 0x7fffffffdd00 --> 0x60d711 --> 0x726576726573000a ('\n')
0040| 0x7fffffffdd08 --> 0x405fef (<cfg_yylex+447>:	add    rsp,0x38)
0048| 0x7fffffffdd10 --> 0x4010 
0056| 0x7fffffffdd18 --> 0x60d460 --> 0xfbad2498 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x00000000004054b7 in trim_whitespace (len=0x20, str=0x611720 " this is a comment(\220\216\363rbose=true") at lexer.l:397
397		if ((str[len] == 0 || isspace(str[len])) && isspace(str[len - 1]))
gdb-peda$ bt
#0  0x00000000004054b7 in trim_whitespace (len=0x20, str=0x611720 " this is a comment(\220\216\363rbose=true") at lexer.l:397
#1  qend (cfg=cfg@entry=0x60ce80, ret=0x8, trim=0x1) at lexer.l:420
#2  0x0000000000405fef in cfg_yylex (cfg=cfg@entry=0x60ce80) at lexer.l:125
#3  0x0000000000403990 in cfg_parse_internal (cfg=cfg@entry=0x60ce80, level=level@entry=0x0, force_state=force_state@entry=0xffffffff, force_opt=force_opt@entry=0x0) at confuse.c:1060
#4  0x00000000004041b9 in cfg_parse_fp (cfg=0x60ce80, fp=<optimized out>) at confuse.c:1442
#5  0x0000000000404286 in cfg_parse (cfg=cfg@entry=0x60ce80, filename=<optimized out>) at confuse.c:1535
#6  0x00000000004014ce in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe318) at simple.c:46
#7  0x00007ffff7a32f45 in __libc_start_main (main=0x4013b0 <main>, argc=0x2, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at libc-start.c:287
#8  0x0000000000401607 in _start ()
gdb-peda$ x/4xg $rbx-0x10
0x611710:	0x0000000000000000	0x0000000000000031
0x611720:	0x7369207369687420	0x656d6d6f63206120
gdb-peda$ p/x $r13
$3 = 0x20
gdb-peda$ 
```

As you can see, $rbx points to a 0x30-sized malloc chunk (whose usable size is 0x20), and $r13 is 0x20,

so

```
0x4054b7 <qend+71>:	movsx  rbp,BYTE PTR [rbx+r13*1]
```

could access **1 byte outside of** the valid memory.

The PoC file:

https://gitee.com/hac425/blog_data/blob/master/fuzz_pocs/libconfuse_poc
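The check quoted at lexer.l:397 next to a bounds-checked form, as an added C example (this is not libconfuse's code or its fix commit; the `cap` parameter, the function names and the sample buffer are assumptions constructed here to mirror the report):

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Same shape as the check at lexer.l:397 in the report: when len equals
 * the allocated size, str[len] is the byte just past the buffer. The
 * plain-char argument to isspace() is also sign-extended (the movsx in
 * the disassembly), so bytes >= 0x80 index the ctype table negatively. */
int trailing_space_unchecked(const char *str, size_t len)
{
    return (str[len] == 0 || isspace(str[len])) && isspace(str[len - 1]);
}

/* Hardened form (assumed fix, not libconfuse's): the caller also passes
 * the allocation size cap; str[len] is read only when len < cap, the end
 * of the buffer counts as a terminator, and bytes go through unsigned char. */
int trailing_space_checked(const char *str, size_t len, size_t cap)
{
    int at_end;

    if (len == 0 || len > cap)
        return 0;
    at_end = (len == cap) || str[len] == '\0' ||
             isspace((unsigned char)str[len]);
    return at_end && isspace((unsigned char)str[len - 1]);
}

/* Strip trailing whitespace in place without ever indexing at or past cap.
 * Returns the new length; NUL-terminates only when there is room for it. */
size_t trim_trailing(char *str, size_t len, size_t cap)
{
    if (len > cap)
        len = cap;
    while (len > 0 && isspace((unsigned char)str[len - 1]))
        len--;
    if (len < cap)
        str[len] = '\0';
    return len;
}

/* Constructed 32-byte buffer mirroring the PoC string from the report:
 * exactly 0x20 bytes and no terminating NUL, so len == cap. */
size_t poc_like_case(void)
{
    char buf[32] = " this is a comment(\220\216\363rbose=true";
    /* trailing_space_unchecked(buf, 32) would read buf[32]: out of bounds */
    return (size_t)trailing_space_checked(buf, sizeof buf, sizeof buf);
}
```

Built with -fsanitize=address, calling the unchecked variant on the PoC-like buffer reports the one-byte overread; the checked variant returns 0 without touching buf[32].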
@troglobit (Collaborator)

Thank you for the report, I've attached the poc to this issue.

troglobit added a commit that referenced this issue Aug 12, 2018

zorun commented Aug 18, 2018

It seems that this issue has got a CVE number: https://security-tracker.debian.org/tracker/CVE-2018-14447

@troglobit Can you make a new minor release with the fix?

@troglobit (Collaborator)

OK sure ... next time, commenting on closed issues can be tricky to find for a maintainer.



zorun commented Aug 19, 2018

Thanks!

buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Aug 20, 2018
Fixes CVE-2018-14447: libconfuse/libconfuse#109

Signed-off-by: Frank Hunleth <fhunleth@troodon-software.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>