heap-buffer-overflow in parse_dict_node #89

Closed
zhunki opened this issue Jan 18, 2017 · 8 comments

@zhunki
Contributor

commented Jan 18, 2017

==31012== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5802c1a at pc 0x80679a0 bp 0xbffd9648 sp 0xbffd963c
READ of size 1 at 0xb5802c1a thread T0
#0 0x806799f in parse_array_node /home/b/asan/libplist/src/bplist.c:490
#1 0x806799f in parse_bin_node /home/b/asan/libplist/src/bplist.c:645
#2 0x806a0f3 in parse_bin_node_at_index /home/b/asan/libplist/src/bplist.c:703
#3 0x806b09e in plist_from_bin /home/b/asan/libplist/src/bplist.c:767
#4 0x804a1c4 in main /home/b/asan/libplist/tools/plistutil.c:139
#5 0xb600ba82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#6 0x804ad45 in _start (/home/b/asan/libplist/tools/plistutil+0x804ad45)
0xb5802c1a is located 34 bytes to the right of 104-byte region [0xb5802b90,0xb5802bf8)
allocated by thread T0 here:
#0 0xb61d3854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
#1 0x80497ae in main /home/b/asan/libplist/tools/plistutil.c:132
#2 0xb600ba82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/b/asan/libplist/src/bplist.c:453 parse_dict_node

poc17.txt

@nikias

Member

commented Jan 19, 2017

@zhunki Can you re-run your test with the latest code on git master? I fixed a couple of things so this issue might not happen anymore. Thanks.

@zhunki

Contributor Author

commented Jan 20, 2017

As for me, the problem still can be reproduced under ASAN, but disappears without ASAN.

==8876== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5802c12 at pc 0x80650b4 bp 0xbfa4d9c8 sp 0xbfa4d9bc
READ of size 8 at 0xb5802c12 thread T0
#0 0x80650b3 in parse_array_node /home/b/a/libplist-master/src/bplist.c:478
#1 0x80650b3 in parse_bin_node /home/b/a/libplist-master/src/bplist.c:633
#2 0x806711d in parse_bin_node_at_index /home/b/a/libplist-master/src/bplist.c:691
#3 0x8069f02 in plist_from_bin /home/b/a/libplist-master/src/bplist.c:758
#4 0x804a2d4 in main /home/b/a/libplist-master/tools/plistutil.c:145
#5 0xb5f6fa82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#6 0x804ae05 in _start (/home/b/a/libplist-master/tools/plistutil+0x804ae05)
0xb5802c12 is located 26 bytes to the right of 104-byte region [0xb5802b90,0xb5802bf8)
allocated by thread T0 here:
#0 0xb6137854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
#1 0x804990a in main /home/b/a/libplist-master/tools/plistutil.c:138
#2 0xb5f6fa82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/b/a/libplist-master/src/bplist.c:414 parse_dict_node
Shadow bytes around the buggy address:
0x36b00530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b00540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b00550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b00560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b00570: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
=>0x36b00580: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b00590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b005a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b005b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b005c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b005d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe

@zhunki

Contributor Author

commented Jan 20, 2017

It must occur before the infinite recursion because it says "Recursion detected in binary plist. Aborting." without ASAN.

@ncopa


commented Feb 1, 2017

@nikias I fixed a couple of things so this issue might not happen anymore.

Can you please tell exactly which commit fixes the issue so we can backport the patch for distro packages?

@nikias

Member

commented Feb 1, 2017

I haven't fully confirmed this issue is fixed yet. The commit 6a44dfb was the latest before replying to the initial report.

@nikias

Member

commented Feb 1, 2017

Ok I checked and another issue was still there. Fixed with commit 4765d9a.

@nikias nikias closed this Feb 1, 2017

@nikias

Member

commented Feb 1, 2017

Just to complete the information, the other issue was in parse_array_node where the calculation of the items in an array would read out of bounds of the plist when the ref_size is too large. I had to modify the plist for the test to work properly, otherwise it would fail to parse before it reaches the affected location in the code.

Base64 sample of poc17.bplist:

YnBsaXN0MDClATAwMDATMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwCA4BgQAAAAAAAAAGAAAAAAAAAAAAAAAAAAAASw==
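A hardened form of the array-ref read that nikias describes above, added here as an illustration and not libplist's own code: before reading count refs of ref_size bytes each, it checks that they fit inside the remaining plist buffer. The function names, the sample node bytes and the sample_refs array are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative (not libplist) reader for the object-ref list that follows a
 * bplist array marker. The check that parse_array_node lacked: the refs, count
 * of them at ref_size bytes each, must lie inside the plist buffer before any
 * byte is read. Names and sample bytes here are constructed for the example. */

/* Reads `count` big-endian refs of width ref_size (1..8) starting at p into
 * out. Returns the number of refs read, or -1 if ref_size is invalid, the
 * refs would extend past `end`, or out_cap is too small. */
static int read_array_refs(const uint8_t *p, const uint8_t *end,
                           uint64_t count, uint8_t ref_size,
                           uint64_t *out, size_t out_cap)
{
    if (ref_size == 0 || ref_size > 8 || p > end)
        return -1;
    /* Divide instead of multiplying so a huge count cannot wrap around. */
    if (count > (uint64_t)(end - p) / ref_size)
        return -1;                  /* refs would run off the end of the plist */
    if (count > out_cap)
        return -1;
    for (uint64_t i = 0; i < count; i++) {
        uint64_t ref = 0;
        for (uint8_t b = 0; b < ref_size; b++)
            ref = (ref << 8) | p[i * ref_size + b];
        out[i] = ref;
    }
    return (int)count;
}

/* Constructed sample: array marker 0xA3 (type 0xA, count 3 in the low
 * nibble), three 1-byte refs, then two trailing bytes of the plist. */
static const uint8_t sample_node[] = { 0xA3, 0x01, 0x02, 0x03, 0x08, 0x0E };

uint64_t sample_refs[8];

/* Parses sample_node with the given ref_size, taking the count from the
 * marker's low nibble. Returns the refs read into sample_refs, or -1 when
 * count * ref_size does not fit in the bytes that remain after the marker. */
int parse_sample_array(uint8_t ref_size)
{
    const uint8_t *p = sample_node;
    const uint8_t *end = sample_node + sizeof(sample_node);
    uint64_t count = p[0] & 0x0F;   /* 3 */
    return read_array_refs(p + 1, end, count, ref_size,
                           sample_refs, sizeof(sample_refs) / sizeof(sample_refs[0]));
}
```

With ref_size 1 the three refs fit in the five bytes after the marker; with ref_size 2 or larger the same count would need more bytes than remain, which is the case the original code read past.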
@nikias

Member

commented Feb 2, 2017

The original issue was assigned CVE-2017-5834.
http://seclists.org/oss-sec/2017/q1/279
