
Heap Buffer Overflow in listfdb (master, libming 0.4.8 and earlier) #104

Closed
hlef opened this issue Jan 26, 2018 · 2 comments

@hlef
Contributor

commented Jan 26, 2018

The printDefineFont2 function (util/listfdb.c) in libming through 0.4.8 is vulnerable to a heap buffer overflow. This vulnerability also affects the master branch.

Reproduce:
$ listfdb heap-buffer-overflow-in-listfdb-poc-1.fdb

Output:

Font Name: f
number of glyphs: 1

Offset0: -8
=================================================================
==10756==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x555c8a143265 bp 0x7ffe9878bb30 sp 0x7ffe9878bb28
WRITE of size 4 at 0x602000000014 thread T0
    #0 0x555c8a143264 in printDefineFont2 (/home/hle/Development/C/libming/util/.libs/listfdb+0x3264)
    #1 0x555c8a14388c in main (/home/hle/Development/C/libming/util/.libs/listfdb+0x388c)
    #2 0x7f1f02e48f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #3 0x555c8a141c69 in _start (/home/hle/Development/C/libming/util/.libs/listfdb+0x1c69)

0x602000000014 is located 0 bytes to the right of 4-byte region [0x602000000010,0x602000000014)
allocated by thread T0 here:
    #0 0x7f1f035ccc20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x555c8a14319a in printDefineFont2 (/home/hle/Development/C/libming/util/.libs/listfdb+0x319a)
    #2 0x555c8a14388c in main (/home/hle/Development/C/libming/util/.libs/listfdb+0x388c)
    #3 0x7f1f02e48f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hle/Development/C/libming/util/.libs/listfdb+0x3264) in printDefineFont2
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10756==ABORTING

This may allow attackers to cause a denial of service or unspecified other impact via a crafted FDB file.

You can find the reproducer here.

@hlef

Contributor Author

commented Jan 27, 2018

This issue is coming from the following code part:

/* allocation: room for exactly nGlyphs entries */
offset = (unsigned int *)malloc(nGlyphs*sizeof(int));

(...)

/* loop bound is inclusive, so nGlyphs + 1 entries are read and stored */
for(i=0; i<=nGlyphs; ++i)
{
    if(flags & FONTINFO2_WIDEOFFSETS)
        off = readUInt32(f);
    else
        off = readUInt16(f);
    offset[i] = off-nGlyphs*4-4;   /* i == nGlyphs writes one past the allocation */
    printf("%sOffset%i: %i\n", indent(), i, offset[i]);
}

In the case of the reproducer there is only one glyph, but listfdb reads two and stores two glyphs in the offset array even though its size is only one.

I'll submit a fix.
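As an added example (not libming's code and not the reporter's), the following program puts the loop shape quoted above beside the bound the fix uses and runs both over a constructed in-memory record. It assumes a made-up record layout (a 16-bit little-endian nGlyphs, one flags byte, then the offsets), a made-up value for FONTINFO2_WIDEOFFSETS, and a reader that returns 0 and flags truncation on short input, none of which is the real FDB format. Out-of-bounds stores are counted instead of performed, so the program demonstrates the off-by-one without corrupting its own heap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* ASSUMPTION: made-up bit value; libming's header defines the real constant. */
#define FONTINFO2_WIDEOFFSETS 0x08

/* Little-endian reader over a byte buffer. Reads past the end return 0 and set
 * `truncated` (ASSUMPTION: a model of readUInt16/readUInt32, not libming's code). */
typedef struct { const uint8_t *data; size_t len, pos; bool truncated; } reader_t;

static uint32_t rd_u16(reader_t *r) {
    if (r->len - r->pos < 2) { r->truncated = true; r->pos = r->len; return 0; }
    uint32_t v = (uint32_t)r->data[r->pos] | (uint32_t)r->data[r->pos + 1] << 8;
    r->pos += 2;
    return v;
}
static uint32_t rd_u32(reader_t *r) {
    uint32_t lo = rd_u16(r), hi = rd_u16(r);
    return lo | hi << 16;
}

typedef struct {
    int *offset;       /* nGlyphs slots, as upstream allocates; caller frees */
    size_t nGlyphs;
    size_t written;    /* stores that landed inside the allocation */
    size_t oob_writes; /* stores the loop attempted past the allocation */
    bool truncated;    /* a read ran off the end of the input */
} offsets_t;

/* Parse "nGlyphs (u16) | flags (u8) | offsets" (constructed layout, not real FDB).
 * upstream_loop=true uses the original bound `i <= nGlyphs`; false uses the fix's
 * `i < nGlyphs` and additionally stops on truncated input. */
static offsets_t parse_offsets(const uint8_t *buf, size_t len, bool upstream_loop) {
    reader_t r = { buf, len, 0, false };
    offsets_t res = { 0 };
    uint32_t nGlyphs = rd_u16(&r);
    uint32_t flags = 0;
    if (r.pos < r.len) flags = buf[r.pos++]; else r.truncated = true;
    res.nGlyphs = nGlyphs;
    /* upstream: malloc(nGlyphs*sizeof(int)); a minimum of one slot keeps nGlyphs==0 defined here */
    res.offset = calloc(nGlyphs ? nGlyphs : 1, sizeof(int));
    if (!res.offset) abort();
    for (size_t i = 0; upstream_loop ? i <= nGlyphs : i < nGlyphs; ++i) {
        uint32_t off = (flags & FONTINFO2_WIDEOFFSETS) ? rd_u32(&r) : rd_u16(&r);
        if (!upstream_loop && r.truncated) break;           /* hardened: refuse short input */
        int v = (int)((int64_t)off - (int64_t)nGlyphs * 4 - 4); /* same arithmetic as listfdb */
        if (i < nGlyphs) { res.offset[i] = v; res.written++; }
        else res.oob_writes++;  /* upstream writes offset[nGlyphs] here: the heap overflow */
    }
    res.truncated = r.truncated;
    return res;
}

/* Constructed samples. SAMPLE_POC mirrors the report's shape: one glyph, narrow offset 0. */
static const uint8_t SAMPLE_POC[]   = { 0x01, 0x00, 0x00, 0x00, 0x00 };
/* Two glyphs with the wide-offset flag, 32-bit offsets 12 and 20. */
static const uint8_t SAMPLE_WIDE[]  = { 0x02, 0x00, FONTINFO2_WIDEOFFSETS,
                                        12, 0, 0, 0, 20, 0, 0, 0 };
/* One glyph but only one byte of its 16-bit offset present. */
static const uint8_t SAMPLE_SHORT[] = { 0x01, 0x00, 0x00, 0x00 };

/* Wrappers that free the result so single values can be inspected directly. */
static size_t demo_oob(const uint8_t *buf, size_t len, bool upstream) {
    offsets_t o = parse_offsets(buf, len, upstream);
    size_t n = o.oob_writes; free(o.offset); return n;
}
static int demo_offset(const uint8_t *buf, size_t len, bool upstream, size_t i) {
    offsets_t o = parse_offsets(buf, len, upstream);
    int v = i < o.written ? o.offset[i] : 0; free(o.offset); return v;
}
static bool demo_truncated(const uint8_t *buf, size_t len, bool upstream) {
    offsets_t o = parse_offsets(buf, len, upstream);
    bool t = o.truncated; free(o.offset); return t;
}

int main(void) {
    offsets_t fixed = parse_offsets(SAMPLE_POC, sizeof SAMPLE_POC, false);
    printf("number of glyphs: %zu\n", fixed.nGlyphs);
    for (size_t i = 0; i < fixed.written; ++i)
        printf("Offset%zu: %i\n", i, fixed.offset[i]);   /* listfdb's own print format */
    free(fixed.offset);
    printf("upstream loop attempted %zu out-of-bounds store(s)\n",
           demo_oob(SAMPLE_POC, sizeof SAMPLE_POC, true));
    return 0;
}
```

On the PoC-shaped sample the hardened loop prints the same "Offset0: -8" line that appears in the report (off = 0, so 0 - 1*4 - 4), while the original bound attempts one store at index nGlyphs, which is the 4-byte write ASan flagged. The truncation check is a separate hardening: the original reader keeps going on a short file, so the extra iteration also reads past the end of the input.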

@hlef

Contributor Author

commented Jan 30, 2018

FTR, this issue was assigned id CVE-2018-6358.

hlef added a commit to hlef/libming that referenced this issue Mar 11, 2018

Fix heap buffer overflow in listfdb.c
listfdb reads nGlyphs + 1 glyphs and stores them in an array of size
nGlyphs*sizeof(int), resulting in a heap buffer overflow.

In this commit we replace for(i=0; i<=nGlyphs; ++i)
by for(i=0; i < nGlyphs; ++i) so that only nGlyphs glyphs are read.

This patch addresses CVE-2018-6358 (fixes libming#104).

@strk strk closed this in #124 Mar 11, 2018
