Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow in getString(util/decompile.c:349) #112

Closed
fantasy7082 opened this issue Mar 7, 2018 · 2 comments · Fixed by #125
Closed

heap-buffer-overflow in getString(util/decompile.c:349) #112

fantasy7082 opened this issue Mar 7, 2018 · 2 comments · Fixed by #125

Comments

@fantasy7082
Copy link

Hi, i found a heap-buffer-overflow bug in the libming 0.4.8, the details are below(ASAN):

./swftocxx 004-heap-over-swf /dev/null
....
...
==15902==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000b090 at pc 0x000000410f70 bp 0x7ffe3f6b0340 sp 0x7ffe3f6b0330
READ of size 8 at 0x60b00000b090 thread T0
    #0 0x410f6f in getString /root/libming-asan/util/decompile.c:349
    #1 0x4127f1 in newVar_N /root/libming-asan/util/decompile.c:661
    #2 0x41d24c in decompileCALLMETHOD /root/libming-asan/util/decompile.c:2856
    #3 0x41e7ea in decompileAction /root/libming-asan/util/decompile.c:3285
    #4 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
    #5 0x41c727 in decompileDEFINEFUNCTION /root/libming-asan/util/decompile.c:2759
    #6 0x41e7b8 in decompileAction /root/libming-asan/util/decompile.c:3279
    #7 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
    #8 0x41b07e in decompileIF /root/libming-asan/util/decompile.c:2581
    #9 0x41e715 in decompileAction /root/libming-asan/util/decompile.c:3260
    #10 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
    #11 0x41eccd in decompile5Action /root/libming-asan/util/decompile.c:3441
    #12 0x40d221 in outputSWF_INITACTION /root/libming-asan/util/outputscript.c:1860
    #13 0x40e331 in outputBlock /root/libming-asan/util/outputscript.c:2083
    #14 0x40f3d9 in readMovie /root/libming-asan/util/main.c:286
    #15 0x40fb0e in main /root/libming-asan/util/main.c:359
    #16 0x7f49d15e582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x401b58 in _start (/usr/local/libming-asan/bin/swftocxx+0x401b58)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libming-asan/util/decompile.c:349 getString
Shadow bytes around the buggy address:
  0x0c167fff95c0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c167fff95d0: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c167fff95e0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c167fff95f0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c167fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c167fff9610: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==15902==ABORTING

POC FILE:https://github.com/fantasy7082/image_test/blob/master/004-heap-over-swf

@hlef
Copy link
Contributor

hlef commented Mar 12, 2018

Reproduced on latest master together with #123. FTR, this issue was assigned CVE number CVE-2018-7875.

@hlef
Copy link
Contributor

hlef commented Mar 12, 2018

So, it looks like getString() is retrieving constants from the constant pool without verifying that the pool contains them, which may lead to heap buffer overflows.

In order to verify that we have to know how many constants are stored in the pool. Unfortunately there's currently no way to know it because we don't store such information (we only keep the pool as a char **, right ?). I propose to add a counter for that. AFAIK this shouldn't be very difficult since we only modify the pool at two places in the source code: in decompile5Action and in decompileCONSTANTPOOL.

hlef added a commit to hlef/libming that referenced this issue Mar 12, 2018
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).

This patch fixes libming#112 (CVE-2018-7875), fixes libming#123, fixes libming#122.
hlef added a commit to hlef/libming that referenced this issue Mar 12, 2018
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).

This patch fixes libming#112 (CVE-2018-7875), fixes libming#123, fixes libming#122.
hlef added a commit to hlef/libming that referenced this issue Mar 12, 2018
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).

This patch fixes libming#112 (CVE-2018-7875), libming#120 (CVE-2018-7871), fixes libming#123,
fixes libming#122.
hlef added a commit to hlef/libming that referenced this issue Mar 12, 2018
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).

Also, do not return "" when a pointer is excepted (it should be legal to free
this return value).

This patch fixes libming#112 (CVE-2018-7875), fixes libming#120 (CVE-2018-7871),
fixes libming#117 (CVE-2018-7870), fixes libming#122, fixes libming#123.
hlef added a commit to hlef/libming that referenced this issue Mar 12, 2018
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).

Also, do not return "" when a pointer is excepted (it should be legal to free
this return value).

This patch fixes libming#112 (CVE-2018-7875), fixes libming#120 (CVE-2018-7871),
fixes libming#117 (CVE-2018-7870), fixes libming#122, fixes libming#123.
hlef added a commit to hlef/libming that referenced this issue Mar 12, 2018
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).

Also, do not return "" when a pointer is excepted (it should be legal to free
this return value).

This patch fixes libming#112 (CVE-2018-7875), fixes libming#120 (CVE-2018-7871),
fixes libming#117 (CVE-2018-7870), fixes libming#114 (CVE-2018-7872), fixes libming#122,
fixes libming#123.
hlef added a commit to hlef/libming that referenced this issue Mar 12, 2018
Constants are usually retrieved from the constant pool without verifying
that the pool actually contains them, which may lead to various heap
buffer overflow issues.

In this patch we add a counter keeping track of how many elements the pool
contains, and checks making sure that whenever the pool is accessed, the
constant in present in the pool (constant position < pool counter).

Also, do not return "" when a pointer is excepted (it should be legal to free
this return value).

This patch fixes libming#112 (CVE-2018-7875), fixes libming#120 (CVE-2018-7871),
fixes libming#117 (CVE-2018-7870), fixes libming#114 (CVE-2018-7872), fixes libming#122,
fixes libming#113 (CVE-2018-7868), fixes libming#123.
@strk strk closed this as completed in #125 Mar 13, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants