
libfsclfs_block.c:742 1 byte OOB read #3

Closed
seeutonight opened this issue Aug 8, 2018 · 8 comments
Comments

@seeutonight

The libfsclfs_block_read function in libfsclfs_block.c:742 in libfsclfs allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted CLFS file.

./fsclfsinfo libfsclfs_block_read
==9230==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000480 at pc 0x000000572f6c bp 0x7ffeaec3d480 sp 0x7ffeaec3d478
READ of size 1 at 0x619000000480 thread T0
    #0 0x572f6b in libfsclfs_block_read /home/xxx/Desktop/afl-of-things/libfsclfs/libfsclfs/libfsclfs_block.c:742:41
    #1 0x534a71 in libfsclfs_store_read_block_descriptors /home/xxx/Desktop/afl-of-things/libfsclfs/libfsclfs/libfsclfs_store.c:1849:6
    #2 0x5329dc in libfsclfs_store_open_read /home/xxx/Desktop/afl-of-things/libfsclfs/libfsclfs/libfsclfs_store.c:1678:6
    #3 0x532656 in libfsclfs_store_open_file_io_handle /home/xxx/Desktop/afl-of-things/libfsclfs/libfsclfs/libfsclfs_store.c:720:6
    #4 0x531d2d in libfsclfs_store_open /home/xxx/Desktop/afl-of-things/libfsclfs/libfsclfs/libfsclfs_store.c:419:6
    #5 0x529958 in main /home/xxx/Desktop/afl-of-things/libfsclfs/fsclfstools/fsclfsinfo.c:545:11
    #6 0x7fa17d2d882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x42c638 in _start (/home/xxx/Desktop/afl-of-things/libfsclfs/fsclfstools/fsclfsinfo+0x42c638)

0x619000000480 is located 0 bytes to the right of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T0 here:
    #0 0x4f0cd0 in realloc (/home/xxx/Desktop/afl-of-things/libfsclfs/fsclfstools/fsclfsinfo+0x4f0cd0)
    #1 0x572191 in libfsclfs_block_read /home/xxx/Desktop/afl-of-things/libfsclfs/libfsclfs/libfsclfs_block.c:533:17

poc.zip
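The report above shows the classic shape of an off-by-one: a 1-byte read "0 bytes to the right of" a 1024-byte heap region. The following is an added illustration, not libfsclfs code and not the project's fix: a hypothetical record-block walker with the off-by-one bounds check beside a hardened version that checks every byte exists before reading it. The record layout, function names and the 256-byte sample records are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical record-block walker, not libfsclfs code. Assumed layout:
 * [type:1][length:1][payload:length] records, block ends at type 0x00. */
#define RECORD_END 0x00

/* Off-by-one walker: the check runs after the header byte is read and uses '>'
 * not '>=', so input cut on a record boundary reads data[size], 1 byte OOB. */
int count_records_unchecked(const uint8_t *data, size_t size)
{
    size_t offset = 0; int count = 0;
    for (;;) {
        if (data[offset] == RECORD_END)   /* reads data[size] when offset == size */
            return count;
        offset += 2 + data[offset + 1];
        if (offset > size)                /* too late, and not '>=' */
            return -1;
        count++;
    }
}

/* Hardened walker: each byte is proven to exist before it is read. */
int count_records_checked(const uint8_t *data, size_t size)
{
    size_t offset = 0; int count = 0;
    while (offset < size) {                          /* type byte exists */
        if (data[offset] == RECORD_END)
            return count;
        if (size - offset < 2)                       /* length byte exists */
            return -1;
        if ((size_t)data[offset + 1] > size - offset - 2)   /* payload fits */
            return -1;
        offset += 2 + data[offset + 1];
        count++;
    }
    return -1;                                       /* data ended before the end marker */
}

/* Constructed 1024-byte block of n records (256 bytes each, zero payload); the end
 * marker is whatever follows the last record. backing[1024] stands in for the heap
 * redzone ASan flags, so the unchecked walker's OOB read stays inside this array. */
int demo(int n, int use_checked)
{
    uint8_t backing[1025] = {0};
    for (int i = 0; i < n && i < 4; i++) {
        backing[i * 256] = 0x01;          /* type */
        backing[i * 256 + 1] = 254;       /* payload length */
    }
    return use_checked ? count_records_checked(backing, 1024)
                       : count_records_unchecked(backing, 1024);
}
```

With four records the block is filled exactly and the unchecked walker "finds" its end marker one byte past the block, returning 4 as if the input were well formed, while the checked walker rejects the truncated block with -1.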

@seeutonight (Author)

This vulnerability has been assigned as CVE-2018-15157.

@joachimmetz (Member)

This project is pre-alpha status and does not support network. Please correct your impact assessment.

@joachimmetz (Member) commented Aug 8, 2018

Regarding filing a CVE for this, read libyal/libevt#5. And make sure your report is accurate, otherwise it's a waste of people's time and resources. Seeing that, based on your report, the bug appears to be an OOB read of 1 byte.

@joachimmetz (Member) commented Aug 8, 2018

> allow remote attackers to cause a denial of service(invalid memory read and application crash) via a crafted clfs file.

BTW, could you send me actual proof of these claims about actual crashes, such as core files, and which compiler / platform the binary was built with?

@joachimmetz (Member) commented Aug 8, 2018

Your POC does not crash; it is not even accepted as valid input:

fsclfstools/fsclfsinfo ../input/clfs/corrupt/libfsclfs_block_read 
fsclfsinfo 20180725

Unable to open: ../input/clfs/corrupt/libfsclfs_block_read.
libfsclfs_store_read_store_metadata: invalid information records size value out of bounds.
libfsclfs_store_open_read: unable to read store metadata.
libfsclfs_store_open_file_io_handle: unable to read from file IO handle.
libfsclfs_store_open: unable to open store: ../input/clfs/corrupt/libfsclfs_block_read.
info_handle_open_input: unable to open input store.

So this would not lead to any hypothetical denial of service since your proof of concept file would not be accepted as valid input in the first place.

@joachimmetz changed the title from "libfsclfs_block.c:742 OOB read Access Violation" to "libfsclfs_block.c:742 1 byte OOB read" on Aug 8, 2018
@joachimmetz (Member) commented Aug 15, 2018

@seeutonight friendly ping: are you going to provide proof to back the claims of your impact assessment?

@joachimmetz (Member) commented Aug 15, 2018

Marking as:

A software vulnerability, ..., is a mistake in software that can be directly used by a hacker to gain access to a system or network. 
  • bug, for the OOB read

@joachimmetz (Member)

OOB read addressed in 7865021
