
A heap-buffer-overflow in libnsfdb_rrv_bucket.c:381:3 #5

Closed
seviezhou opened this issue Aug 4, 2020 · 2 comments

Comments

@seviezhou

System info

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), nsfdbinfo (latest master 62bdef)

Configure

CC=/home/seviezhou/AlphaFuzz/tools/alpha-clang CXX=/home/seviezhou/AlphaFuzz/tools/alpha-clang++ ./configure --enable-shared=no

Command line

./nsfdbtools/nsfdbinfo @@

AddressSanitizer output

=================================================================
==48413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62c00000782b at pc 0x000000533634 bp 0x7ffe4ec3c4f0 sp 0x7ffe4ec3c4e8
READ of size 1 at 0x62c00000782b thread T0
    #0 0x533633 in libnsfdb_rrv_bucket_read /home/seviezhou/libnsfdb/libnsfdb/libnsfdb_rrv_bucket.c:381:3
    #1 0x528da4 in libnsfdb_io_handle_read_superblock /home/seviezhou/libnsfdb/libnsfdb/libnsfdb_io_handle.c:3835:7
    #2 0x520902 in libnsfdb_file_open_read /home/seviezhou/libnsfdb/libnsfdb/libnsfdb_file.c:1035:6
    #3 0x51fa33 in libnsfdb_file_open_file_io_handle /home/seviezhou/libnsfdb/libnsfdb/libnsfdb_file.c:607:6
    #4 0x51f3ac in libnsfdb_file_open /home/seviezhou/libnsfdb/libnsfdb/libnsfdb_file.c:325:6
    #5 0x517598 in main /home/seviezhou/libnsfdb/nsfdbtools/nsfdbinfo.c:229:6
    #6 0x7ffb09faa83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x41a498 in _start (/home/seviezhou/libnsfdb/nsfdbtools/nsfdbinfo+0x41a498)

0x62c00000782b is located 0 bytes to the right of 30251-byte region [0x62c000000200,0x62c00000782b)
allocated by thread T0 here:
    #0 0x4de6a8 in malloc /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x527784 in libnsfdb_io_handle_read_superblock /home/seviezhou/libnsfdb/libnsfdb/libnsfdb_io_handle.c:3082:34
    #2 0x520902 in libnsfdb_file_open_read /home/seviezhou/libnsfdb/libnsfdb/libnsfdb_file.c:1035:6
    #3 0x51fa33 in libnsfdb_file_open_file_io_handle /home/seviezhou/libnsfdb/libnsfdb/libnsfdb_file.c:607:6

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seviezhou/libnsfdb/libnsfdb/libnsfdb_rrv_bucket.c:381:3 in libnsfdb_rrv_bucket_read
Shadow bytes around the buggy address:
  0x0c587fff8eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c587fff8f00: 00 00 00 00 00[03]fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==48413==ABORTING

POC

heap-overflow-libnsfdb_rrv_bucket_read-libnsfdb_rrv_bucket-381.zip
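The sanitizer output above describes a one-byte read at exactly the end of a heap region whose size came from the file being parsed. The following is an added example, not libnsfdb code, and it uses a hypothetical record layout (a 16-bit entry count followed by 32-bit entries) rather than the real RRV bucket format; the names reader_t, parse_bucket, parse_heap_copy and the sample byte strings are all constructed here. It shows the bounds-checking discipline that rejects this class of input: every read is measured against the bytes remaining in the allocation, and a declared count is validated against the remaining size before the loop that consumes it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cursor over a read-only buffer. Every read goes through reader_take(),
 * which refuses to hand out bytes outside [data, data + size). */
typedef struct {
    const uint8_t *data;
    size_t size;
    size_t offset;   /* invariant: offset <= size */
} reader_t;

/* Returns 1 and exposes `len` bytes at *out, or 0 if fewer than `len`
 * bytes remain. Because offset <= size, the subtraction cannot wrap.
 * A request for 1 byte at offset == size is exactly the read ASan
 * reported: "0 bytes to the right of" the allocation. */
static int reader_take(reader_t *r, size_t len, const uint8_t **out)
{
    if (len > r->size - r->offset) {
        return 0;
    }
    *out = r->data + r->offset;
    r->offset += len;
    return 1;
}

static int reader_u16le(reader_t *r, uint16_t *v)
{
    const uint8_t *p;
    if (!reader_take(r, 2, &p)) return 0;
    *v = (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
    return 1;
}

static int reader_u32le(reader_t *r, uint32_t *v)
{
    const uint8_t *p;
    if (!reader_take(r, 4, &p)) return 0;
    *v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 1;
}

enum { BUCKET_OK = 0, BUCKET_TRUNCATED = -1, BUCKET_NOMEM = -2 };

/* Hypothetical bucket layout (NOT the libnsfdb RRV bucket format):
 *   uint16_le entry_count
 *   uint32_le entry[entry_count]
 * Sums the entries; refuses to read anything the buffer does not contain. */
int parse_bucket(const uint8_t *buf, size_t size, uint32_t *entry_count, uint64_t *sum)
{
    reader_t r = { buf, size, 0 };
    uint16_t count;
    uint64_t acc = 0;

    if (!reader_u16le(&r, &count)) {
        return BUCKET_TRUNCATED;
    }
    /* Validate the declared body size once, before the loop, so a header that
     * promises more entries than the allocation holds is rejected up front. */
    if ((size_t)count * 4 > r.size - r.offset) {
        return BUCKET_TRUNCATED;
    }
    for (uint16_t i = 0; i < count; i++) {
        uint32_t v;
        if (!reader_u32le(&r, &v)) {  /* cannot fail after the check above; kept as a second line of defence */
            return BUCKET_TRUNCATED;
        }
        acc += v;
    }
    *entry_count = count;
    *sum = acc;
    return BUCKET_OK;
}

/* Constructed samples (not taken from the report's POC). */
static const uint8_t SAMPLE_OK[]    = { 0x02, 0x00, 0x01, 0, 0, 0, 0x05, 0, 0, 0 }; /* 2 entries: 1 and 5 */
static const uint8_t SAMPLE_SHORT[] = { 0x02, 0x00, 0x01, 0, 0, 0, 0x05, 0, 0 };    /* claims 2, one byte missing */

/* Copies a sample into a heap block of exactly its size, the situation a file
 * reader is in when the region size comes from an on-disk header, then parses it. */
int parse_heap_copy(const uint8_t *sample, size_t size, uint32_t *entry_count, uint64_t *sum)
{
    uint8_t *heap = malloc(size);
    if (heap == NULL) return BUCKET_NOMEM;
    memcpy(heap, sample, size);
    int rc = parse_bucket(heap, size, entry_count, sum);
    free(heap);
    return rc;
}

/* Convenience wrapper: the entry sum, or -1 if the sample is rejected. */
long sample_sum(const uint8_t *sample, size_t size)
{
    uint32_t n;
    uint64_t s;
    if (parse_heap_copy(sample, size, &n, &s) != BUCKET_OK) return -1;
    return (long)s;
}

int main(void)
{
    printf("ok sample:    sum=%ld\n", sample_sum(SAMPLE_OK, sizeof SAMPLE_OK));       /* 6 */
    printf("short sample: sum=%ld\n", sample_sum(SAMPLE_SHORT, sizeof SAMPLE_SHORT)); /* -1 */
    return 0;
}
```

Run under AddressSanitizer, a parser built this way reports nothing on the truncated sample because no read ever reaches past the allocation; the truncation surfaces as a return code the caller can log instead.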

@joachimmetz
Member

@seviezhou per README:

Note that this project currently only focuses on the analysis of the format.

It is a complete waste of time to analyze this project for security bugs until it is ready to be used, per #2.

@joachimmetz
Member

Before a stable release this project will seek OSS-Fuzz integration, so that it does not need to rely on external parties that copy-paste the output of a fuzzing tool directly into a GitHub issue without any further analysis.
