Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap overflow in function MmsValue_decodeMmsData mms/iso_mms/server/mms_access_result.c:238 #194

Closed
sleicasper opened this issue Dec 20, 2019 · 0 comments

Comments

@sleicasper
Copy link

Function MmsValue_decodeMmsData has heap overflow vulnerability in file mms/iso_mms/server/mms_access_result.c.

Screen Shot 2019-12-20 at 9 48 22 PM

poc:
poc.zip

steps to reproduce:

  1. compile libiec61850 with compiler flag
CFLAGS=-fsanitize=address -g
CXXFLAGS=-fsanitize=address -g
  1. compile test.c in poc.zip
  2. run: ./test < poc in gdb

result in gdb

gdb-peda$ r < poc
Starting program: /home/casper/targets/struct/libiec61850/dbg/fuzzrun/test < poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
=================================================================
==25413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000079 at pc 0x000000491f90 bp 0x7fffffffdb10 sp 0x7fffffffd2d8
WRITE of size 18 at 0x602000000079 thread T0
[New process 25894]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
process 25894 is executing new program: /home/casper/fuzz/fuzzdeps/llvm9/bin/llvm-symbolizer
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    #0 0x491f8f in __asan_memcpy /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22:3
    #1 0x7ffff7a00519 in MmsValue_decodeMmsData /home/casper/targets/struct/libiec61850/dbg/SRC/src/mms/iso_mms/server/mms_access_result.c:239:9
    #2 0x7ffff79ff9b3 in MmsValue_decodeMmsData /home/casper/targets/struct/libiec61850/dbg/SRC/src/mms/iso_mms/server/mms_access_result.c:194:38
    #3 0x4c21df in main /home/casper/targets/struct/libiec61850/dbg/../fuzzsrc/fuzzmmsdata.c:12:21
    #4 0x7ffff6969b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41ab99 in _start (/home/casper/targets/struct/libiec61850/dbg/fuzzrun/test+0x41ab99)

0x602000000079 is located 0 bytes to the right of 9-byte region [0x602000000070,0x602000000079)
allocated by thread T0 here:
    #0 0x492c12 in calloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:154:3
    #1 0x7ffff7b6f15c in Memory_calloc /home/casper/targets/struct/libiec61850/dbg/SRC/hal/memory/lib_memory.c:59:20
    #2 0x7ffff7a25724 in Asn1PrimitiveValue_create /home/casper/targets/struct/libiec61850/dbg/SRC/src/mms/asn1/asn1_ber_primitive_value.c:35:28
    #3 0x7ffff7a29cfd in BerInteger_createInt64 /home/casper/targets/struct/libiec61850/dbg/SRC/src/mms/asn1/ber_integer.c:174:12
    #4 0x7ffff79891ac in MmsValue_newUnsigned /home/casper/targets/struct/libiec61850/dbg/SRC/src/mms/iso_mms/common/mms_value.c:1300:31
    #5 0x7ffff7a00300 in MmsValue_decodeMmsData /home/casper/targets/struct/libiec61850/dbg/SRC/src/mms/iso_mms/server/mms_access_result.c:238:17
    #6 0x7ffff79ff9b3 in MmsValue_decodeMmsData /home/casper/targets/struct/libiec61850/dbg/SRC/src/mms/iso_mms/server/mms_access_result.c:194:38
    #7 0x4c21df in main /home/casper/targets/struct/libiec61850/dbg/../fuzzsrc/fuzzmmsdata.c:12:21
    #8 0x7ffff6969b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 00 fa fa 01 fa fa fa 00 02 fa fa 00[01]
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==25413==ABORTING
[Inferior 2 (process 25894) exited normally]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant