`BerDecoder_decodeUint32` in src/mms/asn1/ber_decode.c doesn't check the passed arguments. `intLen` and `bufPos` can be large numbers, so the following memory access `buffer[bufPos+i]` would segfault.
poc: poc.zip
gdb stack backtrace:
```
gdb-peda$ r < poc
Starting program: /home/casper/targets/struct/libiec61850/dbg/fuzzrun/fuzzmmsdata < crashes/id:000010,sig:06,src:000030,op:int32,pos:16,val:-129
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xfa9000
RBX: 0x7fffffffdfc0 --> 0x7ffff7ffe170 --> 0x0
RCX: 0xfa9000
RDX: 0x1f5200
RSI: 0x7fffff00 --> 0x0
RDI: 0xf988c0 --> 0x9292929292929280
RBP: 0x7fffffffdf70 --> 0x7fffffffe2f0 --> 0x7fffffffe320 --> 0x4c2210 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffdf40 --> 0x1200000001 --> 0x0
RIP: 0x7ffff7a269a7 (<BerDecoder_decodeUint32+135>: movzx ecx,BYTE PTR [rax])
R8 : 0x7fffffffdf00 --> 0x400000000000000
R9 : 0x1
R10: 0x4
R11: 0x0
R12: 0x1f3118
R13: 0x7fffffffe400 --> 0x1
R14: 0xf988c0 --> 0x9292929292929280
R15: 0x1
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7a2699a <BerDecoder_decodeUint32+122>: mov rdi,QWORD PTR [rbp-0x20]
   0x7ffff7a2699e <BerDecoder_decodeUint32+126>: call 0x7ffff79643c0 <__asan_report_load1@plt>
   0x7ffff7a269a3 <BerDecoder_decodeUint32+131>: mov rax,QWORD PTR [rbp-0x20]
=> 0x7ffff7a269a7 <BerDecoder_decodeUint32+135>: movzx ecx,BYTE PTR [rax]
   0x7ffff7a269aa <BerDecoder_decodeUint32+138>: add ecx,DWORD PTR [rbp-0x14]
   0x7ffff7a269ad <BerDecoder_decodeUint32+141>: mov DWORD PTR [rbp-0x14],ecx
   0x7ffff7a269b0 <BerDecoder_decodeUint32+144>: mov eax,DWORD PTR [rbp-0x18]
   0x7ffff7a269b3 <BerDecoder_decodeUint32+147>: add eax,0x1
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdf40 --> 0x1200000001 --> 0x0
0008| 0x7fffffffdf48 --> 0x12
0016| 0x7fffffffdf50 --> 0xfa9000
0024| 0x7fffffffdf58 --> 0x1072c
0032| 0x7fffffffdf60 --> 0x7fffffff00000014
0040| 0x7fffffffdf68 --> 0xf988c0 --> 0x9292929292929280
0048| 0x7fffffffdf70 --> 0x7fffffffe2f0 --> 0x7fffffffe320 --> 0x4c2210 (<__libc_csu_init>: push r15)
0056| 0x7fffffffdf78 --> 0x7ffff7a01b72 (<MmsValue_decodeMmsData+1634>: mov edi,eax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7a269a7 in BerDecoder_decodeUint32 () from /home/casper/targets/struct/libiec61850/dbg/INSTALL/lib/libiec61850.so.1.4.0
gdb-peda$ bt
#0  0x00007ffff7a269a7 in BerDecoder_decodeUint32 () from /home/casper/targets/struct/libiec61850/dbg/INSTALL/lib/libiec61850.so.1.4.0
#1  0x00007ffff7a01b72 in MmsValue_decodeMmsData () from /home/casper/targets/struct/libiec61850/dbg/INSTALL/lib/libiec61850.so.1.4.0
#2  0x00000000004c21e0 in main ()
#3  0x00007ffff696bb97 in __libc_start_main (main=0x4c2180 <main>, argc=0x1, argv=0x7fffffffe408, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe3f8) at ../csu/libc-start.c:310
#4  0x000000000041ab9a in _start ()
```
- 6c53924: added additional length check in BerDecoder_decodeLength and checked return values in callers (fix problem #196)
Thanks for the bug report! The problem is caused by a missing check in BerDecoder_decodeLength. It should be fixed now.
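As an added illustration of the issue above and of the kind of check the fix commit describes, here is a minimal BER INTEGER decoder in C. It is example code written for this page, not libiec61850's own decoder: the functions `ber_decode_length`, `ber_decode_uint32` and `decode_ber_integer` and the byte strings in `main` are constructed for the example. `ber_decode_uint32` keeps the same contract as the function in the report (it validates nothing and indexes `buf[buf_pos + i]` blindly), so the bounds check has to live in the length decoder and in the caller that consults its return value, which is where the fix was placed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical simplified BER length decoder (example code, not libiec61850's).
 * Parses a short-form or long-form length field starting at buf_pos and returns
 * the position of the first content byte, or -1 if the field is malformed or the
 * content would extend past max_buf_pos. */
static int ber_decode_length(const uint8_t *buf, int buf_pos, int max_buf_pos, int *out_len)
{
    if (buf == NULL || out_len == NULL || buf_pos < 0 || buf_pos >= max_buf_pos)
        return -1;

    uint8_t len_byte = buf[buf_pos++];

    if (len_byte & 0x80) {
        /* long form: the low 7 bits give the number of following length octets */
        int len_of_len = len_byte & 0x7f;
        /* 0 is the indefinite form; more than 4 octets cannot fit an int */
        if (len_of_len == 0 || len_of_len > 4)
            return -1;
        /* the length octets themselves must lie inside the buffer */
        if (len_of_len > max_buf_pos - buf_pos)
            return -1;
        uint32_t len = 0;
        for (int i = 0; i < len_of_len; i++)
            len = (len << 8) | buf[buf_pos++];
        if (len > (uint32_t)INT32_MAX)
            return -1;   /* would turn negative once stored in an int */
        *out_len = (int)len;
    } else {
        *out_len = len_byte;   /* short form: 0..127 */
    }

    /* The check a fuzzer-supplied length defeats when it is missing: the content
     * must fit between buf_pos and max_buf_pos, otherwise buf[buf_pos + i] in the
     * value decoder reads past the end of the buffer. */
    if (*out_len > max_buf_pos - buf_pos)
        return -1;

    return buf_pos;
}

/* Same contract as the function in the issue: no argument checking at all.
 * Memory-safe only if the caller already validated int_len and buf_pos. */
static uint32_t ber_decode_uint32(const uint8_t *buf, int int_len, int buf_pos)
{
    uint32_t value = 0;
    for (int i = 0; i < int_len; i++)
        value = (value << 8) | buf[buf_pos + i];
    return value;
}

/* Decode one INTEGER TLV (tag 0x02) with at most 4 content octets from
 * buf[0..buf_size). Returns the number of bytes consumed, or -1 on rejection. */
static int decode_ber_integer(const uint8_t *buf, int buf_size, uint32_t *out)
{
    int pos = 0;
    int len = 0;

    if (buf == NULL || out == NULL || buf_size < 1 || buf[pos++] != 0x02)
        return -1;

    pos = ber_decode_length(buf, pos, buf_size, &len);
    if (pos < 0)
        return -1;              /* malformed or oversized length: do not decode */
    if (len < 1 || len > 4)
        return -1;              /* does not fit a uint32 */

    *out = ber_decode_uint32(buf, len, pos);
    return pos + len;
}

int main(void)
{
    /* constructed inputs for the example */
    const uint8_t good[]      = { 0x02, 0x02, 0x01, 0x00 };                      /* INTEGER 256 */
    const uint8_t huge_len[]  = { 0x02, 0x84, 0xff, 0xff, 0xff, 0xff, 0x01 };    /* long-form length 0xffffffff */
    const uint8_t short_buf[] = { 0x02, 0x05, 0x01, 0x02 };                      /* claims 5 content bytes, has 2 */
    const uint8_t cut_len[]   = { 0x02, 0x84, 0x00 };                            /* length octets run past the end */
    const uint8_t *cases[] = { good, huge_len, short_buf, cut_len };
    const int sizes[] = { 4, 7, 4, 3 };

    for (int c = 0; c < 4; c++) {
        uint32_t v = 0;
        int r = decode_ber_integer(cases[c], sizes[c], &v);
        if (r < 0)
            printf("case %d: rejected\n", c);
        else
            printf("case %d: value %u, consumed %d bytes\n", c, v, r);
    }
    return 0;
}
```

Only the first input decodes; the other three are rejected before `ber_decode_uint32` is ever called. Building with `-fsanitize=address` and temporarily skipping the `pos < 0` check reproduces the shape of the reporter's crash, an ASan load report from inside the value decoder, which is why validating the length and honouring the decoder's return value in callers is the right place for the fix.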
CVE-2019-19944