
libeconf: A stack-buffer-overflow vulnerability in "read_file" function #177

Closed
yangjiageng opened this issue Mar 16, 2023 · 2 comments

Comments


yangjiageng commented Mar 16, 2023

Discoverer: Ji Tiantian of Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing University of Posts and Telecommunications

Description:

A stack-buffer-overflow vulnerability exists in the read_file function. The vulnerability is triggered at libeconf/lib/getfilecontents.c line 503.

The statement is: if (*(p + 1) != '\0') *(p + 1) = '\0'; (line 503).

The pointer variable p points to a location in the memory buffer buf.

The relevant statements are: name = buf; ... p = strchr(name, comment[i]);

However, when the strchr function is used to search for characters in the string name, it does not check whether the pointer p is outside the bounds of the name array.

Finally, at line 503, *(p + 1) = '\0', this assignment creates a stack overflow vulnerability if the location pointed to by p is outside the bounds of the buffer.

Reproduction:

Please reproduce this vulnerability using the following PoC.
This PoC is obtained by modifying the input data based on the test/tst-logindefs1.c testcase.
Use this PoC to replace the tst-logindefs1.c file in the libeconf/tests directory and configure the C compiler to use the -fsanitize=address flag, as follows:

CC=clang CXX=$CC CFLAGS="-O2 -g -fsanitize=address -L/root/  -shared-libasan" make -C build/ check -j8

The PoC file and the input file are here and here, respectively.

Using this command: /libeconfDir/build/tests/tst-logindefs1 read_file_503, you will get the following outputs:

This is the corresponding information of this overflow vulnerability from AddressSanitizer.
And attackers can use this bug to achieve a DoS attack or even a remote code execution attack.
Please reproduce and fix this vulnerability.
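The comment-truncation step the report describes, as an added example in C that is not libeconf's code: the search is bounded by the buffer's size with memchr() and the write cannot land outside the array. strip_comment_bounded and the case_* checks are this example's own names, and cutting at the comment character itself (rather than after it) is a simplification of the original logic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added, hypothetical example (not libeconf code). The report's pattern
 *     p = strchr(name, comment[i]); ... *(p + 1) = '\0';
 * has no length bound: strchr() scans until a NUL, so a line that fills the
 * buffer without a terminator lets p, and the write through it, leave buf.
 * This variant searches at most bufsize bytes with memchr() and only ever
 * writes inside the array. Returns true if a comment was cut off. */
bool strip_comment_bounded(char *buf, size_t bufsize, const char *comment)
{
    if (buf == NULL || bufsize == 0 || comment == NULL)
        return false;
    /* Text actually present: up to the first NUL, or all of bufsize if the
     * line was not terminated. memchr() never reads past buf + bufsize. */
    const char *nul = memchr(buf, '\0', bufsize);
    size_t len = nul != NULL ? (size_t)(nul - buf) : bufsize;

    for (size_t i = 0; comment[i] != '\0'; i++) {
        char *p = memchr(buf, (unsigned char)comment[i], len);
        if (p == NULL)
            continue;
        *p = '\0';          /* p < buf + len <= buf + bufsize: in bounds */
        return true;
    }
    return false;
}

/* Constructed checks: a normal terminated line, and two buffers deliberately
 * filled to the end without a NUL, the case the unbounded pattern mishandles. */
int case_terminated_line(void)
{
    char line[32] = "key=value # trailing comment";
    return strip_comment_bounded(line, sizeof line, "#;") &&
           strcmp(line, "key=value ") == 0;
}
int case_unterminated_no_comment(void)
{
    char full[8] = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'};
    return !strip_comment_bounded(full, sizeof full, "#") && full[7] == 'h';
}
int case_unterminated_with_comment(void)
{
    char full[8] = {'a', 'b', '#', 'd', 'e', 'f', 'g', 'h'};
    return strip_comment_bounded(full, sizeof full, "#") && full[2] == '\0';
}

int main(void)
{
    printf("%d %d %d\n", case_terminated_line(),
           case_unterminated_no_comment(), case_unterminated_with_comment());
    return 0;
}
```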

schubi2 (Collaborator) commented Mar 24, 2023

Thanks for your great work. I have released a new version 0.5.2

@schubi2 schubi2 closed this as completed Mar 24, 2023

jsegitz commented May 4, 2023

Please use CVE-2023-22652 for this
