heap-buffer-overflow in libdap::XDRFileUnMarshaller::get_vector

[gy741]

Hello.

I found a heap-buffer-overflow bug in libdap4.

Please confirm.

Thanks.

OS: Ubuntu 17.04 64bit
Version: commit 724b8ee
PoC Download: libdap__XDRFileUnMarshaller__get_vector.zip

Steps to reproduce:
1.Download the .POC files.
2.Compile the source code with ASan.
3.Execute the following command
: ./getdap -k $POC

=================================================================
==15996==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e040 at pc 0x7faf8d2d50c3 bp 0x7fff519c0500 sp 0x7fff519bfca8
WRITE of size 2 at 0x60300000e040 thread T0
    #0 0x7faf8d2d50c2  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x6a0c2)
    #1 0x7faf8bcc3792 in xdr_array (/lib/x86_64-linux-gnu/libc.so.6+0x13a792)
    #2 0x7faf8ca06ca4 in libdap::XDRFileUnMarshaller::get_vector(char**, unsigned int&, int, libdap::Vector&) /home/karas/libdap4/XDRFileUnMarshaller.cc:186
    #3 0x7faf8c8c3896 in libdap::Vector::deserialize(libdap::UnMarshaller&, libdap::DDS*, bool) /home/karas/libdap4/Vector.cc:813
    #4 0x7faf8cf985ca in libdap::Connect::process_data(libdap::DataDDS&, libdap::Response*) /home/karas/libdap4/Connect.cc:143
    #5 0x7faf8cf9f1d4 in libdap::Connect::read_data_no_mime(libdap::DataDDS&, libdap::Response*) /home/karas/libdap4/Connect.cc:1071
    #6 0x4061f2 in main /home/karas/libdap4/getdap.cc:276
    #7 0x7faf8bba982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x40c278 in _start (/home/karas/libdap4/run/bin/getdap+0x40c278)

0x60300000e040 is located 0 bytes to the right of 32-byte region [0x60300000e020,0x60300000e040)
allocated by thread T0 here:
    #0 0x7faf8d3046b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x7faf8c8aabe7 in libdap::Vector::m_create_cardinal_data_buffer_for_type(unsigned int) /home/karas/libdap4/Vector.cc:202

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c067fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9c00: fa fa fa fa 00 00 00 00[fa]fa fd fd fd fd fa fa
  0x0c067fff9c10: 00 00 00 07 fa fa 00 00 00 01 fa fa fd fd fd fd
  0x0c067fff9c20: fa fa fd fd fd fd fa fa 00 00 00 07 fa fa 00 00
  0x0c067fff9c30: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff9c40: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff9c50: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==15996==ABORTING

==========
[Acknowledgement]
This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing]

[jgallagher59701]

On Feb 1, 2018, at 11:04 PM, gy741 ***@***.***> wrote: Hello. I found a heap-buffer-overflow bug in libdap4. Please confirm.

Will this show up on CentOS 7? Other versions of Ubuntu? I don’t have easy access ubuntu 17. James

…

Thanks. OS: Ubuntu 17.04 64bit Version: commit 724b8ee <724b8ee> PoC Download: libdap__XDRFileUnMarshaller__get_vector.zip <https://github.com/OPENDAP/libdap4/files/1688230/libdap__XDRFileUnMarshaller__get_vector.zip> Steps to reproduce: 1.Download the .POC files. 2.Compile the source code with ASan. 3.Execute the following command : ./getdap -k $POC ================================================================= ==15996==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e040 at pc 0x7faf8d2d50c3 bp 0x7fff519c0500 sp 0x7fff519bfca8 WRITE of size 2 at 0x60300000e040 thread T0 #0 0x7faf8d2d50c2 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x6a0c2) #1 0x7faf8bcc3792 in xdr_array (/lib/x86_64-linux-gnu/libc.so.6+0x13a792) #2 0x7faf8ca06ca4 in libdap::XDRFileUnMarshaller::get_vector(char**, unsigned int&, int, libdap::Vector&) /home/karas/libdap4/XDRFileUnMarshaller.cc:186 #3 0x7faf8c8c3896 in libdap::Vector::deserialize(libdap::UnMarshaller&, libdap::DDS*, bool) /home/karas/libdap4/Vector.cc:813 #4 0x7faf8cf985ca in libdap::Connect::process_data(libdap::DataDDS&, libdap::Response*) /home/karas/libdap4/Connect.cc:143 #5 0x7faf8cf9f1d4 in libdap::Connect::read_data_no_mime(libdap::DataDDS&, libdap::Response*) /home/karas/libdap4/Connect.cc:1071 #6 0x4061f2 in main /home/karas/libdap4/getdap.cc:276 #7 0x7faf8bba982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #8 0x40c278 in _start (/home/karas/libdap4/run/bin/getdap+0x40c278) 0x60300000e040 is located 0 bytes to the right of 32-byte region [0x60300000e020,0x60300000e040) allocated by thread T0 here: #0 0x7faf8d3046b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2) #1 0x7faf8c8aabe7 in libdap::Vector::m_create_cardinal_data_buffer_for_type(unsigned int) /home/karas/libdap4/Vector.cc:202 SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ?? Shadow bytes around the buggy address: 0x0c067fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c067fff9c00: fa fa fa fa 00 00 00 00[fa]fa fd fd fd fd fa fa 0x0c067fff9c10: 00 00 00 07 fa fa 00 00 00 01 fa fa fd fd fd fd 0x0c067fff9c20: fa fa fd fd fd fd fa fa 00 00 00 07 fa fa 00 00 0x0c067fff9c30: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 0x0c067fff9c40: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 0x0c067fff9c50: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==15996==ABORTING ========== [Acknowledgement] This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing] — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#40>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AH8OKsvYnIA4HMVqZNSiL2-N7L2YFN6Qks5tQqVfgaJpZM4R2uJo>.

-- James Gallagher jgallagher@opendap.org

[gy741]

Hello,

CentOS 7 was able to reproduce the problem.

Thanks.

[karas]$ cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

[karas]$ valgrind ./getdap -k libdap__XDRFileUnMarshaller__get_vector
==8659== Invalid write of size 2
==8659==    at 0x5F719D5: xdr_int16_t (in /usr/lib64/libc-2.17.so)
==8659==    by 0x5F70603: xdr_array (in /usr/lib64/libc-2.17.so)
==8659==    by 0x5A1E7A: libdap::XDRFileUnMarshaller::get_vector(char**, unsigned int&, int, libdap::Vector&) (XDRFileUnMarshaller.cc:186)
==8659==    by 0x4FFA00: libdap::Vector::deserialize(libdap::UnMarshaller&, libdap::DDS*, bool) (Vector.cc:813)
==8659==    by 0x42835E: libdap::Connect::process_data(libdap::DataDDS&, libdap::Response*) (Connect.cc:143)
==8659==    by 0x44934D: libdap::Connect::read_data_no_mime(libdap::DataDDS&, libdap::Response*) (Connect.cc:1071)
==8659==    by 0x4102F0: main (getdap.cc:276)
==8659==  Address 0xa46a8b0 is 0 bytes after a block of size 32 alloc'd
==8659==    at 0x4C2A8A8: operator new[](unsigned long) (vg_replace_malloc.c:423)
==8659==    by 0x4F949F: libdap::Vector::m_create_cardinal_data_buffer_for_type(unsigned int) (Vector.cc:202)
==8659==    by 0x4FF796: libdap::Vector::deserialize(libdap::UnMarshaller&, libdap::DDS*, bool) (Vector.cc:797)
==8659==    by 0x42835E: libdap::Connect::process_data(libdap::DataDDS&, libdap::Response*) (Connect.cc:143)
==8659==    by 0x44934D: libdap::Connect::read_data_no_mime(libdap::DataDDS&, libdap::Response*) (Connect.cc:1071)
==8659==    by 0x4102F0: main (getdap.cc:276)