Potential buffer overread in cborparser.c

[szszszsz]

Description

Another issue found by address sanitizer; this time in the CBOR parsing code - cborparser.c (3rd party dependency).

• To confirm, possibly fix
• To report upstream, if needed

Reproduction route

1. Compile simulation app with Clang 7 and -lasan -fsanitize=address -O1 -g -fno-omit-frame-pointer
2. Run simulation
3. Run Python test: tools/ctap_test.py

With WIP code, from https://github.com/Nitrokey/nitrokey-fido2-firmware/tree/testing:

1. make clean
2. make CC=clang
3. make test_simulation

Frequency: always

Environment

• Fedora 29
• clang version 7.0.1 (Fedora 7.0.1-1.fc29)
• libasan.so.5 => /lib64/libasan.so.5

Log

ASAN log (click)

==28946==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffc8e3df4f0 at pc 0x000000420baa bp 0x7ffc8e3df280 sp 0x7ffc8e3df270 
READ of size 8 at 0x7ffc8e3df4f0 thread T0 
    #0 0x420ba9 in get_string_chunk src/cborparser.c:1014 
    #1 0x420d57 in iterate_string_chunks src/cborparser.c:1094 
    #2 0x42062e in _cbor_value_copy_string src/cborparser.c:1192 
    #3 0x404fea in parse_credential_descriptor fido2/ctap_parse.c:757 
    #4 0x40d098 in ctap_make_credential fido2/ctap.c:603 
    #5 0x411207 in ctap_request fido2/ctap.c:1407 
    #6 0x409bb5 in ctaphid_handle_packet fido2/ctaphid.c:638 
    #7 0x412251 in main fido2/main.c:91 
    #8 0x7fb9fa431412 in __libc_start_main (/lib64/libc.so.6+0x24412) 
    #9 0x40243d in _start (/home/sz/work/conor-solo/solo-simulation-main+0x40243d) 
 
Address 0x7ffc8e3df4f0 is located in stack of thread T0 at offset 48 in frame 
    #0 0x42057f in _cbor_value_copy_string src/cborparser.c:1190 
 
  This frame has 1 object(s): 
    [32, 33) 'copied_all' (line 1191) <== Memory access at offset 48 overflows this variable 
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext 
      (longjmp and C++ exceptions *are* supported) 
SUMMARY: AddressSanitizer: stack-buffer-overflow src/cborparser.c:1014 in get_string_chunk 
Shadow bytes around the buggy address: 
  0x100011c73e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
  0x100011c73e50: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 
  0x100011c73e60: 00 00 00 f2 f2 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 
  0x100011c73e70: 00 f2 f2 f2 f8 f3 f3 f3 00 00 00 00 00 00 00 00 
  0x100011c73e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
=>0x100011c73e90: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 01 f3[f3]f3 
  0x100011c73ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
  0x100011c73eb0: f1 f1 f1 f1 00 f2 f2 f2 00 04 f2 f2 00 00 00 f3 
  0x100011c73ec0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 
  0x100011c73ed0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 
  0x100011c73ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
Shadow byte legend (one shadow byte represents 8 application bytes): 
  Addressable:           00 
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa 
  Freed heap region:       fd 
  Stack left redzone:      f1 
  Stack mid redzone:       f2 
  Stack right redzone:     f3 
  Stack after return:      f5 
  Stack use after scope:   f8 
  Global redzone:          f9 
  Global init order:       f6 
  Poisoned by user:        f7 
  Container overflow:      fc 
  Array cookie:            ac 
  Intra object redzone:    bb 
  ASan internal:           fe 
  Left alloca redzone:     ca 
  Right alloca redzone:    cb 
==28946==ABORTING 

Related

• Potential buffer overread in ctap_encode_der_sig() #94