Some memory corruption problems when the library parses the MAT file #103
Comments
@tbeu, can you comment on this and say if it is a real vulnerability or not and, if so, when it is likely to be fixed? There are 13 CVEs related to this.
Working on them. (That's why I pinned the issue.)
And, it only happens with crafted MAT-files (created by fuzzing).
@tbeu, thank you. We use this library and appreciate its compactness and usefulness. Do you know anything about @cool-tomato and why she would fuzz your code?
Fuzzing is easy, probably fun and gives you some credits. Do not know him/her.
* Check read success
* Check allocation success
* Fix array index out of bounds (if rank > 14)
* As reported by #103 and https://github.com/TeamSeri0us/pocs/tree/master/matio

* Fix illegal memory access
* Fix array index out of bounds
* As reported by #103 and https://github.com/TeamSeri0us/pocs/tree/master/matio
Great to hear that this has been resolved. On what time scale will we be able to download 1.5.14 and get access to these security improvements? Thanks, T.
Will release v1.5.14 probably tonight.
As far as I can tell, CVE-2019-9036 (heap-based buffer overflow in the function
Hm, can no longer reproduce. Can you give some more details?
On git HEAD (9f7f96d), with Debian 9, configured with
Got it.
Should the issue be reopened in the meantime, until the last bit is fixed as well?
@svillemot Can you please check if 539ca4d fixes the issue for you. Thanks.
The overflow seems to be correctly worked around. But then MatIO apparently attempts to allocate an insane amount of memory, I am not sure this is expected:
Thanks for confirmation. One other possibility would be to let SafeMulDims return 0 in case of an overflow. What do you think?
Indeed it's probably better to have a zero return value from
@svillemot Could you please give 077cbf9 one more try and verify if it finally resolves this issue? Thanks.
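The overflow-checked dimension product and the read, rank and allocation checks discussed in this thread, as an added example in C that is not matio's own code. The header layout (a little-endian 32-bit rank followed by rank 32-bit dimensions), the constructed sample byte strings and the names safe_mul_dims, parse_and_alloc and count_or_zero are assumptions made for illustration; MAX_RANK = 14 mirrors the "rank > 14" check named in the commit messages above, and a product that would wrap yields a zero count rather than a huge allocation, which is the behaviour agreed on here.

```c
/* Added example, not matio's own code: overflow-checked element count and the
 * surrounding sanity checks. Header layout and names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_RANK 14 /* assumed rank limit, mirroring the "rank > 14" check */

/* Overflow-checked product of dims[0..rank-1]. Returns 1 and stores the element
 * count on success; returns 0 and stores 0 if the product would wrap size_t or
 * the rank is outside 1..MAX_RANK (the "return 0 on overflow" behaviour). */
int safe_mul_dims(const size_t *dims, size_t rank, size_t *nelems)
{
    size_t n = 1;
    if (nelems == NULL) return 0;
    *nelems = 0;
    if (dims == NULL || rank == 0 || rank > MAX_RANK) return 0;
    for (size_t i = 0; i < rank; i++) {
        if (dims[i] != 0 && n > SIZE_MAX / dims[i]) return 0; /* n * dims[i] would wrap */
        n *= dims[i];
    }
    *nelems = n;
    return 1;
}

/* Convenience wrapper: element count, or 0 on overflow / bad rank. */
size_t count_or_zero(const size_t *dims, size_t rank)
{
    size_t n;
    return safe_mul_dims(dims, rank, &n) ? n : 0;
}

/* Read a little-endian uint32 only if the whole field is present in buf. */
static int read_u32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (len - *pos < 4) return 0; /* truncated input counts as a read failure */
    *out = (uint32_t)buf[*pos] | ((uint32_t)buf[*pos + 1] << 8) |
           ((uint32_t)buf[*pos + 2] << 16) | ((uint32_t)buf[*pos + 3] << 24);
    *pos += 4;
    return 1;
}

/* Parse the hypothetical "rank, dims[rank]" header and allocate elem_size bytes
 * per element. Returns the element count and stores the buffer in *out (caller
 * frees); returns 0 with *out == NULL if the header is truncated, the rank is
 * out of bounds, the element or byte count would wrap, the array is empty, or
 * the allocation fails. */
size_t parse_and_alloc(const uint8_t *buf, size_t len, size_t elem_size, void **out)
{
    size_t pos = 0, dims[MAX_RANK], nelems = 0;
    uint32_t rank, d;

    *out = NULL;
    if (!read_u32(buf, len, &pos, &rank)) return 0;      /* check read success */
    if (rank == 0 || rank > MAX_RANK) return 0;           /* bound rank before indexing dims[] */
    for (uint32_t i = 0; i < rank; i++) {
        if (!read_u32(buf, len, &pos, &d)) return 0;      /* check read success per dimension */
        dims[i] = d;
    }
    if (!safe_mul_dims(dims, rank, &nelems) || nelems == 0) return 0;
    if (elem_size == 0 || nelems > SIZE_MAX / elem_size) return 0; /* byte count would wrap */
    *out = malloc(nelems * elem_size);
    if (*out == NULL) return 0;                           /* check allocation success */
    return nelems;
}

/* Constructed sample headers (not real MAT-file data). */
static const uint8_t SAMPLE_OK[] = {3,0,0,0, 2,0,0,0, 3,0,0,0, 4,0,0,0};   /* 2x3x4 */
static const uint8_t SAMPLE_TRUNC[] = {3,0,0,0, 2,0,0,0, 3,0,0,0};         /* third dim missing */
static const uint8_t SAMPLE_BIGRANK[] = {15,0,0,0};                        /* rank > MAX_RANK */
static const uint8_t SAMPLE_OVERFLOW[] = {3,0,0,0, 255,255,255,255, 255,255,255,255, 255,255,255,255};
static const uint8_t SAMPLE_ELEMOVF[] = {2,0,0,0, 255,255,255,255, 255,255,255,255}; /* count fits, bytes wrap */

/* Parse, allocate 8-byte elements, release, and report the element count. */
size_t demo_count(const uint8_t *buf, size_t len)
{
    void *p = NULL;
    size_t n = parse_and_alloc(buf, len, 8, &p);
    free(p);
    return n;
}

int main(void)
{
    printf("ok: %zu trunc: %zu bigrank: %zu overflow: %zu elemovf: %zu\n",
           demo_count(SAMPLE_OK, sizeof SAMPLE_OK),
           demo_count(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC),
           demo_count(SAMPLE_BIGRANK, sizeof SAMPLE_BIGRANK),
           demo_count(SAMPLE_OVERFLOW, sizeof SAMPLE_OVERFLOW),
           demo_count(SAMPLE_ELEMOVF, sizeof SAMPLE_ELEMOVF));
    return 0;
}
```

Every failure path returns 0 before any index into dims[] or any call to malloc, so a crafted header can at most make the parser refuse the variable, never read past the buffer or request a wrapped-around allocation size.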
Thanks. The only thing still detected by ASAN is a 1-byte memory leak. So, security-wise, the issue is fixed.
Thanks for confirmation. The memory leak actually is a separate issue discovered en passant and resolved by b73f135.
I backported those security fixes to MatIO 1.5.13 for Debian (I had to limit myself to minimal changes, since Debian is currently in freeze). There are test failures on several architectures, all of which are big-endian, in tests 621, 2825 and 2827. Any idea of what's going on?
The logfiles are accessible at: https://buildd.debian.org/status/package.php?p=libmatio
And here are the patches that I applied: https://salsa.debian.org/science-team/libmatio/tree/master/debian/patches
Note that avoid-int-mult-overflow.patch is a trimmed-down version of your commit.
Ok, got it, it's a manifestation of #108.
Applying adfa218 fixes the testsuite regression, but unfortunately it reintroduces CVE-2019-9027 and CVE-2019-9038. On the current git HEAD, I now get the following:
So this issue should be reopened… |
One more iteration loop please: 02625a0 adds another sanity check.
It is good now, thanks!
I found several memory corruption problems in the library.
More details can be found here.