Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

There is a stack-based buffer overflow in the ReadNextStructField function of mat5.c(at 1393) #128

Closed
gutiniao opened this issue Nov 7, 2019 · 5 comments

Comments

@gutiniao
Copy link

gutiniao commented Nov 7, 2019

A crafted input will lead to crash in mat5.c at matio 1.5.17.
Triggered by
./matdump POC

Poc
002-stackover-ReadNextStructField-mat51393

The ASAN information is as follows:

./matdump 002-stackover-ReadNextStructField-mat51393 
InflateArrayFlags: inflate returned data error
InflateRankDims: inflate returned data error
InflateVarTag: inflate returned data error
InflateVarTag: inflate returned data error
      Rank: 0
InflateRankDims: inflate returned data error
=================================================================
==32164==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcc03efb10 at pc 0x7f0ff115f208 bp 0x7ffcc03ef900 sp 0x7ffcc03ef8f0
READ of size 4 at 0x7ffcc03efb10 thread T0
    #0 0x7f0ff115f207 in ReadNextStructField /home/matio_asan/src/mat5.c:1393
    #1 0x7f0ff1219e10 in Mat_VarReadNextInfo5 /home/matio_asan/src/mat5.c:4959
    #2 0x7f0ff123046b in Mat_VarReadNextInfo /home/matio_asan/src/mat.c:2342
    #3 0x408126 in main /home/matio_asan/tools/matdump.c:944
    #4 0x7f0ff0a0b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x401b58 in _start (/usr/local/matio_asan/bin/matdump+0x401b58)

Address 0x7ffcc03efb10 is located in stack of thread T0 at offset 352 in frame
    #0 0x7f0ff115d8d6 in ReadNextStructField /home/matio_asan/src/mat5.c:1212

  This frame has 5 object(s):
    [32, 40) 'nelems'
    [96, 104) 'nelems_x_nfields'
    [160, 168) 'dims'
    [224, 248) 'buf'
    [288, 352) 'uncomp_buf' <== Memory access at offset 352 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/matio_asan/src/mat5.c:1393 ReadNextStructField
Shadow bytes around the buggy address:
  0x100018075f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100018075f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100018075f30: 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2
  0x100018075f40: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
  0x100018075f50: f2 f2 00 00 00 f4 f2 f2 f2 f2 00 00 00 00 00 00
=>0x100018075f60: 00 00[f3]f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
  0x100018075f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x100018075f80: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2
  0x100018075f90: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
  0x100018075fa0: f2 f2 00 00 00 f4 f2 f2 f2 f2 00 00 00 00 00 00
  0x100018075fb0: 00 00 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==32164==ABORTING

about code (1393):

/* Rank and dimension */
                if ( uncomp_buf[0] == MAT_T_INT32 ) {
                    int j;
                    fields[i]->rank = uncomp_buf[1];
                    nbytes -= fields[i]->rank;
                    fields[i]->rank /= 4;
                    fields[i]->dims = (size_t*)malloc(fields[i]->rank*
                                             sizeof(*fields[i]->dims));
                    if ( mat->byteswap ) {
                        for ( j = 0; j < fields[i]->rank; j++ )
                            fields[i]->dims[j] = Mat_uint32Swap(dims+j);
                    } else {
                        for ( j = 0; j < fields[i]->rank; j++ )
-------------------> fields[i]->dims[j] = dims[j];
                    }
@tbeu
Copy link
Owner

tbeu commented Nov 9, 2019

No need to report fuzzing issues since matio is on OSS-Fuzz with still about 40 open issues.

Instead of v1.5.17, please rerun the test against current master and reopen if the issue is still reproducible.

@tbeu tbeu closed this as completed Nov 9, 2019
@gutiniao
Copy link
Author

No need to report fuzzing issues since matio is on OSS-Fuzz with still about 40 open issues.

Instead of v1.5.17, please rerun the test against current master and reopen if the issue is still reproducible.

Yes, I just use 'git clone' to fetch the current master of the matio,the issue is still reproducible.
image

image
i 'm sure the issue is different from the fuzzing issues on OSS-fuzz.

tbeu added a commit that referenced this issue Nov 11, 2019
@tbeu
Copy link
Owner

tbeu commented Nov 11, 2019

Should be fixed now.

@carnil
Copy link

carnil commented Dec 27, 2019

CVE-2019-20020 has been assigned for this issue.

@tbeu
Copy link
Owner

tbeu commented Dec 27, 2019

OK, need to mention those CVE numbers in the changelog when making the new release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants