it is a memory exhaustion issue in Mat_VarRead5 (mat5.c:3574) #130

Closed
gutiniao opened this issue Nov 7, 2019 · 4 comments

Comments

@gutiniao

gutiniao commented Nov 7, 2019

A crafted input leads to a crash in mat5.c in matio 1.5.17.
Triggered by:
`./matdump POC`

PoC file:
004Mat_VarRead53574

The ASAN information is as follows:

```
./matdump 004Mat_VarRead53574 
==22145==ERROR: AddressSanitizer failed to allocate 0x4c1a84000 (20428898304) bytes of LargeMmapAllocator (errno: 12)
==22145==Process memory map follows:
	0x000000400000-0x00000040d000	/usr/local/matio_asan/bin/matdump
	0x00000060c000-0x00000060d000	/usr/local/matio_asan/bin/matdump
	0x00000060d000-0x000000610000	/usr/local/matio_asan/bin/matdump
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x603000000000	
	0x603000000000-0x603000010000	
	0x603000010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x607000000000	
	0x607000000000-0x607000010000	
	0x607000010000-0x60b000000000	
	0x60b000000000-0x60b000010000	
	0x60b000010000-0x60c000000000	
	0x60c000000000-0x60c000010000	
	0x60c000010000-0x616000000000	
	0x616000000000-0x616000020000	
	0x616000020000-0x619000000000	
	0x619000000000-0x619000020000	
	0x619000020000-0x621000000000	
	0x621000000000-0x621000020000	
	0x621000020000-0x624000000000	
	0x624000000000-0x624000020000	
	0x624000020000-0x62d000000000	
	0x62d000000000-0x62d000020000	
	0x62d000020000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7fd221600000-0x7fd221700000	
	0x7fd221800000-0x7fd221900000	
	0x7fd22191d000-0x7fd223c6f000	
	0x7fd223c6f000-0x7fd223c8a000	/usr/local/lib/libz.so.1.2.11
	0x7fd223c8a000-0x7fd223e89000	/usr/local/lib/libz.so.1.2.11
	0x7fd223e89000-0x7fd223e8a000	/usr/local/lib/libz.so.1.2.11
	0x7fd223e8a000-0x7fd223e8b000	/usr/local/lib/libz.so.1.2.11
	0x7fd223e8b000-0x7fd223ea1000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7fd223ea1000-0x7fd2240a0000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7fd2240a0000-0x7fd2240a1000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7fd2240a1000-0x7fd2240a4000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7fd2240a4000-0x7fd2242a3000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7fd2242a3000-0x7fd2242a4000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7fd2242a4000-0x7fd2242a5000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7fd2242a5000-0x7fd2242bd000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7fd2242bd000-0x7fd2244bc000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7fd2244bc000-0x7fd2244bd000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7fd2244bd000-0x7fd2244be000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7fd2244be000-0x7fd2244c2000	
	0x7fd2244c2000-0x7fd224682000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7fd224682000-0x7fd224882000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7fd224882000-0x7fd224886000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7fd224886000-0x7fd224888000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7fd224888000-0x7fd22488c000	
	0x7fd22488c000-0x7fd224994000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7fd224994000-0x7fd224b93000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7fd224b93000-0x7fd224b94000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7fd224b94000-0x7fd224b95000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7fd224b95000-0x7fd224d18000	/usr/local/matio_asan/lib/libmatio.so.10.0.2
	0x7fd224d18000-0x7fd224f17000	/usr/local/matio_asan/lib/libmatio.so.10.0.2
	0x7fd224f17000-0x7fd224f18000	/usr/local/matio_asan/lib/libmatio.so.10.0.2
	0x7fd224f18000-0x7fd224f1b000	/usr/local/matio_asan/lib/libmatio.so.10.0.2
	0x7fd224f1b000-0x7fd22500f000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
	0x7fd22500f000-0x7fd22520f000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
	0x7fd22520f000-0x7fd225212000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
	0x7fd225212000-0x7fd225213000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
	0x7fd225213000-0x7fd225e88000	
	0x7fd225e88000-0x7fd225eae000	/lib/x86_64-linux-gnu/ld-2.23.so
	0x7fd22605c000-0x7fd226093000	
	0x7fd226096000-0x7fd2260ad000	
	0x7fd2260ad000-0x7fd2260ae000	/lib/x86_64-linux-gnu/ld-2.23.so
	0x7fd2260ae000-0x7fd2260af000	/lib/x86_64-linux-gnu/ld-2.23.so
	0x7fd2260af000-0x7fd2260b0000	
	0x7ffe32830000-0x7ffe32851000	[stack]
	0x7ffe328fa000-0x7ffe328fd000	[vvar]
	0x7ffe328fd000-0x7ffe328ff000	[vdso]
	0xffffffffff600000-0xffffffffff601000	[vsyscall]
==22145==End of process memory map.
==22145==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0x7fd224fbb631  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7fd224fc05e3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
    #2 0x7fd224fc8611  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xad611)
    #3 0x7fd224f3dc0c  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22c0c)
    #4 0x7fd224fb35d2 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)
    #5 0x7fd224c486d6 in Mat_VarRead5 /home/matio_asan/src/mat5.c:3574
    #6 0x7fd224c333b5 in ReadNextCell /home/matio_asan/src/mat5.c:1063
    #7 0x7fd224cf0e78 in Mat_VarReadNextInfo5 /home/matio_asan/src/mat5.c:4961
    #8 0x7fd224d0746b in Mat_VarReadNextInfo /home/matio_asan/src/mat.c:2342
    #9 0x408126 in main /home/matio_asan/tools/matdump.c:944
    #10 0x7fd2244e282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x401b58 in _start (/usr/local/matio_asan/bin/matdump+0x401b58)
```

About the code at mat5.c:3574:

```c
            Mat_VarReadNumeric5(mat,matvar,complex_data->Im,nelems);
            matvar->data = complex_data;
        } else {
            err = SafeMul(&matvar->nbytes, nelems, matvar->data_size);
            if ( err ) {
                Mat_Critical("Integer multiplication overflow");
                break;
            }

            matvar->data = malloc(matvar->nbytes);   /* <---------- line 3574 */
            if ( NULL == matvar->data ) {
                Mat_Critical("Couldn't allocate memory for the data");
```
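The excerpt above shows why `SafeMul` alone is not enough: `nelems * data_size` can stay well inside 64 bits and still be a 20 GB request that no file of a few hundred bytes can back, so the multiplication check passes and `malloc` is asked for the whole amount. The following is an added example, written for this issue and not matio's own code or its fix, of the bound a reader of untrusted container formats would want before allocating: the overflow check, a check against the bytes actually remaining in the input, and a policy cap. `MAX_VAR_BYTES`, `validate_var_size`, `alloc_var_data` and the sample values are assumptions; the 20428898304-byte figure is the one from the ASAN report, rewritten as 2553612288 elements of 8 bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-variable policy cap; a real reader would make this configurable. */
#define MAX_VAR_BYTES ((uint64_t)1 << 30) /* 1 GiB (assumption) */

enum alloc_status {
    ALLOC_OK = 0,
    ALLOC_OVERFLOW,      /* nelems * data_size does not fit in 64 bits */
    ALLOC_EXCEEDS_FILE,  /* more bytes than remain in the input file */
    ALLOC_EXCEEDS_CAP,   /* above the reader's policy limit */
    ALLOC_FAILED         /* malloc returned NULL */
};

/* Multiply with overflow detection (same idea as matio's SafeMul). Returns 1 on overflow. */
static int safe_mul_u64(uint64_t *out, uint64_t a, uint64_t b)
{
    if (a != 0 && b > UINT64_MAX / a)
        return 1;
    *out = a * b;
    return 0;
}

/* Validate nbytes = nelems * data_size against three bounds before any allocation.
   nbytes_out may be NULL when the caller only wants the verdict. */
enum alloc_status validate_var_size(uint64_t nelems, uint64_t data_size,
                                    uint64_t bytes_left_in_file, uint64_t *nbytes_out)
{
    uint64_t nbytes;
    if (safe_mul_u64(&nbytes, nelems, data_size))
        return ALLOC_OVERFLOW;
    if (nbytes > bytes_left_in_file)   /* uncompressed data cannot exceed what the file holds */
        return ALLOC_EXCEEDS_FILE;
    if (nbytes > MAX_VAR_BYTES)        /* even a valid file must respect the reader's policy */
        return ALLOC_EXCEEDS_CAP;
    if (nbytes_out)
        *nbytes_out = nbytes;
    return ALLOC_OK;
}

/* Allocate only after validation; *status tells the caller why NULL came back. */
void *alloc_var_data(uint64_t nelems, uint64_t data_size,
                     uint64_t bytes_left_in_file, enum alloc_status *status)
{
    uint64_t nbytes = 0;
    enum alloc_status st = validate_var_size(nelems, data_size, bytes_left_in_file, &nbytes);
    if (st != ALLOC_OK) {
        *status = st;
        return NULL;
    }
    /* malloc(0) may legitimately return NULL; request at least one byte so NULL means failure. */
    void *p = malloc(nbytes ? (size_t)nbytes : 1);
    *status = p ? ALLOC_OK : ALLOC_FAILED;
    return p;
}

int main(void)
{
    /* Constructed scenario: the report's 0x4c1a84000 bytes as 2553612288 elements of 8 bytes,
       from a file that has only 512 bytes left after the element tag. */
    enum alloc_status st;
    void *p = alloc_var_data(2553612288ULL, 8, 512, &st);
    printf("20 GB request, 512 bytes left: status=%d ptr=%p\n", (int)st, p);
    free(p);

    /* A plausible request that passes every bound. */
    p = alloc_var_data(100, 8, 4096, &st);
    printf("800-byte request, 4096 bytes left: status=%d allocated=%d\n", (int)st, p != NULL);
    free(p);
    return 0;
}
```

The file-size bound is exact only for uncompressed elements; for zlib-compressed MAT variables the decompressed size can legitimately exceed the bytes remaining on disk, so there the policy cap (or a bound derived from the declared uncompressed size) is the one that has to do the work, which is why the two checks are kept separate.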
@tbeu
Owner

tbeu commented Nov 9, 2019

No need to report fuzzing issues since matio is on OSS-Fuzz with still about 40 open issues.

Instead of v1.5.17, please rerun the test against current master and reopen if the issue is still reproducible.

@tbeu tbeu closed this as completed Nov 9, 2019
@gutiniao
Author

> No need to report fuzzing issues since matio is on OSS-Fuzz with still about 40 open issues.
>
> Instead of v1.5.17, please rerun the test against current master and reopen if the issue is still reproducible.

Yes, I just used `git clone` to fetch the current master of matio; the issue is still reproducible.
[image]

[image]
I'm sure the issue is different from the fuzzing issues on OSS-Fuzz.

@tbeu
Owner

tbeu commented Nov 11, 2019

I can confirm that the number of allocated bytes is high, but I cannot confirm the crash.

@carnil

carnil commented Dec 27, 2019

CVE-2019-20019 has been assigned for this issue.
