
[CVE-2021-46142] uriNormalizeSyntax* may free stack memory in out-of-memory situation when handling URIs containing empty segments #122

Closed
autofuzzoss opened this issue Sep 29, 2021 · 5 comments · Fixed by #124
Labels: bug (Something isn't working), security

autofuzzoss commented Sep 29, 2021

A bug was found within uriparser. Though it might not be an intended use of the relevant API, the bug can still produce critical issues within a program using uriparser. It would be best if the affected logic is checked beforehand.
The bug was found with a fuzzer based on the test code "NormalizeSyntaxExMm".

Crash log:

==3440==ERROR: AddressSanitizer: SEGV on unknown address 0x0000004d9be0 (pc 0x00000041ca94 bp 0x000000000000 sp 0x7ffd2468e6e0 T0)
==3440==The signal is caused by a WRITE memory access.
    #0 0x41ca94 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType)
    #1 0x493d41 in free 
    #2 0x4c6892 in (anonymous namespace)::countingFree(UriMemoryManagerStruct*, void*) 
    #3 0x7faf2e1ac4b2 in uriNormalizeSyntaxExMmA_ 

Steps to reproduce:

  1. git clone https://github.com/uriparser/uriparser.git
  2. cd uriparser && mkdir build && cd build
  3. Build
    cmake -DCMAKE_BUILD_TYPE=Release -DURIPARSER_BUILD_DOCS:BOOL=OFF -DBUILD_SHARED_LIBS:BOOL=ON ..
    make -j8
  4. Download the attached file (2.cpp)
  5. Build the test code (2.cpp)
    clang++ -g -fsanitize=address,fuzzer-no-link -o 2 2.cpp -I uriparser/include/ -I uriparser/ -Luriparser/build -luriparser
  6. Run
    LD_LIBRARY_PATH=uriparser/build/ ./2

OS: Ubuntu 18.04
uriparser_poc2.tar.gz
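The crash log above shows the library's free hook (countingFree) receiving an address that was never handed out by the allocator, which is what AddressSanitizer then faults on. The following C program is an added example, not uriparser's code and not the reporter's 2.cpp: it builds a fault-injecting, ownership-checking memory manager in the shape of uriparser's UriMemoryManager (a malloc/free pair plus userData; the real struct carries more members) and runs a constructed toy "normalize" routine through it twice, once with the bug class named in the title (the out-of-memory cleanup path frees the caller's buffer unconditionally) and once with an ownership flag guarding the free. Instead of passing a foreign pointer to libc free(), the manager records it as a bad free, which is how a harness surfaces this defect class without crashing. All names, the toy routine and the sample URI are constructed for this example.

```c
/* Added example, not uriparser's code: fault-injecting, ownership-checking
 * allocator plus a toy normalizer showing the OOM-path free bug and its fix. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

/* Mirrors the shape of uriparser's UriMemoryManager (hypothetical subset). */
typedef struct CheckingMemoryManagerStruct CheckingMemoryManager;
struct CheckingMemoryManagerStruct {
    void *(*malloc)(CheckingMemoryManager *, size_t);
    void (*free)(CheckingMemoryManager *, void *);
    void *userData;
};

typedef struct {
    int allocsSeen;        /* allocations attempted so far */
    int failAt;            /* 1-based index of the allocation to fail; 0 = never */
    void *live[MAX_LIVE];  /* pointers handed out and not yet freed */
    int liveCount;
    int badFrees;          /* frees of pointers this manager never returned */
} FaultState;

static void *faultMalloc(CheckingMemoryManager *mm, size_t size) {
    FaultState *st = (FaultState *)mm->userData;
    st->allocsSeen++;
    if (st->allocsSeen == st->failAt || st->liveCount == MAX_LIVE)
        return NULL;                       /* injected out-of-memory */
    void *p = malloc(size);
    if (p != NULL) st->live[st->liveCount++] = p;
    return p;
}

static void faultFree(CheckingMemoryManager *mm, void *p) {
    FaultState *st = (FaultState *)mm->userData;
    for (int i = 0; i < st->liveCount; i++) {
        if (st->live[i] == p) {
            st->live[i] = st->live[--st->liveCount];
            free(p);
            return;
        }
    }
    st->badFrees++;  /* not ours (e.g. a stack address): record, don't free() */
}

/* Toy normalizer (constructed). `text` is a buffer the caller owns; the routine
 * takes a heap copy, rewrites it, and needs a second allocation. The buggy
 * cleanup path frees `text` even when it still points at the caller's buffer;
 * the fixed path frees only what this routine allocated. Returns 0 or -1 (OOM). */
static int normalizeToy(CheckingMemoryManager *mm, char *text, int fixed) {
    size_t len = strlen(text);
    int owned = 0;
    char *copy = mm->malloc(mm, len + 1);              /* allocation #1 */
    if (copy != NULL) {
        memcpy(copy, text, len + 1);
        text = copy;
        owned = 1;
        for (char *p = text; *p != '\0' && *p != ':'; p++)  /* lowercase scheme */
            *p = (char)tolower((unsigned char)*p);
        char *segments = mm->malloc(mm, len + 1);      /* allocation #2 */
        if (segments != NULL) {
            mm->free(mm, segments);
            mm->free(mm, text);
            return 0;
        }
    }
    /* out-of-memory cleanup */
    if (fixed) {
        if (owned) mm->free(mm, text);
    } else {
        mm->free(mm, text);  /* bug: `text` may still be the caller's stack buffer */
    }
    return -1;
}

/* Runs one scenario on a stack-resident URI; returns bad frees, leaks via out-param. */
static int runScenario(int failAt, int fixed, int *leaksOut) {
    FaultState st = {0};
    st.failAt = failAt;
    CheckingMemoryManager mm = { faultMalloc, faultFree, &st };
    char stackUri[] = "HTTP://Example.org/a//b";  /* constructed input, on the stack */
    normalizeToy(&mm, stackUri, fixed);
    *leaksOut = st.liveCount;
    return st.badFrees;
}

static int leaksAfter(int failAt, int fixed) {
    int leaks = 0;
    runScenario(failAt, fixed, &leaks);
    return leaks;
}

int main(void) {
    int leaks;
    int bad = runScenario(1, 0, &leaks);
    printf("buggy, allocation 1 fails: bad frees=%d leaks=%d\n", bad, leaks);
    bad = runScenario(1, 1, &leaks);
    printf("fixed, allocation 1 fails: bad frees=%d leaks=%d\n", bad, leaks);
    return 0;
}
```

Sweeping failAt over every allocation index a routine makes is the same idea the fuzzer-driven memory manager in the report applies: each injected failure exercises one cleanup path, and a free of a pointer the manager never returned is the signal to look for.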

hartwork (Member) commented:
@afosscontact thanks for the detailed report, I will have a closer look.

@hartwork hartwork changed the title input format check and memory manager issue2 uriNormalizeSyntax* may free stack memory in out-of-memory situation when handling URIs containing empty segments Oct 15, 2021
@hartwork hartwork added the bug Something isn't working label Oct 15, 2021
@hartwork hartwork added this to the 0.9.6 milestone Oct 15, 2021
hartwork (Member) commented:
@afosscontact confirming as a bug, fixed by pull request #124 (along with issue #121). Thanks for the report again! 🙏

@hartwork hartwork self-assigned this Oct 15, 2021
autofuzzoss (Author) commented:

Thank you for the fix.
Is it possible to issue a CVE ID?
If it is not possible for you, should you ask MITRE?

hartwork commented Oct 18, 2021

@afosscontact speaking for #121 and #122, I can request a CVE (or two) once the security impact of these two bugs is clear. If you could add a security assessment to the two issues — detailed or brief — that would help. Also, giving credit to your real name both inside uriparser and/or in the mitre submission form is still an option, if you're comfortable disclosing your name to either me and mitre (by e-mail) or everyone here. Or you submit to mitre and only they get your name or no one. I'd also be curious, what the context of this work of yours was, if you'd be up for sharing that with me off-list. Thanks in advance.

hartwork added a commit that referenced this issue Oct 21, 2021
Fix memory handling of uriNormalizeSyntax*, uriMakeOwner* and uriNormalizeSyntax* (fixes #121, fixes #122)
hartwork (Member) commented:
PS: @afosscontact the two bugs are closed as fixed now. I'm still happy to team up with you on the CVE subject as mentioned above.

@hartwork hartwork changed the title uriNormalizeSyntax* may free stack memory in out-of-memory situation when handling URIs containing empty segments [CVE-2021-46142] uriNormalizeSyntax* may free stack memory in out-of-memory situation when handling URIs containing empty segments Jan 6, 2022