Some debugging information:

=================================================================
==7414==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000980 
at pc 0x5555555759b3 bp 0x7fffffffd9b0 sp 0x7fffffffd9a8
READ of size 1 at 0x619000000980 thread T0
    #0 0x5555555759b2 in _bson_utf8_get_sequence src/bson/bson-utf8.c:49
    #1 0x555555575c3b in bson_utf8_validate src/bson/bson-utf8.c:131
    #2 0x55555556cbf4 in bson_iter_visit_all src/bson/bson-iter.c:2069
    #3 0x5555555607d5 in bson_metrics examples/bson-metrics.c:208
    #4 0x555555560b01 in main examples/bson-metrics.c:257
    #5 0x7f8775da02e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #6 0x55555555fce9 in _start (/root/libbson/bson-metrics+0xbce9)

0x619000000980 is located 0 bytes to the right of 1024-byte region 
[0x619000000580,0x619000000980)
allocated by thread T0 here:
    #0 0x7f8776717bb8 in __interceptor_calloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9bb8)
    #1 0x55555556eb0c in bson_malloc0 src/bson/bson-memory.c:105
    #2 0x555555571614 in bson_reader_new_from_handle src/bson/bson-reader.c:173
    #3 0x555555571a2a in bson_reader_new_from_fd src/bson/bson-reader.c:304
    #4 0x5555555731d4 in bson_reader_new_from_file src/bson/bson-reader.c:806
    #5 0x5555555609fe in main examples/bson-metrics.c:244
    #6 0x7f8775da02e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/bson/bson-utf8.c:49 in 
_bson_utf8_get_sequence
Shadow bytes around the buggy address:
  0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8130:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7414==ABORTING
[
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007f8775db442a in __GI_abort () at abort.c:89
#2  0x00007f877673741b in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
#3  0x00007f877673ebb8 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
#4  0x00007f8776721a8d in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
#5  0x00007f87767224e8 in __asan_report_load1 () from 
/usr/lib/x86_64-linux-gnu/libasan.so.4
#6  0x00005555555759b3 in _bson_utf8_get_sequence (utf8=0x619000000980 "", 
    seq_length=0x7fffffffda90 "\001\220VUUU", first_mask=0x7fffffffda50 
"\177\005")
    at src/bson/bson-utf8.c:49
#7  0x0000555555575c3c in bson_utf8_validate (utf8=0x61900000058e "\006", 
utf8_len=4294967295, 
    allow_null=true) at src/bson/bson-utf8.c:131
#8  0x000055555556cbf5 in bson_iter_visit_all (iter=0x7fffffffe680, 
    visitor=0x5555557a4a20 <bson_metrics_visitors>, data=0x5555557ad960 <state>)
    at src/bson/bson-iter.c:2069
#9  0x00005555555607d6 in bson_metrics (bson=0x6130000000c0, length=0x0, 
    data=0x5555557ad960 <state>) at examples/bson-metrics.c:208
#10 0x0000555555560b02 in main (argc=2, argv=0x7fffffffebe8) at 
examples/bson-metrics.c:257

and

(gdb) list src/bson/bson-iter.c:2069
2064             uint32_t doclen = 0;
2065             bson_t b;
2066
2067             code = bson_iter_codewscope (iter, &length, &doclen, &docbuf);
2068
2069             if (!bson_utf8_validate (code, length, true)) {
2070                iter->err_off = iter->off;
2071                return true;
2072             }
2073
(gdb) list src/bson/bson-utf8.c:131
126        unsigned j;
127
128        BSON_ASSERT (utf8);
129
130        for (i = 0; i < utf8_len; i += seq_length) {
131           _bson_utf8_get_sequence (&utf8[i], &seq_length, &first_mask);
132
133           /*
134            * Ensure we have a valid multi-byte sequence length.
135            */
(gdb)

See also https://bugzilla.redhat.com/show_bug.cgi?id=1489355#c2

Regards,
Salvatore
