While testing fuzzipp, I found a stack overflow vulnerability located in the ippWriteIO function in the /src/libcups/cups/ipp.c file.
In line 5263 of the function, an irregular use of the memcpy function causes a heap overflow vulnerability.
The crash information is as follows:
=================================================================
==14==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000006a78 at pc 0x5616b8dea6da bp 0x7ffcac3a7010 sp 0x7ffcac3a67d0
READ of size 27252 at 0x502000006a78 thread T0
SCARINESS: 26 (multi-byte-read-heap-buffer-overflow)
#0 0x5616b8dea6d9 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3
#1 0x5616b8e646ba in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
#2 0x5616b8e646ba in ippWriteIO /src/libcups/cups/ipp.c:5263:7
#3 0x5616b8e62633 in ippWriteIO /src/libcups/cups/ipp.c:5199:9
#4 0x5616b8e2baba in LLVMFuzzerTestOneInput /src/libcups/ossfuzz/fuzzipp.c:119:15
#5 0x5616b8cde080 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#6 0x5616b8cdd8a5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
#7 0x5616b8cdf075 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:760:19
#8 0x5616b8cdfe65 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:905:5
#9 0x5616b8cce176 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
#10 0x5616b8cfa6a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#11 0x7fcd6234d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
#12 0x5616b8cbf2ed in _start (/out/fuzzipp+0x9a2ed)
DEDUP_TOKEN: __asan_memcpy--memcpy--ippWriteIO
0x502000006a78 is located 0 bytes after 8-byte region [0x502000006a70,0x502000006a78)
allocated by thread T0 here:
#0 0x5616b8dec808 in calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
#1 0x5616b8e7185c in _cupsStrAlloc /src/libcups/cups/string.c:548:29
#2 0x5616b8e59ffa in ippReadIO /src/libcups/cups/ipp.c:2981:28
#3 0x5616b8e59997 in ippReadIO /src/libcups/cups/ipp.c:3008:7
#4 0x5616b8e59997 in ippReadIO /src/libcups/cups/ipp.c:3008:7
#5 0x5616b8e2ba69 in LLVMFuzzerTestOneInput /src/libcups/ossfuzz/fuzzipp.c:107:15
#6 0x5616b8cde080 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#7 0x5616b8cdd8a5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
#8 0x5616b8cdf075 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:760:19
#9 0x5616b8cdfe65 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:905:5
#10 0x5616b8cce176 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
#11 0x5616b8cfa6a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#12 0x7fcd6234d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
DEDUP_TOKEN: ___interceptor_calloc--_cupsStrAlloc--ippReadIO
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3 in __asan_memcpy
Shadow bytes around the buggy address:
0x502000006780: fa fa 00 07 fa fa 04 fa fa fa fa fa fa fa fa fa
0x502000006800: fa fa 04 fa fa fa fa fa fa fa 00 fa fa fa 04 fa
0x502000006880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 04
0x502000006900: fa fa 00 fa fa fa 04 fa fa fa fa fa fa fa 04 fa
0x502000006980: fa fa 04 fa fa fa 00 04 fa fa fd fd fa fa 00 fa
=>0x502000006a00: fa fa fd fd fa fa 00 fa fa fa fd fd fa fa 00[fa]
0x502000006a80: fa fa fa fa fa fa fa fa fa fa 04 fa fa fa fd fd
0x502000006b00: fa fa fa fa fa fa fd fa fa fa 04 fa fa fa fd fd
0x502000006b80: fa fa 00 fa fa fa 04 fa fa fa 00 00 fa fa fd fd
0x502000006c00: fa fa 00 01 fa fa 04 fa fa fa 00 00 fa fa fd fd
0x502000006c80: fa fa fa fa fa fa 00 fa fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==14==ABORTING
While testing fuzzipp, I found a stack overflow vulnerability located in the ippWriteIO function in the /src/libcups/cups/ipp.c file. In line 5263 of the function, an irregular use of the memcpy function causes a heap overflow vulnerability.
The crash information is as follows: