A heap-buffer-overflow vulnerability was discovered

MageWeiG commented 3 months ago

While testing fuzzipp, I found a stack overflow vulnerability located in the ippWriteIO function in the /src/libcups/cups/ipp.c file. In line 5263 of the function, an irregular use of the memcpy function causes a heap overflow vulnerability.

The crash information is as follows：

=================================================================
==14==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000006a78 at pc 0x5616b8dea6da bp 0x7ffcac3a7010 sp 0x7ffcac3a67d0
READ of size 27252 at 0x502000006a78 thread T0
SCARINESS: 26 (multi-byte-read-heap-buffer-overflow)
    #0 0x5616b8dea6d9 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3
    #1 0x5616b8e646ba in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
    #2 0x5616b8e646ba in ippWriteIO /src/libcups/cups/ipp.c:5263:7
    #3 0x5616b8e62633 in ippWriteIO /src/libcups/cups/ipp.c:5199:9
    #4 0x5616b8e2baba in LLVMFuzzerTestOneInput /src/libcups/ossfuzz/fuzzipp.c:119:15
    #5 0x5616b8cde080 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #6 0x5616b8cdd8a5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
    #7 0x5616b8cdf075 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:760:19
    #8 0x5616b8cdfe65 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:905:5
    #9 0x5616b8cce176 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
    #10 0x5616b8cfa6a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7fcd6234d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #12 0x5616b8cbf2ed in _start (/out/fuzzipp+0x9a2ed)

DEDUP_TOKEN: __asan_memcpy--memcpy--ippWriteIO
0x502000006a78 is located 0 bytes after 8-byte region [0x502000006a70,0x502000006a78)
allocated by thread T0 here:
    #0 0x5616b8dec808 in calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
    #1 0x5616b8e7185c in _cupsStrAlloc /src/libcups/cups/string.c:548:29
    #2 0x5616b8e59ffa in ippReadIO /src/libcups/cups/ipp.c:2981:28
    #3 0x5616b8e59997 in ippReadIO /src/libcups/cups/ipp.c:3008:7
    #4 0x5616b8e59997 in ippReadIO /src/libcups/cups/ipp.c:3008:7
    #5 0x5616b8e2ba69 in LLVMFuzzerTestOneInput /src/libcups/ossfuzz/fuzzipp.c:107:15
    #6 0x5616b8cde080 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #7 0x5616b8cdd8a5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
    #8 0x5616b8cdf075 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:760:19
    #9 0x5616b8cdfe65 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:905:5
    #10 0x5616b8cce176 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
    #11 0x5616b8cfa6a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #12 0x7fcd6234d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)

DEDUP_TOKEN: ___interceptor_calloc--_cupsStrAlloc--ippReadIO
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x502000006780: fa fa 00 07 fa fa 04 fa fa fa fa fa fa fa fa fa
  0x502000006800: fa fa 04 fa fa fa fa fa fa fa 00 fa fa fa 04 fa
  0x502000006880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 04
  0x502000006900: fa fa 00 fa fa fa 04 fa fa fa fa fa fa fa 04 fa
  0x502000006980: fa fa 04 fa fa fa 00 04 fa fa fd fd fa fa 00 fa
=>0x502000006a00: fa fa fd fd fa fa 00 fa fa fa fd fd fa fa 00[fa]
  0x502000006a80: fa fa fa fa fa fa fa fa fa fa 04 fa fa fa fd fd
  0x502000006b00: fa fa fa fa fa fa fd fa fa fa 04 fa fa fa fd fd
  0x502000006b80: fa fa 00 fa fa fa 04 fa fa fa 00 00 fa fa fd fd
  0x502000006c00: fa fa 00 01 fa fa 04 fa fa fa 00 00 fa fa fd fd
  0x502000006c80: fa fa fa fa fa fa 00 fa fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14==ABORTING

michaelrsweet commented 3 months ago

Do you have the "corpus" that caused the issue?

MageWeiG commented 3 months ago

Ok, I've attached the corpus。 crash-d8616e43ff1db1b8e21f333287caa47d88d6a8fa.zip

michaelrsweet commented 3 months ago

[master a7a28e643] Error out if an attribute conversion is unsuccessful.

OpenPrinting / libcups

A heap-buffer-overflow vulnerability was discovered #83