Open lometsj opened 1 year ago
Also, generally don't request a CVE ID for every finding via fuzzing as they are prone to false positives in one manner or another. You triggered an OOB whatever? Great! Is it in the test suite or CLI utils with no real vector? Not so great. Give time for the developers of the project to confirm it is a valid issue before requesting.
I know I know, for the rare ones in the peanut gallery that say "but wasn't the original purpose of CVE to provide an ID while that is figured out?" Yep! But also, back then? They were quick to REJECT an ID and add a meaningful description update to an entry which is like getting a FFRDC to look past the price-gouged bill that tax-payers have to fund. It just doesn't happen much these days.
When you fuzz things and get CVEs for the issues you find, please also report to upstream in an accessible way to CVE consumers (ie, reference them in the CVE). You generally do more harm than good when you publicize security issues in this way without doing the minimum to get the issues fixed.
Also, generally don't request a CVE ID for every finding via fuzzing as they are prone to false positives in one manner or another. You triggered an OOB whatever? Great! Is it in the test suite or CLI utils with no real vector? Not so great. Give time for the developers of the project to confirm it is a valid issue before requesting.
I know I know, for the rare ones in the peanut gallery that say "but wasn't the original purpose of CVE to provide an ID while that is figured out?" Yep! But also, back then? They were quick to REJECT an ID and add a meaningful description update to an entry which is like getting a FFRDC to look past the price-gouged bill that tax-payers have to fund. It just doesn't happen much these days.
I do commit bug report to maintainer or developer before publicizing it and they do confirm it. I also try my best to do source code analysis to help maintainer to figure it. I don't know how to request a CVE id without a reference of bug report, so I create this issue. I admit I created this issue before repairing it, it's my fault. I know you guys hate fuzzing police. I'm sorry to make you think I'm.
When you fuzz things and get CVEs for the issues you find, please also report to upstream in an accessible way to CVE consumers (ie, reference them in the CVE). You generally do more harm than good when you publicize security issues in this way without doing the minimum to get the issues fixed.
Also, generally don't request a CVE ID for every finding via fuzzing as they are prone to false positives in one manner or another. You triggered an OOB whatever? Great! Is it in the test suite or CLI utils with no real vector? Not so great. Give time for the developers of the project to confirm it is a valid issue before requesting. I know I know, for the rare ones in the peanut gallery that say "but wasn't the original purpose of CVE to provide an ID while that is figured out?" Yep! But also, back then? They were quick to REJECT an ID and add a meaningful description update to an entry which is like getting a FFRDC to look past the price-gouged bill that tax-payers have to fund. It just doesn't happen much these days.
I do commit bug report to maintainer or developer before publicizing it and they do confirm it. I also try my best to do source code analysis to help maintainer to figure it.
The problem was that you guys told me that you'd like to fix them upstream as well, yet I don't find that happen in time until these two CVEs unvealed so I have to fix them urgently upstream although these are all about malicious images.
I know you guys hate fuzzing police. I'm sorry to make you think I'm.
Fuzzing is always a good attempt, yet I also don't think each fuzzing issue needs to raise an individual CVE (If you pay more time fuzzing other stuffs I think that is also the case). Compared with your reports, how about contributing a fuzzing framework to the opensource community as well? Personally I have quite limited time on all stuffs if someone else could help on that that would be much better.
https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/patch/?id=2145dff03dd3f3f74bcda3b52160fbad37f7fcfe The proposed fix for this issue.
heap-base overflow of erofs-utils
project
https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git
env
tested on fedora 37
version
erofs-utils v1.6
reproduce
source code analysis
in erofs_read_one_data function at data.c, it call dev_read to read from buf
and the var
len
is depends onmap->m_plen
, andmap->m_plen
depends oninode->i_size
which import from image file without check, lead to heap overflowthe top chunk is override as below
default_id_000011,sig_06,src_000303,time_17951196,execs_70778046,op_havoc,rep_16.zip