search

tbeu / matio

MATLAB MAT File I/O Library
https://matio.sourceforge.io
BSD 2-Clause "Simplified" License
330 stars 97 forks source link

There is a stack-based buffer overflow in the ReadNextStructField function of mat5.c(at 1393) #128

Closed gutiniao closed 4 years ago

gutiniao commented 4 years ago

A crafted input will lead to crash in mat5.c at matio 1.5.17. Triggered by ./matdump POC

Poc 002-stackover-ReadNextStructField-mat51393

The ASAN information is as follows:

./matdump 002-stackover-ReadNextStructField-mat51393 
InflateArrayFlags: inflate returned data error
InflateRankDims: inflate returned data error
InflateVarTag: inflate returned data error
InflateVarTag: inflate returned data error
      Rank: 0
InflateRankDims: inflate returned data error
=================================================================
==32164==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcc03efb10 at pc 0x7f0ff115f208 bp 0x7ffcc03ef900 sp 0x7ffcc03ef8f0
READ of size 4 at 0x7ffcc03efb10 thread T0
    #0 0x7f0ff115f207 in ReadNextStructField /home/matio_asan/src/mat5.c:1393
    #1 0x7f0ff1219e10 in Mat_VarReadNextInfo5 /home/matio_asan/src/mat5.c:4959
    #2 0x7f0ff123046b in Mat_VarReadNextInfo /home/matio_asan/src/mat.c:2342
    #3 0x408126 in main /home/matio_asan/tools/matdump.c:944
    #4 0x7f0ff0a0b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x401b58 in _start (/usr/local/matio_asan/bin/matdump+0x401b58)

Address 0x7ffcc03efb10 is located in stack of thread T0 at offset 352 in frame
    #0 0x7f0ff115d8d6 in ReadNextStructField /home/matio_asan/src/mat5.c:1212

  This frame has 5 object(s):
    [32, 40) 'nelems'
    [96, 104) 'nelems_x_nfields'
    [160, 168) 'dims'
    [224, 248) 'buf'
    [288, 352) 'uncomp_buf' <== Memory access at offset 352 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/matio_asan/src/mat5.c:1393 ReadNextStructField
Shadow bytes around the buggy address:
  0x100018075f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100018075f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100018075f30: 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2
  0x100018075f40: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
  0x100018075f50: f2 f2 00 00 00 f4 f2 f2 f2 f2 00 00 00 00 00 00
=>0x100018075f60: 00 00[f3]f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
  0x100018075f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x100018075f80: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2
  0x100018075f90: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
  0x100018075fa0: f2 f2 00 00 00 f4 f2 f2 f2 f2 00 00 00 00 00 00
  0x100018075fb0: 00 00 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==32164==ABORTING

about code (1393):

/* Rank and dimension */
                if ( uncomp_buf[0] == MAT_T_INT32 ) {
                    int j;
                    fields[i]->rank = uncomp_buf[1];
                    nbytes -= fields[i]->rank;
                    fields[i]->rank /= 4;
                    fields[i]->dims = (size_t*)malloc(fields[i]->rank*
                                             sizeof(*fields[i]->dims));
                    if ( mat->byteswap ) {
                        for ( j = 0; j < fields[i]->rank; j++ )
                            fields[i]->dims[j] = Mat_uint32Swap(dims+j);
                    } else {
                        for ( j = 0; j < fields[i]->rank; j++ )
-------------------> fields[i]->dims[j] = dims[j];
                    }
tbeu commented 4 years ago

No need to report fuzzing issues since matio is on OSS-Fuzz with still about 40 open issues.

Instead of v1.5.17, please rerun the test against current master and reopen if the issue is still reproducible.

gutiniao commented 4 years ago

No need to report fuzzing issues since matio is on OSS-Fuzz with still about 40 open issues.

Instead of v1.5.17, please rerun the test against current master and reopen if the issue is still reproducible.

Yes, I just use 'git clone' to fetch the current master of the matio,the issue is still reproducible. image

image i 'm sure the issue is different from the fuzzing issues on OSS-fuzz.

tbeu commented 4 years ago

Should be fixed now.

carnil commented 4 years ago

CVE-2019-20020 has been assigned for this issue.

tbeu commented 4 years ago

OK, need to mention those CVE numbers in the changelog when making the new release.