tbeu / matio

MATLAB MAT File I/O Library
https://matio.sourceforge.io
BSD 2-Clause "Simplified" License

Memory exhaustion issue in Mat_VarRead5 (mat5.c:3574) #130

Status: Closed (gutiniao closed this issue 4 years ago)

gutiniao commented 4 years ago

A crafted input leads to a crash in mat5.c in matio 1.5.17. Triggered by ./matdump POC

PoC file: 004Mat_VarRead53574

The ASAN information is as follows:

./matdump 004Mat_VarRead53574 
==22145==ERROR: AddressSanitizer failed to allocate 0x4c1a84000 (20428898304) bytes of LargeMmapAllocator (errno: 12)
==22145==Process memory map follows:
    0x000000400000-0x00000040d000   /usr/local/matio_asan/bin/matdump
    0x00000060c000-0x00000060d000   /usr/local/matio_asan/bin/matdump
    0x00000060d000-0x000000610000   /usr/local/matio_asan/bin/matdump
    0x00007fff7000-0x00008fff7000   
    0x00008fff7000-0x02008fff7000   
    0x02008fff7000-0x10007fff8000   
    0x600000000000-0x602000000000   
    0x602000000000-0x602000010000   
    0x602000010000-0x603000000000   
    0x603000000000-0x603000010000   
    0x603000010000-0x604000000000   
    0x604000000000-0x604000010000   
    0x604000010000-0x607000000000   
    0x607000000000-0x607000010000   
    0x607000010000-0x60b000000000   
    0x60b000000000-0x60b000010000   
    0x60b000010000-0x60c000000000   
    0x60c000000000-0x60c000010000   
    0x60c000010000-0x616000000000   
    0x616000000000-0x616000020000   
    0x616000020000-0x619000000000   
    0x619000000000-0x619000020000   
    0x619000020000-0x621000000000   
    0x621000000000-0x621000020000   
    0x621000020000-0x624000000000   
    0x624000000000-0x624000020000   
    0x624000020000-0x62d000000000   
    0x62d000000000-0x62d000020000   
    0x62d000020000-0x640000000000   
    0x640000000000-0x640000003000   
    0x7fd221600000-0x7fd221700000   
    0x7fd221800000-0x7fd221900000   
    0x7fd22191d000-0x7fd223c6f000   
    0x7fd223c6f000-0x7fd223c8a000   /usr/local/lib/libz.so.1.2.11
    0x7fd223c8a000-0x7fd223e89000   /usr/local/lib/libz.so.1.2.11
    0x7fd223e89000-0x7fd223e8a000   /usr/local/lib/libz.so.1.2.11
    0x7fd223e8a000-0x7fd223e8b000   /usr/local/lib/libz.so.1.2.11
    0x7fd223e8b000-0x7fd223ea1000   /lib/x86_64-linux-gnu/libgcc_s.so.1
    0x7fd223ea1000-0x7fd2240a0000   /lib/x86_64-linux-gnu/libgcc_s.so.1
    0x7fd2240a0000-0x7fd2240a1000   /lib/x86_64-linux-gnu/libgcc_s.so.1
    0x7fd2240a1000-0x7fd2240a4000   /lib/x86_64-linux-gnu/libdl-2.23.so
    0x7fd2240a4000-0x7fd2242a3000   /lib/x86_64-linux-gnu/libdl-2.23.so
    0x7fd2242a3000-0x7fd2242a4000   /lib/x86_64-linux-gnu/libdl-2.23.so
    0x7fd2242a4000-0x7fd2242a5000   /lib/x86_64-linux-gnu/libdl-2.23.so
    0x7fd2242a5000-0x7fd2242bd000   /lib/x86_64-linux-gnu/libpthread-2.23.so
    0x7fd2242bd000-0x7fd2244bc000   /lib/x86_64-linux-gnu/libpthread-2.23.so
    0x7fd2244bc000-0x7fd2244bd000   /lib/x86_64-linux-gnu/libpthread-2.23.so
    0x7fd2244bd000-0x7fd2244be000   /lib/x86_64-linux-gnu/libpthread-2.23.so
    0x7fd2244be000-0x7fd2244c2000   
    0x7fd2244c2000-0x7fd224682000   /lib/x86_64-linux-gnu/libc-2.23.so
    0x7fd224682000-0x7fd224882000   /lib/x86_64-linux-gnu/libc-2.23.so
    0x7fd224882000-0x7fd224886000   /lib/x86_64-linux-gnu/libc-2.23.so
    0x7fd224886000-0x7fd224888000   /lib/x86_64-linux-gnu/libc-2.23.so
    0x7fd224888000-0x7fd22488c000   
    0x7fd22488c000-0x7fd224994000   /lib/x86_64-linux-gnu/libm-2.23.so
    0x7fd224994000-0x7fd224b93000   /lib/x86_64-linux-gnu/libm-2.23.so
    0x7fd224b93000-0x7fd224b94000   /lib/x86_64-linux-gnu/libm-2.23.so
    0x7fd224b94000-0x7fd224b95000   /lib/x86_64-linux-gnu/libm-2.23.so
    0x7fd224b95000-0x7fd224d18000   /usr/local/matio_asan/lib/libmatio.so.10.0.2
    0x7fd224d18000-0x7fd224f17000   /usr/local/matio_asan/lib/libmatio.so.10.0.2
    0x7fd224f17000-0x7fd224f18000   /usr/local/matio_asan/lib/libmatio.so.10.0.2
    0x7fd224f18000-0x7fd224f1b000   /usr/local/matio_asan/lib/libmatio.so.10.0.2
    0x7fd224f1b000-0x7fd22500f000   /usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
    0x7fd22500f000-0x7fd22520f000   /usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
    0x7fd22520f000-0x7fd225212000   /usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
    0x7fd225212000-0x7fd225213000   /usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
    0x7fd225213000-0x7fd225e88000   
    0x7fd225e88000-0x7fd225eae000   /lib/x86_64-linux-gnu/ld-2.23.so
    0x7fd22605c000-0x7fd226093000   
    0x7fd226096000-0x7fd2260ad000   
    0x7fd2260ad000-0x7fd2260ae000   /lib/x86_64-linux-gnu/ld-2.23.so
    0x7fd2260ae000-0x7fd2260af000   /lib/x86_64-linux-gnu/ld-2.23.so
    0x7fd2260af000-0x7fd2260b0000   
    0x7ffe32830000-0x7ffe32851000   [stack]
    0x7ffe328fa000-0x7ffe328fd000   [vvar]
    0x7ffe328fd000-0x7ffe328ff000   [vdso]
    0xffffffffff600000-0xffffffffff601000   [vsyscall]
==22145==End of process memory map.
==22145==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0x7fd224fbb631  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7fd224fc05e3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
    #2 0x7fd224fc8611  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xad611)
    #3 0x7fd224f3dc0c  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22c0c)
    #4 0x7fd224fb35d2 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)
    #5 0x7fd224c486d6 in Mat_VarRead5 /home/matio_asan/src/mat5.c:3574
    #6 0x7fd224c333b5 in ReadNextCell /home/matio_asan/src/mat5.c:1063
    #7 0x7fd224cf0e78 in Mat_VarReadNextInfo5 /home/matio_asan/src/mat5.c:4961
    #8 0x7fd224d0746b in Mat_VarReadNextInfo /home/matio_asan/src/mat.c:2342
    #9 0x408126 in main /home/matio_asan/tools/matdump.c:944
    #10 0x7fd2244e282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x401b58 in _start (/usr/local/matio_asan/bin/matdump+0x401b58)

About the code at mat5.c:3574:

Mat_VarReadNumeric5(mat,matvar,complex_data->Im,nelems);
                matvar->data = complex_data;
            } else {
                err = SafeMul(&matvar->nbytes, nelems, matvar->data_size);
                if ( err ) {
                    Mat_Critical("Integer multiplication overflow");
                    break;
                }

----------> matvar->data = malloc(matvar->nbytes);
                if ( NULL == matvar->data ) {
                    Mat_Critical("Couldn't allocate memory for the data");
tbeu commented 4 years ago

No need to report fuzzing issues since matio is on OSS-Fuzz with still about 40 open issues.

Instead of v1.5.17, please rerun the test against current master and reopen if the issue is still reproducible.

gutiniao commented 4 years ago

> No need to report fuzzing issues since matio is on OSS-Fuzz with still about 40 open issues.
>
> Instead of v1.5.17, please rerun the test against current master and reopen if the issue is still reproducible.

Yes, I just used 'git clone' to fetch the current master of matio; the issue is still reproducible.

I'm sure the issue is different from the fuzzing issues on OSS-Fuzz.

tbeu commented 4 years ago

I can confirm that the number of allocated bytes is high, but I cannot confirm the crash.

carnil commented 4 years ago

CVE-2019-20019 has been assigned for this issue.