Thanks, we've diagnosed the bug and we're tracking the fix in
https://jira.mongodb.org/browse/CDRIVER-2269 . We'll release the fix
in libbson 1.8.0 next week. (For readers of the report below: the gdb frame shows bson_utf8_validate being entered with utf8_len=4294967295, i.e. UINT32_MAX, so its validation loop reads past the end of the 1024-byte reader buffer that ASan flags.)

On Sat, Sep 9, 2017 at 11:36 AM, Salvatore Bonaccorso <car...@debian.org> wrote:
> Some debugging information:
>
> =================================================================
> ==7414==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x619000000980 at pc 0x5555555759b3 bp 0x7fffffffd9b0 sp 0x7fffffffd9a8
> READ of size 1 at 0x619000000980 thread T0
>     #0 0x5555555759b2 in _bson_utf8_get_sequence src/bson/bson-utf8.c:49
>     #1 0x555555575c3b in bson_utf8_validate src/bson/bson-utf8.c:131
>     #2 0x55555556cbf4 in bson_iter_visit_all src/bson/bson-iter.c:2069
>     #3 0x5555555607d5 in bson_metrics examples/bson-metrics.c:208
>     #4 0x555555560b01 in main examples/bson-metrics.c:257
>     #5 0x7f8775da02e0 in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
>     #6 0x55555555fce9 in _start (/root/libbson/bson-metrics+0xbce9)
>
> 0x619000000980 is located 0 bytes to the right of 1024-byte region 
> [0x619000000580,0x619000000980)
> allocated by thread T0 here:
>     #0 0x7f8776717bb8 in __interceptor_calloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9bb8)
>     #1 0x55555556eb0c in bson_malloc0 src/bson/bson-memory.c:105
>     #2 0x555555571614 in bson_reader_new_from_handle 
> src/bson/bson-reader.c:173
>     #3 0x555555571a2a in bson_reader_new_from_fd src/bson/bson-reader.c:304
>     #4 0x5555555731d4 in bson_reader_new_from_file src/bson/bson-reader.c:806
>     #5 0x5555555609fe in main examples/bson-metrics.c:244
>     #6 0x7f8775da02e0 in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow src/bson/bson-utf8.c:49 in 
> _bson_utf8_get_sequence
> Shadow bytes around the buggy address:
>   0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c327fff8130:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c327fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c327fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c327fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c327fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==7414==ABORTING
> [
> Program received signal SIGABRT, Aborted.
> __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
> 51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> (gdb) bt
> #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
> #1  0x00007f8775db442a in __GI_abort () at abort.c:89
> #2  0x00007f877673741b in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
> #3  0x00007f877673ebb8 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
> #4  0x00007f8776721a8d in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
> #5  0x00007f87767224e8 in __asan_report_load1 () from 
> /usr/lib/x86_64-linux-gnu/libasan.so.4
> #6  0x00005555555759b3 in _bson_utf8_get_sequence (utf8=0x619000000980 "",
>     seq_length=0x7fffffffda90 "\001\220VUUU", first_mask=0x7fffffffda50 
> "\177\005")
>     at src/bson/bson-utf8.c:49
> #7  0x0000555555575c3c in bson_utf8_validate (utf8=0x61900000058e "\006", 
> utf8_len=4294967295,
>     allow_null=true) at src/bson/bson-utf8.c:131
> #8  0x000055555556cbf5 in bson_iter_visit_all (iter=0x7fffffffe680,
>     visitor=0x5555557a4a20 <bson_metrics_visitors>, data=0x5555557ad960 
> <state>)
>     at src/bson/bson-iter.c:2069
> #9  0x00005555555607d6 in bson_metrics (bson=0x6130000000c0, length=0x0,
>     data=0x5555557ad960 <state>) at examples/bson-metrics.c:208
> #10 0x0000555555560b02 in main (argc=2, argv=0x7fffffffebe8) at 
> examples/bson-metrics.c:257
>
> and
>
> (gdb) list src/bson/bson-iter.c:2069
> 2064             uint32_t doclen = 0;
> 2065             bson_t b;
> 2066
> 2067             code = bson_iter_codewscope (iter, &length, &doclen, 
> &docbuf);
> 2068
> 2069             if (!bson_utf8_validate (code, length, true)) {
> 2070                iter->err_off = iter->off;
> 2071                return true;
> 2072             }
> 2073
> (gdb) list src/bson/bson-utf8.c:131
> 126        unsigned j;
> 127
> 128        BSON_ASSERT (utf8);
> 129
> 130        for (i = 0; i < utf8_len; i += seq_length) {
> 131           _bson_utf8_get_sequence (&utf8[i], &seq_length, &first_mask);
> 132
> 133           /*
> 134            * Ensure we have a valid multi-byte sequence length.
> 135            */
> (gdb)
>
> cf. as well https://bugzilla.redhat.com/show_bug.cgi?id=1489355#c2
>
> Regards,
> Salvatore
