xt-cve created an issue (kamailio/kamailio#4494)
### Description
Continuous fuzzing of the pp_subst_add function using LibFuzzer and
AddressSanitizer (ASAN) has revealed a Stack Buffer Overflow vulnerability in
the pv_parse_spec2 function, which is part of the Process Variable (PV) parsing
logic utilized by the substitution parser.
The crash occurs during the initialization (via memset) of the pv_spec_t
structure, indicating that the size used for memset exceeds the actual size of
the memory allocated for the structure on the stack.
### Vulnerability Details
1. Crash Backtrace (ASAN Output)
```
==12==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fbe92dde0d0 at pc 0x55924b7b85c5 bp 0x7ffd36c23590 sp 0x7ffd36c22d60
WRITE of size 88 at 0x7fbe92dde0d0 thread T0
SCARINESS: 70 (multi-byte-write-stack-buffer-overflow-far-from-bounds)
    #0 0x55924b7b85c4 in __asan_memset /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:67:3
    #1 0x55924b88ef43 in pv_parse_spec2 /src/kamailio/src/core/pvapi.c:853:2   <-- Crash location
    #2 0x55924b8e83c6 in parse_repl /src/kamailio/src/core/re.c:172:9
    #3 0x55924b8eb6ad in subst_parser /src/kamailio/src/core/re.c:256:14
    #4 0x55924b849104 in pp_subst_add /src/kamailio/src/core/ppcfg.c:98:7
    #5 0x55924b7f9b8e in LLVMFuzzerTestOneInput /src/kamailio/./misc/fuzz/fuzz_uri.c:17:9
    ...
```
### Analysis of the Crash Location
The ASAN report points to a memory write of 88 bytes (WRITE of size 88)
originating from a memset call inside pv_parse_spec2 (around line 859 in
pvapi.c).
The relevant section in pv_parse_spec2 is the initialization of the output
structure e:
```c
/* Inside pv_parse_spec2 function */
// ...
pvstate = 0;
memset(e, 0, sizeof(pv_spec_t)); // <-- Suspected overflow here
e->pvp.pvi.type = PV_IDX_NONE;
// ...
```
The pointer e is passed from the caller, parse_repl, which calls pv_parse_spec
(a macro wrapper for pv_parse_spec2) like this:
```c
// Inside parse_repl function
struct replace_with rw[MAX_REPLACE_WITH];
// ...
p0 = pv_parse_spec(&s, &rw[token_nb].u.spec);
```
The pointer e points to &rw[token_nb].u.spec. This spec field is part of a
union (u) within the struct replace_with:
```c
// Simplified structure definitions
struct replace_with {
    // ... other members
    union {
        // ... other union members
        struct pv_spec spec;
    } u;
};
```
```
The root cause is likely a mismatch in structure sizing:

- pv_parse_spec2 attempts to write sizeof(pv_spec_t) bytes (which is 88 bytes based on the ASAN report).
- The memory passed via e is part of a union u (or the containing struct replace_with), which is allocated on the stack.
- If sizeof(struct pv_spec) (88 bytes) is larger than the actual size allocated for the union u in the struct replace_with definition (or if the pv_spec structure definition was updated without updating the encompassing structures), the memset will write beyond the bounds of the allocated stack memory, leading to a Stack Buffer Overflow.
### Reproduction & Suggested Fix
#### Reproduction
The issue can be reliably reproduced by running the Fuzzer Harness for
pp_subst_add with AddressSanitizer enabled (-fsanitize=address).
#### Suggested Fix
Please investigate the following:

1. Verify the size of struct pv_spec (sizeof(pv_spec_t)) and confirm if it is indeed 88 bytes.
2. Review the definition of struct replace_with and its union u to ensure that all union members are large enough to contain the current struct pv_spec.
3. If the structure definitions cannot be adjusted, the memset call in pv_parse_spec2 needs to be reviewed to ensure it only initializes the memory actually allocated by the caller for the pv_spec instance.
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/4494
Kamailio - Development Mailing List
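The following is an added example, not code from Kamailio or from the issue reporter. It models the sizing check the report asks for with constructed struct layouts: `pv_spec_t` is a stand-in that comes out at 88 bytes like the ASAN write, and `struct replace_with_stale` is a hypothetical container built against a smaller, out-of-date `pv_spec` layout, illustrating the reporter's "definition updated without updating the encompassing structures" scenario rather than a confirmed cause. It shows two guards a maintainer could put in place: a `_Static_assert` that fails the build when the union member is too small for a full `pv_spec_t`, and a size-checked initializer that refuses to `memset` past the caller's buffer. The names `pv_spec_init_checked`, `replace_with_stale` and the field layouts are assumptions for this example only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Kamailio code. The layouts below are constructed
 * stand-ins for struct pv_spec / struct replace_with in the report; the real
 * definitions live in Kamailio's headers and are not reproduced here.
 */

/* Stand-in for the current pv_spec_t: 4 + 4 + 80 = 88 bytes, no trailing
 * padding on the usual 32- and 64-bit ABIs (alignment is 4). */
typedef struct pv_spec {
	int type;
	int flags;
	unsigned char body[80];
} pv_spec_t;

/* Hypothetical stale layout (4 + 4 + 40 = 48 bytes), modelling a container
 * that was not updated when pv_spec grew. Assumption for this example only. */
typedef struct pv_spec_stale {
	int type;
	int flags;
	unsigned char body[40];
} pv_spec_stale_t;

struct replace_with_stale {
	int type;
	union {
		int n;
		pv_spec_stale_t spec; /* too small for memset(.., sizeof(pv_spec_t)) */
	} u;
};

struct replace_with {
	int type;
	union {
		int n;
		pv_spec_t spec;
	} u;
};

/* Compile-time form of the check: the build fails as soon as the union can
 * no longer hold a full pv_spec_t. sizeof() does not evaluate its operand,
 * so the null-pointer member access is a constant expression. */
_Static_assert(sizeof(((struct replace_with *)0)->u) >= sizeof(pv_spec_t),
		"struct replace_with.u cannot hold a pv_spec_t");

/* Run-time form: zero a pv_spec_t only when the caller's buffer is large
 * enough. Returns 0 on success, -1 (and writes nothing) otherwise. */
int pv_spec_init_checked(void *dst, size_t dst_size)
{
	if (dst == NULL || dst_size < sizeof(pv_spec_t))
		return -1;
	memset(dst, 0, sizeof(pv_spec_t));
	return 0;
}

/* Sizes comparable to the numbers in the ASAN output. */
size_t pv_spec_size(void) { return sizeof(pv_spec_t); }
size_t replace_with_union_size(void) { return sizeof(((struct replace_with *)0)->u); }
size_t replace_with_stale_union_size(void) { return sizeof(((struct replace_with_stale *)0)->u); }

int main(void)
{
	struct replace_with rw;
	struct replace_with_stale rw_stale;

	printf("sizeof(pv_spec_t)            = %zu\n", pv_spec_size());
	printf("sizeof(replace_with.u)       = %zu\n", replace_with_union_size());
	printf("sizeof(replace_with_stale.u) = %zu\n", replace_with_stale_union_size());

	/* Current layout: the union fits, initialisation proceeds (0). */
	printf("init into replace_with.u:       %d\n",
			pv_spec_init_checked(&rw.u, sizeof(rw.u)));
	/* Stale layout: an unchecked memset here would be an 88-byte write into a
	 * 48-byte stack object; the checked initializer refuses instead (-1). */
	printf("init into replace_with_stale.u: %d\n",
			pv_spec_init_checked(&rw_stale.u, sizeof(rw_stale.u)));
	return 0;
}
```

The `_Static_assert` is the cheaper guard of the two: it turns a layout drift between `pv_spec_t` and its containers into a compile error instead of a runtime stack write that only a sanitizer build would notice. Applying it to the real types means placing it next to the definition of `struct replace_with`, where both types are visible.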