Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-2819

Heap buffer overflow at libbson

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Fixed
    • Affects Version/s: 1.12.0
    • Fix Version/s: 1.13.0
    • Component/s: libbson
    • Labels:
      None
    • Environment:
      Ubuntu 14.04

      Description

      We tested the newest libbson from master at mongo-c-driver and found crash when parsing corrupted bson buffer.

      base64 encoded payload: GAAAAAUOGS4ABAAAAAIAAAAAAAAFDgAAGAAAAAUOGS4ABAAAAAIAAAAAAAAFDgAAGAAAAAUAAAAAAAAFDhkuAAQAAAACAAAA

      ASAN report:
      ==39647==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000070068 at pc 0x000000530cc2 bp 0x7ffdde442010 sp 0x7ffdde442008
      READ of size 4 at 0x607000070068 thread T0
      #0 0x530cc1 in _bson_iter_next_internal /home/xm1994/dive-test/sources/mongo-c-driver-1.12.0/src/libbson/src/bson/bson-iter.c:632:10
      #1 0x536986 in bson_iter_visit_all /home/xm1994/dive-test/sources/mongo-c-driver-1.12.0/src/libbson/src/bson/bson-iter.c:1934:11
      #2 0x51fcfd in _bson_as_json_visit_all /home/xm1994/dive-test/sources/mongo-c-driver-1.12.0/src/libbson/src/bson/bson.c:3158:8
      #3 0x513076 in LLVMFuzzerTestOneInput /home/xm1994/dive-test/sources/mongo-c-driver-1.12.0/fuzz/fuzzer.c:42:13
      #4 0x42d6ac in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:515:13
      #5 0x42cf0b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:440
      :3
      #6 0x42e8bd in fuzzer::Fuzzer::MutateAndTestOne() /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:648:19
      #7 0x42f505 in fuzzer::Fuzzer::Loop(std::vector<std::string, fuzzer::fuzzer_allocator<std::string> > const&) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:77
      5:5
      #8 0x424363 in fuzzer::FuzzerDriver(int*, char**, int (unsigned char const, unsigned long)) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:754:6
      #9 0x445c82 in main /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
      #10 0x7fa8b4624f44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287
      #11 0x41ce7b in _start (/home/xm1994/dive-test/sources/mongo-c-driver-1.12.0/fuzz/fuzzer+0x41ce7b)

      0x607000070068 is located 0 bytes to the right of 72-byte region [0x607000070020,0x607000070068)
      allocated by thread T0 here:
      #0 0x4e62e3 in __interceptor_malloc /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
      #1 0x7fa8b5580697 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x6c697)
      #2 0x42cf0b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:440
      :3
      #3 0x42e8bd in fuzzer::Fuzzer::MutateAndTestOne() /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:648:19
      #4 0x42f505 in fuzzer::Fuzzer::Loop(std::vector<std::string, fuzzer::fuzzer_allocator<std::string> > const&) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:77
      5:5
      #5 0x424363 in fuzzer::FuzzerDriver(int*, char**, int (unsigned char const, unsigned long)) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:754:6
      #6 0x445c82 in main /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
      #7 0x7fa8b4624f44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287

      SUMMARY: AddressSanitizer: heap-buffer-overflow /home/xm1994/dive-test/sources/mongo-c-driver-1.12.0/src/libbson/src/bson/bson-iter.c:632:10 in _bson_iter_next_internal
       

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: