[CDRIVER-2819] Heap buffer overflow at libbson
Created: 10/Sep/18 | Updated: 28/Oct/23 | Resolved: 17/Sep/18

| Status: | Closed |
| Project: | C Driver |
| Component/s: | libbson |
| Affects Version/s: | 1.12.0 |
| Fix Version/s: | 1.13.0 |
| Type: | Bug |
| Priority: | Minor - P4 |
| Reporter: | Yibai |
| Assignee: | A. Jesse Jiryu Davis |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Ubuntu 14.04 |
| Description |

We tested the newest libbson from master at mongo-c-driver and found a crash when parsing a corrupted BSON buffer.

Base64-encoded payload:
GAAAAAUOGS4ABAAAAAIAAAAAAAAFDgAAGAAAAAUOGS4ABAAAAAIAAAAAAAAFDgAAGAAAAAUAAAAAAAAFDhkuAAQAAAACAAAA

ASAN report:
0x607000070068 is located 0 bytes to the right of 72-byte region [0x607000070020,0x607000070068)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/xm1994/dive-test/sources/mongo-c-driver-1.12.0/src/libbson/src/bson/bson-iter.c:632:10 in _bson_iter_next_internal
| Comments |

| Comment by Githook User [ 17/Sep/18 ] |

Author: Scott Gayou <sgayou@redhat.com>
Message: Fix for CVE-2018-16790 – Verify bounds before binary length read.
As reported here: https://jira.mongodb.org/browse/CDRIVER-2819, In the original check, len - o returns the data left including the
Added in test for corrupted BSON example.
| Comment by Scott Gayou [ 14/Sep/18 ] |

Took a stab at a fix here: https://github.com/mongodb/mongo-c-driver/pull/537
Parsing code is dense, so this may be incorrect. Could use some additional eyes. Fix removes Valgrind/ASAN errors on my box.
| Comment by Scott Gayou [ 14/Sep/18 ] |

Looks like we're running off the end of a binary buffer. Reproducer that triggers the ASAN error can be reduced to:

{0x11, 0x0, 0x0, 0x0, 0x5, 0xe, 0x19, 0x2e, 0x0, 0x4, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0}

which I believe decodes to:

0x11, 0x0, 0x0, 0x0 – Length of document is 0x11 (17) bytes

Thus, if we change the final binary length to a 3 instead of a 4, we no longer trigger the out-of-bounds read. Looking at the code now...
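The bounds problem Scott describes, as an added example that is not part of this ticket or of libbson's code: a minimal parser for one BSON binary element that walks the 17-byte reproducer from the comment above (REPRO) and a constructed valid document (GOOD). The "loose" branch is a hypothetical model of the bug class, comparing the declared length against the bytes remaining from the length field instead of from the payload, and is not the driver's actual pre-fix code; the "hardened" branch shows the check a parser needs. All reads are gated through in_bounds so an overrun is reported instead of performed. Function and type names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The reduced reproducer from the thread: declared binary length 4, only 3 bytes left. */
static const uint8_t REPRO[17] = {
    0x11, 0x00, 0x00, 0x00,   /* int32 document length = 17 */
    0x05,                     /* element type 0x05 = binary */
    0x0e, 0x19, 0x2e, 0x00,   /* key: 3 bytes + NUL */
    0x04, 0x00, 0x00, 0x00,   /* int32 binary length = 4 (byte offset 9) */
    0x02,                     /* subtype 0x02: old binary with an inner int32 length */
    0x00, 0x00, 0x00          /* 3 bytes remain; no 0x00 document terminator */
};

/* Constructed well-formed counterpart: same key, subtype 0x00, 2 payload bytes, terminator. */
static const uint8_t GOOD[17] = {
    0x11, 0x00, 0x00, 0x00, 0x05, 0x0e, 0x19, 0x2e, 0x00,
    0x02, 0x00, 0x00, 0x00,   /* binary length = 2 */
    0x00,                     /* subtype 0x00 (generic) */
    0xaa, 0xbb,               /* payload */
    0x00                      /* document terminator */
};

typedef enum { BIN_OK, BIN_REJECTED, BIN_OOB_READ } bin_result;

typedef struct {
    uint32_t data_off, data_len;  /* payload as the parser understood it */
    uint8_t subtype;
    uint32_t next_off;            /* where the next element would start */
} bin_elem;

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Every access is gated here, so an out-of-bounds read is reported rather than performed. */
static bool in_bounds(uint32_t len, uint32_t off, uint32_t n) {
    return off <= len && n <= len - off;
}

/* Parse the binary element whose int32 length field begins at offset o (just past the
 * key's NUL) of a len-byte document. The loose branch is a hypothetical model of the bug:
 * it measures "bytes left" from o, so the 4-byte length and 1-byte subtype header are
 * counted as payload space and a length up to 5 bytes too large passes. */
static bin_result parse_binary(const uint8_t *doc, uint32_t len, uint32_t o,
                               bool hardened, bin_elem *out) {
    if (!in_bounds(len, o, 5)) return BIN_REJECTED;       /* length + subtype must exist */
    uint32_t l = rd_u32le(doc + o);
    uint8_t subtype = doc[o + 4];
    uint32_t data = o + 5;

    if (hardened) {
        /* Payload must fit after the 5 header bytes and still leave the final 0x00. */
        if (l >= len - o - 5) return BIN_REJECTED;
    } else if (l >= len - o) {
        return BIN_REJECTED;
    }

    if (subtype == 0x02) {
        /* Old binary carries a redundant inner int32 length; reading it is the first
         * access that runs off the buffer when the outer check was too loose. */
        if (l < 4) return BIN_REJECTED;
        if (!in_bounds(len, data, 4)) return BIN_OOB_READ;
        if (rd_u32le(doc + data) + 4 != l) return BIN_REJECTED;
    }
    if (!in_bounds(len, data, l)) return BIN_OOB_READ;   /* copying the payload would overrun */

    if (out) { out->data_off = data; out->data_len = l; out->subtype = subtype; out->next_off = data + l; }
    return BIN_OK;
}

/* Walk from the document header to the first element and parse it if it is binary. */
static bin_result parse_first_binary(const uint8_t *doc, uint32_t len, bool hardened, bin_elem *out) {
    if (len < 5 || rd_u32le(doc) != len) return BIN_REJECTED;  /* header must match buffer size */
    uint32_t o = 4;
    if (doc[o++] != 0x05) return BIN_REJECTED;
    while (o < len && doc[o] != 0x00) o++;                      /* key must end inside the doc */
    if (o >= len) return BIN_REJECTED;
    return parse_binary(doc, len, o + 1, hardened, out);
}

/* Re-run the reproducer with the binary length byte patched, as the thread did. */
static bin_result check_repro(uint8_t declared_len, bool hardened) {
    uint8_t buf[sizeof REPRO];
    memcpy(buf, REPRO, sizeof buf);
    buf[9] = declared_len;
    return parse_first_binary(buf, sizeof buf, hardened, NULL);
}

/* Offset of the element after the binary in GOOD under the hardened parser (0 on failure). */
static uint32_t good_next_off(void) {
    bin_elem e = {0};
    return parse_first_binary(GOOD, sizeof GOOD, true, &e) == BIN_OK ? e.next_off : 0;
}

int main(void) {
    static const char *names[] = { "ok", "rejected", "out-of-bounds read" };
    printf("repro len=4, loose:    %s\n", names[check_repro(4, false)]);
    printf("repro len=4, hardened: %s\n", names[check_repro(4, true)]);
    printf("repro len=3, loose:    %s\n", names[check_repro(3, false)]);
    printf("good doc, hardened:    %s, next element at %u\n",
           names[parse_first_binary(GOOD, sizeof GOOD, true, NULL)], good_next_off());
    return 0;
}
```

With the loose check the reproducer passes the length test (4 < 17 - 9 = 8) and the very next thing the parser does is read the inner length of a subtype-2 binary from offset 14, four bytes that end one past the buffer, which is exactly the "0 bytes to the right" read ASAN reports. The hardened check rejects it before any read (4 >= 17 - 9 - 5 = 3). Patching the length to 3, as the thread did, also stops the overrun under the loose check because subtype 2 needs at least 4 bytes, so the element is rejected rather than read.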
| Comment by Petr Pisar [ 14/Sep/18 ] |

Yes. I can reproduce it with libbson-1.9.5: https://bugzilla.redhat.com/show_bug.cgi?id=1627923#c3
| Comment by A. Jesse Jiryu Davis [ 13/Sep/18 ] |

Probably affects libbson before 1.12, since the bson_iter_next logic hasn't changed in a while.
| Comment by A. Jesse Jiryu Davis [ 10/Sep/18 ] |

Thanks for your report!
| Comment by Yibai [ 10/Sep/18 ] |

LLVM Fuzzer code here:
Backtrace and ASAN info here: