[MONGOCRYPT-592] Potential buffer overflow in libmongocrypt found by Veracode Created: 07/Sep/23  Updated: 27/Oct/23  Resolved: 26/Sep/23

Status: Closed
Project: Libmongocrypt
Component/s: None
Affects Version/s: 1.8.0
Fix Version/s: None

Type: Bug Priority: Unknown
Reporter: Juan Emilio Inzaurraga Assignee: Kevin Albertson
Resolution: Gone away Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-09-07-14-58-47-909.png

Comments
Comment by PM Bot [ 26/Sep/23 ]

There hasn't been any recent activity on this ticket, so we're resolving it. Thanks for reaching out! Please feel free to reopen this ticket if you're still experiencing the issue, and add a comment if you're able to provide more information.

Comment by PM Bot [ 18/Sep/23 ]

Hi jinzaurraga@coalfire.com! MONGOCRYPT-592 is awaiting your response.

If this is still an issue for you, please open Jira to review the latest status and provide your feedback. Thanks!

Comment by Kevin Albertson [ 08/Sep/23 ]

Hello jinzaurraga@coalfire.com, thank you for the report.

mc-writer.c line 110 is (and has always been) an empty line: https://github.com/mongodb/libmongocrypt/blob/9b07846bef9c5bf23b1978a7765337afe9ba90fe/src/mc-writer.c#L110

Does Veracode provide more information to identify the line of code referenced (e.g. a code snippet)?

The function containing mc-writer.c line 110 contains a memcpy. There are checks to guarantee the destination has sufficient space:

CHECK_REMAINING_BUFFER_AND_RET(length);

if (length > SIZE_MAX) {
    CLIENT_ERR("%s failed to copy "
               "data of length %" PRIu64,
               writer->parser_name,
               length);
    return false;
}

memcpy(writer->ptr + writer->pos, buf->data, (size_t)length);

If Veracode is referencing the memcpy, my guess is the cast to (size_t) may result in a false positive warning.
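
The check-before-memcpy pattern that the comment above describes, as an added example that is not the ticket's or libmongocrypt's code: a minimal bounded writer that refuses any copy exceeding the remaining space and compares against the remaining count (not pos + length) so an oversized length cannot wrap the arithmetic. The bounded_writer_t type, the bw_* functions and the sample payload are assumptions made up for this illustration.

```c
/* Added example, not code from the ticket or from libmongocrypt: a minimal
 * bounded writer; all type and function names here are made up for it. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t *ptr;  /* start of the destination buffer */
    uint64_t len;  /* total capacity in bytes */
    uint64_t pos;  /* bytes already written */
} bounded_writer_t;

/* Bytes that can still be written; never underflows even if pos is corrupt. */
static uint64_t bw_remaining(const bounded_writer_t *w) {
    return (w->pos <= w->len) ? (w->len - w->pos) : 0;
}

/* Copy `length` bytes into the writer, or refuse (return false) when the
 * destination lacks space. Comparing `length > remaining` instead of
 * `pos + length > len` means a huge `length` cannot wrap the sum. */
static bool bw_write_bytes(bounded_writer_t *w, const uint8_t *src, uint64_t length) {
    if (length > bw_remaining(w)) {
        fprintf(stderr, "refusing to copy %" PRIu64 " bytes: %" PRIu64 " remain\n",
                length, bw_remaining(w));
        return false;
    }
    /* After the check, length <= len, so it fits in the buffer and in size_t. */
    memcpy(w->ptr + w->pos, src, (size_t)length);
    w->pos += length;
    return true;
}

/* Drive the writer over an 8-byte buffer with a guard byte after it; returns 1
 * when every oversized write is refused and the guard byte survives. */
static int bw_demo(void) {
    uint8_t buf[9] = {0};
    buf[8] = 0xAA;                          /* guard byte: must stay untouched */
    bounded_writer_t w = { buf, 8, 0 };
    static const uint8_t payload[] = {'A','B','C','D','E','F','G','H'}; /* constructed */
    bool ok1 = bw_write_bytes(&w, payload, 6);           /* fits, pos -> 6 */
    bool ok2 = bw_write_bytes(&w, payload + 6, 3);       /* 3 > 2 left: refused */
    bool ok3 = bw_write_bytes(&w, payload + 6, 2);       /* exactly fills, pos -> 8 */
    bool ok4 = bw_write_bytes(&w, payload, UINT64_MAX);  /* would wrap pos+len: refused */
    return (ok1 && !ok2 && ok3 && !ok4 && buf[8] == 0xAA && w.pos == 8) ? 1 : 0;
}

int main(void) { puts(bw_demo() ? "bounded writer demo: ok" : "bounded writer demo: FAILED"); return 0; }
```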

Comment by James Kovacs [ 07/Sep/23 ]

Hi, jinzaurraga@coalfire.com,

Thank you for reaching out to us regarding this vulnerability. The problem identified is in the unmanaged libmongocrypt.so, which the .NET/C# Driver uses for field level encryption (FLE) and queryable encryption (QE). I have moved this ticket to MONGOCRYPT-593 so that the appropriate engineers can investigate. Please continue following this ticket for updates.

Sincerely,
James

Comment by Juan Emilio Inzaurraga [ 07/Sep/23 ]

Hello team!

Our veracode scan found a very high vuln on the latest version of the driver. Here are the details:

Wanted to check if you are aware of this issue and if you have any remediation plan.

Thank you

Juan

Comment by PM Bot [ 07/Sep/23 ]

Hi jinzaurraga@coalfire.com, thank you for reporting this issue! The team will look into it and get back to you soon.

Generated at Thu Feb 08 09:09:03 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.