oss-sec mailing list archives
libcroco: heap overflow and undefined behavior
From: Agostino Sarubbo <ago () gentoo org>
Date: Sun, 23 Apr 2017 12:42:04 +0200
Description: libcroco is a Generic Cascading Style Sheet (CSS) parsing and manipulation toolkit. A fuzz on it discovered and heap overflow and an undefined behavior. The complete ASan output: # csslint-0.6 $FILE ==9246==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000007a at pc 0x7f3771a05074 bp 0x7fff426076a0 sp 0x7fff42607698 READ of size 1 at 0x60400000007a thread T0 #0 0x7f3771a05073 in cr_input_read_byte /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:416:19 #1 0x7f3771a3c0ba in cr_tknzr_parse_rgb /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:1295:17 #2 0x7f3771a3c0ba in cr_tknzr_get_next_token /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:2127 #3 0x7f3771ab6688 in cr_parser_parse_any_core /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1179:18 #4 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34 #5 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34 #6 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34 #7 0x7f3771ab9579 in cr_parser_parse_block_core /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1005:26 #8 0x7f3771a8882a in cr_parser_parse_atrule_core /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:798:26 #9 0x7f3771ab0644 in cr_parser_parse_stylesheet /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c #10 0x7f3771a8131e in cr_parser_parse /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:4381:26 #11 0x7f3771a804f1 in cr_parser_parse_file /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:2993:18 #12 0x7f3771b04869 in cr_om_parser_parse_file /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-om-parser.c:956:18 #13 0x51506f in cssom_parse /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:252:18 #14 0x51506f in main /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:997 #15 0x7f377041b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23- r3/work/glibc-2.23/csu/../csu/libc-start.c:289 #16 0x41a9b8 in _init (/usr/bin/csslint-0.6+0x41a9b8) 0x60400000007a is located 0 bytes to the right of 42-byte region [0x604000000050,0x60400000007a) allocated by thread T0 here: #0 0x4da285 in calloc /tmp/portage/sys-libs/compiler-rt- sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74 #1 0x7f377168a1a0 in g_malloc0 /tmp/portage/dev- libs/glib-2.48.2/work/glib-2.48.2/glib/gmem.c:124 #2 0x7f3771a00c4d in cr_input_new_from_buf /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:151:26 #3 0x7f3771a027d6 in cr_input_new_from_uri /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:251:26 #4 0x7f3771a22797 in cr_tknzr_new_from_uri /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:1642:17 #5 0x7f3771a8047c in cr_parser_parse_file /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:2986:17 #6 0x7f3771b04869 in cr_om_parser_parse_file /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-om-parser.c:956:18 #7 0x51506f in cssom_parse /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:252:18 #8 0x51506f in main /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:997 #9 0x7f377041b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23- r3/work/glibc-2.23/csu/../csu/libc-start.c:289 SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev- libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:416:19 in cr_input_read_byte Shadow bytes around the buggy address: 0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c087fff8000: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00[02] 0x0c087fff8010: fa fa 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==9246==ABORTING Commit fix: https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 Reproducer: https://github.com/asarubbo/poc/blob/master/00267-libcroco-heapoverflow-cr_input_read_byte CVE: CVE-2017-7960 ##################################### # csslint-0.6 $FILE /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr- tknzr.c:1283:15: runtime error: value 9.11111e+19 is outside the range of representable values of type 'long' Commit fix: https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Reproducer: https://github.com/asarubbo/poc/blob/master/00268-libcroco-outside-long CVE: CVE-2017-7961 Affected version: 0.6.11 and 0.6.12 Fixed version: 0.6.13 (not released atm) Credit: These bugs were discovered by Agostino Sarubbo of Gentoo. Timeline: 2017-04-12: bugs discovered and reported to upstream 2017-04-16: upstream released a patch 2017-04-17: blog post about the issues 2017-04-19: CVE assigned Note: These bugs were found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/ -- Agostino Sarubbo Gentoo Linux Developer
Current thread:
- libcroco: heap overflow and undefined behavior Agostino Sarubbo (Apr 23)
- Re: libcroco: heap overflow and undefined behavior Marcus Meissner (Apr 24)