diff options
author | Petr Štetiar <ynezz@true.cz> | 2019-12-09 17:27:16 +0300 |
---|---|---|
committer | Petr Štetiar <ynezz@true.cz> | 2019-12-25 12:31:58 +0300 |
commit | 478597b9f9ae66836759701a9ec708816506d07c (patch) | |
tree | 97aab389162f8008384a8b38794c869707606119 | |
parent | 325418a7a3c0e22cfbd6726693d780c1afd9d9c6 (diff) |
blob: fix OOB access in blob_check_type
Found by fuzzer:
ERROR: AddressSanitizer: SEGV on unknown address 0x602100000455
The signal is caused by a READ memory access.
#0 in blob_check_type blob.c:214:43
#1 in blob_parse_attr blob.c:234:9
#2 in blob_parse_untrusted blob.c:272:12
#3 in fuzz_blob_parse tests/fuzzer/test-blob-parse-fuzzer.c:34:2
#4 in LLVMFuzzerTestOneInput tests/fuzzer/test-blob-parse-fuzzer.c:39:2
Caused by following line:
if (type == BLOB_ATTR_STRING && data[len - 1] != 0)
where len was pointing outside of the data buffer.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
-rw-r--r-- | blob.c | 23 | ||||
-rw-r--r-- | tests/cram/test_blob_parse.t | 2 | ||||
-rw-r--r-- | tests/fuzz/corpus/crash-333757b203a44751d3535f24b05f467183a96d09 | bin | 0 -> 10 bytes |
3 files changed, 20 insertions, 5 deletions
@@ -218,20 +218,33 @@ blob_check_type(const void *ptr, unsigned int len, int type) } static int -blob_parse_attr(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max) +blob_parse_attr(struct blob_attr *attr, size_t attr_len, struct blob_attr **data, const struct blob_attr_info *info, int max) { + int id; + size_t len; int found = 0; - int id = blob_id(attr); - size_t len = blob_len(attr); + size_t data_len; + if (!attr || attr_len < sizeof(struct blob_attr)) + return 0; + + id = blob_id(attr); if (id >= max) return 0; + len = blob_raw_len(attr); + if (len > attr_len || len < sizeof(struct blob_attr)) + return 0; + + data_len = blob_len(attr); + if (data_len > len) + return 0; + if (info) { int type = info[id].type; if (type < BLOB_ATTR_LAST) { - if (!blob_check_type(blob_data(attr), len, type)) + if (!blob_check_type(blob_data(attr), data_len, type)) return 0; } @@ -285,7 +298,7 @@ blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_at memset(data, 0, sizeof(struct blob_attr *) * max); blob_for_each_attr(pos, attr, rem) { - found += blob_parse_attr(pos, data, info, max); + found += blob_parse_attr(pos, rem, data, info, max); } return found; diff --git a/tests/cram/test_blob_parse.t b/tests/cram/test_blob_parse.t index 77d8bdd..1fd60bc 100644 --- a/tests/cram/test_blob_parse.t +++ b/tests/cram/test_blob_parse.t @@ -56,6 +56,8 @@ check that blob_parse is producing expected results: cannot parse cert c42ac1c46f1d4e211c735cc7dfad4ff8391110e9 cannot parse cert crash-1b8fb1be45db3aff7699100f497fb74138f3df4f cannot parse cert crash-1b8fb1be45db3aff7699100f497fb74138f3df4f + cannot parse cert crash-333757b203a44751d3535f24b05f467183a96d09 + cannot parse cert crash-333757b203a44751d3535f24b05f467183a96d09 cannot parse cert crash-4c4d2c3c9ade5da9347534e290305c3b9760f627 cannot parse cert crash-4c4d2c3c9ade5da9347534e290305c3b9760f627 cannot parse cert crash-5e9937b197c88bf4e7b7ee2612456cad4cb83f5b diff --git a/tests/fuzz/corpus/crash-333757b203a44751d3535f24b05f467183a96d09 b/tests/fuzz/corpus/crash-333757b203a44751d3535f24b05f467183a96d09 Binary files differnew file mode 100644 index 0000000..b9a958e --- /dev/null +++ b/tests/fuzz/corpus/crash-333757b203a44751d3535f24b05f467183a96d09 |