Headline
CVE-2022-1908: Heap-buffer-overflow in mobi_search_links_kf7 in libmobi
Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to 0.11.
Description
heap-buffer-overflow /home/ubuntu/libmobi-public/src/parse_rawml.c:110 in mobi_search_links_kf7
Environment
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
mobitool build: Apr 29 2022 20:52:30 (gcc 9.3.0)
libmobi: 0.10
Build
export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"
autogen.sh && ./configure && make
POC
./mobitool -e -o ./tmp/ ./poc5
poc5
ASAN
==1028892==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000748f at pc 0x5631f27052e4 bp 0x7ffe6493c610 sp 0x7ffe6493c600
READ of size 1 at 0x62500000748f thread T0
#0 0x5631f27052e3 in mobi_search_links_kf7 /home/ubuntu/libmobi-public/src/parse_rawml.c:110
#1 0x5631f27052e3 in mobi_search_links_kf7 /home/ubuntu/libmobi-public/src/parse_rawml.c:63
#2 0x5631f2714a31 in mobi_reconstruct_links_kf7 /home/ubuntu/libmobi-public/src/parse_rawml.c:1679
#3 0x5631f27180d0 in mobi_reconstruct_links /home/ubuntu/libmobi-public/src/parse_rawml.c:1849
#4 0x5631f27180d0 in mobi_parse_rawml_opt /home/ubuntu/libmobi-public/src/parse_rawml.c:2153
#5 0x5631f27180d0 in mobi_parse_rawml /home/ubuntu/libmobi-public/src/parse_rawml.c:2009
#6 0x5631f25bbe00 in loadfilename /home/ubuntu/libmobi-public/tools/mobitool.c:852
#7 0x5631f25bbe00 in main /home/ubuntu/libmobi-public/tools/mobitool.c:1051
#8 0x7f5bf47900b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#9 0x5631f25c76fd in _start (/home/ubuntu/libmobi-public/tools/mobitool+0x266fd)
0x62500000748f is located 0 bytes to the right of 9103-byte region [0x625000005100,0x62500000748f)
allocated by thread T0 here:
#0 0x5631f26b2748 in malloc (/home/ubuntu/libmobi-public/tools/mobitool+0x111748)
#1 0x5631f270cfc0 in mobi_reconstruct_parts /home/ubuntu/libmobi-public/src/parse_rawml.c:805
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/libmobi-public/src/parse_rawml.c:110 in mobi_search_links_kf7
Shadow bytes around the buggy address:
0x0c4a7fff8e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8e90: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1028892==ABORTING
Impact
The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.
Occurrences