CVE-2023-29596: [BUG]: ERROR memcpy-param-overlap · Issue #54 · byronknoll/cmix
Buffer Overflow vulnerability found in ByronKnoll Cmix v.19 allows an attacker to execute arbitrary code and cause a denial of service via the paq8 function.
Crash Inputs
Here is the crash file that triggers the error:
cmix_asan_crash_mem_overlap.zip
Bug Description:
When executing cmix (new release version) with the file inputs and the parameter "-n", the ASan (Memory Sanitizer) instrumented program terminates with the Nonfatal Error shown below.
==102390==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x619000041c63,0x619000041c67) and [0x619000041c64, 0x619000041c68) overlap
#0 0x4ca038 in __asan_memcpy (/cmix/cmix_asan+0x4ca038)
#1 0x656a09 in paq8::FrenchStemmer::ConvertUTF8(paq8::Word*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:2502:11
#2 0x65569b in paq8::FrenchStemmer::Stem(paq8::Word*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:2782:5
#3 0x558c65 in paq8::TextModel::Update(paq8::Buf&, paq8::ModelStats*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3258:28
#4 0x63978b in paq8::TextModel::Predict(paq8::Mixer&, paq8::Buf&, paq8::ModelStats*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3160:7
#5 0x615679 in paq8::contextModel2(paq8::ModelStats*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:8183:13
#6 0x61867b in paq8::Predictor::update() /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:8277:11
#7 0x6c0d24 in Predictor::Perceive(int) /data/Deter-Study/temp/benchmark/crash/cmix/src/predictor.cpp:394:12
#8 0x4fed5c in Encoder::Encode(int) /data/Deter-Study/temp/benchmark/crash/cmix/src/coder/encoder.cpp:23:7
#9 0x6ef0d0 in Compress(unsigned long long, std::basic_ifstream<char, std::char_traits<char> >*, std::basic_ofstream<char, std::char_traits<char> >*, unsigned long long*, Predictor*) /data/Deter-Study/temp/benchmark/crash/cmix/src/runner.cpp:106:9
#10 0x6f06d3 in RunCompression(bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, _IO_FILE*, unsigned long long*, unsigned long long*) /data/Deter-Study/temp/benchmark/crash/cmix/src/runner.cpp:203:3
#11 0x6f3b13 in main /data/Deter-Study/temp/benchmark/crash/cmix/src/runner.cpp:298:10
#12 0x7f0cc1be9c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#13 0x41f819 in _start (/cmix/cmix_asan+0x41f819)
0x619000041c63 is located 483 bytes inside of 960-byte region [0x619000041a80,0x619000041e40)
allocated by thread T0 here:
#0 0x4cb3ba in calloc (/cmix/cmix_asan+0x4cb3ba)
#1 0x654691 in paq8::Array<paq8::Word, 0>::create(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:118:16
#2 0x654691 in paq8::Array<paq8::Word, 0>::Array(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:76
#3 0x654691 in paq8::Cache<paq8::Word, 8u>::Cache() /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3013
0x619000041c64 is located 484 bytes inside of 960-byte region [0x619000041a80,0x619000041e40)
allocated by thread T0 here:
#0 0x4cb3ba in calloc (/cmix/cmix_asan+0x4cb3ba)
#1 0x654691 in paq8::Array<paq8::Word, 0>::create(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:118:16
#2 0x654691 in paq8::Array<paq8::Word, 0>::Array(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:76
#3 0x654691 in paq8::Cache<paq8::Word, 8u>::Cache() /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3013
SUMMARY: AddressSanitizer: memcpy-param-overlap (/cmix/cmix_asan+0x4ca038) in __asan_memcpy
Steps to reproduce
- Download cmix from GitHub and build it with ASan.
- Execute cmix with the provided files and the given parameter "-n".
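The two ranges ASan printed above have a telling shape: the destination range starts at offset 483 of the 960-byte region and the source range one byte higher, 4 bytes each, which is what an in-place shift of a buffer tail by one byte looks like, and that is the classic way a memcpy-param-overlap report arises. The C example below is added here as an illustration of that bug class and of the memmove fix; it is not cmix's code, it does not claim to show what paq8::FrenchStemmer::ConvertUTF8 actually does, and every function name and the sample buffer are hypothetical and constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not cmix's code: a constructed illustration of the
 * memcpy-param-overlap bug class and its fix. All names are hypothetical. */

/* The rule AddressSanitizer enforces for memcpy: [dst, dst+n) and
 * [src, src+n) must be disjoint. Addresses are compared as integers,
 * nothing is dereferenced. memmove has no such rule. */
bool ranges_overlap(uintptr_t dst, uintptr_t src, size_t n)
{
    if (n == 0)
        return false;
    return dst < src + n && src < dst + n;
}

/* The two ranges from the report: a 4-byte write at offset 483 and a 4-byte
 * read at offset 484 of the 960-byte region that starts at 0x619000041a80. */
bool report_ranges_overlap(void)
{
    const uintptr_t base = (uintptr_t)0x619000041a80ull;
    return ranges_overlap(base + 483, base + 484, 4);
}

/* Deleting buf[pos] in place from a buffer of len bytes shifts the tail
 * buf[pos+1 .. len) one byte to the left. That is the shape of the copy in
 * the report (destination one byte below the source), and the two ranges
 * overlap as soon as the tail is longer than one byte. */

/* Buggy shape: memcpy with overlapping operands is undefined behaviour, and
 * is exactly what ASan reports as memcpy-param-overlap. Instead of executing
 * that undefined call, this version applies ASan's own check and returns -1
 * where an ASan build would abort, so it is safe to run without a sanitizer. */
int delete_byte_memcpy(unsigned char *buf, size_t len, size_t pos)
{
    if (pos >= len)
        return -1;
    size_t tail = len - pos - 1;
    if (ranges_overlap((uintptr_t)(buf + pos), (uintptr_t)(buf + pos + 1), tail))
        return -1;                          /* memcpy(buf+pos, buf+pos+1, tail) would overlap */
    memcpy(buf + pos, buf + pos + 1, tail); /* only reached for tail <= 1 */
    return (int)(len - 1);
}

/* Fix: memmove is defined for overlapping operands (it copies as if through
 * a temporary buffer), so the same shift is correct for any tail length. */
int delete_byte_memmove(unsigned char *buf, size_t len, size_t pos)
{
    if (pos >= len)
        return -1;
    memmove(buf + pos, buf + pos + 1, len - pos - 1);
    return (int)(len - 1);
}

/* Runs both versions on the same constructed input. Returns 1 when the
 * memcpy version is refused for the overlapping case and the memmove version
 * produces the expected bytes. */
int demo(void)
{
    unsigned char a[] = "stemmer";  /* constructed sample input, 7 bytes */
    unsigned char b[] = "stemmer";
    int r1 = delete_byte_memcpy(a, 7, 1);   /* tail is 5 bytes: overlap, refused */
    int r2 = delete_byte_memmove(b, 7, 1);  /* b becomes "semmer" */
    return r1 == -1 && r2 == 6 && memcmp(b, "semmer", 6) == 0;
}

int main(void)
{
    printf("report ranges overlap: %s\n", report_ranges_overlap() ? "yes" : "no");
    printf("memmove fix correct, memcpy shape refused: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

Two points worth keeping in mind when triaging a report like this one. First, both addresses in the trace sit inside the same 960-byte allocation, so what ASan observed is an overlap between two in-bounds ranges rather than a read or write past the object; memcpy on overlapping operands is undefined behaviour, and what actually happens in a non-sanitized build depends on the libc's memcpy implementation for that size, which is why the fix is to use memmove (or a temporary buffer) rather than to reason about the copy direction. Second, the check in ranges_overlap is the same predicate ASan applies, so it can be dropped into a unit test around any in-place shift or compaction routine to catch this class before a sanitizer run does.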