Headline
CVE-2022-1907: heap-buffer-overflow in mobi_get_attribute_value in libmobi
Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to 0.11.
Description
heap-buffer-overflow /home/ubuntu/libmobi-public/src/parse_rawml.c:357 in mobi_get_attribute_value
Environment
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
mobitool build: Apr 29 2022 20:52:30 (gcc 9.3.0)
libmobi: 0.10
Build
export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"
autogen.sh && ./configure && make
POC
./mobitool -e -o ./tmp/ ./poc4
poc4
ASAN
=================================================================
==150005==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00000141f at pc 0x55dae390a641 bp 0x7ffefa5218a0 sp 0x7ffefa521890
READ of size 1 at 0x61b00000141f thread T0
#0 0x55dae390a640 in mobi_get_attribute_value /home/ubuntu/libmobi-public/src/parse_rawml.c:357
#1 0x55dae391760d in mobi_get_filepos_array /home/ubuntu/libmobi-public/src/parse_rawml.c:1003
#2 0x55dae391760d in mobi_reconstruct_links_kf7 /home/ubuntu/libmobi-public/src/parse_rawml.c:1660
#3 0x55dae391b0d0 in mobi_reconstruct_links /home/ubuntu/libmobi-public/src/parse_rawml.c:1849
#4 0x55dae391b0d0 in mobi_parse_rawml_opt /home/ubuntu/libmobi-public/src/parse_rawml.c:2153
#5 0x55dae391b0d0 in mobi_parse_rawml /home/ubuntu/libmobi-public/src/parse_rawml.c:2009
#6 0x55dae37bee00 in loadfilename /home/ubuntu/libmobi-public/tools/mobitool.c:852
#7 0x55dae37bee00 in main /home/ubuntu/libmobi-public/tools/mobitool.c:1051
#8 0x7feb6690f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#9 0x55dae37ca6fd in _start (/home/ubuntu/libmobi-public/tools/mobitool+0x266fd)
0x61b00000141f is located 0 bytes to the right of 1439-byte region [0x61b000000e80,0x61b00000141f)
allocated by thread T0 here:
#0 0x55dae38b5748 in malloc (/home/ubuntu/libmobi-public/tools/mobitool+0x111748)
#1 0x55dae390ffc0 in mobi_reconstruct_parts /home/ubuntu/libmobi-public/src/parse_rawml.c:805
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/libmobi-public/src/parse_rawml.c:357 in mobi_get_attribute_value
Shadow bytes around the buggy address:
0x0c367fff8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff8250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff8260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff8270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fff8280: 00 00 00[07]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==150005==ABORTING
Impact
The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.
Occurrences