Headline
CVE-2022-2279: NULL Pointer Dereference in function mobi_build_opf_metadata at opf.c:1161 in libmobi
NULL Pointer Dereference in GitHub repository bfabiszewski/libmobi prior to 0.11.
Description
A NULL pointer dereference in function mobi_build_opf_metadata at opf.c:1161 allows an attacker to cause a denial of service (application crash) via a crafted input file: the dictionary language value read from the file is passed to mobi_get_locale_string(), and its NULL return value is handed to strdup() without a check.
Build
git clone https://github.com/bfabiszewski/libmobi.git
cd libmobi
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./autogen.sh
./configure --disable-shared
make
POC
./tools/mobitool -e -o ./tmp/ ./poc_n.mobi
Title: libmobi ncx test
Publishing date: 2018-08-07
Language: en (utf8)
Dictionary
__
Mobi version: 1 (hybrid with version 6)
Creator software: kindlegen 2.9.0 (mac)
Reconstructing source resources...
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3686533==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff7bde5f5 bp 0x7fffffffbfb0 sp 0x7fffffffb768 T0)
==3686533==The signal is caused by a READ memory access.
==3686533==Hint: address points to the zero page.
#0 0x7ffff7bde5f5 /build/glibc-sMfBJT/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1 0x483442 in strdup (/home/fuzz/libmobi/tools/mobitool+0x483442)
#2 0x554adf in mobi_build_opf_metadata /home/fuzz/libmobi/src/opf.c:1161:64
#3 0x55e2a3 in mobi_build_opf /home/fuzz/libmobi/src/opf.c:1901:20
#4 0x501166 in mobi_parse_rawml_opt /home/fuzz/libmobi/src/parse_rawml.c:2144:15
#5 0x4ff78f in mobi_parse_rawml /home/fuzz/libmobi/src/parse_rawml.c:2005:12
#6 0x4c98d4 in loadfilename /home/fuzz/libmobi/tools/mobitool.c:852:20
#7 0x4c8b36 in main /home/fuzz/libmobi/tools/mobitool.c:1051:11
#8 0x7ffff7a7a0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#9 0x41d57d in _start (/home/fuzz/libmobi/tools/mobitool+0x41d57d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-sMfBJT/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
==3686533==ABORTING
poc_n.mobi
GDB
Breakpoint 1, mobi_build_opf_metadata (opf=0x7fffffffc6c0, m=0x607000000100, rawml=0x6080000000a0) at opf.c:1161
1161 opf->metadata->x_meta->dictionary_in_lang[0] = strdup(mobi_get_locale_string(dict_lang_in));
─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x0000000000554ab2 mobi_build_opf_metadata+12530 mov 0x168(%rbx),%rdi
0x0000000000554ab9 mobi_build_opf_metadata+12537 callq 0x49d910 <__asan_report_load4>
0x0000000000554abe mobi_build_opf_metadata+12542 mov 0x168(%rbx),%rax
0x0000000000554ac5 mobi_build_opf_metadata+12549 mov (%rax),%ecx
0x0000000000554ac7 mobi_build_opf_metadata+12551 mov %ecx,0x680(%rbx)
!0x0000000000554acd mobi_build_opf_metadata+12557 mov 0x680(%rbx),%edi
0x0000000000554ad3 mobi_build_opf_metadata+12563 callq 0x5158a0 <mobi_get_locale_string>
0x0000000000554ad8 mobi_build_opf_metadata+12568 mov %rax,%rdi
0x0000000000554adb mobi_build_opf_metadata+12571 callq 0x483400 <strdup>
0x0000000000554ae0 mobi_build_opf_metadata+12576 mov 0x6d0(%rbx),%rdx
─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[1] break at 0x0000000000554acd in opf.c:1161 for opf.c:1161 hit 1 time
─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
rax 0x0000602000000ef0 rbx 0x00007fffffffbfa0 rcx 0x00000000007f0000 rdx 0x00000c04000001de rsi 0x00000ffffffff804 rdi 0x000061d000003200 rbp 0x00007fffffffc690 rsp 0x00007fffffffbf60 r8 0x00000c0e00000024
r9 0x0000000000000002 r10 0x0000000000000040 r11 0x0000000000000001 r12 0x000000000041d550 r13 0x00007fffffffe400 r14 0x00006080000000a0 r15 0x0000000000000000 rip 0x0000000000554acd eflags [ CF PF AF SF IF ]
cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000
─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1156 if (opf->metadata->x_meta->dictionary_in_lang == NULL) {
1157 debug_print("%s\n", "Memory allocation failed");
1158 return MOBI_MALLOC_FAILED;
1159 }
1160 uint32_t dict_lang_in = *m->mh->dict_input_lang;
!1161 opf->metadata->x_meta->dictionary_in_lang[0] = strdup(mobi_get_locale_string(dict_lang_in));
1162 }
1163 }
1164 if (opf->metadata->x_meta->dictionary_out_lang == NULL) {
1165 if (m->mh && m->mh->dict_output_lang) {
─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[0] from 0x0000000000554acd in mobi_build_opf_metadata+12557 at opf.c:1161
[1] from 0x000000000055e2a4 in mobi_build_opf+436 at opf.c:1901
[2] from 0x0000000000501167 in mobi_parse_rawml_opt+6599 at parse_rawml.c:2144
[3] from 0x00000000004ff790 in mobi_parse_rawml+96 at parse_rawml.c:2005
[4] from 0x00000000004c98d5 in loadfilename+2613 at mobitool.c:852
[5] from 0x00000000004c8b37 in main+5959 at mobitool.c:1051
─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[1] id 3795174 name mobitool from 0x0000000000554acd in mobi_build_opf_metadata+12557 at opf.c:1161
─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
arg opf = 0x7fffffffc6c0: {metadata = 0x603000000e50,manifest = 0x0,spine = 0x0,guide = 0x0}, m = 0x607000000100: {use_kf8 = true,kf8_boundary_offset = 11,drm_key = 0x0,ph = 0x608000000020,…, rawml = 0x6080000000a0: {version = 1,fdst = 0x0,skel = 0x0,frag = 0x0,guide = 0x0,ncx = 0x608000000…
loc dict_lang_in = 8323072
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
>>> p mobi_get_locale_string(dict_lang_in)
$1 = 0x0
Impact
A NULL pointer dereference in function mobi_build_opf_metadata at opf.c:1161 allows an attacker to cause a denial of service (application crash) via a crafted input file. The faulting access is a READ of the zero page inside strlen() called from strdup() (see the AddressSanitizer report above), so the effect is a crash of any process that parses the attacker-supplied file, e.g. mobitool in the PoC.
Occurrences
opf.c L1161
strdup() is called with a NULL pointer (strdup(NULL)): in the GDB session above, mobi_get_locale_string(dict_lang_in) returns 0x0 for dict_lang_in = 8323072, and that return value is not checked before the call. Checking the result of mobi_get_locale_string() for NULL before calling strdup() would avoid the dereference.