[Bug libc/19728] New: out of bounds stack read in libidn function idna_to_ascii_4i


[Bug libc/19728] New: out of bounds stack read in libidn function idna_to_ascii_4i

macro@linux-mips.org
https://sourceware.org/bugzilla/show_bug.cgi?id=19728

            Bug ID: 19728
           Summary: out of bounds stack read in libidn function
                    idna_to_ascii_4i
           Product: glibc
           Version: 2.23
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: hanno at hboeck dot de
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 9038
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9038&action=edit
sample input

I had reported this a while ago to the developer of libidn; glibc bundles that
code. libidn has committed my patch here:
http://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commit;h=f20ce1128fb7f4d33297eee307dddaf0f92ac72d

When passing an input of exactly 64 bytes to the idn tool, it will
generate an out-of-bounds stack read.
This happens in the function idna_to_ascii_4i.

In line 213, if the input is less than 64 bytes, it will zero-terminate
the string. However, if it's exactly 64 bytes, the input will fill the
out buffer and no zero termination will happen. Therefore the strlen
call in line 271 will cause an out-of-bounds read.

The strlen (out) > 63 check doesn't really make sense,
because inside a 64-byte buffer there can never be a correct
zero-terminated string longer than 63 bytes. Therefore I've removed
that check.

Found with the help of American Fuzzy Lop.

Address Sanitizer output:

==8591==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd6c39b5e0 at pc 0x7eff8b780e00 bp 0x7ffd6c39b420 sp 0x7ffd6c39b3f0
READ of size 66 at 0x7ffd6c39b5e0 thread T0
    #0 0x7eff8b780dff in strlen (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x32dff)
    #1 0x412220 in idna_to_ascii_4i /mnt/ram/libidn-1.31-vanilla/lib/idna.c:269
    #2 0x4131fb in idna_to_ascii_4z /mnt/ram/libidn-1.31-vanilla/lib/idna.c:519
    #3 0x403582 in main /mnt/ram/libidn-1.31-vanilla/src/idn.c:374
    #4 0x7eff8b3d0f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #5 0x401c78 (/mnt/ram/libidn-1.31-vanilla/src/idn+0x401c78)

Address 0x7ffd6c39b5e0 is located in stack of thread T0 at offset 96 in frame
    #0 0x412c10 in idna_to_ascii_4z /mnt/ram/libidn-1.31-vanilla/lib/idna.c:472

  This frame has 1 object(s):
    [32, 96) 'buf' <== Memory access at offset 96 overflows this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 strlen
Shadow bytes around the buggy address:
  0x10002d86b660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002d86b670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002d86b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002d86b690: 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 00 00 00 00
  0x10002d86b6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10002d86b6b0: f1 f1 f1 f1 00 00 00 00 00 00 00 00[f3]f3 f3 f3  
  0x10002d86b6c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002d86b6d0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10002d86b6e0: 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
  0x10002d86b6f0: 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
  0x10002d86b700: 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe

--
You are receiving this mail because:
You are on the CC list for the bug.
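The 64-byte boundary described in the report above, as an added example. This is constructed code written for this page, not libidn's idna.c and not glibc's; the function names, the error codes and the all-'a' sample labels are assumptions, since the attached sample input is not on the page. The unsafe variant reproduces the shape the report describes (copy up to 64 code points, terminate only if the copy stopped early, then check the length with the pointless "> 63" branch), but replaces the unbounded strlen() with a bounded scan so that the unterminated case is reported instead of read past the buffer. The hardened variant rejects 64 code points before copying, because a label longer than 63 octets is invalid anyway, and always writes the terminator.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LABEL_BUF 64              /* the caller's 64-byte stack buffer 'buf' */
#define LABEL_MAX (LABEL_BUF - 1) /* longest NUL-terminated string that fits */
#define SAMPLE_MAX 128            /* bound for the constructed sample labels */

/* Result codes (assumed names, not libidn's). */
enum { LABEL_OK = 0, LABEL_ERR_INVALID_LENGTH = -1, LABEL_ERR_NOT_TERMINATED = -2 };

/* Bounded scan, written out instead of strnlen() so no feature macro is needed.
 * Returns cap when no NUL occurs in the first cap bytes, i.e. exactly when
 * strlen() on the same buffer would read past its end. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Shape of the bug (a model of the report, not libidn's code): copy up to 64
 * code points, terminate only if the copy stopped early.  With exactly 64 code
 * points the buffer is full and carries no terminator. */
static void copy_label_unsafe(const uint32_t *in, size_t inlen, char out[LABEL_BUF])
{
    size_t i;
    for (i = 0; i < inlen && i < LABEL_BUF; i++)
        out[i] = (char)in[i];
    if (i < LABEL_BUF)
        out[i] = '\0';
}

/* The report's length check with strlen() swapped for the bounded scan, so the
 * unterminated case is reported rather than read.  The "> LABEL_MAX" half can
 * never be true: a terminated string inside a 64-byte buffer is at most 63 bytes. */
static int check_label_unsafe(const uint32_t *in, size_t inlen)
{
    char out[LABEL_BUF];
    size_t n;
    copy_label_unsafe(in, inlen, out);
    n = bounded_len(out, LABEL_BUF);
    if (n == LABEL_BUF)
        return LABEL_ERR_NOT_TERMINATED;   /* strlen() would leave 'out' here */
    if (n < 1 || n > LABEL_MAX)
        return LABEL_ERR_INVALID_LENGTH;
    return LABEL_OK;
}

/* Hardened version: check the length before copying and always write the
 * terminator.  A DNS label is 1..63 octets, so 64 code points are rejected up
 * front rather than discovered (or not) by strlen() afterwards. */
static int to_ascii_label_safe(const uint32_t *in, size_t inlen, char out[LABEL_BUF])
{
    size_t i;
    if (inlen < 1 || inlen > LABEL_MAX)
        return LABEL_ERR_INVALID_LENGTH;
    for (i = 0; i < inlen; i++)
        out[i] = (char)in[i];             /* all-ASCII input assumed here */
    out[inlen] = '\0';
    return LABEL_OK;
}

/* Constructed input: n ASCII 'a' code points (the sample attachment is assumed). */
static size_t make_label(uint32_t *in, size_t n)
{
    size_t i;
    if (n > SAMPLE_MAX)
        n = SAMPLE_MAX;
    for (i = 0; i < n; i++)
        in[i] = (uint32_t)'a';
    return n;
}

/* Outcome of the buggy path for an n-code-point label. */
static int unsafe_with_len(size_t n)
{
    uint32_t in[SAMPLE_MAX];
    n = make_label(in, n);
    return check_label_unsafe(in, n);
}

/* Outcome of the hardened path: terminated length on success, else the error code. */
static int safe_with_len(size_t n)
{
    uint32_t in[SAMPLE_MAX];
    char out[LABEL_BUF];
    int rc;
    n = make_label(in, n);
    rc = to_ascii_label_safe(in, n, out);
    return rc != LABEL_OK ? rc : (int)bounded_len(out, LABEL_BUF);
}

int main(void)
{
    size_t n;
    for (n = 62; n <= 65; n++)
        printf("%zu code points: unsafe=%d safe=%d\n",
               n, unsafe_with_len(n), safe_with_len(n));
    return 0;
}
```

Walking the loop in main over 62, 63, 64 and 65 code points is the boundary sweep a fuzzer found by accident: the unsafe path flips from LABEL_OK at 63 to LABEL_ERR_NOT_TERMINATED at 64, which is the point where the original strlen() left the buffer, while the hardened path returns the terminated length for 1..63 and LABEL_ERR_INVALID_LENGTH from 64 upwards without ever depending on a terminator being present.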

[Bug network/19728] out of bounds stack read in libidn function idna_to_ascii_4i


Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |network


[Bug network/19728] out of bounds stack read in libidn function idna_to_ascii_4i


Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com


[Bug network/19728] out of bounds stack read in libidn function idna_to_ascii_4i


Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com


[Bug network/19728] out of bounds stack read in libidn function idna_to_ascii_4i


--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
The plan is to fix this by unbundling libidn from glibc.


[Bug network/19728] out of bounds stack read in libidn function idna_to_ascii_4i


Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.redhat.com
                   |                            |/show_bug.cgi?id=1452750


[Bug network/19728] out of bounds stack read in libidn function idna_to_ascii_4i


Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEW
           Assignee|fweimer at redhat dot com          |unassigned at sourceware dot org


[Bug network/19728] out of bounds stack read in libidn function idna_to_ascii_4i


Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com


[Bug network/19728] out of bounds stack read in libidn function idna_to_ascii_4i


Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security+


[Bug network/19728] out of bounds stack read in libidn function idna_to_ascii_4i (CVE-2016-6261)


Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|out of bounds stack read in |out of bounds stack read in
                   |libidn function             |libidn function
                   |idna_to_ascii_4i            |idna_to_ascii_4i
                   |                            |(CVE-2016-6261)
              Alias|                            |CVE-2016-6261


[Bug network/19728] out of bounds stack read in libidn function idna_to_ascii_4i (CVE-2016-6261)


Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dilfridge at gentoo dot org

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
*** Bug 22333 has been marked as a duplicate of this bug. ***


[Bug network/19728] out of bounds stack read in libidn function idna_to_ascii_4i (CVE-2016-6261)


--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
*** Bug 22333 has been marked as a duplicate of this bug. ***


[Bug network/19728] out of bounds stack read in libidn function idna_to_ascii_4i (CVE-2016-6261)


--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  7f9f1ecb710eac4d65bb02785ddf288cac098323 (commit)
      from  5f7b841d3aebdccc2baed27cb4b22ddb08cd7c0c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7f9f1ecb710eac4d65bb02785ddf288cac098323

commit 7f9f1ecb710eac4d65bb02785ddf288cac098323
Author: Florian Weimer <[hidden email]>
Date:   Wed May 23 15:26:19 2018 +0200

    Switch IDNA implementation to libidn2 [BZ #19728] [BZ #19729] [BZ #22247]

    This provides an implementation of the IDNA2008 standard and fixes
    CVE-2016-6261, CVE-2016-6263, CVE-2017-14062.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                            |   64 +
 LICENSES                             |   69 -
 NEWS                                 |   24 +-
 config.h.in                          |    3 -
 include/dlfcn.h                      |    2 +-
 include/idna.h                       |    8 -
 inet/Makefile                        |   12 +-
 inet/Versions                        |    2 +
 inet/getnameinfo.c                   |   56 +-
 inet/idna.c                          |  182 +
 inet/idna_name_classify.c            |   75 +
 inet/net-internal.h                  |   27 +
 inet/tst-idna_name_classify.c        |   73 +
 libidn/Makefile                      |   34 -
 libidn/Versions                      |    6 -
 libidn/gunicomp.h                    |  658 ---
 libidn/gunidecomp.h                  |10362 ----------------------------------
 libidn/iconvme.c                     |  171 -
 libidn/iconvme.h                     |   25 -
 libidn/idn-stub.c                    |  142 -
 libidn/idna.c                        |  834 ---
 libidn/idna.h                        |   96 -
 libidn/nfkc.c                        | 1057 ----
 libidn/profiles.c                    |  308 -
 libidn/punycode.c                    |  454 --
 libidn/punycode.h                    |  214 -
 libidn/rfc3454.c                     | 3544 ------------
 libidn/shlib-versions                |    1 -
 libidn/stringprep.c                  |  668 ---
 libidn/stringprep.h                  |  209 -
 libidn/toutf8.c                      |  150 -
 nscd/gai.c                           |    3 -
 resolv/Makefile                      |   24 +-
 resolv/netdb.h                       |   16 +-
 resolv/tst-no-libidn2.c              |    2 +
 resolv/tst-resolv-ai_idn-common.c    |  569 ++
 resolv/tst-resolv-ai_idn-latin1.c    |   50 +
 resolv/tst-resolv-ai_idn-nolibidn2.c |  151 +
 resolv/tst-resolv-ai_idn.c           |   49 +
 support/support_format_addrinfo.c    |    2 -
 sysdeps/posix/getaddrinfo.c          |   81 +-
 sysdeps/unix/inet/Subdirs            |    1 -
 sysdeps/unix/inet/configure          |    9 -
 sysdeps/unix/inet/configure.ac       |    7 -
 44 files changed, 1351 insertions(+), 19143 deletions(-)
 delete mode 100644 include/idna.h
 create mode 100644 inet/idna.c
 create mode 100644 inet/idna_name_classify.c
 create mode 100644 inet/tst-idna_name_classify.c
 delete mode 100644 libidn/Makefile
 delete mode 100644 libidn/Versions
 delete mode 100644 libidn/gunicomp.h
 delete mode 100644 libidn/gunidecomp.h
 delete mode 100644 libidn/iconvme.c
 delete mode 100644 libidn/iconvme.h
 delete mode 100644 libidn/idn-stub.c
 delete mode 100644 libidn/idna.c
 delete mode 100644 libidn/idna.h
 delete mode 100644 libidn/nfkc.c
 delete mode 100644 libidn/profiles.c
 delete mode 100644 libidn/punycode.c
 delete mode 100644 libidn/punycode.h
 delete mode 100644 libidn/rfc3454.c
 delete mode 100644 libidn/shlib-versions
 delete mode 100644 libidn/stringprep.c
 delete mode 100644 libidn/stringprep.h
 delete mode 100644 libidn/toutf8.c
 create mode 100644 resolv/tst-no-libidn2.c
 create mode 100644 resolv/tst-resolv-ai_idn-common.c
 create mode 100644 resolv/tst-resolv-ai_idn-latin1.c
 create mode 100644 resolv/tst-resolv-ai_idn-nolibidn2.c
 create mode 100644 resolv/tst-resolv-ai_idn.c
 delete mode 100644 sysdeps/unix/inet/configure
 delete mode 100644 sysdeps/unix/inet/configure.ac


[Bug network/19728] out of bounds stack read in libidn function idna_to_ascii_4i (CVE-2016-6261)


Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.28

--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in 2.28.
