OOB (buffer overflow or buffer underflow) is found in lecp.c
iwashiira opened this issue · comments
Our fuzzer found a buffer overflow or buffer underflow in lecp.c in the current main (1e0953f).
The location of the buffer where the OOB occurs depends on the memory area where the lecp_ctx structure is stored.
Whether an overflow or an underflow occurs depends on the endianness.
The following is the output of ASAN.
vuln34 is in vuln34.zip.
$ cat vuln34 | libwebsockets-test-lecp
[2024/05/29 09:56:54:1159] N: libwebsockets-test-lecp (C) 2017 - 2021 andy@warmcat.com
[2024/05/29 09:56:54:1161] N: usage: cat my.cbor | libwebsockets-test-lecp
[2024/05/29 09:56:54:1161] N: LECPCB_CONSTRUCTED: path match 0 statckp 0
[2024/05/29 09:56:54:1161] N: LECPCB_VAL_NUM_UINT: path match 0 statckp 0
[2024/05/29 09:56:54:1162] N: value 0
[2024/05/29 09:56:54:1162] N: LECPCB_VAL_NUM_UINT: path match 0 statckp 0
[2024/05/29 09:56:54:1162] N: value 0
[2024/05/29 09:56:54:1162] N: LECPCB_ARRAY_START: path [] match 0 statckp 2
[2024/05/29 09:56:54:1162] N: LECPCB_ARRAY_END: path [] match 0 statckp 2
[2024/05/29 09:56:54:1162] N: LECPCB_VAL_NUM_UINT: path match 0 statckp 0
[2024/05/29 09:56:54:1163] N: value 0
[2024/05/29 09:56:54:1163] N: LECPCB_VAL_NUM_INT: path match 0 statckp 0
[2024/05/29 09:56:54:1163] N: value -10
[2024/05/29 09:56:54:1163] N: LECPCB_VAL_NUM_UINT: path match 0 statckp 0
[2024/05/29 09:56:54:1163] N: value 0
[2024/05/29 09:56:54:1163] N: LECPCB_OBJECT_START: path . match 0 statckp 1
[2024/05/29 09:56:54:1163] N: LECPCB_OBJECT_START: path .. match 0 statckp 2
[2024/05/29 09:56:54:1163] N: LECPCB_OBJECT_START: path ... match 0 statckp 3
[2024/05/29 09:56:54:1164] N: LECPCB_OBJECT_START: path .... match 0 statckp 4
[2024/05/29 09:56:54:1164] N: LECPCB_OBJECT_START: path ..... match 0 statckp 5
[2024/05/29 09:56:54:1164] N: LECPCB_OBJECT_START: path ...... match 0 statckp 6
[2024/05/29 09:56:54:1164] N: LECPCB_OBJECT_START: path ....... match 0 statckp 7
[2024/05/29 09:56:54:1164] N: LECPCB_OBJECT_START: path ........ match 0 statckp 8
[2024/05/29 09:56:54:1164] N: LECPCB_OBJECT_START: path ......... match 0 statckp 9
[2024/05/29 09:56:54:1165] N: LECPCB_OBJECT_START: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1165] N: LECPCB_OBJECT_START: path ........... match 0 statckp 11
[2024/05/29 09:56:54:1165] N: LECPCB_OBJECT_START: path ............ match 0 statckp 12
[2024/05/29 09:56:54:1167] N: LECPCB_OBJECT_START: path ............. match 0 statckp 13
[2024/05/29 09:56:54:1167] N: LECPCB_OBJECT_START: path .............. match 0 statckp 14
[2024/05/29 09:56:54:1167] N: LECPCB_OBJECT_START: path ............... match 0 statckp 15
[2024/05/29 09:56:54:1167] N: LECPCB_OBJECT_START: path ................ match 0 statckp 16
[2024/05/29 09:56:54:1167] N: LECPCB_OBJECT_START: path ................. match 0 statckp 17
[2024/05/29 09:56:54:1168] N: LECPCB_OBJECT_START: path .................. match 0 statckp 18
[2024/05/29 09:56:54:1168] N: LECPCB_OBJECT_START: path ................... match 0 statckp 19
[2024/05/29 09:56:54:1168] N: LECPCB_OBJECT_START: path .................... match 0 statckp 20
[2024/05/29 09:56:54:1168] N: LECPCB_VAL_NUM_INT: path .................... match 0 statckp 20
[2024/05/29 09:56:54:1168] N: value -13
[2024/05/29 09:56:54:1169] N: LECPCB_VAL_NUM_UINT: path .................... match 0 statckp 20
[2024/05/29 09:56:54:1169] N: value 437918269
[2024/05/29 09:56:54:1169] N: LECPCB_VAL_NUM_UINT: path .................... match 0 statckp 20
[2024/05/29 09:56:54:1169] N: value 454709612
[2024/05/29 09:56:54:1169] N: LECPCB_VAL_NUM_UINT: path .................... match 0 statckp 20
[2024/05/29 09:56:54:1170] N: value 1
[2024/05/29 09:56:54:1171] N: LECPCB_OBJECT_END: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1171] N: LECPCB_VAL_NUM_UINT: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1171] N: value 1
[2024/05/29 09:56:54:1172] N: LECPCB_VAL_NUM_UINT: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1172] N: value 446865952
[2024/05/29 09:56:54:1174] N: LECPCB_VAL_NUM_INT: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1175] N: value -1
[2024/05/29 09:56:54:1175] N: LECPCB_OBJECT_END: path ......... match 0 statckp 9
[2024/05/29 09:56:54:1175] N: LECPCB_VAL_NUM_INT: path ......... match 0 statckp 9
[2024/05/29 09:56:54:1175] N: value -1
[2024/05/29 09:56:54:1175] N: LECPCB_VAL_NUM_INT: path ......... match 0 statckp 9
[2024/05/29 09:56:54:1175] N: value -1
[2024/05/29 09:56:54:1176] N: LECPCB_VAL_NUM_INT: path ......... match 0 statckp 9
[2024/05/29 09:56:54:1176] N: value -1
[2024/05/29 09:56:54:1176] N: LECPCB_OBJECT_END: path ........ match 0 statckp 8
[2024/05/29 09:56:54:1176] N: LECPCB_VAL_NUM_INT: path ........ match 0 statckp 8
[2024/05/29 09:56:54:1177] N: value -1
[2024/05/29 09:56:54:1177] N: LECPCB_VAL_NUM_INT: path ........ match 0 statckp 8
[2024/05/29 09:56:54:1177] N: value -1
[2024/05/29 09:56:54:1177] N: LECPCB_VAL_NUM_INT: path ........ match 0 statckp 8
[2024/05/29 09:56:54:1177] N: value -1
[2024/05/29 09:56:54:1177] N: LECPCB_OBJECT_END: path ....... match 0 statckp 7
[2024/05/29 09:56:54:1178] N: LECPCB_VAL_NUM_INT: path ....... match 0 statckp 7
[2024/05/29 09:56:54:1178] N: value -1
[2024/05/29 09:56:54:1178] N: LECPCB_VAL_NUM_INT: path ....... match 0 statckp 7
[2024/05/29 09:56:54:1178] N: value -1
[2024/05/29 09:56:54:1179] N: LECPCB_VAL_NUM_INT: path ....... match 0 statckp 7
[2024/05/29 09:56:54:1179] N: value -1
[2024/05/29 09:56:54:1179] N: LECPCB_OBJECT_END: path ...... match 0 statckp 6
[2024/05/29 09:56:54:1179] N: LECPCB_VAL_NUM_INT: path ...... match 0 statckp 6
[2024/05/29 09:56:54:1179] N: value -1
[2024/05/29 09:56:54:1180] N: LECPCB_VAL_NUM_INT: path ...... match 0 statckp 6
[2024/05/29 09:56:54:1180] N: value -1
[2024/05/29 09:56:54:1180] N: LECPCB_VAL_NUM_INT: path ...... match 0 statckp 6
[2024/05/29 09:56:54:1180] N: value -1
[2024/05/29 09:56:54:1181] N: LECPCB_OBJECT_END: path ..... match 0 statckp 5
[2024/05/29 09:56:54:1181] N: LECPCB_VAL_NUM_INT: path ..... match 0 statckp 5
[2024/05/29 09:56:54:1181] N: value -1
[2024/05/29 09:56:54:1181] N: LECPCB_VAL_NUM_INT: path ..... match 0 statckp 5
[2024/05/29 09:56:54:1181] N: value -1
[2024/05/29 09:56:54:1182] N: LECPCB_VAL_NUM_INT: path ..... match 0 statckp 5
[2024/05/29 09:56:54:1182] N: value -1
[2024/05/29 09:56:54:1182] N: LECPCB_OBJECT_END: path .... match 0 statckp 4
[2024/05/29 09:56:54:1182] N: LECPCB_VAL_NUM_INT: path .... match 0 statckp 4
[2024/05/29 09:56:54:1182] N: value -1
[2024/05/29 09:56:54:1183] N: LECPCB_VAL_NUM_INT: path .... match 0 statckp 4
[2024/05/29 09:56:54:1183] N: value -1
[2024/05/29 09:56:54:1183] N: LECPCB_VAL_NUM_INT: path .... match 0 statckp 4
[2024/05/29 09:56:54:1183] N: value -1
[2024/05/29 09:56:54:1183] N: LECPCB_OBJECT_END: path ... match 0 statckp 3
[2024/05/29 09:56:54:1183] N: LECPCB_VAL_NUM_INT: path ... match 0 statckp 3
[2024/05/29 09:56:54:1184] N: value -1
[2024/05/29 09:56:54:1184] N: LECPCB_VAL_NUM_INT: path ... match 0 statckp 3
[2024/05/29 09:56:54:1184] N: value -1
[2024/05/29 09:56:54:1184] N: LECPCB_VAL_NUM_INT: path ... match 0 statckp 3
[2024/05/29 09:56:54:1185] N: value -1
[2024/05/29 09:56:54:1185] N: LECPCB_OBJECT_END: path .. match 0 statckp 2
[2024/05/29 09:56:54:1185] N: LECPCB_VAL_NUM_INT: path .. match 0 statckp 2
[2024/05/29 09:56:54:1185] N: value -1
[2024/05/29 09:56:54:1186] N: LECPCB_VAL_NUM_INT: path .. match 0 statckp 2
[2024/05/29 09:56:54:1186] N: value -1
[2024/05/29 09:56:54:1186] N: LECPCB_VAL_NUM_INT: path .. match 0 statckp 2
[2024/05/29 09:56:54:1186] N: value -1
[2024/05/29 09:56:54:1186] N: LECPCB_OBJECT_END: path . match 0 statckp 1
[2024/05/29 09:56:54:1187] N: LECPCB_VAL_NUM_INT: path . match 0 statckp 1
[2024/05/29 09:56:54:1187] N: value -1
[2024/05/29 09:56:54:1187] N: LECPCB_VAL_NUM_INT: path . match 0 statckp 1
[2024/05/29 09:56:54:1187] N: value -1
[2024/05/29 09:56:54:1187] N: LECPCB_VAL_NUM_INT: path . match 0 statckp 1
[2024/05/29 09:56:54:1188] N: value -1
[2024/05/29 09:56:54:1188] N: LECPCB_OBJECT_END: path match 0 statckp 0
[2024/05/29 09:56:54:1188] N: LECPCB_VAL_NUM_INT: path match 0 statckp 0
[2024/05/29 09:56:54:1188] N: value -1
[2024/05/29 09:56:54:1188] N: LECPCB_VAL_NUM_INT: path match 0 statckp 0
[2024/05/29 09:56:54:1189] N: value -1
[2024/05/29 09:56:54:1189] N: LECPCB_OBJECT_START: path . match 0 statckp 1
[2024/05/29 09:56:54:1189] N: LECPCB_OBJECT_START: path .. match 0 statckp 2
[2024/05/29 09:56:54:1189] N: LECPCB_OBJECT_START: path ... match 0 statckp 3
[2024/05/29 09:56:54:1189] N: LECPCB_OBJECT_START: path .... match 0 statckp 4
[2024/05/29 09:56:54:1190] N: LECPCB_OBJECT_START: path ..... match 0 statckp 5
[2024/05/29 09:56:54:1190] N: LECPCB_OBJECT_START: path ...... match 0 statckp 6
[2024/05/29 09:56:54:1190] N: LECPCB_OBJECT_START: path ....... match 0 statckp 7
[2024/05/29 09:56:54:1190] N: LECPCB_OBJECT_START: path ........ match 0 statckp 8
[2024/05/29 09:56:54:1191] N: LECPCB_OBJECT_START: path ......... match 0 statckp 9
[2024/05/29 09:56:54:1191] N: LECPCB_OBJECT_START: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1191] N: LECPCB_VAL_NUM_INT: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1191] N: value -17
[2024/05/29 09:56:54:1191] N: LECPCB_VAL_BLOB_START: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1192] N: LECPCB_VAL_BLOB_END: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1192] N:
[2024/05/29 09:56:54:1192] N: 0000: 48 A2 A2 02 A2 A2 A2 6A H......j
[2024/05/29 09:56:54:1192] N:
[2024/05/29 09:56:54:1193] N:
[2024/05/29 09:56:54:1193] N: LECPCB_VAL_STR_START: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1193] N: LECPCB_VAL_STR_END: path .........jjjjjjjjjj match 0 statckp 19
[2024/05/29 09:56:54:1193] N: value 'jjjjjjjjjj'
[2024/05/29 09:56:54:1194] N: LECPCB_VAL_STR_START: path .........jjjjjjjjjj match 0 statckp 19
[2024/05/29 09:56:54:1194] N: LECPCB_VAL_STR_END: path .........jjjjjjjjjj match 0 statckp 19
[2024/05/29 09:56:54:1194] N: value 'jjjjjjj�'
[2024/05/29 09:56:54:1194] N: LECPCB_OBJECT_END: path ......... match 0 statckp 9
[2024/05/29 09:56:54:1194] N: LECPCB_OBJECT_START: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1195] N: LECPCB_VAL_NUM_INT: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1195] N: value -17
[2024/05/29 09:56:54:1195] N: LECPCB_VAL_NUM_INT: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1195] N: value -17
[2024/05/29 09:56:54:1195] N: LECPCB_VAL_NUM_UINT: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1196] N: value 2
[2024/05/29 09:56:54:1196] N: LECPCB_VAL_NUM_UINT: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1196] N: value 2
[2024/05/29 09:56:54:1196] N: LECPCB_OBJECT_END: path ......... match 0 statckp 9
[2024/05/29 09:56:54:1196] N: LECPCB_VAL_NUM_UINT: path ......... match 0 statckp 9
[2024/05/29 09:56:54:1196] N: value 2
[2024/05/29 09:56:54:1197] N: LECPCB_VAL_NUM_UINT: path ......... match 0 statckp 9
[2024/05/29 09:56:54:1197] N: value 2
[2024/05/29 09:56:54:1197] N: LECPCB_OBJECT_END: path ........ match 0 statckp 8
[2024/05/29 09:56:54:1197] N: LECPCB_OBJECT_START: path ......... match 0 statckp 9
[2024/05/29 09:56:54:1197] N: LECPCB_TAG_START: path ......... match 0 statckp 9
[2024/05/29 09:56:54:1198] N: LECPCB_TAG_START: 1
[2024/05/29 09:56:54:1198] N: LECPCB_OBJECT_START: path .......... match 0 statckp 10
[2024/05/29 09:56:54:1198] N: LECPCB_OBJECT_START: path ........... match 0 statckp 11
[2024/05/29 09:56:54:1198] N: LECPCB_OBJECT_START: path ............ match 0 statckp 12
[2024/05/29 09:56:54:1199] N: LECPCB_OBJECT_START: path ............. match 0 statckp 13
[2024/05/29 09:56:54:1199] N: okay (-1)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==31073==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x563814de8543 bp 0x7ffe4c04df70 sp 0x7ffe4c04df60 T0)
==31073==The signal is caused by a READ memory access.
==31073==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.
#0 0x563814de8543 in lecp_destruct /home/vagrant/resear/for_build/lib/misc/lecp.c:78
#1 0x563814de2e5a in main test-apps/test-lecp.c:167
#2 0x7f246f948d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#3 0x7f246f948e3f in __libc_start_main_impl ../csu/libc-start.c:392
#4 0x563814de2224 in _start (/home/vagrant/resear/for_build/libwebsockets-test-lecp+0xc224)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/vagrant/resear/for_build/lib/misc/lecp.c:78 in lecp_destruct
==31073==ABORTING
It is caused by these lines.
Lines 676 to 679 in 1e0953f
There is no check on the range of *ctx->collect_tgt, so it goes beyond the lecp_item structure and destroys the lecp_ctx structure.
In the case of little endian, a buffer underflow occurs and the pointer to the cb callback function in _lecp_parsing_stack is overwritten. This is the cause of the PoC crash.
Also, if lecp_ctx is placed on the stack, as in this case, there is a danger of bypassing the stack canary and executing ROP.
In the case of big endian, a buffer overflow will occur, and by overwriting ctx->be in this BOF, it can be changed to cause a buffer underflow as in the case of little endian.
Ricerca Security, Inc.
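As an added illustration of the missing range check the report describes (a hypothetical, simplified model written for this page, not lecp.c's real structures or code; struct item, struct ctx, collect_begin, collect_byte and collect_uint are assumed names), the number of bytes a value may deposit into the 8-byte collect target is checked before any write, so a wire length that cannot fit is rejected instead of walking collect_tgt forward (big endian) or backward (little endian) out of the item and into the neighbouring context fields:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical, simplified model of a CBOR multibyte-integer "collect" step
 * (added example; not lecp.c's actual structures or code). */
struct item {
    union { uint64_t u64; int64_t i64; } u;   /* 8-byte collect target */
};
struct ctx {
    struct item item;
    int be;                 /* host is big-endian: fill forward, else backward */
    uint8_t *collect_tgt;   /* next byte to write inside item.u */
    size_t collect_remain;  /* bytes still expected for this value */
    void (*cb)(void);       /* neighbouring field a runaway write would reach */
};

/* Start collecting `len` big-endian wire bytes; reject what cannot fit. */
int collect_begin(struct ctx *ctx, size_t len)
{
    uint8_t *base = (uint8_t *)&ctx->item.u;
    union { uint16_t v; uint8_t b[2]; } probe = { .v = 0x0102 };
    if (len == 0 || len > sizeof(ctx->item.u))  /* the range check the report says is missing */
        return -1;
    ctx->be = (probe.b[0] == 0x01);
    memset(base, 0, sizeof(ctx->item.u));
    ctx->collect_remain = len;
    /* wire order is big-endian: run forward on a BE host, backward on an LE host */
    ctx->collect_tgt = ctx->be ? base + sizeof(ctx->item.u) - len : base + len - 1;
    return 0;
}

/* Feed one wire byte; refuse to write once the expected count is used up. */
int collect_byte(struct ctx *ctx, uint8_t c)
{
    if (!ctx->collect_remain) return -1;
    if (ctx->be)
        *ctx->collect_tgt++ = c;
    else
        *ctx->collect_tgt-- = c;
    return (int)--ctx->collect_remain;      /* 0 once the value is complete */
}

/* Decode a (len, big-endian bytes) pair into ctx->item.u; -1 if malformed. */
int collect_uint(struct ctx *ctx, const uint8_t *p, size_t len)
{
    if (collect_begin(ctx, len)) return -1;
    for (size_t i = 0; i < len; i++)
        collect_byte(ctx, p[i]);
    return 0;
}
```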