NULL Pointer Dereference in function mobi_build_opf_metadata at opf.c:1161 in bfabiszewski/libmobi

Valid

Reported on

Apr 27th 2022


Description

A NULL pointer dereference in mobi_build_opf_metadata at opf.c:1161 allows an attacker to cause a denial of service (application crash) via a crafted input file. The function passes the return value of mobi_get_locale_string() straight to strdup(); for an unrecognised dictionary input language code the lookup returns NULL, and strdup(NULL) segfaults.

Build

git clone https://github.com/bfabiszewski/libmobi.git
cd libmobi

export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"

./autogen.sh

./configure --disable-shared

make

POC

./tools/mobitool -e -o ./tmp/ ./poc_n.mobi

Title: libmobi ncx test
Publishing date: 2018-08-07
Language: en (utf8)
Dictionary
__
Mobi version: 1 (hybrid with version 6)
Creator software: kindlegen 2.9.0 (mac)

Reconstructing source resources...
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3686533==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff7bde5f5 bp 0x7fffffffbfb0 sp 0x7fffffffb768 T0)
==3686533==The signal is caused by a READ memory access.
==3686533==Hint: address points to the zero page.
    #0 0x7ffff7bde5f5  /build/glibc-sMfBJT/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
    #1 0x483442 in strdup (/home/fuzz/libmobi/tools/mobitool+0x483442)
    #2 0x554adf in mobi_build_opf_metadata /home/fuzz/libmobi/src/opf.c:1161:64
    #3 0x55e2a3 in mobi_build_opf /home/fuzz/libmobi/src/opf.c:1901:20
    #4 0x501166 in mobi_parse_rawml_opt /home/fuzz/libmobi/src/parse_rawml.c:2144:15
    #5 0x4ff78f in mobi_parse_rawml /home/fuzz/libmobi/src/parse_rawml.c:2005:12
    #6 0x4c98d4 in loadfilename /home/fuzz/libmobi/tools/mobitool.c:852:20
    #7 0x4c8b36 in main /home/fuzz/libmobi/tools/mobitool.c:1051:11
    #8 0x7ffff7a7a0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41d57d in _start (/home/fuzz/libmobi/tools/mobitool+0x41d57d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-sMfBJT/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
==3686533==ABORTING

poc_n.mobi

GDB

Breakpoint 1, mobi_build_opf_metadata (opf=0x7fffffffc6c0, m=0x607000000100, rawml=0x6080000000a0) at opf.c:1161
1161                    opf->metadata->x_meta->dictionary_in_lang[0] = strdup(mobi_get_locale_string(dict_lang_in));
─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 0x0000000000554ab2  mobi_build_opf_metadata+12530 mov    0x168(%rbx),%rdi
 0x0000000000554ab9  mobi_build_opf_metadata+12537 callq  0x49d910 <__asan_report_load4>
 0x0000000000554abe  mobi_build_opf_metadata+12542 mov    0x168(%rbx),%rax
 0x0000000000554ac5  mobi_build_opf_metadata+12549 mov    (%rax),%ecx
 0x0000000000554ac7  mobi_build_opf_metadata+12551 mov    %ecx,0x680(%rbx)
!0x0000000000554acd  mobi_build_opf_metadata+12557 mov    0x680(%rbx),%edi
 0x0000000000554ad3  mobi_build_opf_metadata+12563 callq  0x5158a0 <mobi_get_locale_string>
 0x0000000000554ad8  mobi_build_opf_metadata+12568 mov    %rax,%rdi
 0x0000000000554adb  mobi_build_opf_metadata+12571 callq  0x483400 <strdup>
 0x0000000000554ae0  mobi_build_opf_metadata+12576 mov    0x6d0(%rbx),%rdx
─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[1] break at 0x0000000000554acd in opf.c:1161 for opf.c:1161 hit 1 time
─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    rax 0x0000602000000ef0     rbx 0x00007fffffffbfa0     rcx 0x00000000007f0000    rdx 0x00000c04000001de    rsi 0x00000ffffffff804    rdi 0x000061d000003200    rbp 0x00007fffffffc690    rsp 0x00007fffffffbf60        r8 0x00000c0e00000024
     r9 0x0000000000000002     r10 0x0000000000000040     r11 0x0000000000000001    r12 0x000000000041d550    r13 0x00007fffffffe400    r14 0x00006080000000a0    r15 0x0000000000000000    rip 0x0000000000554acd    eflags [ CF PF AF SF IF ]
     cs 0x00000033              ss 0x0000002b              ds 0x00000000             es 0x00000000             fs 0x00000000             gs 0x00000000
─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 1156                  if (opf->metadata->x_meta->dictionary_in_lang == NULL) {
 1157                      debug_print("%s\n", "Memory allocation failed");
 1158                      return MOBI_MALLOC_FAILED;
 1159                  }
 1160                  uint32_t dict_lang_in = *m->mh->dict_input_lang;
!1161                  opf->metadata->x_meta->dictionary_in_lang[0] = strdup(mobi_get_locale_string(dict_lang_in));
 1162              }
 1163          }
 1164          if (opf->metadata->x_meta->dictionary_out_lang == NULL) {
 1165              if (m->mh && m->mh->dict_output_lang) {
─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[0] from 0x0000000000554acd in mobi_build_opf_metadata+12557 at opf.c:1161
[1] from 0x000000000055e2a4 in mobi_build_opf+436 at opf.c:1901
[2] from 0x0000000000501167 in mobi_parse_rawml_opt+6599 at parse_rawml.c:2144
[3] from 0x00000000004ff790 in mobi_parse_rawml+96 at parse_rawml.c:2005
[4] from 0x00000000004c98d5 in loadfilename+2613 at mobitool.c:852
[5] from 0x00000000004c8b37 in main+5959 at mobitool.c:1051
─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[1] id 3795174 name mobitool from 0x0000000000554acd in mobi_build_opf_metadata+12557 at opf.c:1161
─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
arg opf = 0x7fffffffc6c0: {metadata = 0x603000000e50,manifest = 0x0,spine = 0x0,guide = 0x0}, m = 0x607000000100: {use_kf8 = true,kf8_boundary_offset = 11,drm_key = 0x0,ph = 0x608000000020,…, rawml = 0x6080000000a0: {version = 1,fdst = 0x0,skel = 0x0,frag = 0x0,guide = 0x0,ncx = 0x608000000…
loc dict_lang_in = 8323072
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
>>> p mobi_get_locale_string(dict_lang_in)
$1 = 0x0

Impact

NULL pointer dereference in function mobi_build_opf_metadata at opf.c:1161 allows attackers to cause a denial of service (application crash) via a crafted input file. The fault is a read of address 0 (strlen() inside strdup(), see the ASan hint "address points to the zero page"), so the impact supported by this trace is a crash, not memory corruption. The crash is reached from the library's own mobi_parse_rawml() path (src/opf.c, src/parse_rawml.c), so any program that uses libmobi to parse untrusted MOBI files is affected, not only mobitool.

Occurrences

strdup() is called with a NULL pointer: strdup(NULL). At opf.c:1161 the argument is the return value of mobi_get_locale_string(dict_lang_in); for this PoC dict_lang_in is 8323072 (0x7F0000), read from the header field m->mh->dict_input_lang, and the GDB session shows the lookup returning 0x0 for that value. The code checks m->mh->dict_input_lang for NULL before dereferencing it (opf.c:1156-1160) but never checks the string returned by the locale lookup before copying it.

We are processing your report and will contact the bfabiszewski/libmobi team within 24 hours. a month ago
We have contacted a member of the bfabiszewski/libmobi team and are waiting to hear back a month ago
We have sent a follow up to the bfabiszewski/libmobi team. We will try again in 7 days. 23 days ago
Bartek
23 days ago

Maintainer


Thanks for another report

Bartek Fabiszewski validated this vulnerability 23 days ago
TDHX ICS Security has been awarded the disclosure bounty
Bartek Fabiszewski confirmed that a fix has been merged on c0699c 23 days ago
Bartek Fabiszewski has been awarded the fix bounty
opf.c#L1161 has been validated