Heap-based Buffer Overflow in hoene/libmysofa

Valid

Reported on

Sep 27th 2021


Description

There are some heap-buffer-overflows in mysofa2json of libmysofa. They are in function loudness, mysofa_check and readOHDRHeaderMessageDataLayout.

System info

Ubuntu 20.04.3 LTS

clang 12.0.1

libmysofa (github master branch commit 0cb89cb)

Command to Reproduce

build libmysofa with AddressSanitizer

cd libmysofa
mkdir build
cd build
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake ../
make all

execute mysofa2json with poc

./src/mysofa2json -c poc

Proof of Concept

POC POC2 POC3

ASAN output

POC

==32642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001f30 at pc 0x000000504266 bp 0x7ffd90b79510 sp 0x7ffd90b79508
READ of size 4 at 0x602000001f30 thread T0
    #0 0x504265 in loudness /VulMin/libmysofa/libmysofa/src/hrtf/tools.c:183:12
    #1 0x522e98 in mysofa_loudness /VulMin/libmysofa/libmysofa/src/hrtf/loudness.c:49:12
    #2 0x504d22 in mysofa_open_default /VulMin/libmysofa/libmysofa/src/hrtf/easy.c:56:5
    #3 0x4ca783 in main /VulMin/libmysofa/libmysofa/src/tests/sofa2json.c:104:13
    #4 0x7fcc7c4220b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #5 0x41e4dd in _start (/VulMin/libmysofa/build/src/mysofa2json+0x41e4dd)

POC2

==12027==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000024100 at pc 0x00000051255c bp 0x7fff68b0a490 sp 0x7fff68b0a488
READ of size 4 at 0x621000024100 thread T0
    #0 0x51255b in mysofa_check /VulMin/libmysofa/libmysofa/src/hrtf/check.c:153:14
    #1 0x504463 in mysofa_open_default /VulMin/libmysofa/libmysofa/src/hrtf/easy.c:43:10
    #2 0x4ca783 in main /VulMin/libmysofa/libmysofa/src/tests/sofa2json.c:104:13
    #3 0x7f5185b890b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #4 0x41e4dd in _start (/VulMin/libmysofa/build/src/mysofa2json+0x41e4dd)

POC3

==12079==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000005060 at pc 0x000000435cde bp 0x7ffd91bcd2d0 sp 0x7ffd91bcca98
WRITE of size 28771 at 0x62a000005060 thread T0
    #0 0x435cdd in fread (/VulMin/libmysofa/build/src/mysofa2json+0x435cdd)
    #1 0x4e14bc in readOHDRHeaderMessageDataLayout /VulMin/libmysofa/libmysofa/src/hdf/dataobject.c:511:13
    #2 0x4e14bc in readOHDRmessages /VulMin/libmysofa/libmysofa/src/hdf/dataobject.c:1123:20
    #3 0x4dcee6 in dataobjectRead /VulMin/libmysofa/libmysofa/src/hdf/dataobject.c:1226:9
    #4 0x4f7023 in directblockRead /VulMin/libmysofa/libmysofa/src/hdf/fractalhead.c:239:15
    #5 0x4f39ba in fractalheapRead /VulMin/libmysofa/libmysofa/src/hdf/fractalhead.c:638:13
    #6 0x4dd43a in dataobjectRead /VulMin/libmysofa/libmysofa/src/hdf/dataobject.c:1251:11
    #7 0x4da3dd in superblockRead /VulMin/libmysofa/libmysofa/src/hdf/superblock.c:201:12
    #8 0x4d0483 in mysofa_load /VulMin/libmysofa/libmysofa/src/hrtf/reader.c:305:10
    #9 0x4ca71b in main VulMin/libmysofa/libmysofa/src/tests/sofa2json.c:90:10
    #10 0x7f6b102d00b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #11 0x41e4dd in _start (/VulMin/libmysofa/build/src/mysofa2json+0x41e4dd)
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
Zhengjie Du modified their report
2 months ago
Zhengjie Du modified their report
2 months ago
Zhengjie Du modified their report
2 months ago
We have contacted a member of the hoene/libmysofa team and are waiting to hear back 2 months ago
Christian Hoene
2 months ago

Maintainer


I cannot confirm any issue on Ubuntu 18.04

Christian Hoene validated this vulnerability 2 months ago
Zhengjie Du has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christian Hoene confirmed that a fix has been merged on 890400 2 months ago
Christian Hoene has been awarded the fix bounty
Zhengjie Du
a month ago

Researcher


Hi, could you assign a CVE number to this vulnerability?

Christian Hoene
a month ago

Maintainer


thank you for finding the bug.

Sorry, I do not have time to take care of CVE numbers.

Zhengjie Du
a month ago

Researcher


Thank you, I actually asked for @admin

Jamie Slome
a month ago

Admin


Sure! 🙌

@maintainer - can you please confirm that you are happy for a CVE to be published for this, and we will handle it for you ♥️

Christian Hoene
a month ago

Maintainer


@admin CVE approved

Jamie Slome
a month ago

Admin


Great, I will get this sorted for you.

Zhengjie Du
a month ago

Researcher


Thank you.

Jamie Slome
a month ago

Admin


CVE published! 🎊