Heap-based Buffer Overflow in hoene/libmysofa

Valid

Reported on

Oct 6th 2021


Description

system : ubuntu 20.04

build command

cd libmysofa
mkdir build
cd build
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake ../
make all

run cmd

./mysofa2json -c ./heap_oob_read_memcpy

./mysofa2json -c ./heap_oob_read

Proof of Concept

poc 1 : https://drive.google.com/file/d/10jAPwk25mWYmL2pgp_9ZhOwzHBqOjIll/view?usp=sharing poc 2: https://drive.google.com/file/d/15Sia7jfpbwsCQnGX5mLuUNKgouNO2o-z/view?usp=sharing

ASAN reports1

==1280671==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001c91 at pc 0x00000049500a bp 0x7ffd8641ec00 sp 0x7ffd8641e3c8
READ of size 12 at 0x602000001c91 thread T0
    #0 0x495009 in __asan_memcpy (/home/fuzz/libmysofa/mysofa2json+0x495009)
    #1 0x509f75 in mysofa_lookup_init /home/fuzz/libmysofa/src/hrtf/lookup.c:46:5
    #2 0x4fb022 in mysofa_open_default /home/fuzz/libmysofa/src/hrtf/easy.c:65:18
    #3 0x4c5637 in main /home/fuzz/libmysofa/src/tests/sofa2json.c:104:13
    #4 0x7fa1a26850b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41d47d in _start (/home/fuzz/libmysofa/mysofa2json+0x41d47d)

0x602000001c91 is located 0 bytes to the right of 1-byte region [0x602000001c90,0x602000001c91)
allocated by thread T0 here:
    #0 0x495ed9 in realloc (/home/fuzz/libmysofa/mysofa2json+0x495ed9)
    #1 0x4cee3e in getArray /home/fuzz/libmysofa/src/hrtf/reader.c:115:19
    #2 0x4cee3e in getHrtf /home/fuzz/libmysofa/src/hrtf/reader.c:256:14
    #3 0x4cee3e in mysofa_load /home/fuzz/libmysofa/src/hrtf/reader.c:308:12
    #4 0x4faa5e in mysofa_open_default /home/fuzz/libmysofa/src/hrtf/easy.c:37:16
==3156106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001db0 at pc 0x000000531268 bp 0x7ffd237f47d0 sp 0x7ffd237f47c8
READ of size 4 at 0x602000001db0 thread T0
    #0 0x531267 in mysofa_resampler_process_float /home/fuzz/libmysofa/src/resampler/speex_resampler.c:697:30
    #1 0x519a09 in mysofa_resample /home/fuzz/libmysofa/src/hrtf/resample.c:57:5
    #2 0x4fad17 in mysofa_open_default /home/fuzz/libmysofa/src/hrtf/easy.c:49:10
    #3 0x4c5637 in main /home/fuzz/libmysofa/src/tests/sofa2json.c:104:13
    #4 0x7f8673f9b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41d47d in _start (/home/fuzz/libmysofa/mysofa2json+0x41d47d)

0x602000001db1 is located 0 bytes to the right of 1-byte region [0x602000001db0,0x602000001db1)
allocated by thread T0 here:
    #0 0x495ed9 in realloc (/home/fuzz/libmysofa/mysofa2json+0x495ed9)
    #1 0x4d15af in getArray /home/fuzz/libmysofa/src/hrtf/reader.c:115:19
    #2 0x4d15af in getHrtf /home/fuzz/libmysofa/src/hrtf/reader.c:264:14
    #3 0x4d15af in mysofa_load /home/fuzz/libmysofa/src/hrtf/reader.c:308:12
    #4 0x4faa5e in mysofa_open_default /home/fuzz/libmysofa/src/hrtf/easy.c:37:16
We have contacted a member of the hoene/libmysofa team and are waiting to hear back 2 months ago
aletheaz modified their report
2 months ago
aletheaz modified their report
2 months ago
aletheaz modified their report
2 months ago
Christian Hoene
2 months ago

Maintainer


@aletheaz Please give me access to the files

aletheaz
2 months ago

Researcher


Try it again

Christian Hoene
2 months ago

Maintainer


poc2 works. poc1 not yet.

Christian Hoene
2 months ago

Maintainer


poc2 crash confirmed

aletheaz
2 months ago

Researcher


Hi, i test poc1 again, and it still work

aletheaz
2 months ago

Researcher


@Christian Hoene Is poc1 worked yet?

Christian Hoene validated this vulnerability 2 months ago
aletheaz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christian Hoene confirmed that a fix has been merged on b6a369 2 months ago
Christian Hoene has been awarded the fix bounty