Heap-buffer-overflow in mobi_search_links_kf7 in bfabiszewski/libmobi

Valid

Reported on

Apr 30th 2022


Description

heap-buffer-overflow /home/ubuntu/libmobi-public/src/parse_rawml.c:110 in mobi_search_links_kf7

Environment

Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:    20.04
Codename:   focal
mobitool build: Apr 29 2022 20:52:30 (gcc 9.3.0)
libmobi: 0.10

Build

export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"
autogen.sh &&  ./configure && make

POC

./mobitool -e -o ./tmp/ ./poc5

poc5

ASAN

==1028892==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000748f at pc 0x5631f27052e4 bp 0x7ffe6493c610 sp 0x7ffe6493c600
READ of size 1 at 0x62500000748f thread T0
    #0 0x5631f27052e3 in mobi_search_links_kf7 /home/ubuntu/libmobi-public/src/parse_rawml.c:110
    #1 0x5631f27052e3 in mobi_search_links_kf7 /home/ubuntu/libmobi-public/src/parse_rawml.c:63
    #2 0x5631f2714a31 in mobi_reconstruct_links_kf7 /home/ubuntu/libmobi-public/src/parse_rawml.c:1679
    #3 0x5631f27180d0 in mobi_reconstruct_links /home/ubuntu/libmobi-public/src/parse_rawml.c:1849
    #4 0x5631f27180d0 in mobi_parse_rawml_opt /home/ubuntu/libmobi-public/src/parse_rawml.c:2153
    #5 0x5631f27180d0 in mobi_parse_rawml /home/ubuntu/libmobi-public/src/parse_rawml.c:2009
    #6 0x5631f25bbe00 in loadfilename /home/ubuntu/libmobi-public/tools/mobitool.c:852
    #7 0x5631f25bbe00 in main /home/ubuntu/libmobi-public/tools/mobitool.c:1051
    #8 0x7f5bf47900b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #9 0x5631f25c76fd in _start (/home/ubuntu/libmobi-public/tools/mobitool+0x266fd)

0x62500000748f is located 0 bytes to the right of 9103-byte region [0x625000005100,0x62500000748f)
allocated by thread T0 here:
    #0 0x5631f26b2748 in malloc (/home/ubuntu/libmobi-public/tools/mobitool+0x111748)
    #1 0x5631f270cfc0 in mobi_reconstruct_parts /home/ubuntu/libmobi-public/src/parse_rawml.c:805

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/libmobi-public/src/parse_rawml.c:110 in mobi_search_links_kf7
Shadow bytes around the buggy address:
  0x0c4a7fff8e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8e90: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1028892==ABORTING

Impact

The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.

We are processing your report and will contact the bfabiszewski/libmobi team within 24 hours. a month ago
We have contacted a member of the bfabiszewski/libmobi team and are waiting to hear back a month ago
Bartek Fabiszewski modified the Severity from High (8.5) to Low (3.6) 25 days ago
Bartek
25 days ago

Maintainer


Thanks!

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Bartek Fabiszewski validated this vulnerability 25 days ago
cnitlrt has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bartek Fabiszewski confirmed that a fix has been merged on 1e0378 25 days ago
Bartek Fabiszewski has been awarded the fix bounty
parse_rawml.c#L110 has been validated
to join this conversation