Heap-based Buffer Overflow in hoene/libmysofa
Valid
Reported on Nov 1st 2021
Description
The variable st->filt_len in the function speex_resampler_reset_mem is not checked for zero before it is used; after subtracting one it wraps to 0xffffffff, causing a heap overflow.
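As an added illustration (not code from the report or from libmysofa's source), the size arithmetic the description points at, reconstructed with assumed names and a float sample type, beside a check that rejects filt_len == 0 and any size larger than the buffer. With a 32-bit filt_len the unchecked size for filt_len = 0 reproduces the 17179869180-byte write shown in the sanitizer output.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed shape of the clear in speex_resampler_reset_mem (a reconstruction, not
 * libmysofa's code): (filt_len - 1) history samples per channel are zeroed at once. */
typedef float spx_word16_t;

/* Byte count the unchecked arithmetic produces. filt_len is a 32-bit unsigned value,
 * so filt_len - 1 wraps to 0xffffffff when filt_len == 0; the multiply by sizeof then
 * happens in 64-bit size_t, giving 0xffffffff * 4 = 17179869180 bytes for one channel. */
static uint64_t unchecked_reset_bytes(uint32_t filt_len, uint32_t nb_channels) {
    uint32_t samples = nb_channels * (filt_len - 1);   /* wraps, no check */
    return (uint64_t)samples * sizeof(spx_word16_t);
}

/* Hardened version: reject filt_len == 0 and refuse any byte count that does not
 * fit the allocation the caller actually owns. Returns 0 on success, -1 otherwise. */
static int checked_reset_bytes(uint32_t filt_len, uint32_t nb_channels,
                               size_t mem_bytes, size_t *out) {
    if (filt_len == 0 || nb_channels == 0) return -1;
    uint64_t samples = (uint64_t)nb_channels * ((uint64_t)filt_len - 1);
    uint64_t bytes = samples * sizeof(spx_word16_t);
    if (bytes > mem_bytes) return -1;   /* would run past the allocation */
    *out = (size_t)bytes;
    return 0;
}

/* Safe reset: only touches memory once the size check has passed. */
static int reset_mem(spx_word16_t *mem, size_t mem_bytes,
                     uint32_t filt_len, uint32_t nb_channels) {
    size_t n;
    if (checked_reset_bytes(filt_len, nb_channels, mem_bytes, &n) != 0) return -1;
    memset(mem, 0, n);
    return 0;
}

int main(void) {
    /* Constructed scenario: a 636-byte region (159 floats) as in the report, and filt_len == 0. */
    printf("unchecked size for filt_len=0: %llu bytes\n",
           (unsigned long long)unchecked_reset_bytes(0, 1));
    spx_word16_t *mem = calloc(159, sizeof *mem);
    printf("checked reset, filt_len=0:   %d\n", reset_mem(mem, 159 * sizeof *mem, 0, 1));
    printf("checked reset, filt_len=160: %d\n", reset_mem(mem, 159 * sizeof *mem, 160, 1));
    free(mem);
    return 0;
}
```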
Proof of Concept
#src/mysofa2json -c poc
==30201==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160000008fc at pc 0x00000049726c bp 0x7fffffffdfd0 sp 0x7fffffffd798
WRITE of size 17179869180 at 0x6160000008fc thread T0
#0 0x49726b in __asan_memset /src/llvm-project-12.0.0.src/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3
#1 0x533d2e in mysofa_resampler_reset_mem /src/libmysofa/src/resampler/speex_resampler.c:799:16
#2 0x521c58 in mysofa_resample /src/libmysofa/src/hrtf/resample.c:56:5
#3 0x502d3c in mysofa_open_default /src/libmysofa/src/hrtf/easy.c:53:10
#4 0x502b6b in mysofa_open /src/libmysofa/src/hrtf/easy.c:101:10
#5 0x4c8b04 in main /src/libmysofa/src/tests/sofa2json.c:104:13
#6 0x7ffff6cc983f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#7 0x41cff8 in _start (/mnt/disk/out/libmysofa/mysofa2json_asan+0x41cff8)
0x6160000008fc is located 0 bytes to the right of 636-byte region [0x616000000680,0x6160000008fc)
allocated by thread T0 here:
#0 0x497ea3 in realloc /src/llvm-project-12.0.0.src/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
#1 0x533df2 in speex_realloc /src/libmysofa/src/resampler/speex_resampler.c:62:58
#2 0x528fc0 in update_filter /src/libmysofa/src/resampler/speex_resampler.c:454:38
#3 0x52560c in mysofa_resampler_init_frac /src/libmysofa/src/resampler/speex_resampler.c:596:16
#4 0x5250a0 in mysofa_resampler_init /src/libmysofa/src/resampler/speex_resampler.c:539:10
#5 0x521868 in mysofa_resample /src/libmysofa/src/hrtf/resample.c:44:15
#6 0x502d3c in mysofa_open_default /src/libmysofa/src/hrtf/easy.c:53:10
#7 0x502b6b in mysofa_open /src/libmysofa/src/hrtf/easy.c:101:10
#8 0x4c8b04 in main /src/libmysofa/src/tests/sofa2json.c:104:13
#9 0x7ffff6cc983f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm-project-12.0.0.src/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3 in __asan_memset
==30201==ABORTING
We have contacted a member of the hoene/libmysofa team and are waiting to hear back
2 years ago
We have sent a follow up to the hoene/libmysofa team. We will try again in 7 days.
2 years ago