Heap-based Buffer Overflow in hoene/libmysofa

Valid

Reported on

Nov 1st 2021


Description

In speex_resampler_reset_mem (built into libmysofa as mysofa_resampler_reset_mem, which is the name that appears in the trace below), the unsigned field st->filt_len is used without first checking that it is non-zero. A crafted SOFA file reaches this path with filt_len == 0, so the expression filt_len - 1 wraps to 0xffffffff and the memset that clears st->mem is given a length of 0xffffffff elements instead of none. The sanitizer report shows the result: a write of 17179869180 bytes (0xffffffff * 4) into a 636-byte heap region, i.e. a heap-based buffer overflow.
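The arithmetic behind the report, as an added example that is not libmysofa's or Speex's own code: a toy resampler state with the same 32-bit unsigned nb_channels and filt_len fields, a function that reproduces the wrapped memset length, and a hardened reset that rejects filt_len == 0 (and a count larger than the buffer) before doing any write. The 4-byte sample type, the struct layout and all function names are assumptions made for the example; with one channel and 4-byte samples the wrapped length comes out to exactly the 17179869180 bytes in the trace.

```c
/*
 * Added example (not libmysofa's code). Models the unsigned underflow in
 * reset_mem: filt_len and nb_channels are 32-bit unsigned as in the Speex
 * resampler, so filt_len - 1 wraps to 0xffffffff when filt_len == 0.
 * The 4-byte sample type (float build) and the struct are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef float spx_word16_t;            /* assumed: 4-byte samples */

struct toy_resampler {
    uint32_t nb_channels;
    uint32_t filt_len;
    spx_word16_t *mem;                 /* nb_channels * (filt_len - 1) samples */
    size_t mem_elems;                  /* how many samples mem really holds */
};

/* Bytes the unchecked reset would write: the loop bound
 * nb_channels * (filt_len - 1) evaluated in 32-bit unsigned arithmetic,
 * then scaled by the sample size exactly as memset would be. */
uint64_t vulnerable_memset_bytes(uint32_t nb_channels, uint32_t filt_len)
{
    uint32_t count = nb_channels * (filt_len - 1u);   /* wraps if filt_len == 0 */
    return (uint64_t)count * sizeof(spx_word16_t);
}

/* Hardened reset: refuse a zero-length filter and a count larger than the
 * buffer instead of letting the subtraction wrap. Returns 0 on success,
 * -1 when the state is invalid. */
int safe_reset_mem(struct toy_resampler *st)
{
    if (st->mem == NULL || st->filt_len == 0)
        return -1;
    size_t count = (size_t)st->nb_channels * (st->filt_len - 1u);
    if (count > st->mem_elems)
        return -1;
    memset(st->mem, 0, count * sizeof(spx_word16_t));
    return 0;
}

/* Builds a toy state whose buffer holds `elems` samples set to a sentinel,
 * so a successful reset is observable. */
struct toy_resampler make_state(uint32_t nb_channels, uint32_t filt_len, size_t elems)
{
    struct toy_resampler st = { nb_channels, filt_len, NULL, elems };
    st.mem = malloc((elems ? elems : 1) * sizeof(spx_word16_t));
    for (size_t i = 0; i < elems; i++)
        st.mem[i] = 1.0f;
    return st;
}

/* 1 if every sample in mem is zero, else 0. */
int mem_is_zeroed(const struct toy_resampler *st)
{
    for (size_t i = 0; i < st->mem_elems; i++)
        if (st->mem[i] != 0.0f)
            return 0;
    return 1;
}

/* Runs safe_reset_mem on a fresh toy state and reports the outcome:
 * -1 rejected, 1 accepted and buffer fully zeroed, 0 accepted but not zeroed. */
int reset_outcome(uint32_t nb_channels, uint32_t filt_len, size_t elems)
{
    struct toy_resampler st = make_state(nb_channels, filt_len, elems);
    int rc = safe_reset_mem(&st);
    int out = (rc != 0) ? -1 : mem_is_zeroed(&st);
    free(st.mem);
    return out;
}

int main(void)
{
    printf("filt_len=0, 1 channel: unchecked memset size = %llu bytes\n",
           (unsigned long long)vulnerable_memset_bytes(1, 0));
    printf("filt_len=160, 1 channel: %llu bytes\n",
           (unsigned long long)vulnerable_memset_bytes(1, 160));
    printf("safe reset, filt_len=0 -> %d\n", reset_outcome(1, 0, 159));
    printf("safe reset, 2 ch, filt_len=4, 6 samples -> %d\n", reset_outcome(2, 4, 6));
    printf("safe reset, 2 ch, filt_len=4, 5 samples -> %d\n", reset_outcome(2, 4, 5));
    return 0;
}
```

The second printf is there because 636 / 4 = 159 = 160 - 1: under the same assumptions the crashing allocation matches a one-channel state sized for filt_len == 160, which is what the unchecked path would have cleared correctly had filt_len not been driven to 0.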

Proof of Concept

# src/mysofa2json -c poc
==30201==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160000008fc at pc 0x00000049726c bp 0x7fffffffdfd0 sp 0x7fffffffd798
WRITE of size 17179869180 at 0x6160000008fc thread T0
    #0 0x49726b in __asan_memset /src/llvm-project-12.0.0.src/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3
    #1 0x533d2e in mysofa_resampler_reset_mem /src/libmysofa/src/resampler/speex_resampler.c:799:16
    #2 0x521c58 in mysofa_resample /src/libmysofa/src/hrtf/resample.c:56:5
    #3 0x502d3c in mysofa_open_default /src/libmysofa/src/hrtf/easy.c:53:10
    #4 0x502b6b in mysofa_open /src/libmysofa/src/hrtf/easy.c:101:10
    #5 0x4c8b04 in main /src/libmysofa/src/tests/sofa2json.c:104:13
    #6 0x7ffff6cc983f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x41cff8 in _start (/mnt/disk/out/libmysofa/mysofa2json_asan+0x41cff8)

0x6160000008fc is located 0 bytes to the right of 636-byte region [0x616000000680,0x6160000008fc)
allocated by thread T0 here:
    #0 0x497ea3 in realloc /src/llvm-project-12.0.0.src/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
    #1 0x533df2 in speex_realloc /src/libmysofa/src/resampler/speex_resampler.c:62:58
    #2 0x528fc0 in update_filter /src/libmysofa/src/resampler/speex_resampler.c:454:38
    #3 0x52560c in mysofa_resampler_init_frac /src/libmysofa/src/resampler/speex_resampler.c:596:16
    #4 0x5250a0 in mysofa_resampler_init /src/libmysofa/src/resampler/speex_resampler.c:539:10
    #5 0x521868 in mysofa_resample /src/libmysofa/src/hrtf/resample.c:44:15
    #6 0x502d3c in mysofa_open_default /src/libmysofa/src/hrtf/easy.c:53:10
    #7 0x502b6b in mysofa_open /src/libmysofa/src/hrtf/easy.c:101:10
    #8 0x4c8b04 in main /src/libmysofa/src/tests/sofa2json.c:104:13
    #9 0x7ffff6cc983f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm-project-12.0.0.src/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3 in __asan_memset
Shadow bytes around the buggy address:
  0x0c2c7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]
  0x0c2c7fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==30201==ABORTING

We have contacted a member of the hoene/libmysofa team and are waiting to hear back (a month ago)
We have sent a follow up to the hoene/libmysofa team. We will try again in 7 days. (a month ago)
Christian Hoene validated this vulnerability (a month ago)
yifengchen-cc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christian Hoene confirmed that a fix has been merged on 151e71 (a month ago)
Christian Hoene has been awarded the fix bounty