Null pointer dereference in index.c in bfabiszewski/libmobi

Valid

Reported on

May 25th 2022


Description

Null pointer dereference in bfabiszewski/libmobi at index.c:1076.

Build

export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"

./autogen.sh
./configure --disable-shared

make

POC

./mobitool -e -o /tmp/mobi POC

POC

Asan

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1984==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0000005b0416 bp 0x000000000032 sp 0x7ffdcdca6740 T0)
==1984==The signal is caused by a READ memory access.
==1984==Hint: address points to the zero page.
    #0 0x5b0416  (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x5b0416)
    #1 0x50440a  (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x50440a)
    #2 0x507594  (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x507594)
    #3 0x50bbf8  (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x50bbf8)
    #4 0x4d115b  (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x4d115b)
    #5 0x7f021bb570b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #6 0x41d56d  (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x41d56d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x5b0416)
==1984==ABORTING
Aborted

(gdb) bt
#0  mobi_trie_insert_infl (root=<optimized out>, indx=<optimized out>, i=<optimized out>) at index.c:1076
#1  0x000000000050440b in mobi_reconstruct_orth (rawml=<optimized out>, first=<optimized out>,
    new_size=<optimized out>) at parse_rawml.c:1537
#2  0x0000000000507595 in mobi_reconstruct_links_kf7 (rawml=<optimized out>) at parse_rawml.c:1805
#3  0x000000000050bbf9 in mobi_reconstruct_links (rawml=0x6080000000a0) at parse_rawml.c:1854
#4  mobi_parse_rawml_opt (rawml=<optimized out>, m=<optimized out>, parse_toc=<optimized out>,
    parse_dict=<optimized out>, reconstruct=<optimized out>) at parse_rawml.c:2158
#5  0x000000000050a203 in mobi_parse_rawml (rawml=0x8, m=0x608000000720) at parse_rawml.c:2014
#6  0x00000000004d115c in loadfilename (
    fullpath=0x7fffffffcfa0 "bba38746-3855-4bf5-ad06-a7bef4d406a3/master/crashes/id:000002,sig:11,src:000786+000699,time:82592580,execs:8346508,op:splice,rep:8") at mobitool.c:852
#7  main (argc=<optimized out>, argv=<optimized out>) at mobitool.c:1051

(gdb) list 1076
1071            MOBIIndexTag t = e.tags[j];
1072            if (t.tagid == INDX_TAGARR_INFL_PARTS_V1) {
1073                for (size_t k = 0; k + 1 < t.tagvalues_count; k += 2) {
1074                    uint32_t len = t.tagvalues[k];
1075                    uint32_t offset = t.tagvalues[k + 1];
1076                    char *base = mobi_get_cncx_string_flat(indx->cncx_record, offset, len);
1077                    if (base == NULL) {
1078                        return MOBI_MALLOC_FAILED;
1079                    }
1080                    MOBI_RET ret = mobi_trie_insert_reversed(root, base, inflected);

Impact

can cause a program to crash, use unexpected values, or remote code execution.

References

We are processing your report and will contact the bfabiszewski/libmobi team within 24 hours. a month ago
We have contacted a member of the bfabiszewski/libmobi team and are waiting to hear back a month ago
Bartek
a month ago

Maintainer


Hi, thanks for the report! There really seems to be bug here but I am getting different results than yours. Could you tell me which exact variable is null in your test?

Han0nly
a month ago

Researcher


Hi, I have a quick investigation and it seems "indx->cncx_record" is 0 and then causes the null pointer dereference at line 933.

Bartek
a month ago

Maintainer


OK. Thanks! That's correct. I just wondered why your sanitizer shows problem on line 1076. I thought that maybe in your case indx is null.

Bartek Fabiszewski modified the Severity from High to Low a month ago
Bartek
a month ago

Maintainer


I lowered severity, as I don't see a possibility to use this vulnerability for remote code execution or using unexpected values. The only scenario is segmentation fault and denial of service. Also attacker must deceive user to load crafted data.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Bartek Fabiszewski validated this vulnerability a month ago
Han0nly has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bartek Fabiszewski confirmed that a fix has been merged on 1e4924 a month ago
Bartek Fabiszewski has been awarded the fix bounty
to join this conversation