Null pointer dereference in index.c in bfabiszewski/libmobi
Reported on
May 25th 2022
Description
Null pointer dereference in bfabiszewski/libmobi at index.c:1076.
Build
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./autogen.sh
./configure --disable-shared
make
POC
./mobitool -e -o /tmp/mobi POC
Asan
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1984==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0000005b0416 bp 0x000000000032 sp 0x7ffdcdca6740 T0)
==1984==The signal is caused by a READ memory access.
==1984==Hint: address points to the zero page.
#0 0x5b0416 (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x5b0416)
#1 0x50440a (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x50440a)
#2 0x507594 (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x507594)
#3 0x50bbf8 (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x50bbf8)
#4 0x4d115b (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x4d115b)
#5 0x7f021bb570b2 (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#6 0x41d56d (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x41d56d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x5b0416)
==1984==ABORTING
Aborted
(gdb) bt
#0 mobi_trie_insert_infl (root=<optimized out>, indx=<optimized out>, i=<optimized out>) at index.c:1076
#1 0x000000000050440b in mobi_reconstruct_orth (rawml=<optimized out>, first=<optimized out>,
new_size=<optimized out>) at parse_rawml.c:1537
#2 0x0000000000507595 in mobi_reconstruct_links_kf7 (rawml=<optimized out>) at parse_rawml.c:1805
#3 0x000000000050bbf9 in mobi_reconstruct_links (rawml=0x6080000000a0) at parse_rawml.c:1854
#4 mobi_parse_rawml_opt (rawml=<optimized out>, m=<optimized out>, parse_toc=<optimized out>,
parse_dict=<optimized out>, reconstruct=<optimized out>) at parse_rawml.c:2158
#5 0x000000000050a203 in mobi_parse_rawml (rawml=0x8, m=0x608000000720) at parse_rawml.c:2014
#6 0x00000000004d115c in loadfilename (
fullpath=0x7fffffffcfa0 "bba38746-3855-4bf5-ad06-a7bef4d406a3/master/crashes/id:000002,sig:11,src:000786+000699,time:82592580,execs:8346508,op:splice,rep:8") at mobitool.c:852
#7 main (argc=<optimized out>, argv=<optimized out>) at mobitool.c:1051
(gdb) list 1076
1071 MOBIIndexTag t = e.tags[j];
1072 if (t.tagid == INDX_TAGARR_INFL_PARTS_V1) {
1073 for (size_t k = 0; k + 1 < t.tagvalues_count; k += 2) {
1074 uint32_t len = t.tagvalues[k];
1075 uint32_t offset = t.tagvalues[k + 1];
1076 char *base = mobi_get_cncx_string_flat(indx->cncx_record, offset, len);
1077 if (base == NULL) {
1078 return MOBI_MALLOC_FAILED;
1079 }
1080 MOBI_RET ret = mobi_trie_insert_reversed(root, base, inflected);
Impact
Can cause a program to crash, use unexpected values, or allow remote code execution.
References
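The gdb listing above shows the faulting call, mobi_get_cncx_string_flat(indx->cncx_record, offset, len): if indx is NULL (the maintainer's hypothesis in the thread) the field load itself reads from the zero page, which is what the ASan report's small fault address reflects; if only cncx_record is NULL, the callee faults instead. The following is an added example, not libmobi's code: the types, names (ex_indx, ex_record, ex_cncx_flat_checked, ex_collect_infl_parts) and the sample CNCX bytes are constructed here to show the unchecked pattern next to a hardened form that treats a missing index or CNCX record, or an out-of-range (len, offset) pair, as corrupt input rather than dereferencing it. It is not libmobi's actual fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for libmobi's index structures.
 * Constructed for this example; not libmobi's real definitions. */
typedef enum { EX_OK = 0, EX_DATA_CORRUPT = 1, EX_PARAM_ERR = 2 } ex_ret;

typedef struct {
    const uint8_t *data;   /* raw CNCX record bytes */
    size_t size;           /* record length in bytes */
} ex_record;

typedef struct {
    size_t entries_count;
    ex_record *cncx_record; /* NULL when the file carries no CNCX record */
} ex_indx;

/* Unchecked lookup, mirroring the shape of the call at index.c:1076.
 * Only ever call this with a validated indx: a NULL indx faults on the
 * field load, a NULL cncx_record faults on rec->data. */
static const uint8_t *ex_cncx_flat_unchecked(const ex_indx *indx, uint32_t offset, uint32_t len) {
    (void)len;                                  /* the real callee also bounds-checks len */
    const ex_record *rec = indx->cncx_record;   /* NULL indx -> read from the zero page */
    return rec->data + offset;                  /* NULL cncx_record -> same fault class */
}

/* Hardened lookup: rejects missing pointers and any [offset, offset+len)
 * range that does not lie inside the record. Never dereferences on failure. */
static ex_ret ex_cncx_flat_checked(const ex_indx *indx, uint32_t offset, uint32_t len,
                                   const uint8_t **out) {
    if (out == NULL) return EX_PARAM_ERR;
    *out = NULL;
    if (indx == NULL || indx->cncx_record == NULL || indx->cncx_record->data == NULL)
        return EX_DATA_CORRUPT;                 /* file lacks the record the tag refers to */
    const ex_record *rec = indx->cncx_record;
    /* Compare in two steps so offset + len cannot wrap around. */
    if (offset > rec->size || len > rec->size - offset)
        return EX_DATA_CORRUPT;
    *out = rec->data + offset;
    return EX_OK;
}

/* Walks (len, offset) pairs the way the INFL_PARTS loop in the listing does and
 * joins the referenced strings with '|' into outbuf. Stops at the first bad pair. */
static ex_ret ex_collect_infl_parts(const ex_indx *indx, const uint32_t *tagvalues,
                                    size_t tagvalues_count, char *outbuf, size_t outcap) {
    if (outbuf == NULL || outcap == 0) return EX_PARAM_ERR;
    outbuf[0] = '\0';
    size_t used = 0;
    for (size_t k = 0; k + 1 < tagvalues_count; k += 2) {
        uint32_t len = tagvalues[k];
        uint32_t offset = tagvalues[k + 1];
        const uint8_t *base = NULL;
        ex_ret ret = ex_cncx_flat_checked(indx, offset, len, &base);
        if (ret != EX_OK) return ret;
        size_t need = (size_t)len + (used ? 1 : 0);
        if (need > outcap - 1 - used) return EX_PARAM_ERR;   /* caller buffer too small */
        if (used) outbuf[used++] = '|';
        memcpy(outbuf + used, base, len);
        used += len;
        outbuf[used] = '\0';
    }
    return EX_OK;
}

/* Exercises a valid index, a NULL index, an index without a CNCX record and an
 * out-of-range pair. Returns 1 when every case behaves as intended, 0 otherwise. */
static int ex_selftest(void) {
    static const uint8_t bytes[] = "foo bars";   /* constructed 8-byte CNCX payload */
    ex_record rec = { bytes, 8 };
    ex_indx indx = { 2, &rec };
    ex_indx no_cncx = { 2, NULL };
    const uint32_t tags[] = { 3, 0, 4, 4 };      /* (len, offset) pairs -> "foo", "bars" */
    const uint32_t bad[] = { 3, 6 };             /* offset 6 + len 3 runs past 8 bytes */
    char out[32];
    if (ex_collect_infl_parts(&indx, tags, 4, out, sizeof out) != EX_OK) return 0;
    if (strcmp(out, "foo|bars") != 0) return 0;
    if (ex_collect_infl_parts(NULL, tags, 4, out, sizeof out) != EX_DATA_CORRUPT) return 0;
    if (ex_collect_infl_parts(&no_cncx, tags, 4, out, sizeof out) != EX_DATA_CORRUPT) return 0;
    if (ex_collect_infl_parts(&indx, bad, 2, out, sizeof out) != EX_DATA_CORRUPT) return 0;
    return 1;
}

int main(void) {
    static const uint8_t bytes[] = "foo bars";
    ex_record rec = { bytes, 8 };
    ex_indx indx = { 2, &rec };
    const uint8_t *p = ex_cncx_flat_unchecked(&indx, 4, 4);   /* safe only because indx is valid */
    printf("unchecked lookup on a valid index: %.4s\n", p);
    printf("hardened paths behave as intended: %s\n", ex_selftest() ? "yes" : "no");
    return 0;
}
```

The point of the checked variant is that a crafted file which omits the CNCX record, or points a tag outside it, is a data error the parser should report (the listing's existing `if (base == NULL) return ...` already shows that style), not a condition the code may assume away; the same check belongs in front of every consumer of indx, since the crash here is in the caller, not in mobi_get_cncx_string_flat itself.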
Hi, thanks for the report! There really seems to be a bug here but I am getting different results than yours. Could you tell me which exact variable is null in your test?
OK. Thanks! That's correct. I just wondered why your sanitizer shows a problem on line 1076. I thought that maybe in your case indx is null.
I lowered severity, as I don't see a possibility to use this vulnerability for remote code execution or using unexpected values. The only scenario is segmentation fault and denial of service. Also, an attacker must deceive a user into loading crafted data.