integer overflow in whoopsie 0.2.69
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
whoopsie (Ubuntu) | Fix Released | High | Marc Deslauriers |
Xenial | Fix Released | High | Marc Deslauriers |
Bionic | Fix Released | High | Marc Deslauriers |
Eoan | Won't Fix | High | Marc Deslauriers |
Focal | Fix Released | High | Marc Deslauriers |
Groovy | Fix Released | High | Marc Deslauriers |
Bug Description
Hi,
I have found a security issue on whoopsie 0.2.69 and earlier.
## Vulnerability in whoopsie
- whoopsie 0.2.69 and earlier have a heap-based buffer overflow vulnerability.
- An attacker can cause a denial of service (memory corruption and application crash) via a crafted .crash file.
## Basic
When a program has crashed, the Linux system tries to create a '.crash' file in the '/var/crash/' directory with a python script located in '/usr/share/
The file contains a series of system crash information including core dump, syslog, stack trace, memory map info, etc.
After the creation of the '.crash' file, whoopsie extracts the above information from the '.crash' file and encodes it into binary json (bson) format.
Lastly, whoopsie forwards the data to a remotely connected Ubuntu Error Report system.
## Vulnerability
Unfortunately, we have found a heap-based buffer overflow vulnerability during the encoding, when whoopsie attempts to bsonify a crafted crash file.
The data in the '.crash' file is stored in key-value form and whoopsie separately measures the length of 'key' and 'value' to allocate a memory region during the encoding.
A heap-based buffer overflow can occur when an integer overflow happens on a variable that contains the length of 'key'.
FYI, an issue of that kind raised by 'value' is well covered by exception handling.
@[bson.c:663][https:/
const uint32_t len = strlen( name ) + 1;
- Integer overflow occurs when the length of 'name' exceeds the INT32_MAX value.
- Here, 'name' indicates the 'key' data in the '.crash' file.
@[bson.c:627][https:/
b->data = bson_realloc( b->data, new_size );
- An unexpectedly small memory region is allocated due to the above integer overflow.
@[bson.c:680][https:/
bson_append( b, name, len );
- Memory corruption happens when the unexpectedly small memory region is written to.
## Attack Scenario
1) Create a fake.crash file
- The '.crash' file is composed of the following format: 'key : value'.
- To cause the overflow, the size of 'key' should be double the INT32_MAX value.
- The size of 'value' doesn't matter, but it must not be zero length.
$ python -c "print('A' * 0xFFFFFFFF + ' : ' + 'B')" > /var/crash/
$ cat fake.crash
AAA … AA : B
2) Trigger the whoopsie to read the fake.crash file
- Just create a 'fake.upload' file with the touch command.
- Or launch the apport-gtk gui or the apport-bug cli application.
3) Check out the result
- After a while, whoopsie is killed by a segmentation fault.
Sincerely,
summary: heap-based buffer overflow on bson.c → heap-based buffer overflow in bson.c
information type: Private Security → Public Security
summary: heap-based buffer overflow in bson.c → integer overflow in whoopsie 0.2.69
Changed in whoopsie (Ubuntu): importance: Undecided → High
tags: added: rls-ff-incoming
Changed in whoopsie (Ubuntu): status: New → Confirmed
Changed in whoopsie (Ubuntu): status: Confirmed → Incomplete
Changed in whoopsie (Ubuntu): assignee: nobody → Marc Deslauriers (mdeslaur); status: Incomplete → Confirmed
Changed in whoopsie (Ubuntu Xenial): status: New → Confirmed
Changed in whoopsie (Ubuntu Bionic): status: New → Confirmed
Changed in whoopsie (Ubuntu Eoan): status: New → Confirmed
Changed in whoopsie (Ubuntu Focal): status: New → Confirmed
Changed in whoopsie (Ubuntu Xenial): importance: Undecided → High
Changed in whoopsie (Ubuntu Bionic): importance: Undecided → High
Changed in whoopsie (Ubuntu Eoan): importance: Undecided → High
Changed in whoopsie (Ubuntu Focal): importance: Undecided → High
Changed in whoopsie (Ubuntu Xenial): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu Bionic): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu Eoan): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in whoopsie (Ubuntu Focal): assignee: nobody → Marc Deslauriers (mdeslaur)
tags: removed: rls-ff-incoming
Changed in whoopsie (Ubuntu Eoan): status: Confirmed → Won't Fix
Changed in whoopsie (Ubuntu Groovy): status: Confirmed → Fix Committed
It seems that this vulnerability was originally caused by a 'bytesNeeded' integer overflow in bson_ensure_space() (see https://git.launchpad.net/ubuntu/+source/whoopsie/tree/lib/bson/bson.c?h=applied/0.2.69#n670).
The sum of 'len' and 'dataSize', which both have the type 'uint32_t', can be assigned to 'bytesNeeded' (see https:/
Even though a series of exception handling routines was already applied for overflow of 'len' and 'dataSize', the flaw lies in the improper exception handling of overflow in 'bytesNeeded'.
I think it would be better to replace the data type of 'bytesNeeded' from 'uint32_t' to 'size_t'.
Please check the attached patch.
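To make the arithmetic in the report and in the comment above concrete, here is an added illustration (not whoopsie's bson.c and not the attached patch) of the two places the 32-bit length computation can wrap: the key length narrowed to uint32_t after strlen()+1, and the uint32_t sum of the current buffer size and the key length. The names unchecked_bytes_needed, checked_bytes_needed and BSON_MAX_SIZE are assumptions chosen for this example; the hardened variant does the sum in size_t and rejects anything that would not fit the 32-bit size fields, which is the same effect the comment's suggested change aims at. The large lengths are passed as numbers so the example runs without allocating gigabytes of input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed bound for this example: a BSON document size field is 32 bits,
 * so the buffer the encoder grows must never be asked to exceed it. */
#define BSON_MAX_SIZE ((size_t)UINT32_MAX)

/* Models the unchecked arithmetic described in the report.
 *   key_len   : what strlen(name) returned for the key
 *   data_size : bytes already used in the document buffer ('dataSize')
 * Both the narrowing to uint32_t and the 32-bit addition can wrap, so the
 * returned 'bytesNeeded' can be far smaller than the real requirement. */
uint32_t unchecked_bytes_needed(uint32_t data_size, size_t key_len)
{
    const uint32_t len = (uint32_t)(key_len + 1);  /* strlen()+1 narrowed: may wrap to 0 */
    const uint32_t bytes_needed = data_size + len; /* 32-bit sum: may wrap to a tiny value */
    return bytes_needed;
}

/* Hardened variant: every step is done in size_t and checked before it is
 * used for allocation. Returns false (and leaves *out untouched) when the
 * sizes cannot be represented, so a caller can refuse the record instead of
 * growing the buffer to a wrong size. */
bool checked_bytes_needed(uint32_t data_size, size_t key_len, size_t *out)
{
    /* key_len + 1 must itself fit the 32-bit length field. */
    if (key_len >= BSON_MAX_SIZE)
        return false;
    const size_t len = key_len + 1;

    /* Guard the addition against size_t wrap (matters on 32-bit size_t). */
    if (len > SIZE_MAX - (size_t)data_size)
        return false;
    const size_t needed = (size_t)data_size + len;

    /* The grown buffer must still be addressable by a 32-bit size field. */
    if (needed > BSON_MAX_SIZE)
        return false;

    *out = needed;
    return true;
}
```

Usage: call checked_bytes_needed() before any realloc and treat a false return as "reject this key". For a 16-byte buffer and a 3-byte key both functions agree on 20; for a key of 0xFFFFFFFF bytes the unchecked path narrows len to 0 and reports that only 16 bytes are needed, and for a key of 0xFFFFFFF0 bytes the 32-bit sum wraps to 1, while the checked path refuses both.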