Date: Thu, 05 Nov 2015 17:30:14 +0100
From: gauri@....by
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Cc: "cve-assign@...re.org" <cve-assign@...re.org>
Subject: Re: Re: CVE request: libsndfile 1.0.25 heap overflow

Hello list.

03.11.2015, 21:02, "cve-assign@...re.org" <cve-assign@...re.org>:
>> Unrelated, but I recently reported an out of bounds triggered by the
>> test suite of libsndfile and got no reply:
>> http://permalink.gmane.org/gmane.comp.audio.libsndfile.devel/681
>
>> Out of bounds reads in psf_strlcpy_crlf when running test suite
>
>> AddressSanitizer: global-buffer-overflow ... READ of size 1
>
> Use CVE-2015-8075.

I have followed up on this to spot the root cause of what has been assigned CVE-2015-8075; as recommended by Hanno, I am sharing my results with the wider audience.

The `test_psf_strlcpy_crlf()` routine, as it is presented [1] in version 1.0.25, is incorrect in that it supplies an invalid argument value to the function `psf_strlcpy_crlf()` being tested: the last argument `srcmax` receives `sizeof(src)`, which is the size of the pointer `src`, and not the source string length it points to, as might have been anticipated by the author. Since the reporter tested a 64-bit build, `srcmax` gets passed 8, but the string is 7 bytes long. This triggers OOB access detected by address sanitizer, just like in the original report.

At this point, it seems CVE-2015-8075 has to be rejected as there is no vulnerability, only a poorly written test case which doesn't see any action except when running `make check`.

Note: Apparently, the vendor has attempted to fix the test [2], but it seems like `srcmax` is getting `sizeof(char)` instead of `sizeof(char *)` now. The test remains invalid, although due to a different reason.

Cheers,
Z.

References:
[1] https://github.com/erikd/libsndfile/blob/f66e21e0b1f1b52b544dabb5ba4fa89fa6f62a30/src/test_strncpy_crlf.c
[2] https://github.com/erikd/libsndfile/blob/495c2877e1c841fbb420383551547d2ca60533c6/src/test_strncpy_crlf.c
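The following is an added illustration of the `sizeof` mistake described above; it is not libsndfile's code and not from the mail's author. `copy_crlf` is a hypothetical stand-in for a bounded LF-to-CRLF copy that trusts its `srcmax` argument exactly the way the mail describes, `SRC` is a constructed 7-byte source buffer without a terminating NUL, and the three `srcmax_via_*` helpers reproduce the bounds a test could compute: `sizeof` of the pointer parameter (8 on LP64), `sizeof(char)` (1), and `sizeof` of the array itself (7). The harness refuses to call the copy unless the bound matches the source, which is the check the original test lacked.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed source buffer: exactly 7 bytes and no terminating NUL, so any
 * srcmax above 7 would make a trusting copy read past the end of the object. */
static const char SRC[7] = { 'a', 'b', '\n', 'c', 'd', '\n', 'e' };
static const char EXPECTED[] = "ab\r\ncd\r\ne";

/* Hypothetical CRLF-normalising bounded copy (a stand-in, not libsndfile's
 * psf_strlcpy_crlf): copies exactly srcmax bytes of src into dest (capacity
 * destmax), turning '\n' into "\r\n", and always NUL-terminates dest.
 * It trusts srcmax, so the caller must get that bound right. */
void copy_crlf(char *dest, const char *src, size_t destmax, size_t srcmax)
{
    size_t di = 0;
    if (destmax == 0)
        return;
    for (size_t si = 0; si < srcmax; si++) {
        if (src[si] == '\n') {
            if (di + 2 >= destmax)   /* keep room for the NUL */
                break;
            dest[di++] = '\r';
            dest[di++] = '\n';
        } else {
            if (di + 1 >= destmax)
                break;
            dest[di++] = src[si];
        }
    }
    dest[di] = '\0';
}

/* Bound as the original test computed it: sizeof applied to a pointer
 * parameter yields sizeof(char *), 8 on LP64 and 4 on ILP32, never the
 * length of the text it points to. */
size_t srcmax_via_pointer_sizeof(const char *src)
{
    return sizeof(src);
}

/* Bound as the attempted fix computes it: sizeof(char) is always 1. */
size_t srcmax_via_char_sizeof(void)
{
    return sizeof(char);
}

/* Bound taken from the array object itself: 7, but only valid while the
 * array (not a decayed pointer) is in scope. */
size_t srcmax_via_array_sizeof(void)
{
    return sizeof(SRC);
}

/* The check the test harness should perform before passing a bound on:
 * returns 1 if srcmax covers exactly the data bytes of SRC, else 0. */
int srcmax_matches_source(size_t srcmax)
{
    return srcmax == sizeof(SRC);
}

/* Runs the copy only under a sound bound. Returns 1 if the output matches
 * EXPECTED, 0 if it does not, and -1 if the bound was rejected before any
 * byte of SRC was read. */
int run_copy_test(size_t srcmax)
{
    char out[32];
    if (!srcmax_matches_source(srcmax))
        return -1;
    copy_crlf(out, SRC, sizeof(out), srcmax);
    return strcmp(out, EXPECTED) == 0;
}

int main(void)
{
    printf("bound = sizeof(pointer): %d\n", run_copy_test(srcmax_via_pointer_sizeof(SRC)));
    printf("bound = sizeof(char)   : %d\n", run_copy_test(srcmax_via_char_sizeof()));
    printf("bound = sizeof(array)  : %d\n", run_copy_test(srcmax_via_array_sizeof()));
    return 0;
}
```

Only the array-derived bound reaches the copy and produces the expected output; both `sizeof` variants from the mail are rejected by `srcmax_matches_source` before `copy_crlf` touches `SRC`, which is the same condition AddressSanitizer reported at runtime in the original test.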
