| Field | Value |
|---|---|
| Title | plan9port plan9port commit be7c68f6954f7dcaa53403e0f600716f65a13d32 heap-buffer-overflow |

## Description
[plan9port](https://github.com/9fans/plan9port) has a heap-buffer-overflow (a 1-byte out-of-bounds read, per the ASan report below) at /src/plan9port/src/libsec/port/x509.c:2524:66 in `edump`.
## version
```shell
commit be7c68f6954f7dcaa53403e0f600716f65a13d32
```
## Harness
The harness is the oss-fuzz target from https://github.com/google/oss-fuzz/blob/master/projects/plan9port/fuzz_libsec.c:
```c
#include <stdint.h>
#include <string.h>
#include <stdlib.h>
#include <u.h>
#include <libc.h>
#include <auth.h>
#include <mp.h>
#include <libsec.h>

/* libFuzzer entry point: feed the fuzzer-generated bytes to libsec's
 * ASN.1/DER dumper as if they were an untrusted certificate blob. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
	/* Copy into a heap buffer of exactly `size` bytes (plus a NUL) so that
	 * ASan flags any read past the end of the DER input. */
	char *fuzz_der = (char *)malloc(size + 1);
	if (fuzz_der == NULL) {
		return 0;
	}
	memcpy(fuzz_der, data, size);
	fuzz_der[size] = '\0';

	/* asn1dump() is declared as (uchar *der, int len) in libsec.h. */
	asn1dump((uchar *)fuzz_der, size);

	free(fuzz_der);
	return 0;
}
```
## Proof of Concept
The PoC input can be obtained from Google Drive: https://drive.google.com/drive/folders/1kedwNLNDiFQB2OAp7S-ZKYoF7nxfIZGO?usp=sharing
```shell
$ ./fuzz_libsec 5f2997e8-f35b-4ab8-9132-7a7ddd46e452
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2020783506
INFO: Loaded 1 modules (2896 inline 8-bit counters): 2896 [0x64c340, 0x64ce90),
INFO: Loaded 1 PC tables (2896 PCs): 2896 [0x5f3848,0x5fed48),
./fuzz_libsec: Running 1 inputs 1 time(s) each.
Running: 5f2997e8-f35b-4ab8-9132-7a7ddd46e452
SEQUENCE{Seq
class64,num19{=================================================================
==1222638==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000094 at pc 0x000000587432 bp 0x7fffffffd9d0 sp 0x7fffffffd9c8
READ of size 1 at 0x602000000094 thread T0
#0 0x587431 in edump /src/plan9port/src/libsec/port/x509.c:2524:66
#1 0x587034 in edump /src/plan9port/src/libsec/port/x509.c:2538:4
#2 0x586d29 in asn1dump /src/plan9port/src/libsec/port/x509.c:2558:2
#3 0x57cbae in LLVMFuzzerTestOneInput /src/fuzz_libsec.c:29:2
#4 0x44e483 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#5 0x429612 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
#6 0x4346f1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
#7 0x468822 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#8 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#9 0x41f7dd in _start (/home/zhangwei28/80result/plan9port/fuzz_libsec+0x41f7dd)
0x602000000094 is located 0 bytes to the right of 4-byte region [0x602000000090,0x602000000094)
allocated by thread T0 here:
#0 0x53f6f6 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x57cc69 in p9malloc /src/plan9port/src/lib9/malloc.c:16:9
#2 0x58bbdc in emalloc /src/plan9port/src/libsec/port/x509.c:172:6
#3 0x58bbdc in newbytes /src/plan9port/src/libsec/port/x509.c:1290:16
#4 0x58bbdc in makebytes /src/plan9port/src/libsec/port/x509.c:1303:8
#5 0x58bbdc in octet_decode /src/plan9port/src/libsec/port/x509.c:647:9
#6 0x5897ae in value_decode /src/plan9port/src/libsec/port/x509.c:432:9
#7 0x5897ae in ber_decode /src/plan9port/src/libsec/port/x509.c:269:11
#8 0x58c0a6 in seq_decode /src/plan9port/src/libsec/port/x509.c:724:10
#9 0x58a09a in value_decode /src/plan9port/src/libsec/port/x509.c:504:9
#10 0x589737 in ber_decode /src/plan9port/src/libsec/port/x509.c:267:11
#11 0x586cb9 in decode /src/plan9port/src/libsec/port/x509.c:205:10
#12 0x586cb9 in asn1dump /src/plan9port/src/libsec/port/x509.c:2553:5
#13 0x57cbae in LLVMFuzzerTestOneInput /src/fuzz_libsec.c:29:2
#14 0x44e483 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#15 0x429612 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
#16 0x4346f1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
#17 0x468822 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#18 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/plan9port/src/libsec/port/x509.c:2524:66 in edump
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 fa
=>0x0c047fff8010: fa fa[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1222638==ABORTING
```

| Field | Value |
|---|---|
| Source | https://drive.google.com/drive/folders/1kedwNLNDiFQB2OAp7S-ZKYoF7nxfIZGO?usp=sharing |
| User | Anonymous User |
| Submission | 03/26/2024 09:02 AM (2 years ago) |
| Moderation | 04/02/2024 06:42 PM (7 days later) |
| Status | Accepted |
| VulDB entry | 259053 [9fans plan9port up to 9da5b44 x509.c edump heap-based overflow] |
| Points | 20 |