blob: fix OOB access in blob_check_type

Found by fuzzer:

 ERROR: AddressSanitizer: SEGV on unknown address 0x602100000455
 The signal is caused by a READ memory access.
     #0 in blob_check_type blob.c:214:43
     #1 in blob_parse_attr blob.c:234:9
     #2 in blob_parse_untrusted blob.c:272:12
     #3 in fuzz_blob_parse tests/fuzzer/test-blob-parse-fuzzer.c:34:2
     #4 in LLVMFuzzerTestOneInput tests/fuzzer/test-blob-parse-fuzzer.c:39:2

Caused by following line:

	if (type == BLOB_ATTR_STRING && data[len - 1] != 0)

where len was pointing outside of the data buffer.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
This commit is contained in:
Petr Štetiar 2019-12-09 15:27:16 +01:00
parent 325418a7a3
commit 478597b9f9
3 changed files with 20 additions and 5 deletions

23
blob.c
View file

@ -218,20 +218,33 @@ blob_check_type(const void *ptr, unsigned int len, int type)
} }
static int static int
blob_parse_attr(struct blob_attr *attr, struct blob_attr **data, const struct blob_attr_info *info, int max) blob_parse_attr(struct blob_attr *attr, size_t attr_len, struct blob_attr **data, const struct blob_attr_info *info, int max)
{ {
int id;
size_t len;
int found = 0; int found = 0;
int id = blob_id(attr); size_t data_len;
size_t len = blob_len(attr);
if (!attr || attr_len < sizeof(struct blob_attr))
return 0;
id = blob_id(attr);
if (id >= max) if (id >= max)
return 0; return 0;
len = blob_raw_len(attr);
if (len > attr_len || len < sizeof(struct blob_attr))
return 0;
data_len = blob_len(attr);
if (data_len > len)
return 0;
if (info) { if (info) {
int type = info[id].type; int type = info[id].type;
if (type < BLOB_ATTR_LAST) { if (type < BLOB_ATTR_LAST) {
if (!blob_check_type(blob_data(attr), len, type)) if (!blob_check_type(blob_data(attr), data_len, type))
return 0; return 0;
} }
@ -285,7 +298,7 @@ blob_parse(struct blob_attr *attr, struct blob_attr **data, const struct blob_at
memset(data, 0, sizeof(struct blob_attr *) * max); memset(data, 0, sizeof(struct blob_attr *) * max);
blob_for_each_attr(pos, attr, rem) { blob_for_each_attr(pos, attr, rem) {
found += blob_parse_attr(pos, data, info, max); found += blob_parse_attr(pos, rem, data, info, max);
} }
return found; return found;

View file

@ -56,6 +56,8 @@ check that blob_parse is producing expected results:
cannot parse cert c42ac1c46f1d4e211c735cc7dfad4ff8391110e9 cannot parse cert c42ac1c46f1d4e211c735cc7dfad4ff8391110e9
cannot parse cert crash-1b8fb1be45db3aff7699100f497fb74138f3df4f cannot parse cert crash-1b8fb1be45db3aff7699100f497fb74138f3df4f
cannot parse cert crash-1b8fb1be45db3aff7699100f497fb74138f3df4f cannot parse cert crash-1b8fb1be45db3aff7699100f497fb74138f3df4f
cannot parse cert crash-333757b203a44751d3535f24b05f467183a96d09
cannot parse cert crash-333757b203a44751d3535f24b05f467183a96d09
cannot parse cert crash-4c4d2c3c9ade5da9347534e290305c3b9760f627 cannot parse cert crash-4c4d2c3c9ade5da9347534e290305c3b9760f627
cannot parse cert crash-4c4d2c3c9ade5da9347534e290305c3b9760f627 cannot parse cert crash-4c4d2c3c9ade5da9347534e290305c3b9760f627
cannot parse cert crash-5e9937b197c88bf4e7b7ee2612456cad4cb83f5b cannot parse cert crash-5e9937b197c88bf4e7b7ee2612456cad4cb83f5b