DGNum/libubox
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
libubox/tests/fuzz/corpus
History
Juraj Vijtiuk 43a103ff17 blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes 
Fix out of bounds read in blobmsg_parse and blobmsg_check_name. The
out of bounds read happens because blob_attr and blobmsg_hdr have
flexible array members, whose size is 0 in the corresponding sizeofs.
For example the __blob_for_each_attr macro checks whether rem >=
sizeof(struct blob_attr). However, what LibFuzzer discovered was,
if the input data was only 4 bytes, the data would be casted to blob_attr,
and later on blob_data(attr) would be called even though attr->data was empty.
The same issue could appear with data larger than 4 bytes, where data
wasn't empty, but contained only the start of the blobmsg_hdr struct,
and blobmsg_hdr name was empty. The bugs were discovered by fuzzing
blobmsg_parse and blobmsg_array_parse with LibFuzzer.

CC: Luka Perkov <luka.perkov@sartura.hr>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
[refactored some checks, added fuzz inputs, adjusted unit test results]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-20 16:54:10 +01:00
..
71520a5c4b5ca73903216857abbad54a8002d44a tests: add libFuzzer based tests 2019-12-25 10:31:58 +01:00
c1dfd96eea8cc2b62785275bca38ac261256e278 tests: add libFuzzer based tests 2019-12-25 10:31:58 +01:00
c42ac1c46f1d4e211c735cc7dfad4ff8391110e9 tests: add libFuzzer based tests 2019-12-25 10:31:58 +01:00
crash-1b8fb1be45db3aff7699100f497fb74138f3df4f test: fuzz: add blob_parse crashes 2019-12-25 10:31:58 +01:00
crash-4c4d2c3c9ade5da9347534e290305c3b9760f627 test: fuzz: add blobmsg_check_attr crashes 2019-12-25 10:31:58 +01:00
crash-5e9937b197c88bf4e7b7ee2612456cad4cb83f5b test: fuzz: add blobmsg_check_attr crashes 2019-12-25 10:31:58 +01:00
crash-75b146c4e6fac64d3e62236b27c64b50657bab2a test: fuzz: add blobmsg_check_attr crashes 2019-12-25 10:31:58 +01:00
crash-813f3e68661da09c26d4a87dbb9d5099e92be50f test: fuzz: add blobmsg_check_attr crashes 2019-12-25 10:31:58 +01:00
crash-98595faa58ba01d85ba4fd0b109cd3d490b45795 test: fuzz: add blob_parse crashes 2019-12-25 10:31:58 +01:00
crash-333757b203a44751d3535f24b05f467183a96d09 blob: fix OOB access in blob_check_type 2019-12-25 10:31:58 +01:00
crash-a3585b70f1c7ffbdec10f6dadc964336118485c4 blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes 2020-01-20 16:54:10 +01:00
crash-b3585b70f1c7ffbdec10f6dadc964336118485c4 blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes 2020-01-20 16:54:10 +01:00
crash-d0f3aa7d60a094b021f635d4edb7807c055a4ea1 test: fuzz: add blob_parse crashes 2019-12-25 10:31:58 +01:00
crash-df9d1243057b27bbad6211e5a23d1cb699028aa2 test: fuzz: add blob_parse crashes 2019-12-25 10:31:58 +01:00
crash-e2fd5ecb3b37926743256f1083f47a07c39e10c2 test: fuzz: add blobmsg_check_attr crashes 2019-12-25 10:31:58 +01:00
valid-blobmsg.bin tests: add libFuzzer based tests 2019-12-25 10:31:58 +01:00