
blast-dbf's Issues

Stack overflow causes out-of-bounds write through malformed input file

A malformed input DBC file (attached below) causes an out-of-bounds write due to a missing check.

Run (file crash01 is zipped and attached below):
./blast-dbf crash01 /dev/null

Gives the output:

blast-dbf.c:66:19: runtime error: variable length array bound evaluates to non-positive value 0
=================================================================
==3684929==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffd8ed60e9f at pc 0x5633cca583c5 bp 0x7ffd8ed60e60 sp 0x7ffd8ed60e50
WRITE of size 1 at 0x7ffd8ed60e9f thread T0
    #0 0x5633cca583c4 in dbc2dbf /home/ub/blast-dbf/blast-dbf.c:70
    #1 0x5633cca48f4e in main /home/ub/blast-dbf/blast-dbf.c:118
    #2 0x7f7765e75d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #3 0x7f7765e75e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #4 0x5633cca49314 in _start (/home/ub/blast-dbf/blast-dbf+0xc314)

Address 0x7ffd8ed60e9f is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /home/ub/blast-dbf/blast-dbf.c:70 in dbc2dbf
Shadow bytes around the buggy address:
  0x100031da4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031da4190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031da41a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031da41b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031da41c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100031da41d0: ca ca ca[ca]cb cb cb cb 00 00 00 00 00 00 00 00
  0x100031da41e0: 00 00 00 00 f1 f1 f1 f1 02 f3 f3 f3 00 00 00 00
  0x100031da41f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031da4200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031da4210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100031da4220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3684929==ABORTING

Crash analysis:
The issue is on blast-dbf.c:70:

buf[header-1] = 0x0D;

With a specially crafted DBC file, I can force the header to evaluate to 0, causing 0x0D to be written to buf[-1] which is an out-of-bounds write. This crashes the program and may lead to denial of service for downstream services. I will raise a PR to fix this and a CVE to account for this bug as there are multiple downstream projects in multiple languages (Python, R from what I've seen) that make use of this code.

crash01.zip
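The pattern described in the crash analysis above, as an added example that is neither blast-dbf's own code nor the reporter's: a hypothetical header copy modeled on the `buf[header-1] = 0x0D;` write, with the length validation the report says is missing, and a heap buffer in place of the stack VLA that the sanitizer output shows being sized by the file. It assumes the DBF convention that bytes 8-9 of the header hold the total header length as a 16-bit little-endian value and that a real header is at least 32 bytes; the function names, the status codes and the 48-byte constructed input are this example's own and are not taken from the project.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumptions of this example, not taken from blast-dbf: DBF headers keep
 * the total header length at bytes 8-9 (16-bit little-endian), and the
 * fixed part of a DBF header is 32 bytes, so any claimed length below that
 * (including the 0 that crash01 produces) cannot be a real header. */
#define DBF_LENGTH_OFFSET 8u
#define DBF_FIXED_HEADER  32u

enum hdr_status {
    HDR_OK = 0,
    HDR_SHORT_INPUT,  /* input ends before the length field */
    HDR_BAD_LENGTH,   /* claimed length < 32; covers the header == 0 case */
    HDR_TRUNCATED,    /* claimed length runs past the end of the input */
    HDR_NOMEM
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* The missing check: validate the file-controlled length before it is used
 * as a buffer size or an index. With header == 0 the reported code sizes a
 * VLA with a non-positive bound and then writes buf[header - 1], i.e.
 * buf[-1]; here such input is rejected instead. */
enum hdr_status read_header_len(const uint8_t *in, size_t in_len, size_t *hdr_out)
{
    if (in_len < DBF_LENGTH_OFFSET + 2) return HDR_SHORT_INPUT;
    size_t hdr = le16(in + DBF_LENGTH_OFFSET);
    if (hdr < DBF_FIXED_HEADER) return HDR_BAD_LENGTH;
    if (hdr > in_len) return HDR_TRUNCATED;
    *hdr_out = hdr;
    return HDR_OK;
}

/* Hardened header copy: heap buffer instead of a file-sized VLA. Returns a
 * malloc'd buffer of *out_len bytes whose last byte is 0x0D (the write the
 * report points at), or NULL with *st saying why. Caller frees. */
uint8_t *copy_dbf_header(const uint8_t *in, size_t in_len,
                         size_t *out_len, enum hdr_status *st)
{
    size_t hdr = 0;
    *st = read_header_len(in, in_len, &hdr);
    if (*st != HDR_OK) return NULL;
    uint8_t *buf = malloc(hdr);
    if (buf == NULL) { *st = HDR_NOMEM; return NULL; }
    memcpy(buf, in, hdr - 1);   /* hdr >= 32, so hdr - 1 cannot wrap */
    buf[hdr - 1] = 0x0D;        /* in bounds by construction */
    *out_len = hdr;
    return buf;
}

/* Constructed 48-byte stand-in for an input file (not a real DBC): zero
 * filled except for a version byte and the claimed header length. */
#define SAMPLE_LEN 48u
static void make_sample(uint16_t claimed, uint8_t file[SAMPLE_LEN])
{
    memset(file, 0, SAMPLE_LEN);
    file[0] = 0x03;  /* dBASE III version byte, illustrative only */
    file[DBF_LENGTH_OFFSET]     = (uint8_t)(claimed & 0xFFu);
    file[DBF_LENGTH_OFFSET + 1] = (uint8_t)(claimed >> 8);
}

/* Status the hardened copy returns for a sample claiming `claimed` bytes. */
enum hdr_status try_header_length(uint16_t claimed)
{
    uint8_t file[SAMPLE_LEN];
    size_t n = 0;
    enum hdr_status st;
    make_sample(claimed, file);
    free(copy_dbf_header(file, SAMPLE_LEN, &n, &st));
    return st;
}

/* 1 if the sample is accepted, the copy has the claimed length and ends in
 * the 0x0D terminator; 0 otherwise. */
int header_copy_ok(uint16_t claimed)
{
    uint8_t file[SAMPLE_LEN];
    size_t n = 0;
    enum hdr_status st;
    make_sample(claimed, file);
    uint8_t *hdr = copy_dbf_header(file, SAMPLE_LEN, &n, &st);
    int ok = hdr != NULL && n == claimed && hdr[n - 1] == 0x0D;
    free(hdr);
    return ok;
}

int main(void)
{
    printf("claimed 0    -> status %d (the crash01 case, rejected)\n", try_header_length(0));
    printf("claimed 33   -> status %d, copy ok=%d\n", try_header_length(33), header_copy_ok(33));
    printf("claimed 1000 -> status %d (longer than the file)\n", try_header_length(1000));
    return 0;
}
```

The two checks in `read_header_len` are the whole fix: a lower bound rules out the zero (and any other impossibly small) length that turns `header - 1` into a negative index, and the upper bound rules out a header that claims more bytes than the file contains, which would otherwise become a short read followed by a write at the claimed end.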

License

Hi everyone!

I would like to know what the license of this project is. I'm planning to create a conda package for this project and I need this information.

Thanks.
