oss-sec mailing list archives
Re: Heap based buffer overflow in wolfSSL
From: Alexander Potapenko <glider () google com>
Date: Wed, 16 Jan 2019 16:00:49 +0100
On Wed, Jan 16, 2019 at 12:44 PM Dhiraj Mishra <mishra.dhiraj95 () gmail com> wrote:
> Hi List,
Hello,

I cannot judge whether this is a real problem or not, but the report below is definitely missing critical information, like symbols, filenames and line numbers. Without those it's even impossible to tell a bug in wolfSSL code from a bug in the benchmark itself.
You can refer to https://clang.llvm.org/docs/AddressSanitizer.html#symbolizing-the-reports for the instructions on how to get symbol information.

HTH,
Alex
> ## Summary:
> wolfSSL is a C-language-based SSL/TLS library targeted at IoT, embedded, and RTOS environments. A heap-based buffer overflow was observed in tls_bench.c, which is a benchmark tool in wolfSSL.
>
> ## ASAN
> ==4088==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000480 at pc 0x00000050ff16 bp 0x7fef206fdbf0 sp 0x7fef206fdbe8
> WRITE of size 1 at 0x619000000480 thread T2
>     #0 0x50ff15 (/wolfssl/examples/benchmark/tls_bench+0x50ff15)
>     #1 0x4dfa52 (/wolfssl/examples/benchmark/tls_bench+0x4dfa52)
>     #2 0x7fef243ac6da (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
>     #3 0x7fef23ab188e (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
>
> 0x619000000480 is located 0 bytes to the right of 1024-byte region [0x619000000080,0x619000000480)
> allocated by thread T2 here:
>     #0 0x4d1fa0 (/wolfssl/examples/benchmark/tls_bench+0x4d1fa0)
>     #1 0x50f277 (/wolfssl/examples/benchmark/tls_bench+0x50f277)
>     #2 0x4dfa52 (/wolfssl/examples/benchmark/tls_bench+0x4dfa52)
>
> Thread T2 created by T0 here:
>     #0 0x435490 (/wolfssl/examples/benchmark/tls_bench+0x435490)
>     #1 0x50cbf5 (/wolfssl/examples/benchmark/tls_bench+0x50cbf5)
>     #2 0x5101d0 (/wolfssl/examples/benchmark/tls_bench+0x5101d0)
>     #3 0x7fef239b1b96 (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow (/wolfssl/examples/benchmark/tls_bench+0x50ff15)
> Shadow bytes around the buggy address:
>   0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c327fff8090:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==4088==ABORTING
>
> References:
> https://github.com/wolfSSL/wolfssl
> https://github.com/wolfSSL/wolfssl/issues/2032
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6439
>
> Thank you
> @mishradhiraj_
--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing Directors: Paul Manicle, Halimah DeLaine Prado
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
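The trace in the quoted report stops at `module+offset` frames, which is exactly what Alex is asking to have resolved. As an added example (not from this thread, and not wolfSSL or Google code), the script below parses such frames out of an already-captured ASan report and drives binutils `addr2line` to recover function and file:line, or prints the command the reporter would need to run when the object is not available locally. The sample `REPORT` is copied from the first stack above; the names `parse_frames`, `addr2line_command` and `symbolize` are my own, and resolution assumes the object was built with `-g`.

```python
import os
import re
import shutil
import subprocess

# Constructed sample: the first (WRITE) stack of the report quoted above, verbatim.
REPORT = """\
WRITE of size 1 at 0x619000000480 thread T2
    #0 0x50ff15 (/wolfssl/examples/benchmark/tls_bench+0x50ff15)
    #1 0x4dfa52 (/wolfssl/examples/benchmark/tls_bench+0x4dfa52)
    #2 0x7fef243ac6da (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #3 0x7fef23ab188e (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
"""

# An unsymbolized ASan frame reads "#N 0xPC (MODULE+0xOFFSET)"; the module-relative offset
# is what a symbolizer needs (for this non-PIE tls_bench, pc and offset happen to coincide).
FRAME_RE = re.compile(
    r"#(?P<no>\d+)\s+0x[0-9a-fA-F]+\s+\((?P<module>[^()]+?)\+(?P<offset>0x[0-9a-fA-F]+)\)"
)

def parse_frames(report):
    """Return (frame_no, module_path, offset) for every unsymbolized frame in the text."""
    return [(int(m["no"]), m["module"], m["offset"]) for m in FRAME_RE.finditer(report)]

def addr2line_command(module, offset):
    """binutils addr2line: -f prints the function, -C demangles, -e selects the object."""
    return ["addr2line", "-f", "-C", "-e", module, offset]

def symbolize(report):
    """Resolve each frame when the object and addr2line are present on this machine;
    otherwise emit the exact command the reporter would need to run on theirs."""
    lines = []
    tool_available = shutil.which("addr2line") is not None
    for no, module, offset in parse_frames(report):
        cmd = addr2line_command(module, offset)
        if tool_available and os.path.isfile(module):
            res = subprocess.run(cmd, capture_output=True, text=True, check=False)
            func, loc = (res.stdout.splitlines() + ["??", "??:0"])[:2]
            if func == "??" or loc.startswith("??"):
                # Object found but carries no DWARF: it must be rebuilt with -g.
                loc += " (no debug info; rebuild with -g -fno-omit-frame-pointer)"
            lines.append(f"#{no} {func} {loc} ({module}+{offset})")
        else:
            lines.append(f"#{no} <unresolved> ({module}+{offset}); run: {' '.join(cmd)}")
    return lines

# For fresh runs, ASAN_OPTIONS=symbolize=1 plus ASAN_SYMBOLIZER_PATH=<llvm-symbolizer> makes
# the runtime print symbols itself; this script is only for traces captured without them.
if __name__ == "__main__":
    print("\n".join(symbolize(REPORT)))
```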