oss-sec mailing list archives
Re: Heap based buffer overflow in wolfSSL
From: Alexander Potapenko <glider () google com>
Date: Wed, 16 Jan 2019 16:00:49 +0100
On Wed, Jan 16, 2019 at 12:44 PM Dhiraj Mishra <mishra.dhiraj95 () gmail com> wrote:
Hi List,
Hello,

I cannot judge whether this is a real problem or not, but the report below is definitely missing critical information, like symbols, filenames and line numbers. Without those it's even impossible to tell a bug in wolfSSL code from a bug in the benchmark itself.

You can refer to https://clang.llvm.org/docs/AddressSanitizer.html#symbolizing-the-reports for the instructions on how to get symbol information.

HTH,
Alex
## Summary:
wolfSSL is a C-language-based SSL/TLS library targeted at IoT, embedded,
and RTOS environments. A heap-based buffer overflow was observed in
tls_bench.c, which is a benchmark tool in wolfSSL.
## ASAN
==4088==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x619000000480 at pc 0x00000050ff16 bp 0x7fef206fdbf0 sp 0x7fef206fdbe8
WRITE of size 1 at 0x619000000480 thread T2
#0 0x50ff15 (/wolfssl/examples/benchmark/tls_bench+0x50ff15)
#1 0x4dfa52 (/wolfssl/examples/benchmark/tls_bench+0x4dfa52)
#2 0x7fef243ac6da (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#3 0x7fef23ab188e (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
0x619000000480 is located 0 bytes to the right of 1024-byte region
[0x619000000080,0x619000000480)
allocated by thread T2 here:
#0 0x4d1fa0 (/wolfssl/examples/benchmark/tls_bench+0x4d1fa0)
#1 0x50f277 (/wolfssl/examples/benchmark/tls_bench+0x50f277)
#2 0x4dfa52 (/wolfssl/examples/benchmark/tls_bench+0x4dfa52)
Thread T2 created by T0 here:
#0 0x435490 (/wolfssl/examples/benchmark/tls_bench+0x435490)
#1 0x50cbf5 (/wolfssl/examples/benchmark/tls_bench+0x50cbf5)
#2 0x5101d0 (/wolfssl/examples/benchmark/tls_bench+0x5101d0)
#3 0x7fef239b1b96 (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/wolfssl/examples/benchmark/tls_bench+0x50ff15)
Shadow bytes around the buggy address:
0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8090:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4088==ABORTING
References:
https://github.com/wolfSSL/wolfssl
https://github.com/wolfSSL/wolfssl/issues/2032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6439
Thank you
@mishradhiraj_
--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing directors: Paul Manicle, Halimah DeLaine Prado
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
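Alex's point is that every frame in the quoted report is only a module path plus an offset, so nothing in it says which source file or function the one-byte write came from. The following is an added example, not code from the thread or from the wolfSSL project: a small Python parser that pulls the stack traces and the access/region facts out of the report exactly as quoted above, and builds the `llvm-symbolizer --obj=` / `addr2line -e` commands that resolve each module+offset to file:line. It assumes the report excerpt embedded below (copied from the quoted report, with the ERROR header re-joined onto one line as ASan prints it) and that the binaries were built with `-g`, since without debug info both tools only print `??`.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the unsymbolized report quoted in this thread (frames, access and
# region lines copied from it). Used here as the sample input.
SAMPLE_REPORT = """\
==4088==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000480 at pc 0x00000050ff16 bp 0x7fef206fdbf0 sp 0x7fef206fdbe8
WRITE of size 1 at 0x619000000480 thread T2
    #0 0x50ff15 (/wolfssl/examples/benchmark/tls_bench+0x50ff15)
    #1 0x4dfa52 (/wolfssl/examples/benchmark/tls_bench+0x4dfa52)
    #2 0x7fef243ac6da (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #3 0x7fef23ab188e (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
0x619000000480 is located 0 bytes to the right of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T2 here:
    #0 0x4d1fa0 (/wolfssl/examples/benchmark/tls_bench+0x4d1fa0)
    #1 0x50f277 (/wolfssl/examples/benchmark/tls_bench+0x50f277)
    #2 0x4dfa52 (/wolfssl/examples/benchmark/tls_bench+0x4dfa52)
Thread T2 created by T0 here:
    #0 0x435490 (/wolfssl/examples/benchmark/tls_bench+0x435490)
    #1 0x50cbf5 (/wolfssl/examples/benchmark/tls_bench+0x50cbf5)
    #2 0x5101d0 (/wolfssl/examples/benchmark/tls_bench+0x5101d0)
    #3 0x7fef239b1b96 (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
"""

Frame = Tuple[str, int]  # (module path, module-relative offset)

# Unsymbolized frame: '#0 0x50ff15 (/path/to/module+0x50ff15)'
FRAME_RE = re.compile(r'^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+\((\S+?)\+0x([0-9a-fA-F]+)\)')
ACCESS_RE = re.compile(r'(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+')
REGION_RE = re.compile(r'is located (\d+) bytes to the (left|right) of (\d+)-byte region')


def parse_stacks(report: str) -> List[List[Frame]]:
    """Split a report into its stack traces (access, allocation, thread creation, ...).

    A frame numbered #0 starts a new stack; every other frame line extends the current one.
    """
    stacks: List[List[Frame]] = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        idx, module, offset = int(m.group(1)), m.group(2), int(m.group(3), 16)
        if idx == 0 or not stacks:
            stacks.append([])
        stacks[-1].append((module, offset))
    return stacks


def describe_access(report: str) -> Dict[str, object]:
    """Turn the access line and the 'is located ... of N-byte region' line into an index.

    ASan gives the distance from the nearest edge of the allocation:
    'right' means addr == region_end + distance, 'left' means addr == region_start - distance.
    """
    access = ACCESS_RE.search(report)
    region = REGION_RE.search(report)
    if not access or not region:
        raise ValueError("not a heap-buffer-overflow report with an access and a region line")
    distance, side, region_size = int(region.group(1)), region.group(2), int(region.group(3))
    index = region_size + distance if side == "right" else -distance
    size = int(access.group(2))
    return {
        "access": access.group(1),
        "size": size,
        "region_size": region_size,
        "index": index,  # element index relative to the start of the allocation
        # One-byte access landing exactly at region_end is the classic buf[len] off-by-one.
        "off_by_one": side == "right" and distance == 0 and size == 1,
    }


def modules_in(stack: List[Frame]) -> List[str]:
    """Distinct modules in stack order. Without symbols this is all the report tells you:
    which binary or shared object faulted, not which source file inside it."""
    seen: List[str] = []
    for module, _ in stack:
        if module not in seen:
            seen.append(module)
    return seen


def symbolize_commands(stack: List[Frame], tool: str = "llvm-symbolizer") -> List[str]:
    """One shell command per frame that maps module+offset to function and file:line.

    Must be run against the very same build that produced the report (offsets are
    build-specific) and needs debug info (-g) in those binaries.
    """
    cmds = []
    for module, offset in stack:
        if tool == "llvm-symbolizer":
            cmds.append(f"llvm-symbolizer --obj={module} 0x{offset:x}")
        elif tool == "addr2line":
            cmds.append(f"addr2line -f -C -e {module} 0x{offset:x}")
        else:
            raise ValueError(f"unknown tool {tool!r}")
    return cmds


if __name__ == "__main__":
    stacks = parse_stacks(SAMPLE_REPORT)
    info = describe_access(SAMPLE_REPORT)
    print(f"{info['access']} of {info['size']} byte(s) at index {info['index']} "
          f"of a {info['region_size']}-byte allocation; off-by-one: {info['off_by_one']}")
    print("modules on the faulting stack:", modules_in(stacks[0]))
    print("\n".join(symbolize_commands(stacks[0])))
```

For the quoted report this yields "WRITE of 1 byte(s) at index 1024 of a 1024-byte allocation", i.e. a write to the byte immediately past the end, and a faulting stack whose first two frames are in the `tls_bench` binary with the rest in libpthread and libc. Since the page does not say whether the library is linked statically into the benchmark, that alone does not settle Alex's question of wolfSSL code versus benchmark code; only the resolved file:line does. The cheaper route is to let ASan symbolize at runtime: build with `-g -fsanitize=address` and either have `llvm-symbolizer` on `PATH` or point the `ASAN_SYMBOLIZER_PATH` environment variable at it, as the linked Clang documentation describes.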
