bug-recutils

Re: Bug Report


From: Zander
Subject: Re: Bug Report
Date: Mon, 20 Sep 2021 20:27:08 +0800

Dear Jose,

Thanks for your email.

The bug report is as follows:

Reporter: Huang Wenjie
Email: wenjiezander@gmail.com
Library Name: Recutils
Version: 1.8
Component: csv2rec
Operating System: Ubuntu 20.04.2 LTS
Download link for crash seed: https://drive.google.com/file/d/1zEzaZt-JKqAncYNcnQ6ivJGaNvzmCxEa/view?usp=sharing
Bug found (Fig. 1):
Dereference of a high value address.

Detailed output:

afl++]root@85986c413f46:/src/recutils-1.8# ./install/bin/csv2rec output/slave4_fuzzer/crashes/id\:000006\,sig\:11\,src\:000008\,time\:18042\,op\:havoc\,rep\:2
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4289==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f150315e6a7 bp 0x7ffe4e13dfb0 sp 0x7ffe4e13d768 T0)
==4289==The signal is caused by a READ memory access.
==4289==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x7f150315e6a7  (/lib/x86_64-linux-gnu/libc.so.6+0x18b6a7)
    #1 0x484022 in strdup (/src/recutils-1.8/install/bin/csv2rec+0x484022)
    #2 0x5f1884 in rec_field_set_name /src/recutils-1.8/src/rec-field.c:78:17
    #3 0x5f1884 in rec_field_new /src/recutils-1.8/src/rec-field.c:109:12
    #4 0x4d0052 in field_cb /src/recutils-1.8/utils/csv2rec.c:264:19
    #5 0x6f5d1c in csv_parse /src/recutils-1.8/libcsv/libcsv.c
    #6 0x4cea2c in process_csv /src/recutils-1.8/utils/csv2rec.c:374:11
    #7 0x4cea2c in main /src/recutils-1.8/utils/csv2rec.c:395:8
    #8 0x7f1502ffa0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #9 0x41d68d in _start (/src/recutils-1.8/install/bin/csv2rec+0x41d68d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18b6a7)
==4289==ABORTING

GDB output:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007f273f9e76a7 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007f273f9e76a7 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x0000000000484023 in strdup ()
#2  0x00000000005f1885 in rec_field_set_name (field=0x6060000006e0, name=0xbebebebebebebebe <error: Cannot access memory at address 0xbebebebebebebebe>) at rec-field.c:78
#3  rec_field_new (name=<optimized out>, value=<optimized out>) at rec-field.c:109
#4  0x00000000004d0053 in field_cb (s=<optimized out>, len=<optimized out>, data=<optimized out>) at csv2rec.c:264
#5  0x00000000006f5d1d in csv_parse (p=<optimized out>, s=<optimized out>, len=<optimized out>, cb1=<optimized out>, cb2=<optimized out>, data=<optimized out>) at libcsv.c:412
#6  0x00000000004cea2d in process_csv () at csv2rec.c:374
#7  main (argc=<optimized out>, argv=<optimized out>) at csv2rec.c:395


Steps to reproduce the bug:

In recutils-1.8, compile csv2rec into a binary executable
./configure
make
make install
Run the executable with the crash_seed (A download link for the crash seed is provided above)
./csv2rec crash_seed

Observation:
The variable “name” with an invalid address is passed into the function “rec_field_set_name” in “recutils-1.8/src/rec-field.c:109”, and the function “strdup” in “rec_field_set_name” tries to read from the invalid address, which results in a dereference of a high value address. A proof of the invalid address is shown in Fig. 2.

Further investigation is required to examine why this invalid address is produced. 

Look forward to hearing from you.

Best regards,
Wen Jie

On Mon, Sep 20, 2021 at 6:38 PM Jose E. Marchesi <jemarch@gnu.org> wrote:

>> Dear Development Team,
>>
>> I have tried to reach you in June over a potential vulnerability but have
>> not heard back from you.
>> Any feedback on your side will be appreciated, thanks.
>
> I would appreciate if you would re-send the details on the potential
> vulnerability, inlined in an email and not as a docx document.
>
> Thanks.
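The traces above establish only that the libcsv field callback in csv2rec.c (field_cb, line 264) handed rec_field_new a name pointer of 0xbebebebebebebebe; 0xbe is AddressSanitizer's default fill byte for freshly malloc'd memory, so that pointer was read from memory that had been allocated but never written. The following is an added, constructed illustration of how a libcsv-style field callback can fail closed instead of indexing past its initialised header names; it is not csv2rec's code and not a diagnosis of the 1.8 defect, and the names csv_state, field_cb_safe and deliver_row are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Constructed state shared with a libcsv-style field callback, whose
 * signature is  void cb(void *s, size_t len, void *data).
 * libcsv delivers the field bytes WITHOUT a terminating NUL. */
struct csv_state {
    const char **names;   /* header field names, one per column */
    size_t       ncols;   /* number of initialised entries in names[] */
    size_t       col;     /* column of the field being delivered */
    int          error;   /* set once a row is wider than the header */
    size_t       nfields; /* fields successfully converted so far */
};

/* Hardened callback: bounds-check the column before indexing names[], so a
 * row wider than the header can never hand an uninitialised pointer to
 * strdup(), and copy exactly len bytes of the (non-NUL-terminated) value. */
static void field_cb_safe(void *s, size_t len, void *data)
{
    struct csv_state *st = data;
    size_t col = st->col++;
    if (st->error || col >= st->ncols) { st->error = 1; return; }

    char *name  = strdup(st->names[col]);
    char *value = malloc(len + 1);
    if (!name || !value) { st->error = 1; free(name); free(value); return; }
    memcpy(value, s, len);
    value[len] = '\0';
    /* A real tool would build a record field from (name, value) here. */
    st->nfields++;
    free(name);
    free(value);
}

/* Push a constructed row of nfields fields (at most 3) through the callback
 * against a two-column header. Returns the number of fields converted, or
 * -1 if the row was rejected as wider than the header. */
int deliver_row(size_t nfields)
{
    const char *hdr[] = { "Name", "Email" };
    const char *row[] = { "Huang", "wj@example.invalid", "extra" };
    struct csv_state st = { hdr, 2, 0, 0, 0 };
    if (nfields > 3) nfields = 3;
    for (size_t i = 0; i < nfields; i++)
        field_cb_safe((void *)row[i], strlen(row[i]), &st);
    return st.error ? -1 : (int)st.nfields;
}
```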
