Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#4535 closed defect (fixed)

buffer overflow WKB parser

Reported by: komzpa
Owned by: pramsey
Priority: medium
Milestone: PostGIS 3.0.0
Component: postgis
Version: 2.5.x -- EOL
Keywords:
Cc:

Description

https://oss-fuzz.com/testcase-detail/5760493611909120

	+----------------------------------------Release Build Stacktrace----------------------------------------+
Command:
Bot: oss-fuzz-linux-zone2-host-t2dp-7
Time ran: 0.0286400318146
INFO: Seed: 3532246483
INFO: Loaded 1 modules   (6940 inline 8-bit counters): 6940 [0x925a80, 0x92759c),
INFO: Loaded 1 PC tables (6940 PCs): 6940 [0x9275a0,0x942760),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_postgis_e19bef733edf89095a9ecb61d62f7c8cdbe5dad1/revisions/wkb_import_fuzzer: Running 1 inputs 100 time(s) each.
Running: /crash-d6bf73963fa5477e12879b836d42b6baba03049b
=================================================================
==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000b9 at pc 0x0000006100bc bp 0x7ffe6de51f30 sp 0x7ffe6de51f28
READ of size 4 at 0x6020000000b9 thread T0
SCARINESS: 17 (4-byte-read-heap-buffer-overflow)
    #0 0x6100bb in integer_from_wkb_state /src/postgis/liblwgeom/lwin_wkb.c:277:2
    #1 0x612443 in ptarray_from_wkb_state /src/postgis/liblwgeom/lwin_wkb.c:342:12
    #2 0x6113f7 in lwpoly_from_wkb_state /src/postgis/liblwgeom/lwin_wkb.c:521:20
    #3 0x611eda in lwgeom_from_wkb /src/postgis/liblwgeom/lwin_wkb.c:783:9
    #4 0x4c9d2d in LLVMFuzzerTestOneInput /src/postgis/fuzzers/wkb_import_fuzzer.cpp:116:22
    #5 0x51a546 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:556:15
    #6 0x4cb08f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:292:6
    #7 0x4d8cf2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:774:9
    #8 0x4ca6d7 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #9 0x7f91e2a9e82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
    #10 0x41e4e9 in _start
0x6020000000b9 is located 0 bytes to the right of 9-byte region [0x6020000000b0,0x6020000000b9)
allocated by thread T0 here:
    #0 0x4c647d in operator new[](unsigned long) /src/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102:3
    #1 0x51a2f2 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:541:23
    #2 0x4cb08f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:292:6
    #3 0x4d8cf2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:774:9
    #4 0x4ca6d7 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #5 0x7f91e2a9e82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_postgis_e19bef733edf89095a9ecb61d62f7c8cdbe5dad1/revisions/wkb_import_fuzzer+0x6100bb)
==1==ABORTING

Attachments (1)

clusterfuzz-testcase-minimized-wkb_import_fuzzer-5760493611909120 (9 bytes) - added by komzpa 5 years ago.


Change History (5)

comment:1 by Algunenano, 5 years ago

This issue doesn't affect postgis as an extension, just liblwgeom, as the error happens after an lwerror call. I'm trying to find the most appropriate way to handle it without cluttering the WKB code.

comment:3 by Raul Marin, 5 years ago

Resolution: fixed
Status: new → closed

In 17904:

WKB: Avoid buffer overflow

This only happens when not running under PG context, as
lwerror continues execution and that means that even after
detecting there aren't enough bytes it still tries to read from the buffer

Closes #4535
Closes https://github.com/postgis/postgis/pull/495

comment:4 by Raul Marin, 5 years ago

In 17906:

Memory leak in lwpoly_from_wkb_state

References #4535
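
The failure mode described in comment:3, shown as an added example that is not PostGIS code: a bounds check whose error reporter returns to the caller, next to a form that sets a sticky error flag and returns before the read. All names (wkb_state, read_u32_safe, first_ring_npoints, report_error) are hypothetical, and the 9-byte input is constructed for illustration, not the attached testcase.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical parse state; names are illustrative, not liblwgeom's. */
typedef struct {
    const uint8_t *buf, *pos;
    size_t size;
    int error;                  /* sticky: set once, honoured by every read */
} wkb_state;

/* Stand-in for an error reporter that logs and RETURNS to its caller. */
static int errors_reported;
static void report_error(void) { errors_reported++; }
static uint32_t le32(const uint8_t *p)
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Pre-fix shape: the check reports, then execution falls through to the read. */
uint32_t read_u32_unsafe(wkb_state *s)
{
    if ((size_t)(s->pos - s->buf) + 4 > s->size)
        report_error();         /* detected, but not stopped */
    s->pos += 4;
    return le32(s->pos - 4);    /* reads past the buffer on short input */
}

/* Hardened shape: record the failure and return before touching the buffer. */
uint32_t read_u32_safe(wkb_state *s)
{
    if (s->error) return 0;
    if (s->size - (size_t)(s->pos - s->buf) < 4) {
        s->error = 1; report_error();
        return 0;
    }
    s->pos += 4;
    return le32(s->pos - 4);
}

/* Constructed 9-byte input: byte order, polygon type, ring count, then nothing. */
const uint8_t truncated_polygon[9] = { 1, 3, 0, 0, 0, 1, 0, 0, 0 };
/* Point count of the first ring, or -1 if the input is truncated or has no ring. */
long first_ring_npoints(const uint8_t *wkb, size_t size)
{
    if (size < 1) return -1;
    wkb_state s = { wkb, wkb + 1, size, 0 };  /* skip byte-order flag (LE assumed) */
    (void)read_u32_safe(&s);                  /* geometry type */
    uint32_t nrings = read_u32_safe(&s);
    uint32_t npoints = read_u32_safe(&s);     /* the 4-byte read at offset 9 */
    return (s.error || nrings == 0) ? -1 : (long)npoints;
}
```

read_u32_unsafe is kept only to show the pre-fix control flow; calling it on truncated_polygon would reproduce the 4-byte read immediately past a 9-byte allocation that the AddressSanitizer report shows.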
