View Issue Details

ID: 0000006
Project: file
Category: General
View Status: public
Last Update: 2018-08-01 09:05
Reporter: tobias
Assigned To: christos
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: i686
OS: Linux
OS Version: 4.17.2
Summary: 0000006: out of boundary read in DER parser

Description:
It is possible to trigger an out of boundary read in DER parser if a custom magic file is used.

Parsing the length of a tag allows UINT32_MAX which will overflow the check if enough memory is available.

It is therefore needed to check for an UINT32_MAX overflow before checking the available amount of data.

Steps To Reproduce:
$ mkdir ~/magic
$ cp der-magic ~/magic
$ file -m ~/magic poc.der
Segmentation fault (core dumped)
$ _

Tags: No tags attached.
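
The wraparound described above, as an added example that is not part of the report or of file's own source: a DER length decoder that models the 32-bit offsets of the reported i686 platform with uint32_t and runs the original bound check beside the patched one. The names get_length, length_after_tag and LEN_BAD and both byte strings are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define LEN_BAD UINT32_MAX	/* sentinel for a rejected length (assumption) */

/*
 * Decode the DER length field at buf[*p], with l bytes in buf. Offsets are
 * uint32_t to model the 32-bit size_t of the i686 platform in the report.
 * hardened == 0: only the original "*p + len >= l" bound check.
 * hardened != 0: wraparound test first, as in the attached patch.
 */
static uint32_t get_length(const uint8_t *buf, uint32_t *p, uint32_t l, int hardened)
{
	uint32_t len = 0, digits = 0, i;
	uint8_t first;
	if (*p >= l)
		return LEN_BAD;
	first = buf[(*p)++];
	if (first & 0x80)
		digits = first & 0x7f;	/* long form: number of length octets */
	else
		len = first;		/* short form: the length itself */
	if (digits > sizeof(len) || digits > l - *p)
		return LEN_BAD;		/* length octets must fit in len and in buf */
	for (i = 0; i < digits; i++)
		len = (len << 8) | buf[(*p)++];
	if (hardened && len > UINT32_MAX - *p)
		return LEN_BAD;		/* *p + len would wrap */
	if (*p + len >= l)		/* the sum is taken modulo 2^32 */
		return LEN_BAD;
	return len;
}

/* Constructed inputs: one-byte tag, length field, content. */
static const uint8_t sample_wrap[] = { 0x01, 0x84, 0xff, 0xff, 0xff, 0xfe, 0x00 };
static const uint8_t sample_ok[] = { 0x01, 0x01, 0xff, 0x00 };

/* Decode the length that follows the tag byte at offset 0. */
static uint32_t length_after_tag(const uint8_t *buf, uint32_t l, int hardened)
{
	uint32_t p = 1;
	return get_length(buf, &p, l, hardened);
}

int main(void)
{
	printf("original: %#x, patched: %#x\n",
	    (unsigned)length_after_tag(sample_wrap, sizeof(sample_wrap), 0),
	    (unsigned)length_after_tag(sample_wrap, sizeof(sample_wrap), 1));
	return (int)length_after_tag(sample_ok, sizeof(sample_ok), 1) - 1;
}
```

With only the original check, the 7-byte input is accepted with a claimed length of 0xfffffffe because 6 + 0xfffffffe wraps to 4; the patched check rejects it, and the well-formed short-form input passes both.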

Activities

tobias

2018-06-22 14:55

reporter  

file-5.33-der.patch (326 bytes)   
--- file-5.33/src/der.c~	2018-06-17 13:03:38.680169477 +0200
+++ file-5.33/src/der.c	2018-06-17 13:03:42.128607756 +0200
@@ -199,7 +199,7 @@
 	for (i = 0; i < digits; i++)
 		len = (len << 8) | c[(*p)++];
 
-	if (*p + len >= l)
+	if (len > UINT32_MAX - *p || *p + len >= l)
 		return DER_BAD;
 	return CAST(uint32_t, len);
 }
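Review bot: On the changed `if` line, the guard compares against `UINT32_MAX`, which matches the wraparound point only if `*p` and `len` are 32 bits wide; their declarations are outside this hunk, and the `CAST(uint32_t, len)` on return suggests `len` may be a wider type. A subtraction form such as `if (*p > l || len >= l - *p) return DER_BAD;` avoids the addition altogether and holds for any width. Separately, the loop above it reads `c[(*p)++]` `digits` times before any comparison with `l` appears in the visible lines, so it is worth confirming that `digits` is bounded against both the remaining data and the size of `len` before the loop runs.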
poc.der (28 bytes)
der-magic (30 bytes)   
0	der	bool=x	Proof of Concept

christos

2018-06-23 15:15

manager   ~0000003

Patch applied, thanks!

christos

2018-08-01 09:05

manager   ~0000029

feedback timeout

Issue History

Date Modified Username Field Change
2018-06-22 14:55 tobias New Issue
2018-06-22 14:55 tobias File Added: file-5.33-der.patch
2018-06-22 14:55 tobias File Added: poc.der
2018-06-22 14:55 tobias File Added: der-magic
2018-06-23 15:15 christos Assigned To => christos
2018-06-23 15:15 christos Status new => assigned
2018-06-23 15:15 christos Status assigned => feedback
2018-06-23 15:15 christos Note Added: 0000003
2018-08-01 09:05 christos Status feedback => resolved
2018-08-01 09:05 christos Resolution open => fixed
2018-08-01 09:05 christos Note Added: 0000029