0000006: out of boundary read in DER parser

ID	Project	Category	View Status	Date Submitted	Last Update

0000006	file	General	public	2018-06-22 14:55	2018-08-01 09:05

Reporter	tobias	Assigned To	christos
Priority	normal	Severity	crash	Reproducibility	always
Status	resolved	Resolution	fixed
Platform	i686	OS	Linux	OS Version	4.17.2

Summary	0000006: out of boundary read in DER parser
Description	It is possible to trigger an out of boundary read in DER parser if a custom magic file is used. Parsing the length of a tag allows UINT32_MAX which will overflow the check if enough memory is available. It is therefore needed to check for an UINT32_MAX overflow before checking the available amount of data.
Steps To Reproduce	$ mkdir ~/magic $ cp der-magic ~/magic $ file -m ~/magic poc.der Segmentation fault (core dumped) $ _
Tags	No tags attached.

tobias 2018-06-22 14:55 reporter	file-5.33-der.patch (326 bytes) --- file-5.33/src/der.c~ 2018-06-17 13:03:38.680169477 +0200 +++ file-5.33/src/der.c 2018-06-17 13:03:42.128607756 +0200 @@ -199,7 +199,7 @@ for (i = 0; i < digits; i++) len = (len << 8) \| c[(p)++]; - if (p + len >= l) + if (len > UINT32_MAX - p \|\| p + len >= l) return DER_BAD; return CAST(uint32_t, len); } file-5.33-der.patch (326 bytes) poc.der (28 bytes) der-magic (30 bytes) 0 der bool=x Proof of Concept der-magic (30 bytes)

christos 2018-06-23 15:15 manager ~0000003	Patch applied thanks!

christos 2018-08-01 09:05 manager ~0000029	feedback timeout

Date Modified	Username	Field	Change
2018-06-22 14:55	tobias	New Issue
2018-06-22 14:55	tobias	File Added: file-5.33-der.patch
2018-06-22 14:55	tobias	File Added: poc.der
2018-06-22 14:55	tobias	File Added: der-magic
2018-06-23 15:15	christos	Assigned To	=> christos
2018-06-23 15:15	christos	Status	new => assigned
2018-06-23 15:15	christos	Status	assigned => feedback
2018-06-23 15:15	christos	Note Added: 0000003
2018-08-01 09:05	christos	Status	feedback => resolved
2018-08-01 09:05	christos	Resolution	open => fixed
2018-08-01 09:05	christos	Note Added: 0000029