Details
A global buffer overflow exists in idlc 0.11.0 and previous versions when parsing malformed IDL input files. The issue occurs in the put_a_line() function in cyclonedds/src/tools/idlpp/src/main.c. When the out_p pointer is decremented inside the while loop, there is no check against the minimum allowed value, so the pointer ends up pointing outside the intended memory area.
Impact
Availability of the IDLC tool is impacted (crash), or other undefined behavior could occur, depending on the input and on the skills of an attacker. No exploitation of this issue is known at this point.
=================================================================
==6054==ERROR: AddressSanitizer: global-buffer-overflow on address 0x560b5d677e1f at pc 0x560b5ca80315 bp 0x7ffd4d214230 sp 0x7ffd4d214228
READ of size 1 at 0x560b5d677e1f thread T0
#0 0x560b5ca80314 in put_a_line /home/andres/misc/framework/repos/cyclonedds/src/tools/idlpp/src/main.c:975:23
#1 0x560b5ca80314 in putout /home/andres/misc/framework/repos/cyclonedds/src/tools/idlpp/src/main.c:895:9
#2 0x560b5ca7bb4a in mcpp_main /home/andres/misc/framework/repos/cyclonedds/src/tools/idlpp/src/main.c:753:9
#3 0x560b5ca7bb4a in mcpp_lib_main /home/andres/misc/framework/repos/cyclonedds/src/tools/idlpp/src/main.c:430:5
#4 0x560b5ca737f7 in idlc_parse /home/andres/misc/framework/repos/cyclonedds/src/tools/idlc/src/idlc/idlc.c:375:9
#5 0x560b5ca7289a in main /home/andres/misc/framework/repos/cyclonedds/src/tools/idlc/src/idlc/idlc.c:772:16
#6 0x7fe0bef666c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#7 0x7fe0bef66784 in __libc_start_main csu/../csu/libc-start.c:360:3
#8 0x560b5c996a70 in _start (/home/andres/misc/framework/repos/cyclonedds/build/bin/idlc+0x75a70) (BuildId: 8d2b5b808e574981)
0x560b5d677e1f is located 1 bytes before global variable 'output' defined in '/home/andres/misc/framework/repos/cyclonedds/src/tools/idlpp/src/main.c:597' (0x560b5d677e20) of size 262144
0x560b5d677e1f is located 23 bytes after global variable 'src_col' defined in '/home/andres/misc/framework/repos/cyclonedds/src/tools/idlpp/src/main.c:264' (0x560b5d677e00) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow /home/andres/misc/framework/repos/cyclonedds/src/tools/idlpp/src/main.c:975:23 in put_a_line
...
==ABORTING
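The defect shape described above (a pointer decremented in a loop with no lower bound, which the ASan report catches one byte before the global 'output' buffer) is easiest to see in isolation. The following is an added illustration in C, not code from Cyclone DDS or from the mcpp preprocessor it bundles: a small global line buffer, a trailing-space trimmer written in the unchecked shape beside a bounds-checked one, and two sentinel bytes placed in front of the buffer so that the out-of-bounds read lands on memory this program owns when it is run without AddressSanitizer. All names (arena, output, load_line, set_byte_before_output, trim_unchecked, trim_checked) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not the idlpp/mcpp source. It reproduces only the
 * shape of the reported defect: a pointer (out_p) decremented in a while
 * loop with no lower-bound check, so it can walk off the front of a
 * global line buffer. */

#define OUT_SIZE 64

/* Two bytes in front of the logical buffer. In the real binary the byte
 * before 'output' belonged to the padding after 'src_col'; here they are
 * sentinels so the out-of-bounds read hits memory this program owns.
 * arena[0] is always non-space so the unchecked loop terminates. */
static char arena[2 + OUT_SIZE];
static char *const output = arena + 2;

/* Controls what the unchecked loop finds when it steps before 'output'. */
static void set_byte_before_output(char c)
{
    arena[1] = c;
    arena[0] = '#';
}

/* Copies a line into the buffer (truncating to OUT_SIZE) and returns its length. */
static size_t load_line(const char *text)
{
    size_t n = strlen(text);
    if (n > OUT_SIZE)
        n = OUT_SIZE;
    memcpy(output, text, n);
    return n;
}

/* Vulnerable shape: start on the last byte and step back over spaces.
 * For an all-space line the loop reads output[-1] and beyond, which is the
 * "READ of size 1 ... 1 bytes before global variable 'output'" in the
 * ASan report. Returns the trimmed length, which can go negative here
 * because the result depends on bytes the function does not own. */
static ptrdiff_t trim_unchecked(size_t len)
{
    char *out_p = output + len - 1;
    while (*out_p == ' ')       /* no check that out_p >= output */
        out_p--;
    return (out_p + 1) - output;
}

/* Hardened shape: keep out_p one past the end and test the bound before
 * dereferencing, so no byte in front of the buffer is ever read.
 * Returns the trimmed length, always in [0, len]. */
static size_t trim_checked(size_t len)
{
    char *out_p = output + len;
    while (out_p > output && out_p[-1] == ' ')
        out_p--;
    return (size_t)(out_p - output);
}

int main(void)
{
    size_t n = load_line("hello   ");
    printf("unchecked: %td  checked: %zu\n", trim_unchecked(n), trim_checked(n));

    n = load_line("    ");      /* all spaces: the case the checks matter for */
    set_byte_before_output('X');
    printf("all-space, byte before buffer 'X': unchecked %td\n", trim_unchecked(n));
    set_byte_before_output(' ');
    printf("all-space, byte before buffer ' ': unchecked %td (negative!)\n", trim_unchecked(n));
    printf("all-space: checked %zu\n", trim_checked(n));
    return 0;
}
```

The unchecked variant gives the right answer for ordinary lines and even for an all-space line when the byte in front of the buffer happens to be non-space, which is why this class of bug survives normal testing; only the sentinel (or AddressSanitizer, when output is a plain array and the read is genuinely out of bounds) exposes that its result is governed by memory outside the buffer. The checked variant compares out_p against the buffer start before every dereference, which is the missing lower-bound check the report points at.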
Note: Posted here as no Security Policy is set for the project.
I've just added one, simply pointing to the Eclipse Foundation's vulnerability reporting information. So that was easy.
I think it is fortunate that the issue you had to report in the open happens to be in the IDL compiler: it is a difficult attack vector to exploit because most people using a DDS implementation don't take random files from the internet and feed them to the IDL compiler.
Finally, I can reproduce it and will look into it.
PoC
Run: $ idlc asan-global-bof.idl
Input: https://github.com/CarlosAndresRamirez/PoCs/blob/main/CycloneDDS-idlc_2023-11-24/asan-global-bof.idl
Credits
Carlos Andres Ramirez
https://carlos.engineer
Goktug Serez
https://github.com/g0ku704
Xin Huang
https://github.com/xinhuang