Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Uninitialized GFF line info causes out-of-bounds-read, possible out-of-bounds-write. #11

Open
carter-yagemann opened this issue Oct 4, 2021 · 1 comment
Open

Uninitialized GFF line info causes out-of-bounds-read, possible out-of-bounds-write. #11

carter-yagemann opened this issue Oct 4, 2021 · 1 comment

Comments

@carter-yagemann
Copy link

Reproduce

PoC Input: min.gz

Steps to Reproduce:

  1. Compile GffRead v0.12.7 (will fetch GCLib v0.12.7)
  2. Decompress PoC input: gzip -d min.gz
  3. Run: ./gffread -E min -o out

Output:

Command line was:
./gffread -E min -o out
Segmentation fault

Root Cause

gclib/gff.cpp

Lines 413 to 432 in 8aee376

while (line[i]!=0) {
if (line[i]=='\t') {
line[i]=0;
t[tidx]=line+i+1;
tidx++;
//if (tidx>8) break;
}
i++;
}
if (tidx<8) { // ignore non-GFF lines
return;
}
if (tidx>9) {
GMessage("Warning: unexpected tab character in last column, line truncated:\n\%s\n",l);
}
gffWarnings=reader->gff_warns;
gseqname=t[0];
track=t[1];
ftype=t[2];
info=t[8];

When GCLib reads a GFF line with no info segment, the char * at t[8] will not be set, causing it to take on whatever stale value happens to be in that location of the stack. Triggered accidentally, this can cause a segfault due to reading an invalid address here:

gclib/gff.cpp

Line 118 in 8aee376

while (notfound && *pos) {

However, a maliciously crafted input may be able to place a valid pointer at this location, causing a more severe vulnerability.

Proposed Patch

At a minimum, t should be zeroed during initialization:

*** v0.12.7/gclib/gff.cpp     2021-07-23 10:31:39.000000000 -0400
--- new/gclib/gff.cpp       2021-10-04 10:54:52.989309121 -0400
*************** GffLine::GffLine(GffReader* reader, cons
*** 405,411 ****
   GMALLOC(dupline, llen+1);
   memcpy(dupline, l, llen+1);
   skipLine=true; //clear only if we make it to the end of this function
!  char* t[9];
   int i=0;
   int tidx=1;
   t[0]=line;
--- 405,411 ----
   GMALLOC(dupline, llen+1);
   memcpy(dupline, l, llen+1);
   skipLine=true; //clear only if we make it to the end of this function
!  char* t[9] = {0};
   int i=0;
   int tidx=1;
   t[0]=line;

Ideally, the library should gracefully handle no info being found (this only works if t is zero initialized):

*** v0.12.7/gclib/gff.cpp     2021-07-23 10:31:39.000000000 -0400
--- new/gclib/gff.cpp       2021-10-04 10:54:52.989309121 -0400
*************** GffLine::GffLine(GffReader* reader, cons
*** 430,435 ****
--- 430,439 ----
   track=t[1];
   ftype=t[2];
   info=t[8];
+  if (!info) {
+    GMessage("Warning: missing info:\n%s\n",l);
+    return;
+  }
   char* p=t[3];
   if (!parseUInt(p,fstart)) {
     //chromosome_band entries in Flybase

Credit

This bug was detected using AFL and localized using ARCUS.
@carnil
Copy link

carnil commented Oct 11, 2021

This issue seems to have CVE-2021-42006 assigned.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@carnil @carter-yagemann