[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Heap based buffer overflow in wolfSSL
From: Alexander Potapenko <glider () google ! com>
Date: 2019-01-16 15:00:49
Message-ID: CAG_fn=XwtjiiqtRveFpvbpg_gE9McZbNUOckS0ox4ZdDvu4tHA () mail ! gmail ! com
[Download RAW message or body]
On Wed, Jan 16, 2019 at 12:44 PM Dhiraj Mishra
<mishra.dhiraj95@gmail.com> wrote:
>
> Hi List,
Hello,
I cannot judge whether this is a real problem or not, but the report
below is definitely missing critical information, like symbols,
filenames and line numbers.
Without those it's even impossible to tell a bug in wolfSSL code from
a bug in the benchmark itself.
You can refer to
https://clang.llvm.org/docs/AddressSanitizer.html#symbolizing-the-reports
for the instructions on how to get symbol information.
HTH,
Alex
> ## Summary:
> wolfSSL is an C-language-based SSL/TLS library targeted at IoT, embedded,
> and RTOS environments a heap-based-buffer overflow was observed in
> tls_bench.c which is a benchmark tool in wolfSSL.
>
> ## ASAN
> ==4088==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x619000000480 at pc 0x00000050ff16 bp 0x7fef206fdbf0 sp 0x7fef206fdbe8
> WRITE of size 1 at 0x619000000480 thread T2
> #0 0x50ff15 (/wolfssl/examples/benchmark/tls_bench+0x50ff15)
> #1 0x4dfa52 (/wolfssl/examples/benchmark/tls_bench+0x4dfa52)
> #2 0x7fef243ac6da (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
> #3 0x7fef23ab188e (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
>
> 0x619000000480 is located 0 bytes to the right of 1024-byte region
> [0x619000000080,0x619000000480)
> allocated by thread T2 here:
> #0 0x4d1fa0 (/wolfssl/examples/benchmark/tls_bench+0x4d1fa0)
> #1 0x50f277 (/wolfssl/examples/benchmark/tls_bench+0x50f277)
> #2 0x4dfa52 (/wolfssl/examples/benchmark/tls_bench+0x4dfa52)
>
> Thread T2 created by T0 here:
> #0 0x435490 (/wolfssl/examples/benchmark/tls_bench+0x435490)
> #1 0x50cbf5 (/wolfssl/examples/benchmark/tls_bench+0x50cbf5)
> #2 0x5101d0 (/wolfssl/examples/benchmark/tls_bench+0x5101d0)
> #3 0x7fef239b1b96 (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> (/wolfssl/examples/benchmark/tls_bench+0x50ff15)
> Shadow bytes around the buggy address:
> 0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c327fff8090:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==4088==ABORTING
>
> References:
> https://github.com/wolfSSL/wolfssl
> https://github.com/wolfSSL/wolfssl/issues/2032
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6439
>
>
> Thank you
> @mishradhiraj_
--
Alexander Potapenko
Software Engineer
Google Germany GmbH
Erika-Mann-Straße, 33
80636 München
Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic