Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix vuln OSV-2024-947 #1699

Open
wants to merge 6 commits into
base: dev
Choose a base branch
from
Open

Fix vuln OSV-2024-947 #1699

wants to merge 6 commits into from
+5 −0

Conversation

aled-ua
Copy link
Contributor

@aled-ua aled-ua commented Jan 23, 2025

[Warning] This PR is generated by AI

  1. PR Title: Fix for Heap-Buffer-Overflow Vulnerability in PcapPlusPlus - OSV-2024-947

  2. PR Description:

    • Bug Type: Heap-Buffer-Overflow
    • Summary: A heap-buffer-overflow vulnerability was discovered in PcapPlusPlus. The issue arises in the function pcpp::SomeIpSdLayer::getEntries() when attempting to create new SomeIpSdEntry objects without properly checking if sufficient memory is available in the buffer. This leads to access beyond the allocated memory, causing a heap-buffer-overflow.
    • Fix Summary: The patch introduces a bounds check in the getEntries function to ensure the remaining buffer length is adequate before creating a new SomeIpSdEntry object. If the length is insufficient, the loop terminates, preventing out-of-bounds access. This fix enhances the program's security and stability by preventing invalid memory access.

  3. Sanitizer Report Summary: The AddressSanitizer report identified a heap-buffer-overflow when the program attempted to access 1 byte beyond a 66-byte allocated buffer. The issue occurs in pcpp::SomeIpSdEntry::SomeIpSdEntry and is triggered via the pcpp::SomeIpSdLayer::getEntries() function. The root cause is the lack of a bounds check before creating a new SomeIpSdEntry object.

  4. Full Sanitizer Report:

    ==19259==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5070000000d4 at pc 0x563b691eb8e4 bp 0x7ffc2be6b2a0 sp 0x7ffc2be6b298
READ of size 1 at 0x5070000000d4 thread T0
    #0 0x563b691eb8e3 in pcpp::SomeIpSdEntry::SomeIpSdEntry(pcpp::SomeIpSdLayer const*, unsigned long) /root/Packet++/src/SomeIpSdLayer.cpp:243:62
    #1 0x563b691ecf17 in pcpp::SomeIpSdLayer::getEntries() const /root/Packet++/src/SomeIpSdLayer.cpp:501:16
    #2 0x563b6911ab41 in readParsedPacket(pcpp::Packet, pcpp::Layer*) /root/Tests/Fuzzers/ReadParsedPacket.h:66:32
    #3 0x563b69118e82 in LLVMFuzzerTestOneInput /root/Tests/Fuzzers/FuzzTarget.cpp:66:5
    #4 0x563b690236d4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/out/FuzzTarget+0xd66d4) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #5 0x563b6900c806 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/out/FuzzTarget+0xbf806) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #6 0x563b690122ba in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/out/FuzzTarget+0xc52ba) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #7 0x563b6903ca76 in main (/root/out/FuzzTarget+0xefa76) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #8 0x7f56d55321c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f56d553228a in __libc_start_main csu/../csu/libc-start.c:360:3
    #10 0x563b690073d4 in _start (/root/out/FuzzTarget+0xba3d4) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)

0x5070000000d4 is located 2 bytes after 66-byte region [0x507000000090,0x5070000000d2)
allocated by thread T0 here:
    #0 0x563b69115f21 in operator new[](unsigned long) (/root/out/FuzzTarget+0x1c8f21) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #1 0x563b691338c6 in pcpp::PcapFileReaderDevice::getNextPacket(pcpp::RawPacket&) /root/Pcap++/src/PcapFileDevice.cpp:338:28
    #2 0x563b69130e3f in pcpp::IFileReaderDevice::getNextPackets(pcpp::PointerVector<pcpp::RawPacket>&, int) /root/Pcap++/src/PcapFileDevice.cpp:117:22
    #3 0x563b69118bf4 in LLVMFuzzerTestOneInput /root/Tests/Fuzzers/FuzzTarget.cpp:46:14
    #4 0x563b690236d4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/out/FuzzTarget+0xd66d4) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #5 0x563b6900c806 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/out/FuzzTarget+0xbf806) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #6 0x563b690122ba in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/out/FuzzTarget+0xc52ba) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #7 0x563b6903ca76 in main (/root/out/FuzzTarget+0xefa76) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #8 0x7f56d55321c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f56d553228a in __libc_start_main csu/../csu/libc-start.c:360:3
    #10 0x563b690073d4 in _start (/root/out/FuzzTarget+0xba3d4) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)

SUMMARY: AddressSanitizer

  5. Files Modified:

    • Packet++/src/SomeIpSdLayer.cpp
    --- a/Packet++/src/SomeIpSdLayer.cpp
+++ b/Packet++/src/SomeIpSdLayer.cpp
@@ -499,6 +499,10 @@
 
		while (remainingLen > 0)
		{
+            // Ensure there is enough remaining length for a new entry
+            if (remainingLen < sizeof(SomeIpSdEntry::someipsdhdrentry)) {
+                break;
+            }
			entry = new SomeIpSdEntry(this, offset);
 
			size_t entryLen = entry->getLength();

  6. Patch Validation: The patch has been validated using the provided PoC, and the heap-buffer-overflow vulnerability has been resolved. No new issues have been introduced.

  7. Links:

@aled-ua aled-ua requested a review from seladb as a code owner January 23, 2025 09:46
@codecov Codecov
Copy link

codecov bot commented Jan 23, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 50.00000% with 1 line in your changes missing coverage. Please review.

Project coverage is 83.10%. Comparing base (2d0fc5a) to head (cd11aca).

Files with missing lines Patch % Lines
Packet++/src/SomeIpSdLayer.cpp 50.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##              dev    #1699      +/-   ##
==========================================
- Coverage   83.10%   83.10%   -0.01%     
==========================================
  Files         277      277              
  Lines       48201    48203       +2     
  Branches     9955     9974      +19     
==========================================
  Hits        40058    40058              
+ Misses       7264     7262       -2     
- Partials      879      883       +4
Flag Coverage Δ
alpine320 75.07% <0.00%> (-0.01%) ⬇️
fedora40 75.14% <0.00%> (+0.02%) ⬆️
macos-13 80.61% <0.00%> (-0.01%) ⬇️
macos-14 80.61% <0.00%> (-0.01%) ⬇️
macos-15 80.58% <0.00%> (+<0.01%) ⬆️
mingw32 70.81% <0.00%> (-0.03%) ⬇️
mingw64 70.77% <0.00%> (-0.05%) ⬇️
npcap 85.23% <50.00%> (-0.02%) ⬇️
rhel94 75.00% <0.00%> (+0.03%) ⬆️
ubuntu2004 58.57% <0.00%> (+0.02%) ⬆️
ubuntu2004-zstd 58.67% <0.00%> (-0.01%) ⬇️
ubuntu2204 74.88% <0.00%> (-0.01%) ⬇️
ubuntu2204-icpx 61.44% <0.00%> (-0.01%) ⬇️
ubuntu2404 75.12% <0.00%> (-0.04%) ⬇️
unittest 83.10% <50.00%> (-0.01%) ⬇️
windows-2019 85.26% <50.00%> (-0.02%) ⬇️
windows-2022 85.29% <50.00%> (-0.02%) ⬇️
winpcap 85.26% <50.00%> (-0.01%) ⬇️
xdp 50.53% <0.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@tigercosmos
Copy link
Collaborator

@aled-ua could you check why the CI failed?

@aled-ua
Copy link
Contributor Author

aled-ua commented Jan 24, 2025

emmm, I'm not sure. Looks like the download failed?

Chocolatey v2.4.1
Installing the following packages:
OpenCppCoverage
By installing, you accept licenses for the packages.
Downloading package from source 'https://community.chocolatey.org/api/v2/'
[NuGet] Error downloading 'opencppcoverage.0.9.9' from 'https://community.chocolatey.org/api/v2/package/opencppcoverage/0.9.9.0'.
[NuGet] Response status code does not indicate success: 503 (Service Unavailable: Back-end server is at capacity).
[NuGet] Error downloading 'opencppcoverage.0.9.9' from 'https://community.chocolatey.org/api/v2/package/opencppcoverage/0.9.9.0'.
[NuGet] Response status code does not indicate success: 503 (Service Unavailable: Back-end server is at capacity).
opencppcoverage not installed. An error occurred during installation:
 Error downloading 'opencppcoverage.0.9.9' from 'https://community.chocolatey.org/api/v2/package/opencppcoverage/0.9.9.0'.
opencppcoverage package files install failed with exit code 1. Performing other installation steps.
The install of opencppcoverage was NOT successful.
opencppcoverage not installed. An error occurred during installation:
 Error downloading 'opencppcoverage.0.9.9' from 'https://community.chocolatey.org/api/v2/package/opencppcoverage/0.9.9.0'.

Chocolatey installed 0/1 packages. 1 packages failed.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@seladb seladb Awaiting requested review from seladb seladb is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aled-ua @tigercosmos