<feed xmlns='http://www.w3.org/2005/Atom'>
<title>uci/tests/fuzz, branch master</title>
<subtitle>OpenWrt Unified Configuration Interface</subtitle>
<id>https://git-03.infra.openwrt.org/project/uci/atom?h=master</id>
<link rel='self' href='https://git-03.infra.openwrt.org/project/uci/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/uci/'/>
<updated>2020-10-06T06:33:57Z</updated>
<entry>
<title>file: Check buffer size after strtok()</title>
<updated>2020-10-06T06:33:57Z</updated>
<author>
<name>Hauke Mehrtens</name>
</author>
<published>2020-10-04T15:14:49Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/uci/commit/?id=eae126f66663e5c73e5d290b8e3134449489340f'/>
<id>urn:sha1:eae126f66663e5c73e5d290b8e3134449489340f</id>
<content type='text'>
This fixes a heap overflow in the parsing of the uci line.

The line which is parsed and put into pctx-&gt;buf is null terminated and
stored on the heap. In the uci_parse_line() function we use strtok() to
split this string into multiple parts divided by a space or tab.
strtok() replaces these characters with a NULL byte. If the next byte is
NULL we assume that this NULL byte was added by strtok() and try to
parse the string after this NULL byte. If this NULL byte was not added
by strtok(), but by fgets() to mark the end of the string, we would read
over this end of the string into uninitialized memory and later over the
allocated buffer.

Fix this problem by storing how long the line we read was and checking if
we would read over the end of the string here.

This also adds the input which detected this crash to the corpus of the
fuzzer.

Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
[fixed merge conflict in tests]
Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
<entry>
<title>file: uci_parse_package: fix heap use after free</title>
<updated>2020-10-03T07:20:48Z</updated>
<author>
<name>Petr Štetiar</name>
</author>
<published>2020-10-02T23:29:21Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/uci/commit/?id=a3e650911f5e6f67dcff09974df3775dfd615da6'/>
<id>urn:sha1:a3e650911f5e6f67dcff09974df3775dfd615da6</id>
<content type='text'>
Fixes the following issue, which is caused by the usage of a pointer which
pointed to a reallocated address:

 ERROR: AddressSanitizer: heap-use-after-free on address 0x619000000087 at pc 0x000000509aa7 bp 0x7ffd6b9c3c40 sp 0x7ffd6b9c3400
 READ of size 2 at 0x619000000087 thread T0
     #0 0x509aa6 in strdup (test-fuzz+0x509aa6)
     #1 0x7fc36d2a1636 in uci_strdup util.c:60:8
     #2 0x7fc36d29e1ac in uci_alloc_generic list.c:55:13
     #3 0x7fc36d29e241 in uci_alloc_package list.c:253:6
     #4 0x7fc36d2a0ba3 in uci_switch_config file.c:375:18
     #5 0x7fc36d2a09b8 in uci_parse_package file.c:397:2
     #6 0x7fc36d2a09b8 in uci_parse_line file.c:513:6
     #7 0x7fc36d2a09b8 in uci_import file.c:681:4

 0x619000000087 is located 7 bytes inside of 1024-byte region [0x619000000080,0x619000000480)
 freed by thread T0 here:
     #0 0x51daa9 in realloc (test-fuzz+0x51daa9)
     #1 0x7fc36d2a1612 in uci_realloc util.c:49:8

 previously allocated by thread T0 here:
     #0 0x51daa9 in realloc (test-fuzz+0x51daa9)
     #1 0x7fc36d2a1612 in uci_realloc util.c:49:8

Reported-by: Jeremy Galindo &lt;jgalindo@datto.com&gt;
Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
<entry>
<title>tests: add libFuzzer based fuzzing</title>
<updated>2020-10-03T07:20:48Z</updated>
<author>
<name>Petr Štetiar</name>
</author>
<published>2020-10-02T23:53:53Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/project/uci/commit/?id=9bd361ca323637b047ecfdf5de3c8cfbf64698d6'/>
<id>urn:sha1:9bd361ca323637b047ecfdf5de3c8cfbf64698d6</id>
<content type='text'>
LibFuzzer is an in-process, coverage-guided, evolutionary fuzzing engine.

LibFuzzer is linked with the library under test, and feeds fuzzed inputs
to the library via a specific fuzzing entrypoint (aka "target
function"); the fuzzer then tracks which areas of the code are reached,
and generates mutations on the corpus of input data in order to maximize
the code coverage.

So let's use libFuzzer to fuzz uci_import for a start.

Ref: https://llvm.org/docs/LibFuzzer.html
Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
</feed>
