Denial of Service in Gerbv

[iosifache]

Summary

Error or warning while processing an included image may result in a crash of Gerbv.

CWEs

• CWE-824: Access of uninitialized pointer

Details

The Gerber RS-274X format defines the IF command (INCLUDE FILE, for referencing an external file) in its User's Guide (page 28). A valid line using this command respects the format below:

%IF<filename>.<extension>*%

The implementation of this functionality leverages two utilities:

• A gerb_file_t structure wrapping up details about an opened file, such as the file descriptor, filename, and data to be read; and
• A gerb_fopen function (from gerb_file.c) that takes a filename and returns a (partially-initialized) gerb_fopen structure;

The relevant execution flow in the context of this issue is as follows:

1. A gerbv_open_image function (from gerbv.c) is initially called in main.c through a proxy function called main_open_project_from_filename.
2. The gerbv_open_image internally calls gerb_fopen and stores the filename as a structural member in fd->filename = g_strdup(filename).
3. In a call to gerber_is_rs274x_p, the file is checked to respect the RS-274X format.
4. If it respects the format, parse_gerb is called.
5. parse_gerb calls gerber_parse_file_segment.
6. If any command having a % is detected, parse_rs274x is called.
7. If the command is detected to be IF, then the file is read with gerb_fopen.
8. gerber_parse_file_segment is called again, this time having as argument a filename stored inside the initially-read file.

The issue resides in the fact that, compared to the second step, the eighth one does not set the filename. When the latter is accessed in further processing, an invalid address is dereferenced, which results in a crash of the program.

A code path achieving this is when the included files contain an invalid M-code (for example, M09*). Usually, despite the invalid code, the execution should continue without processing the erroneous information, but Gerbv executes the following in its parse_M_code:

gerbv_stats_printf(stats->error_list, GERBV_MESSAGE_ERROR, -1,
		_("Encountered unknown M%02d code at line %ld in file \"%s\""),
		op_int, *line_num_p, fd->filename);

As it can be observed, the fd->filename is accessed in a logging call, so the execution will crash instead of raising a warning and continuing. This will not happen if the random value found on heap and implicitly assigned to fd->filename is NULL. Most compilers have a check against this scenario, and will only print (null).

Affected Releases

The functionality of processing IF commands was introduced in a5b8484, which corresponds to v2.4.0.

PoC

For reproducing this, Cisco's parse_aperture_strtok.1.poc from CVE-2021-40401 was used as the file provided as an input parameter. The content of parse_aperture_strtok.2.poc was replaced with M09*.

As the issue depends on the random value of the unitialized fd->filename, it was reproduced by launching gdb, setting a breakpoint on gerb_fopen, and setting fd->filename to the value 0x0101010101 (a random value that could be found on the heap). Gerbv will generate a crash as follows:

$ gdb ./gerbv
[...]
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0000fffff7376590 in ?? () from /lib/aarch64-linux-gnu/libc.so.6
(gdb) bt
#0  0x0000fffff7376590 in  () at /lib/aarch64-linux-gnu/libc.so.6
#1  0x0000fffff734b848 in  () at /lib/aarch64-linux-gnu/libc.so.6
#2  0x0000fffff735cd78 in  () at /lib/aarch64-linux-gnu/libc.so.6
#3  0x0000fffff73cfa3c in __vasprintf_chk () at /lib/aarch64-linux-gnu/libc.so.6
#4  0x0000fffff7648064 in g_vasprintf () at /usr/lib/aarch64-linux-gnu/libglib-2.0.so.0
#5  0x0000fffff761da88 in g_strdup_vprintf () at /usr/lib/aarch64-linux-gnu/libglib-2.0.so.0
#6  0x0000fffff7fa3d04 in gerbv_stats_printf (list=0xaaaaaab2ab20, type=GERBV_MESSAGE_ERROR, layer=-1, text=0xfffff7fb5830 "Encountered unknown M%02d code at line %ld in file \"%s\"") at gerb_stats.c:242
#7  0x0000fffff7fa7088 in parse_M_code (fd=0xaaaaaab2ced0, image=0xaaaaaab16fc0, line_num_p=0xffffffffe0f0) at gerber.c:1183
#8  0x0000fffff7fa487c in gerber_parse_file_segment
    (levelOfRecursion=2, image=0xaaaaaab16fc0, state=0xaaaaaab16f60, curr_net=0xaaaaaab2af60, stats=0xaaaaaab2aa70, fd=0xaaaaaab2ced0, directoryPath=0xaaaaaab14a60 "/home/gerbv/triggers")
    at gerber.c:172
#9  0x0000fffff7fa7f40 in parse_rs274x
    (levelOfRecursion=1, fd=0xaaaaaab149a0, image=0xaaaaaab16fc0, state=0xaaaaaab16f60, curr_net=0xaaaaaab2af60, stats=0xaaaaaab2aa70, directoryPath=0xaaaaaab14a60 "/home/gerbv/triggers", line_num_p=0xffffffffe350) at gerber.c:1459
#10 0x0000fffff7fa4bec in gerber_parse_file_segment
    (levelOfRecursion=1, image=0xaaaaaab16fc0, state=0xaaaaaab16f60, curr_net=0xaaaaaab2af60, stats=0xaaaaaab2aa70, fd=0xaaaaaab149a0, directoryPath=0xaaaaaab14a60 "/home/gerbv/triggers")
    at gerber.c:245
#11 0x0000fffff7fa60a8 in parse_gerb (fd=0xaaaaaab149a0, directoryPath=0xaaaaaab14a60 "/home/gerbv/triggers") at gerber.c:770
#12 0x0000fffff7facca0 in gerbv_open_image
    (gerbvProject=0xaaaaaab14940, filename=0xffffffffed6e "/home/gerbv/triggers/CVE-2021-40401.1.poc", idx=0, reload=0, fattr=0x0, n_fattr=0, forceLoadFile=1) at gerbv.c:527
#13 0x0000fffff7fabf44 in gerbv_open_layer_from_filename_with_color
    (gerbvProject=0xaaaaaab14940, filename=0xffffffffed6e "/home/gerbv/triggers/CVE-2021-40401.1.poc", red=29555, green=29555, blue=57054, alpha=45489) at gerbv.c:249
#14 0x0000aaaaaaacb334 in main (argc=6, argv=0xffffffffe8e8) at main.c:937

Impact

Gerbv can be crashed when processing files.

Suggestions for Patching

The filename can be attached to the gerb_file_t structure in gerb_fopen to avoid invalid dereferencing.

[eyal0]

We have Valgrind testing working with gerbv and this is the kind of error that Valgrind can often find. If you're able to generate a sample file that demonstrates this issue, I can run it through gerbv with valgrind and see if it gets caught. And if so, then we can work on fixing the code until valgrind no longer reports an error. And the sample file will be added to our unit testing so that the bug never returns.

Can you generate the problematic file?

[iosifache]

Hi Eyal,

As the crash depends on the heap's layout (implicitly on heap's usage in Gerv), I preferred another approach that is simpler and more deterministic. I consider that it could be integrated into the existent test suite. It hooks the malloc function, checks the requested size of the memory block to be 40 (the size of a gerb_file_t structure), and sets each byte from the block to a constant value (0x01).

The build_malloc_so label compiles the shared library hooking malloc, run_gerbv_normal runs Gerbv as usual (no error as NULL is used in printf), and run_gerbv_hooked runs Gerbv with hooking (SIGSERV is generated as 0x0101010101 is used in printf).

All files (source code for the shared library, Makefile, and reproducers) are zipped in hooking.zip.

[eyal0]

Valgrind does something more comprehensive than the hooking by monitoring all memory for accesses to uninitialized memory. So there's no need with valgrind to foul up any memory because it is already keeping track what was set and what wasn't. And it propagates that notion of memory being set or unset through all registers and copies. It's quite advanced! Of course, it does all the malloc stuff that you are doing, too.

I will create a PR.

[eyal0]

Running the file that you sent with valgrind, I see this error:

==124002== Conditional jump or move depends on uninitialised value(s)
==124002==    at 0x544147E: __vfprintf_internal (vfprintf-internal.c:1647)
==124002==    by 0x5453270: __vasprintf_internal (vasprintf.c:57)
==124002==    by 0x50BCA1E: g_vasprintf (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.8)
==124002==    by 0x508FBFC: g_strdup_vprintf (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.8)
==124002==    by 0x48634FF: gerbv_stats_printf (gerb_stats.c:242)
==124002==    by 0x4864557: parse_M_code (gerber.c:1188)
==124002==    by 0x4864557: gerber_parse_file_segment (gerber.c:172)
==124002==    by 0x486699F: parse_rs274x (gerber.c:1464)
==124002==    by 0x4865012: gerber_parse_file_segment (gerber.c:245)
==124002==    by 0x4868EE3: parse_gerb (gerber.c:770)
==124002==    by 0x4869AA4: gerbv_open_image (gerbv.c:571)
==124002==    by 0x4869EC7: gerbv_open_layer_from_filename_with_color (gerbv.c:249)
==124002==    by 0x119386: main (main.c:941)

It's the same as what you are seeing, right?

[eyal0]

If you load the CI page, you can see the error: https://github.com/gerbv/gerbv/actions/runs/5535310770/jobs/10101427503

[iosifache]

As you wish! The hooking method has the advantage of crashing the program, which can be detected with or without a memory inspection tool. On the other side, by using Valgrind in this manner, you avoid an information dependency present in the hooking library I sent, namely the length of gerb_file_t.

Yes, that is the intended error. As a side note, I want to make it clear that the root cause is not strtok (stated in the PR's title), but the use of an uninitialized variable in a pointer dereferencing in printf("%s").

[eyal0]

I'll have a solution soon, I think.

[eyal0]

It's done. Thanks for all the help, everyone!

[iosifache]

@eyal0, thanks for collaborating with @ooxi to patch this! Before wrapping up, do you think assigning a CVE ID would be useful for this issue?

[ooxi]

@iosifache thanks for the excellent report! We'll release a version with this patch soon. Issuing a CVE might be useful, if it's not too much work on your site.

[iosifache]

@ooxi, the task will be light because we already have the details in the report. Could you please let me know when you have the versions ready and when we can start issuing the CVE?

[ooxi]

Could you please let me know when you have the versions ready and when we can start issuing the CVE?

@iosifache RC will be released this week, full release will be available week 30 at the latest.