Insecure pattern in object.c

[dcleblanc]

There is lots of code like the following:
ret = snprintf(aux_buffer, aux_buffer_size, """);
aux_buffer = aux_buffer + ret;
aux_buffer_size = aux_buffer_size - ret;

However, according to http://www.cplusplus.com/reference/cstdio/snprintf/, the return from snprintf is:

The number of characters that would have been written if n had been sufficiently large, not counting the terminating null character.
If an encoding error occurs, a negative number is returned.
Notice that only when this returned value is non-negative and less than n, the string has been completely written.

Emphasis (***) mine -

So there is failure to properly validate the return from snprintf, which has two failure modes:

1. -1 - the code will now back up aux_buffer to the prior byte, and then increase the remaining size by 1. This is obviously potentially exploitable.

2. ret > aux_buffer_size - now, we increment the aux_buffer pointer beyond the end of the buffer, and aux_buffer_size - ret results in an overflow, which now ends up with aux_buffer_size effectively infinite.

I haven't exhaustively reviewed this code, or even this function, but this seems like a serious error.

[redboltz]

It seems that the code in introduced the following commit:

4fa661a#diff-4e46418a61e5218dad7d5eb9c7729ffa
by @smititelu .

I didn't notice about that at that time.

@dcleblanc , I agree with you. This should be fixed.

[redboltz]

I think that insert ret checking code is a possible fix.

For example:

msgpack-c/src/objectc.c

Lines 362 to 374 in ce088e7

	case MSGPACK_OBJECT_BIN:
	ret = snprintf(aux_buffer, aux_buffer_size, "\"");
	aux_buffer = aux_buffer + ret;
	aux_buffer_size = aux_buffer_size - ret;
	ret = msgpack_object_bin_print_buffer(aux_buffer, aux_buffer_size, o.via.bin.ptr, o.via.bin.size);
	aux_buffer = aux_buffer + ret;
	aux_buffer_size = aux_buffer_size - ret;
	ret = snprintf(aux_buffer, aux_buffer_size, "\"");
	aux_buffer = aux_buffer + ret;
	aux_buffer_size = aux_buffer_size - ret;
	break;

    case MSGPACK_OBJECT_BIN:
        ret = snprintf(aux_buffer, aux_buffer_size, "\"");
        if (ret == 0 || ret > aus_buffer_size) return 0; /* insert this line */
        aux_buffer = aux_buffer + ret;
        aux_buffer_size = aux_buffer_size - ret;

        ret = msgpack_object_bin_print_buffer(aux_buffer, aux_buffer_size, o.via.bin.ptr, o.via.bin.size);
        if (ret == 0 || ret > aus_buffer_size) return 0; /* insert this line */
        aux_buffer = aux_buffer + ret;
        aux_buffer_size = aux_buffer_size - ret;

        ret = snprintf(aux_buffer, aux_buffer_size, "\"");
        if (ret == 0 || ret > aus_buffer_size) return 0; /* insert this line */
        aux_buffer = aux_buffer + ret;
        aux_buffer_size = aux_buffer_size - ret;
        break;

[dcleblanc]

Yes, that would be better, but some snprintf implementations return -1 on failure, so I think you want:
if (ret <= 0 || ret > aux_buffer_size) return 0; /* insert this line */

And to not clutter the code, I think I'd make a wrapper inline function.

[setharnold]

Has this issue received a CVE number yet?

[redboltz]

@setharnold , AFAIK, no it haven't. Your comment is the first one about CVE in msgpack-c.

[redboltz]

https://github.com/msgpack/msgpack-c/search?q=CVE&unscoped_q=CVE

[dcleblanc]

I never verified that this was exploitable, just that there is a potentially exploitable code flaw. Whether to issue a CVE is up to you to decide. Get Outlook for Android<https://aka.ms/ghei36>

…

________________________________ From: Takatoshi Kondo <notifications@github.com> Sent: Tuesday, February 4, 2020 3:41:07 PM To: msgpack/msgpack-c <msgpack-c@noreply.github.com> Cc: David LeBlanc <dleblanc@exchange.microsoft.com>; Mention <mention@noreply.github.com> Subject: Re: [msgpack/msgpack-c] Insecure pattern in object.c (#774) https://github.com/msgpack/msgpack-c/search?q=CVE&unscoped_q=CVE<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmsgpack%2Fmsgpack-c%2Fsearch%3Fq%3DCVE%26unscoped_q%3DCVE&data=02%7C01%7Cdleblanc%40exchange.microsoft.com%7Cf0eb5a0dd9de4c84b62608d7a9cbb5b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637164564707921803&sdata=CAmHm462%2BYnpUhBxYdLsBcPYGP0HTM67XIMw4W6jAzM%3D&reserved=0> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmsgpack%2Fmsgpack-c%2Fissues%2F774%3Femail_source%3Dnotifications%26email_token%3DAHX6YL2NNRSBCRQIKTEFZODRBH4JHA5CNFSM4HFAQNF2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKZTLEQ%23issuecomment-582170002&data=02%7C01%7Cdleblanc%40exchange.microsoft.com%7Cf0eb5a0dd9de4c84b62608d7a9cbb5b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637164564707931801&sdata=dBEIkrgnF85Blv0WdYrMCQNYuXWjir7TMmrveDk4JYc%3D&reserved=0>, or unsubscribe<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAHX6YL544XLYLEJXB2RAPOTRBH4JHANCNFSM4HFAQNFQ&data=02%7C01%7Cdleblanc%40exchange.microsoft.com%7Cf0eb5a0dd9de4c84b62608d7a9cbb5b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637164564707941786&sdata=%2FJHeFxTtdAntwNTp0yyDEIGegSAanjL%2Byv9fBRU%2BuzQ%3D&reserved=0>.

[setharnold]

I'm no expert on msgpack-c, so please take my assessment with that caveat in mind.

This issue was reported to Ubuntu with a proof of concept that suggests to me that this is more along the lines of reliability improvements rather than a security fix: the programmer supplies both a buffer and an object, and wants the object written into the buffer.

Perhaps the floating point formats can be surprising: eg -DBL_MAX is 317 characters long when serialized with printf("%d");. If a program needs to emit -DBL_MAX that it reads from a file or another socket, it might then try to serialize this into 32 bytes and be wrong by more than 200.

I'm inclined to say this does not need a CVE without further information. Thoughts?

Thanks

https://bugs.launchpad.net/ubuntu/+source/msgpack-c/+bug/1861448

[dcleblanc]

No, that one could cause a buffer overrun. I did not bother to test whether I could exploit this memory corruption, so there’s possibly some mitigating factor, right thing to do was just fix it. From: Seth Arnold <notifications@github.com> Sent: Tuesday, February 4, 2020 4:34 PM To: msgpack/msgpack-c <msgpack-c@noreply.github.com> Cc: David LeBlanc <dleblanc@exchange.microsoft.com>; Mention <mention@noreply.github.com> Subject: Re: [msgpack/msgpack-c] Insecure pattern in object.c (#774) I'm no expert on msgpack-c, so please take my assessment with that caveat in mind. This issue was reported to Ubuntu with a proof of concept that suggests to me that this is more along the lines of reliability improvements rather than a security fix: the programmer supplies both a buffer and an object, and wants the object written into the buffer. Perhaps the floating point formats can be surprising: eg -DBL_MAX is 317 characters long when serialized with printf("%d");. If a program needs to emit -DBL_MAX that it reads from a file or another socket, it might then try to serialize this into 32 bytes and be wrong by more than 200. I'm inclined to say this does not need a CVE without further information. Thoughts? Thanks https://bugs.launchpad.net/ubuntu/+source/msgpack-c/+bug/1861448<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugs.launchpad.net%2Fubuntu%2F%2Bsource%2Fmsgpack-c%2F%2Bbug%2F1861448&data=02%7C01%7Cdleblanc%40exchange.microsoft.com%7C2ee06333ed8245d66cdc08d7a9d30b60%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637164596203148824&sdata=Pu9dBcVGPnzfQGrDQZ%2FSELXiKzQdYtphZpaBk3tULbQ%3D&reserved=0> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmsgpack%2Fmsgpack-c%2Fissues%2F774%3Femail_source%3Dnotifications%26email_token%3DAHX6YL65OORCWF5NCCUGRJDRBICOFA5CNFSM4HFAQNF2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKZW6DQ%23issuecomment-582184718&data=02%7C01%7Cdleblanc%40exchange.microsoft.com%7C2ee06333ed8245d66cdc08d7a9d30b60%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637164596203158815&sdata=2dyVq9r7Q3VB9ZuCpb73b4fay5jXeAXWp6Al3ROe7JA%3D&reserved=0>, or unsubscribe<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAHX6YL7NMBGJ2JQBBFFCSJLRBICOFANCNFSM4HFAQNFQ&data=02%7C01%7Cdleblanc%40exchange.microsoft.com%7C2ee06333ed8245d66cdc08d7a9d30b60%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637164596203158815&sdata=nmY1fSCfb0yg8oN27D7jjCvRhddEp1sEuC5y877uq%2Fk%3D&reserved=0>.

[0xddaa]

Greeting,
I noticed this issue and reported it to Ubuntu bug tracker a few days ago. I am sure this issue is exploitable when receiving untrusted data that packed as a msgpack object.
The return value of snprintf can be used to control the index of the buffer, and the attacker can overwrite any memory data behind the buffer.
Some applications which called msgpack_object_bin_print_buffer will be affected.
This issue should be assigned a CVE number to notice all user fixed the problem.