OOB in opencv_test_ml

[c0d3xpl0it]

We found OOB in opencv_test_ml binary and OpenCV is complied with clang enabling ASAN.

Machine Setup

Machine : Ubuntu 16.04.3 LTS
OpenCV version: 4.1.2-pre
OpenCV VCS version: 4.1.1-267-ga74fe2e
Build type: Release
Compiler: /usr/bin/clang++  (ver 3.8.0)

Running the binary

fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$ ./opencv_test_ml
CTEST_FULL_OUTPUT
OpenCV version: 4.1.2-pre
OpenCV VCS version: 4.1.1-267-ga74fe2e
Build type: Release
Compiler: /usr/bin/clang++  (ver 3.8.0)
Parallel framework: pthreads
CPU features: SSE SSE2 SSE3 *SSE4.1 *SSE4.2 *FP16 *AVX *AVX2
Intel(R) IPP version: ippIP AVX2 (l9) 2019.0.0 Gold (-) Jul 24 2018
OpenCL is disabled
TEST: Skip tests with tags: 'mem_6gb', 'verylong'
[==========] Running 44 tests from 16 test cases.
[----------] Global test environment set-up.
[----------] 8 tests from ML_SVMSGD
[ RUN      ] ML_SVMSGD.trainSameScale2
[       OK ] ML_SVMSGD.trainSameScale2 (1560 ms)
[ RUN      ] ML_SVMSGD.trainSameScale5

//SNIPPED//

[  FAILED  ] ML_LR.accuracy (1 ms)
[ RUN      ] ML_LR.save_load
ASAN:DEADLYSIGNAL
=================================================================
==13746==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000598068 bp 0x7ffc395c2670 sp 0x7ffc395c1680 T0)
    #0 0x598067  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_ml+0x598067)
    #1 0x67cb93  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_ml+0x67cb93)
    #2 0x59778e  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_ml+0x59778e)
    #3 0x597552  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_ml+0x597552)
    #4 0x6105c6  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_ml+0x6105c6)
    #5 0x610327  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_ml+0x610327)
    #6 0x613f17  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_ml+0x613f17)
    #7 0x615af9  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_ml+0x615af9)
    #8 0x63c8dc  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_ml+0x63c8dc)
    #9 0x63b5f6  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_ml+0x63b5f6)
    #10 0x63b0b6  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_ml+0x63b0b6)
    #11 0x5b6074  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_ml+0x5b6074)
    #12 0x7fe5f90f082f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x43eeb8  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_ml+0x43eeb8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_ml+0x598067)
==13746==ABORTING
fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$

[alalek]

Please add required information: #15558 (comment)

[c0d3xpl0it]

Below is the output with and without Testdata.

Build type: Release
OpenCV version: 4.1.2-pre
OS: Linux 4.4.0-87-generic #110-Ubuntu
OpenCV VCS version: 4.1.1-267-ga74fe2e

Without Testdata

fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$./opencv_test_ml
CTEST_FULL_OUTPUT
OpenCV version: 4.1.2-pre
OpenCV VCS version: 4.1.1-267-ga74fe2e
Build type: Release
Compiler: /usr/local/bin/afl-clang-fast++  (ver 3.8.0)
Parallel framework: pthreads
CPU features: SSE SSE2 SSE3 *SSE4.1 *SSE4.2 *FP16 *AVX *AVX2
Intel(R) IPP version: ippIP AVX2 (l9) 2019.0.0 Gold (-) Jul 24 2018
OpenCL is disabled
TEST: Skip tests with tags: 'mem_6gb', 'verylong'
[0;32m[==========] [mRunning 44 tests from 16 test cases.
[0;32m[----------] [mGlobal test environment set-up.
[0;32m[----------] [m8 tests from ML_SVMSGD
[0;32m[ RUN      ] [mML_SVMSGD.trainSameScale2

//SNIPPED //

ASAN:DEADLYSIGNAL
=================================================================
[1m[31m==12564==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005fa8d3 bp 0x7fff447d13b0 sp 0x7fff447d03c0 T0)
[1m[0m    #0 0x5fa8d2 in opencv_test::(anonymous namespace)::CV_LRTest_SaveLoad::run(int) /home/entropy/victim/no-afl/opencv_build/opencv/modules/ml/test/test_lr.cpp:175:22
    #1 0x787865 in cvtest::BaseTest::safe_run(int) /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts.cpp:286:13
    #2 0x5f9db5 in opencv_test::(anonymous namespace)::ML_LR_save_load_Test::Body() /home/entropy/victim/no-afl/opencv_build/opencv/modules/ml/test/test_lr.cpp:226:51
    #3 0x5f99c7 in opencv_test::(anonymous namespace)::ML_LR_save_load_Test::TestBody() /home/entropy/victim/no-afl/opencv_build/opencv/modules/ml/test/test_lr.cpp:226:1
    #4 0x6be7e2 in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3917:10
    #5 0x6be7e2 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3953
    #6 0x6be353 in testing::Test::Run() /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3991:5
    #7 0x6c5481 in testing::TestInfo::Run() /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:4167:5
    #8 0x6c8807 in testing::TestCase::Run() /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:4285:5
    #9 0x70fbe4 in testing::internal::UnitTestImpl::RunAllTests() /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:6660:11
    #10 0x70d96c in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3917:10
    #11 0x70d96c in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3953
    #12 0x70d0fe in testing::UnitTest::Run() /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:6269:10
    #13 0x6283c6 in RUN_ALL_TESTS() /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/include/opencv2/ts/ts_gtest.h:22224:10
    #14 0x6283c6 in main /home/entropy/victim/no-afl/opencv_build/opencv/modules/ml/test/test_main.cpp:10
    #15 0x7eff42d5582f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #16 0x449f28 in _start (/home/entropy/victim/no-afl/opencv_build/opencv/build/bin/opencv_test_ml+0x449f28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/entropy/victim/no-afl/opencv_build/opencv/modules/ml/test/test_lr.cpp:175:22 in opencv_test::(anonymous namespace)::CV_LRTest_SaveLoad::run(int)
==12564==ABORTING

With Testdata
All tests are successful and no error is thrown.

[c0d3xpl0it]

@alalek for this issues category: vulnerability is not applicable ?

[alalek]

Tests are malformed here too (without testdata).
I believe it is not exploitable in normal applications.