1. Version Information
samtools 1.21-7-gb6442ac-dirty
htslib 1.21-9-gca920611
2. Environment Details
- OS: Linux 5.15.153.1-microsoft-standard-WSL2
- Architecture: x86_64
- Compiler: afl-clang-fast
3. Description
This report details a heap-buffer-overflow vulnerability encountered in the samtools merge functionality. The issue occurs within the trans_tbl_add_sq function, specifically during the processing of sequence headers when merging files. The buffer overflow is triggered due to an inadequate allocation size for the tid_trans buffer, resulting in out-of-bounds access.
This vulnerability can potentially lead to memory corruption, causing program crashes or, under certain conditions, could be leveraged for further exploits such as Denial of Service (DoS) or Remote Code Execution (RCE). The report includes detailed reproduction steps and example output to aid in reproducing and analyzing the issue.
4. Steps to Reproduce and Command Used
- Steps to Reproduce:
- Compile samtools with AddressSanitizer enabled to detect memory issues.
- Execute the following command to trigger the heap-buffer-overflow with the following
crash (required to zip for GH):
samtools merge -f -u -c -o /dev/null ./merge_crash
=================================================================
==43==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000004d54 at pc 0x563018d74e1f bp 0x7ffc983c5ef0 sp 0x7ffc983c5ee8
WRITE of size 4 at 0x502000004d54 thread T0
#0 0x563018d74e1e in trans_tbl_add_sq /samtools/bam_sort.c:505:27
#1 0x563018d74e1e in trans_tbl_init /samtools/bam_sort.c:816:9
#2 0x563018d703d0 in bam_merge_core2 /samtools/bam_sort.c:1199:13
#3 0x563018d7b98b in bam_merge /samtools/bam_sort.c:1717:9
#4 0x563018dc4a15 in main /samtools/bamtk.c:247:55
#5 0x7f51ae8311c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7f51ae83128a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x563018c4ace4 in _start (/samtools/samtools+0x6bce4) (BuildId: 9029bcea46985a947a5a8c1057d4e8ee0e426869)
0x502000004d54 is located 0 bytes after 4-byte region [0x502000004d50,0x502000004d54)
allocated by thread T0 here:
#0 0x563018ce5d1d in calloc (/samtools/samtools+0x106d1d) (BuildId: 9029bcea46985a947a5a8c1057d4e8ee0e426869)
#1 0x563018d73f85 in trans_tbl_init /samtools/bam_sort.c:802:28
#2 0x563018d703d0 in bam_merge_core2 /samtools/bam_sort.c:1199:13
#3 0x563018d7b98b in bam_merge /samtools/bam_sort.c:1717:9
#4 0x563018dc4a15 in main /samtools/bamtk.c:247:55
SUMMARY: AddressSanitizer: heap-buffer-overflow /samtools/bam_sort.c:505:27 in trans_tbl_add_sq
Shadow bytes around the buggy address:
0x502000004a80: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x502000004b00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x502000004b80: fa fa fd fa fa fa fd fd fa fa fd fd fa fa 00 fa
0x502000004c00: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x502000004c80: fa fa 00 fa fa fa 00 00 fa fa fd fa fa fa fd fa
=>0x502000004d00: fa fa fd fa fa fa 04 fa fa fa[04]fa fa fa 00 07
0x502000004d80: fa fa 00 00 fa fa 04 fa fa fa 00 00 fa fa 00 00
0x502000004e00: fa fa 04 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
0x502000004e80: fa fa 00 fa fa fa 03 fa fa fa fd fa fa fa fd fa
0x502000004f00: fa fa 00 07 fa fa 00 00 fa fa 04 fa fa fa 00 00
0x502000004f80: fa fa 00 00 fa fa 00 00 fa fa 07 fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==43==ABORTING
5. Contents of the Input File
- Hexdump of the crash file:
00000000: 1f8b 0804 0000 0000 00ff 0600 4243 0200 ............BC..
00000010: 5d00 7372 f465 d467 6060 70f0 70e1 0cf3 ].sr.e.g``p.p...
00000020: b332 d433 e00c f6b7 4ace cf2f 4ac9 cc4b .2.3....J../J..K
00000030: 2c49 e572 080e e40c 064a 9873 faf8 5959 ,I.r.....J.s..YY
00000040: 181a 5a9a 1a19 1a70 3102 b530 03b1 a139 ..Z....p1..0...9
00000050: 0000 0400 5800 583f 7adb 4600 0000 1f8b ....X.X?z.F.....
00000060: 0804 0000 0000 00ff 0600 4243 0200 9d00 ..........BC....
00000070: b365 4000 211b 4f21 4686 6406 4620 fb3f .e@.!.O!F.d.F .?
00000080: 1480 c45d 8382 0c0c 8d0d 4d0c f48c 4d8d ...]......M...M.
00000090: 0c4d 8c8d 1804 80a2 02f2 4e81 513a 0c36 .M........N.Q:.6
000000a0: 50cd 8220 8cdb 0023 1363 0343 433d 6373 P.. ...#.c.CC=cs
000000b0: 6303 334b b07e 0590 7e3b 8660 a87e 3124 c.3K.~..~;.`.~1$
000000c0: 0770 61ea 3734 33b2 3037 d5b3 3431 3433 .pa.743.07..4143
000000d0: b534 6558 0014 9510 9110 ec50 5654 d650 .4eX.......PVT.P
000000e0: 5357 53d7 5004 9a66 606a 6664 63ac a963 SWS.P..f`jfdc..c
000000f0: 6dc0 0000 e076 052a d800 0000 1f8b 0804 m....v.*........
00000100: 0000 0000 00ff 0600 4243 0200 1b00 0300 ........BC......
00000110: 0000 0000 0000 0000
6. Impact
- Potential Risk: The heap-buffer-overflow identified here could lead to memory corruption. This kind of vulnerability may result in:
- Denial of Service (DoS): By crashing the program, an attacker could disrupt the normal functionality of
samtools, potentially causing interruptions in workflows that rely on it.
- Remote Code Execution (RCE): Although not demonstrated in this report, the nature of heap-buffer-overflows can sometimes be leveraged to execute arbitrary code under certain conditions, particularly if an attacker can control the corrupted data in the heap.
- Exploitability: While this report does not show a direct path to code execution, it does highlight the program's mishandling of memory, which can sometimes be exploited further. This risk might be heightened if
samtools processes untrusted or externally controlled BAM files in an automated pipeline.
- Security Implications: Users who rely on
samtools to handle sensitive or important genomic data could be affected by this issue. In scenarios where samtools is exposed to potentially untrusted input, this vulnerability could be a critical flaw that might warrant an urgent fix.
1. Version Information
samtools 1.21-7-gb6442ac-dirty
htslib 1.21-9-gca920611
2. Environment Details
3. Description
This report details a heap-buffer-overflow vulnerability encountered in the
samtools mergefunctionality. The issue occurs within thetrans_tbl_add_sqfunction, specifically during the processing of sequence headers when merging files. The buffer overflow is triggered due to an inadequate allocation size for thetid_transbuffer, resulting in out-of-bounds access.This vulnerability can potentially lead to memory corruption, causing program crashes or, under certain conditions, could be leveraged for further exploits such as Denial of Service (DoS) or Remote Code Execution (RCE). The report includes detailed reproduction steps and example output to aid in reproducing and analyzing the issue.
4. Steps to Reproduce and Command Used
crash (required to zip for GH):
5. Contents of the Input File
6. Impact
samtools, potentially causing interruptions in workflows that rely on it.samtoolsprocesses untrusted or externally controlled BAM files in an automated pipeline.samtoolsto handle sensitive or important genomic data could be affected by this issue. In scenarios wheresamtoolsis exposed to potentially untrusted input, this vulnerability could be a critical flaw that might warrant an urgent fix.