Skip to content

Fix vuln OSV-2024-947#1699

Merged
seladb merged 8 commits intoseladb:devfrom
oss-patch:patch-OSV-2024-947
Mar 30, 2025
Merged

Fix vuln OSV-2024-947#1699
seladb merged 8 commits intoseladb:devfrom
oss-patch:patch-OSV-2024-947

Conversation

@oss-patch
Copy link
Contributor

@oss-patch oss-patch commented Jan 23, 2025

[Warning] This PR is generated by AI

  1. PR Title: Fix for Heap-Buffer-Overflow Vulnerability in PcapPlusPlus - OSV-2024-947

  2. PR Description:

    • Bug Type: Heap-Buffer-Overflow
    • Summary: A heap-buffer-overflow vulnerability was discovered in PcapPlusPlus. The issue arises in the function pcpp::SomeIpSdLayer::getEntries() when attempting to create new SomeIpSdEntry objects without properly checking if sufficient memory is available in the buffer. This leads to access beyond the allocated memory, causing a heap-buffer-overflow.
    • Fix Summary: The patch introduces a bounds check in the getEntries function to ensure the remaining buffer length is adequate before creating a new SomeIpSdEntry object. If the length is insufficient, the loop terminates, preventing out-of-bounds access. This fix enhances the program's security and stability by preventing invalid memory access.

  3. Sanitizer Report Summary: The AddressSanitizer report identified a heap-buffer-overflow when the program attempted to access 1 byte beyond a 66-byte allocated buffer. The issue occurs in pcpp::SomeIpSdEntry::SomeIpSdEntry and is triggered via the pcpp::SomeIpSdLayer::getEntries() function. The root cause is the lack of a bounds check before creating a new SomeIpSdEntry object.

  4. Full Sanitizer Report:

    ==19259==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5070000000d4 at pc 0x563b691eb8e4 bp 0x7ffc2be6b2a0 sp 0x7ffc2be6b298
READ of size 1 at 0x5070000000d4 thread T0
    #0 0x563b691eb8e3 in pcpp::SomeIpSdEntry::SomeIpSdEntry(pcpp::SomeIpSdLayer const*, unsigned long) /root/Packet++/src/SomeIpSdLayer.cpp:243:62
    #1 0x563b691ecf17 in pcpp::SomeIpSdLayer::getEntries() const /root/Packet++/src/SomeIpSdLayer.cpp:501:16
    #2 0x563b6911ab41 in readParsedPacket(pcpp::Packet, pcpp::Layer*) /root/Tests/Fuzzers/ReadParsedPacket.h:66:32
    #3 0x563b69118e82 in LLVMFuzzerTestOneInput /root/Tests/Fuzzers/FuzzTarget.cpp:66:5
    #4 0x563b690236d4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/out/FuzzTarget+0xd66d4) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #5 0x563b6900c806 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/out/FuzzTarget+0xbf806) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #6 0x563b690122ba in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/out/FuzzTarget+0xc52ba) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #7 0x563b6903ca76 in main (/root/out/FuzzTarget+0xefa76) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #8 0x7f56d55321c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f56d553228a in __libc_start_main csu/../csu/libc-start.c:360:3
    #10 0x563b690073d4 in _start (/root/out/FuzzTarget+0xba3d4) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)

0x5070000000d4 is located 2 bytes after 66-byte region [0x507000000090,0x5070000000d2)
allocated by thread T0 here:
    #0 0x563b69115f21 in operator new[](unsigned long) (/root/out/FuzzTarget+0x1c8f21) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #1 0x563b691338c6 in pcpp::PcapFileReaderDevice::getNextPacket(pcpp::RawPacket&) /root/Pcap++/src/PcapFileDevice.cpp:338:28
    #2 0x563b69130e3f in pcpp::IFileReaderDevice::getNextPackets(pcpp::PointerVector<pcpp::RawPacket>&, int) /root/Pcap++/src/PcapFileDevice.cpp:117:22
    #3 0x563b69118bf4 in LLVMFuzzerTestOneInput /root/Tests/Fuzzers/FuzzTarget.cpp:46:14
    #4 0x563b690236d4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/out/FuzzTarget+0xd66d4) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #5 0x563b6900c806 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/out/FuzzTarget+0xbf806) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #6 0x563b690122ba in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/out/FuzzTarget+0xc52ba) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #7 0x563b6903ca76 in main (/root/out/FuzzTarget+0xefa76) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
    #8 0x7f56d55321c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f56d553228a in __libc_start_main csu/../csu/libc-start.c:360:3
    #10 0x563b690073d4 in _start (/root/out/FuzzTarget+0xba3d4) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)

SUMMARY: AddressSanitizer

  5. Files Modified:

    • Packet++/src/SomeIpSdLayer.cpp
    --- a/Packet++/src/SomeIpSdLayer.cpp
+++ b/Packet++/src/SomeIpSdLayer.cpp
@@ -499,6 +499,10 @@
 
		while (remainingLen > 0)
		{
+            // Ensure there is enough remaining length for a new entry
+            if (remainingLen < sizeof(SomeIpSdEntry::someipsdhdrentry)) {
+                break;
+            }
			entry = new SomeIpSdEntry(this, offset);
 
			size_t entryLen = entry->getLength();

  6. Patch Validation: The patch has been validated using the provided PoC, and the heap-buffer-overflow vulnerability has been resolved. No new issues have been introduced.

  7. Links:

@oss-patch oss-patch requested a review from seladb as a code owner January 23, 2025 09:46
@codecov
Copy link

codecov bot commented Jan 23, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 50.00000% with 1 line in your changes missing coverage. Please review.

Project coverage is 83.20%. Comparing base (5b6a51c) to head (70c87c3).
Report is 1 commits behind head on dev.

Files with missing lines Patch % Lines
Packet++/src/SomeIpSdLayer.cpp 50.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##              dev    #1699      +/-   ##
==========================================
- Coverage   83.21%   83.20%   -0.01%     
==========================================
  Files         282      282              
  Lines       48719    48721       +2     
  Branches    10547    10317     -230     
==========================================
- Hits        40540    40539       -1     
+ Misses       7052     7043       -9     
- Partials     1127     1139      +12
Flag Coverage Δ
alpine320 75.21% <0.00%> (+<0.01%) ⬆️
fedora40 75.22% <0.00%> (-0.05%) ⬇️
macos-13 80.71% <0.00%> (-0.01%) ⬇️
macos-14 80.71% <0.00%> (-0.01%) ⬇️
macos-15 80.67% <0.00%> (-0.02%) ⬇️
mingw32 70.85% <0.00%> (-0.05%) ⬇️
mingw64 70.81% <0.00%> (-0.05%) ⬇️
npcap 85.23% <50.00%> (-0.09%) ⬇️
rhel94 75.10% <0.00%> (-0.01%) ⬇️
ubuntu2004 58.61% <0.00%> (-0.01%) ⬇️
ubuntu2004-zstd 58.73% <0.00%> (-0.04%) ⬇️
ubuntu2204 74.99% <0.00%> (-0.03%) ⬇️
ubuntu2204-icpx 61.36% <0.00%> (-0.01%) ⬇️
ubuntu2404 75.23% <0.00%> (-0.05%) ⬇️
unittest 83.20% <50.00%> (-0.01%) ⬇️
windows-2019 85.33% <50.00%> (-0.02%) ⬇️
windows-2022 85.36% <50.00%> (-0.02%) ⬇️
winpcap 85.32% <50.00%> (-0.01%) ⬇️
xdp 50.69% <0.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@tigercosmos
Copy link
Collaborator

tigercosmos commented Jan 24, 2025

@aled-ua could you check why the CI failed?

@oss-patch
Copy link
Contributor Author

oss-patch commented Jan 24, 2025

emmm, I'm not sure. Looks like the download failed?

Chocolatey v2.4.1
Installing the following packages:
OpenCppCoverage
By installing, you accept licenses for the packages.
Downloading package from source 'https://community.chocolatey.org/api/v2/'
[NuGet] Error downloading 'opencppcoverage.0.9.9' from 'https://community.chocolatey.org/api/v2/package/opencppcoverage/0.9.9.0'.
[NuGet] Response status code does not indicate success: 503 (Service Unavailable: Back-end server is at capacity).
[NuGet] Error downloading 'opencppcoverage.0.9.9' from 'https://community.chocolatey.org/api/v2/package/opencppcoverage/0.9.9.0'.
[NuGet] Response status code does not indicate success: 503 (Service Unavailable: Back-end server is at capacity).
opencppcoverage not installed. An error occurred during installation:
 Error downloading 'opencppcoverage.0.9.9' from 'https://community.chocolatey.org/api/v2/package/opencppcoverage/0.9.9.0'.
opencppcoverage package files install failed with exit code 1. Performing other installation steps.
The install of opencppcoverage was NOT successful.
opencppcoverage not installed. An error occurred during installation:
 Error downloading 'opencppcoverage.0.9.9' from 'https://community.chocolatey.org/api/v2/package/opencppcoverage/0.9.9.0'.

Chocolatey installed 0/1 packages. 1 packages failed.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

seladb
seladb reviewed Mar 20, 2025
View reviewed changes
@seladb seladb merged commit 132c9cf into seladb:dev Mar 30, 2025
41 checks passed
@seladb
Copy link
Owner

seladb commented Mar 30, 2025

Thank you @oss-patch for making this fix!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@seladb seladb seladb approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@oss-patch @tigercosmos @seladb