From patchwork Sun Oct  4 15:14:49 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hauke Mehrtens <hauke@hauke-m.de>
X-Patchwork-Id: 1376437
X-Patchwork-Delegate: ynezz@true.cz
Return-Path: 
 <openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org
 (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org;
 envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org;
 receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
 dmarc=none (p=none dis=none) header.from=hauke-m.de
Authentication-Results: ozlabs.org;
	dkim=pass (2048-bit key;
 secure) header.d=lists.infradead.org header.i=@lists.infradead.org
 header.a=rsa-sha256 header.s=merlin.20170209 header.b=HOltQOJL;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=hauke-m.de header.i=@hauke-m.de header.a=rsa-sha256
 header.s=MBO0001 header.b=oe0P+E6w;
	dkim-atps=neutral
Received: from merlin.infradead.org (merlin.infradead.org
 [IPv6:2001:8b0:10b:1231::1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4C46lR5jHhz9sSG
	for <incoming@patchwork.ozlabs.org>; Mon,  5 Oct 2020 02:16:51 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding:
	Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive:
	List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date:
	Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	 bh=OB7O+AHerMiaJxAtZxCpnNR+12BUxem5LOq9zRi+nLI=; b=HOltQOJL2Vae6dj34YaGiqVtZ
	Nn+bcHX1qTtSsAV6LxR7Fkdnzs+Vh3zPtzYjA7R7wEI+nIQ8ozJ7ELKPXfZ6LAz7sqy5LGxpwM+w0
	tZjfasZKNAVxVCOiLMiy6Decve9kkHvDRwQow7LjpFUu+dq6OYJbYHT22HbZufrVJdtxQPFWVgMj+
	gTrg28a2iC18idYi6HJUoB8R6va0Lf5QSndeOe92YnssoNtNzbGzkbo/eBGo/Q8jWm2N2G3wdQC2I
	DQYcAbdgDSmEUtzDptsBKeJwJa0ddlozfZqMBL6gAkj24T0pzW9jwZqrnzaEt/GLYmHMNdCGXB7gG
	kFq0g0NdQ==;
Received: from localhost ([::1] helo=merlin.infradead.org)
	by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux))
	id 1kP5jf-0006Nd-UF; Sun, 04 Oct 2020 15:15:39 +0000
Received: from mout-p-101.mailbox.org ([2001:67c:2050::465:101])
 by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux))
 id 1kP5jX-0006KH-FE
 for openwrt-devel@lists.openwrt.org; Sun, 04 Oct 2020 15:15:33 +0000
Received: from smtp1.mailbox.org (smtp1.mailbox.org
 [IPv6:2001:67c:2050:105:465:1:1:0])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest
 SHA256) (No client certificate requested)
 by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4C46jq40TqzKmj1;
 Sun,  4 Oct 2020 17:15:27 +0200 (CEST)
X-Virus-Scanned: amavisd-new at heinlein-support.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hauke-m.de; s=MBO0001;
 t=1601824525;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=Vybxq5xVNHBok+cPi0gx1jwroi1FUKlllHapbO4wZMo=;
 b=oe0P+E6wHAR2FsMwcFX/VYs9ERw0io2AXTG3B5CMNiK/nxNZkTndjwaH41myhAFW6629bN
 g7bqivHEvu72rXHW4wlvSb4cBQCEMIke/H+MkatdXlKm/5+1CSXJmDLLqJBjHJ7adRqnp8
 UsScHFznGHyCpc2cf903W2874MiFj0axS7K0+5TRv9TXVGuYavuBrsB88AVXb7+Sg8TD28
 +2k6d80nS96D4A3YOuWSp7Qf10AVxCDIZd2sjjxuLwc6lS4doIo8o1efwGYc3jx2pSwR9R
 e0+Y9OFEzMS6Tq7gp37IsgRO/uU1BTQTYL/3PqML3H7x2vesunA0VqQ4T2LzqA==
Received: from smtp1.mailbox.org ([80.241.60.240])
 by gerste.heinlein-support.de (gerste.heinlein-support.de [91.198.250.173])
 (amavisd-new, port 10030)
 with ESMTP id US4eqtqL95nE; Sun,  4 Oct 2020 17:15:24 +0200 (CEST)
From: Hauke Mehrtens <hauke@hauke-m.de>
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH uci v2 2/4] file: Check buffer size after strtok()
Date: Sun,  4 Oct 2020 17:14:49 +0200
Message-Id: <20201004151451.16015-3-hauke@hauke-m.de>
In-Reply-To: <20201004151451.16015-1-hauke@hauke-m.de>
References: <20201004151451.16015-1-hauke@hauke-m.de>
MIME-Version: 1.0
X-MBO-SPAM-Probability: 
X-Rspamd-Score: -4.80 / 15.00 / 15.00
X-Rspamd-Queue-Id: AC46017E3
X-Rspamd-UID: 583152
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20201004_111531_631039_AFBF9FE0 
X-CRM114-Status: GOOD (  23.71  )
X-Spam-Score: -0.2 (/)
X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary:
 Content analysis details:   (-0.2 points)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
 no trust [2001:67c:2050:0:0:0:465:101 listed in]
 [list.dnswl.org]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
 author's domain
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
 envelope-from domain
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily
 valid
X-BeenThere: openwrt-devel@lists.openwrt.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OpenWrt Development List <openwrt-devel.lists.openwrt.org>
List-Unsubscribe: <https://lists.openwrt.org/mailman/options/openwrt-devel>,
 <mailto:openwrt-devel-request@lists.openwrt.org?subject=unsubscribe>
List-Archive: <http://lists.openwrt.org/pipermail/openwrt-devel/>
List-Post: <mailto:openwrt-devel@lists.openwrt.org>
List-Help: <mailto:openwrt-devel-request@lists.openwrt.org?subject=help>
List-Subscribe: <https://lists.openwrt.org/mailman/listinfo/openwrt-devel>,
 <mailto:openwrt-devel-request@lists.openwrt.org?subject=subscribe>
Cc: Hauke Mehrtens <hauke@hauke-m.de>, ynezz@true.cz
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>
Errors-To: 
 openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org

This fixes a heap overflow in the parsing of the uci line.

The line which is parsed and put into pctx->buf is null terminated and
stored on the heap. In the uci_parse_line() function we use strtok() to
split this string in multiple parts after divided by a space or tab.
strtok() replaces these characters with a NULL byte. If the next byte is
NULL we assume that this NULL byte was added by strtok() and try to
parse the string after this NULL byte. If this NULL byte was not added
by strtok(), but by fgets() to mark the end of the string we would read
over this end of the string in uninitialized memory and later over the
allocated buffer.

Fix this problem by storing how long the line we read was and check if
we would read over the end of the string here.

This also adds the input which detected this crash to the corpus of the
fuzzer.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
---

Changelog:
v1:
 - Add missing 2e18ecc3a759dedc9357b1298e9269eccc5c5a6b file
 - Adapt tests for new fuzzer file
 - Fix strlen() arguments
 - Call uci_parse_error() instead of return in case of an error

 file.c                                        | 19 ++++++++++++++++---
 tests/cram/test-san_uci_import.t              |  1 +
 tests/cram/test_uci_import.t                  |  1 +
 .../2e18ecc3a759dedc9357b1298e9269eccc5c5a6b  |  1 +
 uci_internal.h                                |  1 +
 5 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100644 tests/fuzz/corpus/2e18ecc3a759dedc9357b1298e9269eccc5c5a6b

diff --git a/file.c b/file.c
index 003f6c6..0946490 100644
--- a/file.c
+++ b/file.c
@@ -68,6 +68,7 @@ __private void uci_getln(struct uci_context *ctx, size_t offset)
 			return;
 
 		ofs += strlen(p);
+		pctx->buf_filled = ofs;
 		if (pctx->buf[ofs - 1] == '\n') {
 			pctx->line++;
 			return;
@@ -125,6 +126,15 @@ static inline void addc(struct uci_context *ctx, size_t *pos_dest, size_t *pos_s
 	*pos_src += 1;
 }
 
+static int uci_increase_pos(struct uci_parse_context *pctx, size_t add)
+{
+	if (pctx->pos + add > pctx->buf_filled)
+		return -EINVAL;
+
+	pctx->pos += add;
+	return 0;
+}
+
 /*
  * parse a double quoted string argument from the command line
  */
@@ -389,7 +399,8 @@ static void uci_parse_package(struct uci_context *ctx, bool single)
 	char *name;
 
 	/* command string null-terminated by strtok */
-	pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
+	if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx)) + 1))
+		uci_parse_error(ctx, "package without name");
 
 	ofs_name = next_arg(ctx, true, true, true);
 	assert_eol(ctx);
@@ -421,7 +432,8 @@ static void uci_parse_config(struct uci_context *ctx)
 	}
 
 	/* command string null-terminated by strtok */
-	pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
+	if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx)) + 1))
+		uci_parse_error(ctx, "config without name");
 
 	ofs_type = next_arg(ctx, true, false, false);
 	type = pctx_str(pctx, ofs_type);
@@ -471,7 +483,8 @@ static void uci_parse_option(struct uci_context *ctx, bool list)
 		uci_parse_error(ctx, "option/list command found before the first section");
 
 	/* command string null-terminated by strtok */
-	pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
+	if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx)) + 1))
+		uci_parse_error(ctx, "option without name");
 
 	ofs_name = next_arg(ctx, true, true, false);
 	ofs_value = next_arg(ctx, false, false, false);
diff --git a/tests/cram/test-san_uci_import.t b/tests/cram/test-san_uci_import.t
index da0e3f2..9259f5e 100644
--- a/tests/cram/test-san_uci_import.t
+++ b/tests/cram/test-san_uci_import.t
@@ -7,6 +7,7 @@ check that uci import is producing expected results:
   $ for file in $(LC_ALL=C find $FUZZ_CORPUS -type f | sort ); do
   >   uci-san import -f $file; \
   > done
+  uci-san: Parse error (package without name) at line 0, byte 68
   uci-san: I/O error
   uci-san: Parse error (invalid command) at line 0, byte 0
   uci-san: I/O error
diff --git a/tests/cram/test_uci_import.t b/tests/cram/test_uci_import.t
index c080eed..e851780 100644
--- a/tests/cram/test_uci_import.t
+++ b/tests/cram/test_uci_import.t
@@ -7,6 +7,7 @@ check that uci import is producing expected results:
   $ for file in $(LC_ALL=C find $FUZZ_CORPUS -type f | sort ); do
   >   valgrind --quiet --leak-check=full uci import -f $file; \
   > done
+  uci: Parse error (package without name) at line 0, byte 68
   uci: I/O error
   uci: Parse error (invalid command) at line 0, byte 0
   uci: I/O error
diff --git a/tests/fuzz/corpus/2e18ecc3a759dedc9357b1298e9269eccc5c5a6b b/tests/fuzz/corpus/2e18ecc3a759dedc9357b1298e9269eccc5c5a6b
new file mode 100644
index 0000000..e14a79f
--- /dev/null
+++ b/tests/fuzz/corpus/2e18ecc3a759dedc9357b1298e9269eccc5c5a6b
@@ -0,0 +1 @@
+                                                                    p
\ No newline at end of file
diff --git a/uci_internal.h b/uci_internal.h
index 3a94dbb..34528f0 100644
--- a/uci_internal.h
+++ b/uci_internal.h
@@ -33,6 +33,7 @@ struct uci_parse_context
 	const char *name;
 	char *buf;
 	size_t bufsz;
+	size_t buf_filled;
 	size_t pos;
 };
 #define pctx_pos(pctx)		((pctx)->pos)