srsran/srsRAN_Project

srsGNB stack-buffer-overflow when parsing a fuzzed UL-DCCH message

lbm98 opened this issue · 1 comments

Issue Description

srsGNB accesses unallocated memory when parsing a fuzzed UL-DCCH message

Setup Details

It can be reproduced by sending the fuzzed message from the srsRAN_4G UE over ZeroMQ to the srsGNB,
but it is much simpler to add the following unit test in this directory:

#include "srsran/asn1/rrc_nr/rrc_nr.h"
#include "srsran/asn1/rrc_nr/ul_dcch_msg.h"

int main() {
    // Fuzzed UL-DCCH PDU that triggers the out-of-bounds read
    srsran::byte_buffer pdu = srsran::byte_buffer::create({0x24,0x32,0xfe,0x00,0x80,0x9f}).value();
    asn1::cbit_ref cbref(pdu);
    asn1::rrc_nr::ul_dcch_msg_s msg;
    msg.unpack(cbref); // return code deliberately ignored: the crash happens inside unpack
    return 0;
}

and edit the CMake file to include the new unit test:

add_executable(ul_dcch_vulnerability ul_dcch_vulnerability.cpp)
target_link_libraries(ul_dcch_vulnerability rrc_nr_asn1)

Make sure to compile with AddressSanitizer enabled:

cmake \
    -B build-asan \
    -G Ninja \
    -DCMAKE_CXX_COMPILER=clang++ \
    -DCMAKE_CXX_FLAGS="-fsanitize=address"

Expected Behavior

The parser avoids unallocated accesses.

Actual Behaviour

AddressSanitizer generates the following error:

==13==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x745692000f50 at pc 0x5ed61d61d258 bp 0x7fff29d02810 sp 0x7fff29d02808
READ of size 1 at 0x745692000f50 thread T0
    #0 0x5ed61d61d257 in asn1::ext_groups_unpacker_guard::~ext_groups_unpacker_guard() (/srs/srsRAN_Project/build-asan/tests/unittests/asn1/ul_dcch_vulnerability+0x8d7257) (BuildId: 929d5ebd2f6df0a78e637572fffdaf24c23d012e)
    #1 0x5ed61d1ca93b in asn1::rrc_nr::ul_tx_direct_current_cell_s::unpack(asn1::cbit_ref&) (/srs/srsRAN_Project/build-asan/tests/unittests/asn1/ul_dcch_vulnerability+0x48493b) (BuildId: 929d5ebd2f6df0a78e637572fffdaf24c23d012e)
    #2 0x5ed61d229b50 in asn1::SRSASN_CODE asn1::unpack_dyn_seq_of<asn1::dyn_array<asn1::rrc_nr::ul_tx_direct_current_cell_s>>(asn1::dyn_array<asn1::rrc_nr::ul_tx_direct_current_cell_s>&, asn1::cbit_ref&, unsigned int, unsigned int, bool) (/srs/srsRAN_Project/build-asan/tests/unittests/asn1/ul_dcch_vulnerability+0x4e3b50) (BuildId: 929d5ebd2f6df0a78e637572fffdaf24c23d012e)
    #3 0x5ed61d202b55 in asn1::rrc_nr::rrc_resume_complete_ies_s::unpack(asn1::cbit_ref&) (/srs/srsRAN_Project/build-asan/tests/unittests/asn1/ul_dcch_vulnerability+0x4bcb55) (BuildId: 929d5ebd2f6df0a78e637572fffdaf24c23d012e)
    #4 0x5ed61d212bd5 in asn1::rrc_nr::rrc_resume_complete_s::crit_exts_c_::unpack(asn1::cbit_ref&) (/srs/srsRAN_Project/build-asan/tests/unittests/asn1/ul_dcch_vulnerability+0x4ccbd5) (BuildId: 929d5ebd2f6df0a78e637572fffdaf24c23d012e)
    #5 0x5ed61d212b61 in asn1::rrc_nr::rrc_resume_complete_s::unpack(asn1::cbit_ref&) (/srs/srsRAN_Project/build-asan/tests/unittests/asn1/ul_dcch_vulnerability+0x4ccb61) (BuildId: 929d5ebd2f6df0a78e637572fffdaf24c23d012e)
    #6 0x5ed61cf860ab in asn1::rrc_nr::ul_dcch_msg_type_c::c1_c_::unpack(asn1::cbit_ref&) (/srs/srsRAN_Project/build-asan/tests/unittests/asn1/ul_dcch_vulnerability+0x2400ab) (BuildId: 929d5ebd2f6df0a78e637572fffdaf24c23d012e)
    #7 0x5ed61cf85f28 in asn1::rrc_nr::ul_dcch_msg_type_c::unpack(asn1::cbit_ref&) (/srs/srsRAN_Project/build-asan/tests/unittests/asn1/ul_dcch_vulnerability+0x23ff28) (BuildId: 929d5ebd2f6df0a78e637572fffdaf24c23d012e)
    #8 0x5ed61cf88d43 in asn1::rrc_nr::ul_dcch_msg_s::unpack(asn1::cbit_ref&) (/srs/srsRAN_Project/build-asan/tests/unittests/asn1/ul_dcch_vulnerability+0x242d43) (BuildId: 929d5ebd2f6df0a78e637572fffdaf24c23d012e)
    #9 0x5ed61cf84222 in main (/srs/srsRAN_Project/build-asan/tests/unittests/asn1/ul_dcch_vulnerability+0x23e222) (BuildId: 929d5ebd2f6df0a78e637572fffdaf24c23d012e)
    #10 0x745693c0cd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #11 0x745693c0ce3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #12 0x5ed61ceaa794 in _start (/srs/srsRAN_Project/build-asan/tests/unittests/asn1/ul_dcch_vulnerability+0x164794) (BuildId: 929d5ebd2f6df0a78e637572fffdaf24c23d012e)

Address 0x745692000f50 is located in stack of thread T0 at offset 80 in frame
    #0 0x5ed61d1ca62f in asn1::rrc_nr::ul_tx_direct_current_cell_s::unpack(asn1::cbit_ref&) (/srs/srsRAN_Project/build-asan/tests/unittests/asn1/ul_dcch_vulnerability+0x48462f) (BuildId: 929d5ebd2f6df0a78e637572fffdaf24c23d012e)

  This frame has 2 object(s):
    [32, 80) 'group_flags' <== Memory access at offset 80 overflows this variable
    [112, 184) 'varlen_scope'

Steps to reproduce the problem

Covered in setup details.

Additional Information

Accessing unallocated memory is undefined behavior and can lead to a security vulnerability.
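As an added illustration (not srsRAN code and not part of this issue), a minimal model of the pattern the ASan frame points at: a fixed-capacity array of extension-group flags indexed by a count that comes straight from the wire. The names, the 4-bit count encoding and the capacity of 4 are assumptions made for the example; the hardened unpacker validates the wire count against the array before any indexed access.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr std::size_t kMaxExtGroups = 4;  // hypothetical fixed capacity of the flag array

// Minimal MSB-first bit reader over a byte vector (constructed for this example).
struct BitReader {
  const std::vector<uint8_t>& buf;
  std::size_t pos = 0;  // current bit position
  bool has(std::size_t nbits) const { return pos + nbits <= buf.size() * 8; }
  unsigned read(std::size_t nbits) {
    unsigned v = 0;
    for (std::size_t i = 0; i < nbits; ++i, ++pos) {
      v = (v << 1) | ((buf[pos / 8] >> (7 - pos % 8)) & 1u);
    }
    return v;
  }
};

enum class Result { Ok, Truncated, TooManyGroups };

// Hardened unpack: the wire announces how many extension groups follow (simplified
// here to a 4-bit count, value+1), but group_flags has fixed capacity, so the count
// is rejected before it is ever used as an index. Without the capacity check, a
// count above kMaxExtGroups walks past the end of the array exactly as ASan reports.
Result unpack_ext_groups(BitReader& br, std::array<bool, kMaxExtGroups>& group_flags,
                         std::size_t& nof_groups) {
  if (!br.has(4)) return Result::Truncated;
  const std::size_t count = br.read(4) + 1;               // wire count, 1..16
  if (count > kMaxExtGroups) return Result::TooManyGroups;  // the bound the report is missing
  if (!br.has(count)) return Result::Truncated;           // one presence bit per group
  for (std::size_t i = 0; i < count; ++i) group_flags[i] = br.read(1) != 0;
  nof_groups = count;
  return Result::Ok;
}

struct UnpackOutcome {
  Result res;
  std::size_t nof_groups;
  std::array<bool, kMaxExtGroups> flags;
};

// Convenience wrapper: decode one PDU and report the result and parsed flags.
UnpackOutcome unpack_from_bytes(const std::vector<uint8_t>& bytes) {
  BitReader br{bytes};
  UnpackOutcome out{Result::Ok, 0, {}};
  out.res = unpack_ext_groups(br, out.flags, out.nof_groups);
  return out;
}
```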

@lbm98 Thank you for raising this issue. The fix will be rolled into the next release.