tbeu/matio

Improperly controlled sequential memory allocation in function ReadNextStructField() in mat.c

chibataiki opened this issue · 2 comments

Hi,

A memory exhaustion vulnerability was found in the function ReadNextStructField() in mat.c, which allows attackers to cause a denial of service.

env
version 1.5.21 : commit 8e18058
ubuntu 20.04 x86_64
gcc version 9.3.0

   MATIO Configuration Summary
==============================================================
           C Compiler: gcc
               CFLAGS:  -g -O2
     Shared Libraries: yes
     Static Libraries: yes
  default MAT version: MAT_FT_MAT5

Features --------------------------------------------
  MAT v7.3 file support: no
Extended sparse support: yes

Packages --------------------------------------------
                 zlib: -lz
                 hdf5:
               MATLAB:

reproduce
./configure
make
./matdump poc
poc zipped

debug info

In this for loop, Mat_VarCalloc() will run 0x3030303 times and exhaust all memory (on my machine, 8G), and the process is then terminated with signal SIGKILL.

─ source:mat5.c+1474 ────
   1469          }
   1470
   1471          fields = (matvar_t **)matvar->data;
   1472          for ( i = 0; i < nelems; i++ ) {
   1473              size_t k;
 → 1474              for ( k = 0; k < nfields; k++ ) {
   1475                  fields[i * nfields + k] = Mat_VarCalloc();
   1476              }
   1477          }
   1478          if ( NULL != matvar->internal->fieldnames ) {
   1479              for ( i = 0; i < nelems; i++ ) {
───────────────────
[#2] 0x7ffff7fb81b0 → Mat_VarCalloc()
[#3] 0x7ffff7fb2555 → ReadNextStructField(mat=0x55555555e480, matvar=0x55555555f5e0)
[#4] 0x7ffff7fb5910 → Mat_VarReadNextInfo5(mat=0x55555555e480)
[#5] 0x555555556fac → main(argc=0x2, argv=0x7fffffffe3a8)

gef➤  p len
$4 = 0x27272727
gef➤  p fieldname_size
$5 = 0xd
gef➤  p len / fieldname_size
$6 = 0x3030303
tbeu commented

Thanks for the report. It basically is an "out-of-memory" issue. I am not sure what I can do to prevent it.

I'm not sure if setting an upper limit on the size of some variable will work or is suitable; I will analyse this later.
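The arithmetic behind the report, and one way to bound it, as an added example that is not matio's code and not from either participant above. The reported path computes nfields = len / fieldname_size from values read from the file (0x27272727 / 0xd = 0x3030303) and then makes nelems * nfields allocations, so the allocation count has no relation to the size of the file. The hardened version below does not need the arbitrary upper limit the maintainer's comment worries about: it refuses a field-name block longer than the bytes still remaining in the file (a small poc cannot contain a 0x27272727-byte block), rejects a product that would wrap size_t, and enforces a caller-chosen budget. The struct_hdr_t type, fake_matvar_t, the nelems value (1) and bytes_remaining value (512) in the poc sample are all assumptions of this example; only len and fieldname_size come from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for matio's matvar_t (hypothetical; only its existence matters). */
typedef struct {
    char *name;
    void *data;
} fake_matvar_t;

/* Hypothetical view of what the reader knows when it reaches the field loop.
 * Every member except bytes_remaining is copied straight from the file. */
typedef struct {
    size_t   nelems;          /* product of the struct's dimensions */
    uint32_t fieldname_size;  /* bytes per field name */
    uint32_t len;             /* byte length of the field-name block */
    size_t   bytes_remaining; /* bytes left in the file after this header */
} struct_hdr_t;

/* Constructed sample using the values printed in the report (len, fieldname_size);
 * nelems = 1 and bytes_remaining = 512 are assumptions, the report does not show them. */
static const struct_hdr_t POC_HDR  = { 1, 0xd, 0x27272727u, 512 };
/* Constructed well-formed sample: two elements, two 13-byte field names. */
static const struct_hdr_t SANE_HDR = { 2, 0xd, 26, 200 };
/* Constructed sample whose nelems * nfields wraps around size_t. */
static const struct_hdr_t WRAP_HDR = { SIZE_MAX, 0xd, 26, 200 };

/* The unchecked arithmetic of the reported path: nfields is derived from the
 * file and multiplied by nelems with no relation to the file's size. Returns
 * the number of Mat_VarCalloc-style allocations that would follow. */
size_t unchecked_alloc_count(const struct_hdr_t *h)
{
    size_t nfields = h->len / h->fieldname_size;  /* 0x27272727 / 0xd = 0x3030303 */
    return h->nelems * nfields;                   /* can also wrap silently */
}

/* Hardened counting. Returns 0 (reject) when the field names cannot be in the
 * file, when the product would overflow, or when it exceeds the caller's cap;
 * otherwise stores nfields and the total number of slots. */
int checked_field_counts(const struct_hdr_t *h, size_t max_total,
                         size_t *nfields_out, size_t *total_out)
{
    if (h->fieldname_size == 0)
        return 0;                               /* division by zero */
    if (h->len > h->bytes_remaining)
        return 0;                               /* names claimed but not present */
    size_t nfields = h->len / h->fieldname_size;
    if (nfields != 0 && h->nelems > SIZE_MAX / nfields)
        return 0;                               /* nelems * nfields overflows */
    size_t total = h->nelems * nfields;
    if (total > max_total)
        return 0;                               /* beyond this reader's budget */
    *nfields_out = nfields;
    *total_out = total;
    return 1;
}

static void free_fields(fake_matvar_t **fields, size_t total)
{
    for (size_t i = 0; i < total; i++)
        free(fields[i]);                        /* free(NULL) is a no-op */
    free(fields);
}

/* Same loop shape as the mat5.c excerpt in the report, but only after the
 * counts pass. Returns the table (free with free_fields) or NULL. */
fake_matvar_t **alloc_fields(const struct_hdr_t *h, size_t max_total, size_t *total_out)
{
    size_t nfields, total;
    if (!checked_field_counts(h, max_total, &nfields, &total))
        return NULL;
    fake_matvar_t **fields = calloc(total ? total : 1, sizeof *fields);
    if (fields == NULL)
        return NULL;
    for (size_t i = 0; i < h->nelems; i++) {
        for (size_t k = 0; k < nfields; k++) {
            fields[i * nfields + k] = calloc(1, sizeof(fake_matvar_t));
            if (fields[i * nfields + k] == NULL) {
                free_fields(fields, total);     /* partial table is zero-filled */
                return NULL;
            }
        }
    }
    *total_out = total;
    return fields;
}

/* Number of field slots actually allocated for a header; 0 if rejected. */
size_t allocated_field_count(const struct_hdr_t *h, size_t max_total)
{
    size_t total = 0;
    fake_matvar_t **fields = alloc_fields(h, max_total, &total);
    if (fields == NULL)
        return 0;
    free_fields(fields, total);
    return total;
}

int main(void)
{
    printf("poc: unchecked would make 0x%zx allocations, hardened makes %zu\n",
           unchecked_alloc_count(&POC_HDR), allocated_field_count(&POC_HDR, 1u << 20));
    printf("sane: hardened makes %zu allocations\n", allocated_field_count(&SANE_HDR, 1u << 20));
    return 0;
}
```

The bytes_remaining check is the one that matters for this poc: a field-name block cannot be larger than the rest of the file, so tying len to the remaining file size rejects the crafted header without guessing a "reasonable" field count. The overflow guard covers the separate case where nelems * nfields wraps to a small number and the later index arithmetic writes past the table.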