Hi folks,
An interesting crash was found while fuzz testing the forestdb_dump binary; it can be triggered via a malformed database file. Although this malformed file only crashes the program as-is, it could potentially be crafted further and create a security issue where these kinds of files would be able to compromise the process's memory by taking advantage of affordances given by memory corruption. It's recommended to harden the code to prevent these kinds of bugs, as it could greatly mitigate this issue and even future bugs.
(renamed to .txt for github)
$ forestdb_dump crash.fdb
Segmentation fault (core dumped)
$ gdb -q forestdb_dump
Reading symbols from forestdb_dump...
(gdb) r crash.fdb
Starting program: forestdb_dump crash.fdb
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff79f2700 (LWP 1245583)]
[New Thread 0x7ffff71f1700 (LWP 1245584)]
[New Thread 0x7ffff69f0700 (LWP 1245585)]
[New Thread 0x7ffff61ef700 (LWP 1245586)]
Thread 1 "forestdb_dump" received signal SIGSEGV, Segmentation fault.
_sb_read_given_no (file=0x5555555df630, sb_no=<optimized out>, sb=<optimized out>, log_callback=<optimized out>) at forestdb/src/superblock.cc:1520
1520 sb->bmp_doc_offset[i] = _endian_decode(enc_u64);
(gdb) bt
#0 _sb_read_given_no (file=0x5555555df630, sb_no=<optimized out>, sb=<optimized out>, log_callback=<optimized out>) at forestdb/src/superblock.cc:1520
#1 0x00005555555a7aa7 in sb_read_latest (file=0x5555555df630, sconfig=..., log_callback=<optimized out>) at forestdb/src/superblock.cc:1674
#2 0x000055555557d75e in filemgr_open (filename=filename@entry=0x7fffffffc5c0 "crash.fdb", ops=<optimized out>, config=config@entry=0x7fffffffc270,
log_callback=log_callback@entry=0x5555555db048) at forestdb/src/filemgr.cc:1005
#3 0x0000555555584036 in _fdb_open (handle=handle@entry=0x5555555daee0, filename=filename@entry=0x7fffffffe6b0 "crash.fdb", filename_mode=filename_mode@entry=FDB_VFILENAME,
config=config@entry=0x7fffffffdf10) at forestdb/src/forestdb.cc:1689
#4 0x0000555555585ae1 in fdb_open (ptr_fhandle=0x7fffffffe160, filename=0x7fffffffe6b0 "crash.fdb", fconfig=0x7fffffffe1a0)
at forestdb/src/forestdb.cc:833
#5 0x0000555555563654 in process_file (opt=0x7fffffffe2e0) at forestdb/tools/forestdb_dump.cc:254
#6 0x0000555555561f75 in main (argc=2, argv=0x7fffffffe418) at forestdb/tools/forestdb_dump.cc:390
(gdb) i r
rax 0x68 104
rbx 0x5555555dfc00 93824992803840
rcx 0x5555555e0d30 93824992808240
rdx 0x88f46760570fd337 -8578117726758776009
rsi 0x652e23e27000 111248844943360
rdi 0x0 0
rbp 0x7ffffffd4b20 0x7ffffffd4b20
rsp 0x7ffffffd4850 0x7ffffffd4850
r8 0x0 0
r9 0x0 0
r10 0x5555555ea000 93824992845824
r11 0xfffffffffffff000 -4096
r12 0xe744e44a068 15892692115560
r13 0x5555555df630 93824992802352
r14 0x7ffffffd48b8 140737488177336
r15 0xdeadcafebeefc002 -2401039830844719102
rip 0x5555555a7783 0x5555555a7783 <_sb_read_given_no(filemgr*, size_t, superblock*, err_log_callback*)+883>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/i $rip
=> 0x5555555a7783 <_sb_read_given_no(filemgr*, size_t, superblock*, err_log_callback*)+883>: mov %rdx,-0x68(%r8,%rax,1)
(gdb) exploitable
Description: Access violation near NULL on destination operand
Short description: DestAvNearNull (15/22)
Hash: d6199a1b37a756f3d37f258a8faaa290.ecc8eda54691748cb17fcce5cae118bb
Exploitability Classification: PROBABLY_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.
Other tags: AccessViolation (21/22)
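The faulting instruction writes a decoded u64 through a base register that is 0, i.e. the offsets array was never backed by a valid allocation before the loop wrote into it. As an added example of the hardening asked for above (not ForestDB's code; the on-disk layout, field names and the upper bound are assumed for illustration), a reader that validates the entry count against the file length and checks the allocation before any write:

```c
/* Added example, not ForestDB's code. Assumed layout: a little-endian
 * u32 entry count followed by count little-endian u64 offsets. */
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

#define SB_MAX_BMP_DOCS 4096          /* assumed sane upper bound */

struct superblock {
    uint32_t  num_bmp_docs;
    uint64_t *bmp_doc_offset;         /* NULL until successfully read */
};

/* Decode n bytes (n <= 8) of little-endian data. */
static uint64_t decode_le(const uint8_t *p, size_t n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Returns 0 on success, -1 on malformed input. No write happens until
 * the count is proven to fit the buffer and the allocation succeeded. */
int sb_read_bmp_doc_offsets(const uint8_t *buf, size_t len, struct superblock *sb) {
    if (len < 4) return -1;
    uint64_t count = decode_le(buf, 4);
    if (count > SB_MAX_BMP_DOCS) return -1;      /* absurd count: reject early */
    if ((len - 4) / 8 < count) return -1;        /* file cannot back this many entries */
    uint64_t *offsets = count ? calloc((size_t)count, sizeof *offsets) : NULL;
    if (count && !offsets) return -1;            /* failed allocation is an error, not a NULL write */
    for (uint64_t i = 0; i < count; i++)
        offsets[i] = decode_le(buf + 4 + i * 8, 8);
    free(sb->bmp_doc_offset);
    sb->bmp_doc_offset = offsets;
    sb->num_bmp_docs = (uint32_t)count;
    return 0;
}

/* Constructed inputs: a well-formed buffer with two entries, and a
 * malformed one whose count (3) exceeds the single entry present. */
static const uint8_t GOOD[] = {2,0,0,0, 1,0,0,0,0,0,0,0, 0x10,0x20,0,0,0,0,0,0};
static const uint8_t BAD[]  = {3,0,0,0, 1,0,0,0,0,0,0,0};

int demo_good_rc(void) {
    struct superblock sb = {0};
    int rc = sb_read_bmp_doc_offsets(GOOD, sizeof GOOD, &sb);
    free(sb.bmp_doc_offset);
    return rc;
}
uint64_t demo_good_second_offset(void) {
    struct superblock sb = {0};
    uint64_t v = sb_read_bmp_doc_offsets(GOOD, sizeof GOOD, &sb) == 0 ? sb.bmp_doc_offset[1] : 0;
    free(sb.bmp_doc_offset);
    return v;
}
int demo_bad_rc(void) {
    struct superblock sb = {0};
    int rc = sb_read_bmp_doc_offsets(BAD, sizeof BAD, &sb);
    free(sb.bmp_doc_offset);
    return rc;
}
```

The same shape applies wherever a count or size read from the file drives a loop: bound it, compare it to the bytes actually available, and treat an allocation failure as a parse error rather than continuing into the write loop.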