Dex fixes #1728
Conversation
This commit fixes a few crashes in the dex module. There are actually three of them:

The first is incorrect usage of "struct_fits_in_dex" caused by passing "sizeof(code_item_t)" instead of just "code_item_t" as the third argument. In the test case the pointer for code_item started in the bounds of the dex but only the first 8 bytes were within bounds, and since "sizeof(sizeof(code_item_t))" is less than 8 the check was passing. The fix here is to pass just the struct type as the third argument.

The second crash was an off-by-one error when parsing a string. The check ensured the string fits in the dex but was not including an extra byte which was copied in the call to set_sized_string. Just like before, this was a case of a string falling right on the end of a dex file.

The third crash was due to a missing "struct_fits_in_dex" check. We ended up with a pointer to a map_item_t which was off the end of the dex bounds.

With this commit all the test cases provided in the report are now passing. I did a quick sweep of the module to make sure there were no other cases where we were incorrectly using "struct_fits_in_dex" and didn't find any.

These were all documented in a private report via huntr.dev (https://huntr.dev/bounties/007a7784-c211-4847-9cc3-aec38e7d5157/). Found by @sudhackar. Fixes VirusTotal#1726.
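To make the first two bug classes concrete, here is an added illustration (not YARA's code; the `buf_t`, `fits_in_buf` and `struct_fits_in_buf` names, the `code_item_t` layout and the 24-byte sample "dex" are all assumptions constructed to mirror the usage described above). It shows why a bounds-check macro that applies `sizeof()` to its argument silently under-checks when handed `sizeof(code_item_t)`, and why a string check must cover the terminator byte that the copy reads.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the dex module's buffer descriptor (not YARA's type). */
typedef struct { const uint8_t *data; size_t size; } buf_t;

/* Illustrative 16-byte code_item_t layout (assumed); only its size matters here. */
typedef struct {
  uint16_t registers_size, ins_size, outs_size, tries_size;
  uint32_t debug_info_off, insns_size;
} code_item_t;

/* Does [p, p+len) lie entirely inside the buffer? Overflow-safe: compare against
   the remaining bytes rather than computing p+len. */
static bool fits_in_buf(const buf_t *b, const void *p, size_t len) {
  const uint8_t *q = (const uint8_t *)p;
  if (q < b->data || q > b->data + b->size) return false;
  return len <= (size_t)((b->data + b->size) - q);
}

/* The helper applies sizeof() itself, so the third argument must be a TYPE. */
#define struct_fits_in_buf(b, p, type) fits_in_buf((b), (p), sizeof(type))

/* Bug 1: passing sizeof(code_item_t) makes the macro evaluate
   sizeof(sizeof(code_item_t)) == sizeof(size_t), so at most 8 bytes are checked. */
static bool code_item_check_buggy(const buf_t *b, const void *p) {
  return struct_fits_in_buf(b, p, sizeof(code_item_t));
}
static bool code_item_check_fixed(const buf_t *b, const void *p) {
  return struct_fits_in_buf(b, p, code_item_t);
}

/* Bug 2: the copy reads len+1 bytes (terminator included), so the bounds
   check must cover len+1 as well, not just len. */
static bool string_check_buggy(const buf_t *b, const char *s, size_t len) {
  return fits_in_buf(b, s, len);
}
static bool string_check_fixed(const buf_t *b, const char *s, size_t len) {
  return len < SIZE_MAX && fits_in_buf(b, s, len + 1);
}

/* Constructed 24-byte "dex": a code_item starts 8 bytes before the end, and a
   4-byte string occupies the last 4 bytes with no room for its terminator. */
static const uint8_t DEX[24] = {0};
static const buf_t DEX_BUF = { DEX, sizeof(DEX) };
static const void *tail_code_item(void) { return DEX + 16; }
static const char *tail_string(void) { return (const char *)(DEX + 20); }
```

The buggy checks accept both tail objects (8 <= 8 and 4 <= 4), while the corrected ones reject them (16 > 8 and 5 > 4), which is exactly the end-of-file case the report's test inputs hit.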
Forgot to mention, I fixed some compiler warnings in a previous commit on this branch. Probably should have sent that as a separate PR, sorry for the noise.
I confirmed that all the provided test cases in the report are no longer causing crashes under asan.
@JamieSlome I've updated the report. We'll wait for the reporter's confirmation that he doesn't reproduce the issues anymore with the latest changes.
@plusvic - thank you ❤️
* Fix compiler warnings with dex debug mode.
* Fix crashes in dex module.

  This commit fixes a few crashes in the dex module. There are actually three of them:

  The first is incorrect usage of "struct_fits_in_dex" caused by passing "sizeof(code_item_t)" instead of just "code_item_t" as the third argument. In the test case the pointer for code_item started in the bounds of the dex but only the first 8 bytes were within bounds, and since "sizeof(sizeof(code_item_t))" is less than 8 the check was passing. The fix here is to pass just the struct type as the third argument.

  The second crash was an off-by-one error when parsing a string. The check ensured the string fits in the dex but was not including an extra byte which was copied in the call to set_sized_string. Just like before, this was a case of a string falling right on the end of a dex file.

  The third crash was due to a missing "struct_fits_in_dex" check. We ended up with a pointer to a map_item_t which was off the end of the dex bounds.

  With this commit all the test cases provided in the report are now passing. I did a quick sweep of the module to make sure there were no other cases where we were incorrectly using "struct_fits_in_dex" and didn't find any.

  These were all documented in a private report via huntr.dev (https://huntr.dev/bounties/007a7784-c211-4847-9cc3-aec38e7d5157/). Found by @sudhackar. Fixes #1726.
This fixes the crashes reported on huntr.dev. While there were 5 test cases reported, there were only three distinct bugs triggered.
I'll take a look at #950 and #951 tomorrow night but there's a good chance they are already fixed.