
Out-of-Bound Write in BerEncoder_encodeBitString /src/libiec61850/src/mms/asn1/ber_encoder.c:147:26 #516

Open
gnbon opened this issue Jun 14, 2024 · 0 comments


gnbon commented Jun 14, 2024

Summary

An Out-of-Bound Write vulnerability was discovered in the BerEncoder_encodeBitString function of the ber_encoder.c file in the libiec61850 library through fuzzing. This vulnerability is triggered when encoding the MMS_BIT_STRING type MmsData.

Details

The vulnerability occurs in the BerEncoder_encodeBitString function when processing the bit string data. When the bufPos index used to write to the output buffer is not properly validated, it leads to an out-of-bounds write.
Let's consider the following code:

int
BerEncoder_encodeBitString(uint8_t tag, int bitStringSize, uint8_t* bitString, uint8_t* buffer, int bufPos)
{
    buffer[bufPos++] = tag;               /* unchecked write: tag octet */

    int byteSize = bitStringSize / 8;
    if (bitStringSize % 8)
        byteSize++;

    int padding = (byteSize * 8) - bitStringSize;

    bufPos = BerEncoder_encodeLength(byteSize + 1, buffer, bufPos);

    buffer[bufPos++] = padding;           /* unchecked write: unused-bits octet */

    int i;
    for (i = 0; i < byteSize; i++) {
        buffer[bufPos++] = bitString[i];  /* unchecked writes: bit string content */
    }

    return bufPos;
}

The function writes the encoded bit string data to the buffer starting at the bufPos index. However, there is no proper boundary check to ensure that bufPos does not exceed the valid range of the buffer. As a result, if the bitStringSize is large enough or if the bufPos is already close to the end of the buffer, an out-of-bounds write can occur.

Impact:

An attacker can exploit this vulnerability by crafting malicious input data that triggers the out-of-bounds write. This can lead to memory corruption, or potentially execute arbitrary code.

Recommendation:

To mitigate this vulnerability, it is crucial to perform proper boundary checks in the BerEncoder_encodeBitString function. The code should ensure that bufPos never exceeds the valid range of the buffer. Additionally, input validation should be implemented to reject invalid or malformed bit string data.

PoC

A proof-of-concept exploit has been provided in the attached file. This PoC demonstrates how the vulnerability can be triggered by sending specially crafted input data to the affected functions.
poc.zip

Address Sanitizer

==29419==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50d0000000c2 at pc 0x55a5b9d8a490 bp 0x7ffc2dfc9ad0 sp 0x7ffc2dfc9ac8
WRITE of size 1 at 0x50d0000000c2 thread T0
    #0 0x55a5b9d8a48f in BerEncoder_encodeBitString /src/libiec61850/src/mms/asn1/ber_encoder.c:147:26
    #1 0x55a5b9d85dd3 in MmsValue_encodeMmsData /src/libiec61850/src/mms/iso_mms/server/mms_access_result.c:568:22
    #2 0x55a5b9d6ce39 in LLVMFuzzerTestOneInput /src/libiec61850/build/../fuzz/fuzz_mms_encode.c:26:5
    #3 0x55a5b9d6ccb9 in ExecuteFilesOnyByOne /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #4 0x55a5b9d6cab5 in LLVMFuzzerRunDriver /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c
    #5 0x55a5b9d6c66d in main /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:311:10
    #6 0x7efe3a8f4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7efe3a8f4e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x55a5b9c9445d in _start (/home/user/oss-fuzz/build/out/libiec61850/fuzz_mms_encode+0x2d45d)

0x50d0000000c2 is located 0 bytes after 130-byte region [0x50d000000040,0x50d0000000c2)
allocated by thread T0 here:
    #0 0x55a5b9d2f82e in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x55a5b9d9cff9 in Memory_malloc /src/libiec61850/hal/memory/lib_memory.c:33:20
    #2 0x55a5b9d6cdeb in LLVMFuzzerTestOneInput /src/libiec61850/build/../fuzz/fuzz_mms_encode.c:21:37
    #3 0x55a5b9d6ccb9 in ExecuteFilesOnyByOne /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:255:7

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libiec61850/src/mms/asn1/ber_encoder.c:147:26 in BerEncoder_encodeBitString
==29419==ABORTING

CVE Assignment Request:

I kindly request the assignment of a Common Vulnerabilities and Exposures (CVE) identifier for the Out-of-Bound Read vulnerability.
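A bounds-checked variant of the encoder, added here as an illustration of the recommendation above; it is not libiec61850's code. The name BerEncoder_encodeBitStringChecked, the extra bufSize parameter and the simplified encodeLengthChecked helper are assumptions made for this example; the sample bit string is constructed.

```c
#include <stdint.h>
#include <string.h>

/* Simplified DER length encoder (assumed helper, not the library's own):
   short form below 128, long form otherwise. Returns new bufPos or -1 if it does not fit. */
static int
encodeLengthChecked(uint32_t length, uint8_t* buffer, int bufPos, int bufSize)
{
    if (length < 128) {
        if (bufPos + 1 > bufSize) return -1;
        buffer[bufPos++] = (uint8_t) length;
        return bufPos;
    }
    int numBytes = 0;
    for (uint32_t tmp = length; tmp != 0; tmp >>= 8) numBytes++;
    if (bufPos + 1 + numBytes > bufSize) return -1;
    buffer[bufPos++] = (uint8_t) (0x80 | numBytes);
    for (int i = numBytes - 1; i >= 0; i--)
        buffer[bufPos++] = (uint8_t) (length >> (8 * i));
    return bufPos;
}

/* Hypothetical hardened encoder: every write is checked against bufSize; returns -1 on overflow. */
int
BerEncoder_encodeBitStringChecked(uint8_t tag, int bitStringSize, const uint8_t* bitString,
                                  uint8_t* buffer, int bufPos, int bufSize)
{
    if (bitStringSize < 0 || bufPos < 0 || bufPos >= bufSize) return -1;
    int byteSize = bitStringSize / 8 + (bitStringSize % 8 ? 1 : 0);
    int padding = (8 - bitStringSize % 8) % 8;        /* unused bits, no (byteSize * 8) overflow */
    buffer[bufPos++] = tag;                           /* bufPos < bufSize verified above */
    bufPos = encodeLengthChecked((uint32_t) byteSize + 1, buffer, bufPos, bufSize);
    if (bufPos < 0) return -1;
    if (byteSize > bufSize - bufPos - 1) return -1;   /* padding octet + content must fit */
    buffer[bufPos++] = (uint8_t) padding;
    memcpy(buffer + bufPos, bitString, (size_t) byteSize);
    return bufPos + byteSize;
}

/* Encodes a constructed 10-bit sample into a bufSize-byte window of a 64-byte canary-filled
   buffer. Returns the new bufPos, -1 if rejected, -2 if bytes past bufSize were touched,
   -3 if the encoding differs from the expected TLV. */
int
demoEncode(int bufSize)
{
    static const uint8_t sample[2] = { 0xAB, 0xC0 };                     /* constructed */
    static const uint8_t expected[5] = { 0x84, 0x03, 0x06, 0xAB, 0xC0 }; /* tag, len, pad, data */
    uint8_t buffer[64];
    if (bufSize > 64) return -1;
    memset(buffer, 0xEE, sizeof buffer);
    int end = BerEncoder_encodeBitStringChecked(0x84, 10, sample, buffer, 0, bufSize);
    for (int i = bufSize; i < 64; i++) if (buffer[i] != 0xEE) return -2;
    if (end == 5 && memcmp(buffer, expected, 5) != 0) return -3;
    return end;
}
```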
