Unsigned integer wraparound in pcap-usb-linux-common.c:85:35 #1134

Closed
kobrineli opened this issue Nov 3, 2022 · 0 comments

Hi! We've been fuzzing libpcap using sydr-fuzz and targets added to https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/libpcap by @koltiradw. We've found an unsigned integer wraparound error in pcap-usb-linux-common.c:85:35, but we don't know whether this is a real bug or a normal situation that is not worth reporting.

Work environment

OS: Ubuntu 20.04
libpcap version: 53e9577

Bug description

Unsigned integer wraparound in pcap-usb-linux-common.c:85:35.

Steps to reproduce

  1. Build docker container from https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/libpcap:

     sudo docker build -t oss-sydr-fuzz-libpcap .
    
  2. Run docker container:

     sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-libpcap /bin/bash
    
  3. Run the sanitizer-built target with the input leading to the error (sydr_e669b5e526a19e08cb046f3f24413e3d13dc6860_int_overflow_0_unsigned.txt):

     /libpcap/libfuzzer/fuzz_pcap sydr_e669b5e526a19e08cb046f3f24413e3d13dc6860_int_overflow_0_unsigned.txt
    
  4. You will see the following output:

     INFO: Running with entropic power schedule (0xFF, 100).
     INFO: Seed: 2928156220
     INFO: Loaded 1 modules   (35773 inline 8-bit counters): 35773 [0x8c29e0, 0x8cb59d), 
     INFO: Loaded 1 PC tables (35773 PCs): 35773 [0x8cb5a0,0x957170), 
     /libpcap/libfuzzer/fuzz_pcap: Running 1 inputs 1 time(s) each.
     Running: /fuzz/pcap-out/security-unique/sydr_e669b5e526a19e08cb046f3f24413e3d13dc6860_int_overflow_0_unsigned
     ../pcap-usb-linux-common.c:85:35: runtime error: unsigned integer overflow: 1 + 4294967295 cannot be represented in type 'unsigned int'
     SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../pcap-usb-linux-common.c:85:35 in 
     ../pcap-usb-linux-common.c:95:24: runtime error: implicit conversion from type 'unsigned long' of value 8573157659 (64-bit, unsigned) to type 'u_int' (aka 'unsigned int') changed the value to 4278190363 (32-bit, unsigned)
     SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../pcap-usb-linux-common.c:95:24 in 
     Executed /fuzz/pcap-out/security-unique/sydr_e669b5e526a19e08cb046f3f24413e3d13dc6860_int_overflow_0_unsigned in 1 ms
     ***
     *** NOTE: fuzzing was not performed, you have only
     ***       executed the target code on a fixed set of inputs.
     ***
    
guyharris added a commit that referenced this issue Oct 9, 2023
When adding values whose sum might overflow an unsigned integer, first
check whether the sum *would* overflow an unsigned integer and, if so,
clamp the sum at UINT_MAX.

Do the same for a multiplication.

This should fix #1134, as well as the issue in #1205.

(cherry picked from commit df1d38e)
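
The check-then-clamp approach the commit message describes, written out as an added example; this is not libpcap's code and not part of the original thread. The helper names and `total_len` are hypothetical, and the operands in `main` are the ones printed in the sanitizer output above.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper names for illustration; not libpcap's functions. */

/* a + b, clamped at UINT_MAX. "b > UINT_MAX - a" cannot itself wrap. */
unsigned int sat_add_uint(unsigned int a, unsigned int b)
{
    return (b > UINT_MAX - a) ? UINT_MAX : a + b;
}

/* a * b, clamped at UINT_MAX. The division tests the product without forming it. */
unsigned int sat_mul_uint(unsigned int a, unsigned int b)
{
    if (a != 0 && b > UINT_MAX / a)
        return UINT_MAX;
    return a * b;
}

/* Narrow a 64-bit value to unsigned int, clamping instead of truncating. */
unsigned int sat_narrow_uint(uint64_t v)
{
    return (v > UINT_MAX) ? UINT_MAX : (unsigned int)v;
}

/* Constructed use: total length = header + sum of untrusted record lengths. */
unsigned int total_len(unsigned int hdr_len,
                       const unsigned int *rec_len, size_t nrec)
{
    unsigned int total = hdr_len;
    for (size_t i = 0; i < nrec; i++)
        total = sat_add_uint(total, rec_len[i]);
    return total;
}

int main(void)
{
    unsigned int a = 1, b = UINT_MAX;   /* operands from the report (line 85) */
    uint64_t wide = 8573157659ULL;      /* value from the report (line 95) */

    printf("wrapping add:   %u\n", a + b);
    printf("saturating add: %u\n", sat_add_uint(a, b));
    printf("truncated:      %u\n", (unsigned int)wide);
    printf("clamped:        %u\n", sat_narrow_uint(wide));
    return 0;
}
```

A clamped length is still not the true length, so callers that allocate or copy based on it need to compare it against the bytes actually available.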
tenarchits pushed a commit to tenarchits/libpcap that referenced this issue Jan 22, 2024
When adding values whose sum might overflow an unsigned integer, first
check whether the sum *would* overflow an unsigned integer and, if so,
clamp the sum at UINT_MAX.

Do the same for a multiplication.

This should fix the-tcpdump-group#1134, as well as the issue in the-tcpdump-group#1205.
tenarchits pushed a commit to tenarchits/libpcap that referenced this issue Jan 26, 2024
When adding values whose sum might overflow an unsigned integer, first
check whether the sum *would* overflow an unsigned integer and, if so,
clamp the sum at UINT_MAX.

Do the same for a multiplication.

This should fix the-tcpdump-group#1134, as well as the issue in the-tcpdump-group#1205.