[Bug 1830865] Re: Integer overflow in bson_ensure_space (bson.c:613)
Francis Ginther
francis.ginther at canonical.com
Wed Oct 30 12:54:28 UTC 2019
** Tags added: id-5d6412d0de485863a95da846
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to whoopsie in Ubuntu.
https://bugs.launchpad.net/bugs/1830865
Title:
Integer overflow in bson_ensure_space (bson.c:613)
Status in whoopsie package in Ubuntu:
Fix Released
Bug description:
Dear Ubuntu Security Team,
I would like to report an integer overflow vulnerability in whoopsie.
In combination with issue 1830858, this vulnerability may enable a
local attacker to read arbitrary files on the system.
I have attached a proof-of-concept which triggers the vulnerability. I
have tested it on an up-to-date Ubuntu 18.04. Run it as follows:
bunzip2 PoC.tar.bz2
tar -xf PoC.tar
cd PoC
make
./killwhoopsie2
The PoC works by creating a file named
`/var/crash/killwhoopsie.crash`, just over 2GB in size. It then
creates a file named `/var/crash/killwhoopsie.upload`, which prompts
whoopsie to start processing the .crash file.
This is the source location of the integer overflow bug:
http://bazaar.launchpad.net/~daisy-pluckers/whoopsie/trunk/view/698/lib/bson/bson.c#L613
The problem is that the types of pos, bytesNeeded, and b->dataSize are
all int. My PoC triggers an integer overflow in the calculation of pos
+ bytesNeeded, which causes bson_ensure_space to return immediately on
line 614 without allocating more space. This leads subsequently to a
heap buffer overflow on line 738:
http://bazaar.launchpad.net/~daisy-pluckers/whoopsie/trunk/view/698/lib/bson/bson.c#L738
Please let me know when you have fixed the vulnerability, so that I
can coordinate my disclosure with yours. For reference, here is a link
to Semmle's vulnerability disclosure policy:
https://lgtm.com/security#disclosure_policy
Thank you,
Kevin Backhouse
Semmle Security Research Team
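The failure mode the report describes, as an added example that is not whoopsie's bson.c: a constructed model of an all-int capacity check whose pos + bytesNeeded sum wraps, beside an overflow-safe version of the same check. The struct, function names and sample values are assumptions; only the names pos, bytesNeeded and dataSize come from the report.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the buffer object; not the real bson struct. */
struct bson_buf {
    int dataSize;   /* bytes currently allocated for the buffer */
};

/* Flawed check, modelled on the report: with int operands the sum
 * pos + bytesNeeded wraps past INT_MAX to a negative value, so the
 * "enough space" test passes and the caller skips growing the buffer.
 * The wrap is done in unsigned arithmetic here so the demonstration is
 * deterministic (plain signed overflow is undefined behaviour in C). */
bool has_space_flawed(const struct bson_buf *b, int pos, int bytesNeeded)
{
    int wrapped_sum = (int)((unsigned)pos + (unsigned)bytesNeeded);
    return wrapped_sum <= b->dataSize;   /* true for huge pos: wrong */
}

/* Hardened check: reject negative inputs and test for overflow before
 * adding, so a request that cannot fit never reports "fits". A false
 * result means the caller must grow the buffer or reject the input. */
bool fits_safe(const struct bson_buf *b, int pos, int bytesNeeded)
{
    if (pos < 0 || bytesNeeded < 0)
        return false;
    if (bytesNeeded > INT_MAX - pos)   /* pos + bytesNeeded would overflow */
        return false;
    return pos + bytesNeeded <= b->dataSize;
}

int main(void)
{
    struct bson_buf b = { .dataSize = 1024 };
    /* Constructed sample: a write position near INT_MAX, as a >2GB
     * input would produce, plus a small additional request. */
    int pos = INT_MAX - 10, need = 100;
    printf("flawed check says fits: %d\n", has_space_flawed(&b, pos, need));
    printf("safe   check says fits: %d\n", fits_safe(&b, pos, need));
    return 0;
}
```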