An exploitable command execution vulnerability exists in the ASN1 certificate writing functionality of Openweave-core version 4.0.2. A specially crafted weave certificate can trigger a heap-based buffer overflow, resulting in code execution. An attacker can craft a weave certificate to trigger this vulnerability.

**Summary**

An exploitable command execution vulnerability exists in the ASN1 certificate writing functionality of Openweave-core version 4.0.2. A specially crafted weave certificate can trigger a heap-based buffer overflow, resulting in code execution. An attacker can craft a weave certificate to trigger this vulnerability.

**Tested Versions**

Nest Labs Openweave-core 4.0.2

**Product URLs**

https://openweave.io/

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-122: Heap-based Buffer Overflow

**Details**

Openweave is the opensource implementation of the Weave protocol, which was initially developed by Nest Labs in order to provide a Session-Layer agnostic method of communication between their IoT devices. The weave binary is a utility tool that helps with various aspects of interacting with Weave, such as key conversion, cert conversion, and most relevantly, printing out weave TLV’s. The weave binary can also be found on Nest devices such as the Nest Cam IQ Indoor.

The weave resign-command command takes an input certificate of either weave or X509 format and will resign it with another given certificate chain. To do this, the ReadCert function is used:

    bool ReadCert(const char *fileName, X509 *& cert, CertFormat& origCertFmt)
    {
        bool res = true;
        WEAVE_ERROR err;
        uint8_t *certBuf = NULL;
        const uint8_t *p;
        uint32_t certLen;
        CertFormat curCertFmt;
    
        cert = NULL;
    
        if (!ReadFileIntoMem(fileName, certBuf, certLen)) // reads/ftells/mallocs/freads.
        ExitNow(res = false);                        //  len returned into certLen, buf returned into certBuf
    
        curCertFmt = origCertFmt = DetectCertFormat(certBuf, certLen);
    
        [...]
    
        if (curCertFmt == kCertFormat_Weave_Raw)
        {
        uint32_t convertedCertLen = certLen * kMaxWeaveCertInflationFactor;      // [1] 
        uint8_t *convertedCertBuf = (uint8_t *)malloc((size_t)convertedCertLen); // [2] 
    
        err = ConvertWeaveCertToX509Cert(certBuf, certLen, convertedCertBuf, convertedCertLen, convertedCertLen); // [3]
    

Already there is a glaring issue in that convertedCertLen is a uint32_t and there’s no restriction on the input certificate’s size. Thus, when we multiply the certLen by the kMaxWeaveCertInflationFactor (which is 0x5), we can trigger an integer overflow if the size of the input certificate is greater than or equal to 0x3333334. This results in the convertedCertBuf allocation being less than the size of the actual certLen input \[2\]. Interestingly, this integer overflow doesn’t really matter that much in the grand scheme of things, as it’s not really exploitable aside from the vector that will be discussed in this advisory (which is also triggerable without the integer overflow).

The ConvertWeaveCertToX509Cert inside of WeaveToX509.cpp is now given:

    NL_DLL_EXPORT WEAVE_ERROR ConvertWeaveCertToX509Cert(const uint8_t *weaveCert, uint32_t weaveCertLen, uint8_t *x509CertBuf, uint32_t x509CertBufSize, uint32_t& x509CertLen)
    {
        WEAVE_ERROR err; 
        TLVReader reader;
        ASN1Writer writer;
        WeaveCertificateData certData;                
    
        reader.Init(weaveCert, weaveCertLen);        //[1]
        writer.Init(x509CertBuf, x509CertBufSize);   //[2]
    
        memset(&certData, 0, sizeof(certData));
    
        err = ConvertCert(reader, writer, certData); //[3]
        SuccessOrExit(err);
        err = writer.Finalize();
        SuccessOrExit(err);
    
        x509CertLen = writer.GetLengthWritten();
    
        exit:
        return err;
    }
    

At \[1\], a WeaveTLVReader is appropriately initialized to the size of our input certificate, and likewise, we have an ASN1Writer object appropriately initialized to the size of the output buffer at \[2\]. As mentioned before it doesn’t really matter if we trigger our integer overflow from before, but it is worth noting that this size is arbitrary and under user control. Moving on, let us examine the ConvertCert function:

    static WEAVE_ERROR ConvertCert(TLVReader& reader, ASN1Writer& writer, WeaveCertificateData& certData){
        WEAVE_ERROR err;
        uint64_t tag;
        TLVType containerType;
    
        if (reader.GetType() == kTLVType_NotSpecified) {
            err = reader.Next();
            SuccessOrExit(err);
        }
        VerifyOrExit(reader.GetType() == kTLVType_Structure, err = WEAVE_ERROR_WRONG_TLV_TYPE);  
        tag = reader.GetTag();              
        VerifyOrExit(tag == ProfileTag(kWeaveProfile_Security, kTag_WeaveCertificate) || tag == AnonymousTag,  err = WEAVE_ERROR_UNEXPECTED_TLV_ELEMENT); 
        err = reader.EnterContainer(containerType); // [1]
        SuccessOrExit(err);
    
        // Certificate ::= SEQUENCE
        ASN1_START_SEQUENCE {
    
        // tbsCertificate TBSCertificate,
        err = ConvertTBSCertificate(reader, writer, certData); //[2]
    

To summarize, the above is just reading assorted TLV fields from our TLVReader for validation purposes and then the actual processing occurs in ConvertTBSCertificate. It’s also worth noting specifically that in order to pass the check at \[1\], our TLVReader must have processed a minimum of three bytes. Continuing into ConvertTBSCertificate:

    WEAVE_ERROR ConvertTBSCertificate(TLVReader& reader, ASN1Writer& writer, WeaveCertificateData& certData) // certificate data => 0xC0 Struct.
    {
        WEAVE_ERROR err;
        uint64_t tag;
        uint32_t weaveSigAlgo;
        OID sigAlgoOID;
    
        // tbsCertificate TBSCertificate,
        // TBSCertificate ::= SEQUENCE
        ASN1_START_SEQUENCE {
    
        // version [0] EXPLICIT Version DEFAULT v1
        ASN1_START_CONSTRUCTED(kASN1TagClass_ContextSpecific, 0) {
    
        // Version ::= INTEGER { v1(0), v2(1), v3(2) }
        ASN1_ENCODE_INTEGER(2);
    
        } ASN1_END_CONSTRUCTED; 
    
        err = reader.Next(kTLVType_ByteString, ContextTag(kTag_SerialNumber));  // [1]
        SuccessOrExit(err); 
    
        // CertificateSerialNumber ::= INTEGER
        err = writer.PutValue(kASN1TagClass_Universal, kASN1UniversalTag_Integer, false, reader);  //[2] 
        SuccessOrExit(err);
    

At \[1\], we read a few more bytes to find a TLV ByteString inside of our buffer, and then at \[2\], we end up writing it into the output buffer, nothing out of the ordinary. Continuing on into ASN1Writer::PutValue:

    ASN1_ERROR ASN1Writer::PutValue(uint8_t cls, uint32_t tag, bool isConstructed, nl::Weave::TLV::TLVReader& val)
    {
        ASN1_ERROR err;
        uint32_t valLen = val.GetLength();  
    
        err = EncodeHead(cls, tag, isConstructed, valLen); //[1]
        SuccessOrExit(err);       
    
        val.GetBytes(mWritePoint, valLen);  //[2] 
        mWritePoint += valLen;             
    
        exit: 
            return err;
    }
    

The EncodeHead function at \[1\] is entrusted with validating the input TLVElement and encoding the necessary ASN1 headers, after which, at \[2\], the bytes are actually written into the output buffer. Finally, we get to the crux of the matter:

    ASN1_ERROR ASN1Writer::EncodeHead(uint8_t cls, uint32_t tag, bool isConstructed, int32_t len)
    {
        // Only tags <= 31 supported. The implication of this is that encoded tags are exactly 1 byte long.
        if (tag >= 0x1F)
        return ASN1_ERROR_UNSUPPORTED_ENCODING;
    
        // Compute the number of bytes required to encode the length.
        uint8_t lenOfLen = GetLengthOfLength(len);
        // If the element length is unknown, allocate a new entry in the deferred-length list.
        //
        // The deferred-length list is a list of "pointers" (represented as offsets into mBuf)
        // to length fields for which the length of the element was unknown at the time the element
        // head was written. Examples include constructed types such as SEQUENCE and SET, as well
        // non-constructed types that encapsulate other ASN.1 types (e.g. OCTET STRINGS that contain
        // BER/DER encodings). The final lengths are filled in later, at the time the encoding is
        // complete (e.g. when EndConstructed() is called).
        //
        if (len == kUnkownLength) // What if length is 0? => total Len == 2
        mDeferredLengthList--;
    
        // Make sure there's enough space to encode the entire value without bumping into the deferred length
        // list at the end of the buffer. 
        uint16_t totalLen = 1 + lenOfLen + (len != kUnkownLength ? len : 0);  //[1]
        if ((mWritePoint + totalLen) > (uint8_t *)mDeferredLengthList)        //[2] 
            return ASN1_ERROR_OVERFLOW;   
    

At \[1\], we can see that the size of our TLV input is added to 1 and then the actual byte length of the size of our element (1-5). This is then stored in the uint16_t totalLen and validated against mWritePoint and the mDeferredLengthList. Unfortunately, since there’s no bounds on our input ByteString TLV, we can easily overflow the uint16_t and bypass this check, which then allows us to get an arbitrary sized write on the heap after we return from Encode via val.GetBytes(mWritePoint, valLen);.

It should be noted that this ASN1Writer code path can be also hit from the CASE authentication functionality, more specifically the BeginCASESessionRequest. However, due to the limitation of the size of PacketBuffer input (~0x62F), and also the bytes read before getting to this overflow, we cannot have enough bytes left over in the TLVReader to say our bytestring is >0xFFFF in size, as the TLVReader will check the length of each element against the maximum length that it was initialized with, which for a BeginCASESessionRequest certInfo field would be normally limited to the size of the PacketBuffer.

**Timeline**

2019-04-18 - Vendor Disclosure  
2019-05-20 - Vendor completed analysis  
2019-06-18 - Follow up with vendor  
2019-07-02 - 90 day notice; Vendor advised updates scheduled for release mid-July  
2019-07-18 - Vendor advised fix will release end of July and be tested in the field  
2019-07-26 - Extended disclosure date to 2019-08-15 2019-08-19 - Public Release

Discovered by Lilith (>\_>) And Claudio Bozzato of Cisco Talos.

CVE-2019-5039: TALOS-2019-0802 || Cisco Talos Intelligence Group

An exploitable command execution vulnerability exists in the print-tlv command of Weave tool. A specially crafted weave TLV can trigger a stack-based buffer overflow, resulting in code execution. An attacker can trigger this vulnerability by convincing the user to open a specially crafted Weave command.

**Summary**

An exploitable command execution vulnerability exists in the print-tlv command of Weave tool. A specially crafted weave TLV can trigger a stack-based buffer overflow, resulting in code execution. An attacker can trigger this vulnerability by convincing the user to open a specially crafted Weave command.

**Tested Versions**

Nest Labs Openweave-core 4.0.2

**Product URLs**

https://openweave.io/

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-121: Stack-based Buffer Overflow

**Details**

Openweave is the open-source implementation of the Weave protocol, which was initially developed by Nest Labs in order to provide a Session-Layer agnostic method of communication between their internet-of-things devices. The weave binary is a utility tool that helps with various aspects of interacting with Weave, such as key conversion, cert conversion, and most relevantly, printing out weave TLV’s. The weave binary can also be found on Nest devices such as the Nest Cam IQ Indoor camera.

The weave print-tlv command takes an input file and will output a detailed description of the inner TLV as such:

    0 0x7f1127b7a007, tag[Fully Qualified (6 Bytes)]: 0x0::0xf::0x1, type: Structure (0x15), container:                                        
    1       0x7f1127b7a009, tag[Context Specific]: 0x1, type: Array (0x16), container:                                                         
    2               0x7f1127b7a00a, tag[Anonymous]: 0xffffffff, type: Structure (0x15), container:                                             
    3                       0x7f1127b7a00d, tag[Context Specific]: 0x1, type: Data (0x10), length: 9, value: 0x7f1127b7a00d                    
    3                       0x7f1127b7a019, tag[Context Specific]: 0x2, type: Unsigned Fixed Point (0x04), value: 4                            
    3                       0x7f1127b7a01b, tag[Context Specific]: 0x3, type: Path (0x17), container:                                          
    4                               0x7f1127b7a025, tag[Context Specific]: 0x13, type: Unsigned Fixed Point (0x04), value: 1780101555471515649 
    3                       0x7f1127b7a02c, tag[Context Specific]: 0x4, type: Unsigned Fixed Point (0x04), value: 430515093
    3                       0x7f1127b7a032, tag[Context Specific]: 0x5, type: Unsigned Fixed Point (0x04), value: 752009493
    3                       0x7f1127b7a034, tag[Context Specific]: 0x6, type: Path (0x17), container:
    4                               0x7f1127b7a03e, tag[Context Specific]: 0x13, type: Unsigned Fixed Point (0x04), value: 1780101555471515649
    3                       0x7f1127b7a042, tag[Context Specific]: 0x7, type: Unsigned Fixed Point (0x04), value: 2
    3                       0x7f1127b7a048, tag[Context Specific]: 0x8, type: Unsigned Fixed Point (0x04), value: 593100821
    3                       0x7f1127b7a04b, tag[Context Specific]: 0xa, type: Data (0x10), length: 49, value: 0x7f1127b7a04b
    

Due to the nature of WeaveTLVs, one can enter a ‘structure’ with a “\\x15” byte and exit it with a “\\x18” byte. As seen on the left side of the above output, there is an indicator of how nested the TLV is (i.e. how many containers we have currently entered). The function that handles this nesting is the following:

    static WEAVE_ERROR Iterate(TLVReader &aReader, size_t aDepth, IterateHandler aHandler, void *aContext, bool aRecurse)
    {
        WEAVE_ERROR retval = WEAVE_NO_ERROR;
    
        if (aReader.GetType() == kTLVType_NotSpecified)
        {
            retval = aReader.Next();
            SuccessOrExit(retval);
        }
    
        do
        {
            const TLVType theType = aReader.GetType();
    
            retval = (aHandler)(aReader, aDepth, aContext); //[1]
            SuccessOrExit(retval);
    
            if (aRecurse && TLVTypeIsContainer(theType))
            {
                TLVType containerType;
    
                retval = aReader.EnterContainer(containerType);
                SuccessOrExit(retval);
    
                retval = Iterate(aReader, aDepth + 1, aHandler, aContext, aRecurse); //[2]
                if (retval != WEAVE_END_OF_TLV)
                    SuccessOrExit(retval);
    
                retval = aReader.ExitContainer(containerType);
                SuccessOrExit(retval);
            }
        } while ((retval = aReader.Next()) == WEAVE_NO_ERROR);
    
    exit:
        return retval;
    }
    

At \[1\], we can see that the iterator function callback is called, and at \[2\], we see the Iterate function can actually recurse to itself if we end up entering another container. It’s also worth noting that there’s not really a limit to how big the aDepth variable can get here. Regardless, for the weave print-tlv binary, the Iterator handler is given as such:

    WEAVE_ERROR DumpHandler(const TLVReader &aReader, size_t aDepth, void *aContext)
    {
        static const char   tabs[] = "                                                   ";
        char                tabbuf[48]; //[3]
        WEAVE_ERROR         retval = WEAVE_NO_ERROR;
        DumpContext *       context;
    
        VerifyOrExit(aContext != NULL, retval = WEAVE_ERROR_INVALID_ARGUMENT);
    
        context = static_cast<DumpContext *>(aContext);
    
        VerifyOrExit(context->mWriter != NULL, retval = WEAVE_ERROR_INVALID_ARGUMENT);
    
        strncpy(tabbuf, tabs, aDepth); //[4]
    
        tabbuf[aDepth] = 0;
    
        DumpHandler(context->mWriter,
                    tabbuf,
                    aReader,
                    aDepth);
    
     exit:
        return retval;
    }
    

At \[3\], we see that that a length 48 buffer for ‘\\t’ chars will be written to in order to generate the nested output given before, and at \[4\], we can see the line responsible for actually writing these tabs. As one might guess, since there’s no limit to the aDepth variable, the tab strncpy will quickly start to run out of bounds.

While the source of the strncpy is not user controlled, since the length of the tabs variable is only 0x14 tab chars long, the tabbuf stack variable will get written with 0x14 tabs and then the rest is filled with null bytes, resulting in a stack based buffer overflow of null bytes.

**Crash Information**

    ==119438==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc78f294b0 at pc 0x000000546dff bp 0x7ffc78f29450 sp 0x7ffc78f29448
    WRITE of size 1 at 0x7ffc78f294b0 thread T0
        #0 0x546dfe in nl::Weave::TLV::Debug::DumpHandler(nl::Weave::TLV::TLVReader const&, unsigned long, void*) /src/lib/core/WeaveTLVDebug.cpp:349:20
        #1 0x551b86 in nl::Weave::TLV::Utilities::Iterate(nl::Weave::TLV::TLVReader&, unsigned long, int (*)(nl::Weave::TLV::TLVReader const&, unsigned long, void*), void*, bool) src/lib/core/WeaveTLVUtilities.cpp:77:18
        #2 0x551da3 in nl::Weave::TLV::Utilities::Iterate(nl::Weave::TLV::TLVReader&, unsigned long, int (*)(nl::Weave::TLV::TLVReader const&, unsigned long, void*), void*, bool) /src/lib/core/WeaveTLVUtilities.cpp:87:22
        #3 0x551da3 in nl::Weave::TLV::Utilities::Iterate(nl::Weave::TLV::TLVReader&, unsigned long, int (*)(nl::Weave::TLV::TLVReader const&, unsigned long, void*), void*, bool) /src/lib/core/WeaveTLVUtilities.cpp:87:22
        #4 0x551da3 in nl::Weave::TLV::Utilities::Iterate(nl::Weave::TLV::TLVReader&, unsigned long, int (*)(nl::Weave::TLV::TLVReader const&, unsigned long, void*), void*, bool) /src/lib/core/WeaveTLVUtilities.cpp:87:22
    [..]
    $rax   : 0x0000000000000000
    $rbx   : 0x00007ffc248f5200  →  0x0000000000000000
    $rcx   : 0x0000000000545517  →  <nl::Weave::TLV::Utilities::Iterate(nl::Weave::TLV::TLVReader+0> add rsp, 0x58
    $rdx   : 0x00000000ffffffeb  →  0x0000000000000000
    $rsp   : 0x00007ffc248f3c60  →  0x00007ffc248f52c0  →  0x0000000000537280  →  <_DumpWriter(char+0> jmp 0x537288 <_DumpWriter(char const*,  ...)+8>
    $rbp   : 0x00007ffc248f5200  →  0x0000000000000000
    $rsi   : 0x0000000000000fc1
    $rdi   : 0x00007ffc248f5200  →  0x0000000000000000
    $rip   : 0x0000000000544eb7  →  <nl::Weave::TLV::TLVReader::ReadElement()+55> movzx eax, BYTE PTR [rax]
    $r8    : 0x00007f339cdc8f00  →  0x00007f339cdc8f00  →  [loop detected]
    $r9    : 0x0000000000000001
    $r10   : 0x0000000000000000
    $r11   : 0x0000000000000001
    $r12   : 0x00000000005441b0  →  0x00000fcfb8d28548  →  0x0000000000000000
    $r13   : 0x00007ffc248f52c0  →  0x0000000000537280  →  <_DumpWriter(char+0> jmp 0x537288 <_DumpWriter(char const*,  ...)+8>
    $r14   : 0x0000000000000038
    $r15   : 0x0000000000000001
    $eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
    ───[ stack ]────
    0x00007ffc248f3c60│+0x00: 0x00007ffc248f52c0  →  0x0000000000537280  →  <_DumpWriter(char+0> jmp 0x537288 <_DumpWriter(char const*,  ...)+8>     ← $rsp
    0x00007ffc248f3c68│+0x08: 0x0000000000000038 ("8"?)
    0x00007ffc248f3c70│+0x10: 0x0000000000000001
    0x00007ffc248f3c78│+0x18: 0x0000000000544d69  →  <nl::Weave::TLV::TLVReader::SkipData()+9> sub eax, 0xc
    0x00007ffc248f3c80│+0x20: 0x00007ffc248f5200  →  0x0000000000000000
    0x00007ffc248f3c88│+0x28: 0x00000000005451f8  →  <nl::Weave::TLV::TLVReader::Skip()+88> mov eax, DWORD PTR [rsp+0xc]
    0x00007ffc248f3c90│+0x30: 0x0000000009090909
    0x00007ffc248f3c98│+0x38: 0x0000000000000000
    ───[ code:i386:x86-64 ]────
         0x544ea3 <nl::Weave::TLV::TLVReader::ReadElement()+35> pop    r13
         0x544ea5 <nl::Weave::TLV::TLVReader::ReadElement()+37> ret    
         0x544ea6 <nl::Weave::TLV::TLVReader::ReadElement()+38> nop    WORD PTR cs:[rax+rax*1+0x0]
         0x544eb0 <nl::Weave::TLV::TLVReader::ReadElement()+48> mov    rax, QWORD PTR [rbx+0x30]
         0x544eb4 <nl::Weave::TLV::TLVReader::ReadElement()+52> mov    rdi, rbx
     →   0x544eb7 <nl::Weave::TLV::TLVReader::ReadElement()+55> movzx  eax, BYTE PTR [rax]
         0x544eba <nl::Weave::TLV::TLVReader::ReadElement()+58> mov    WORD PTR [rbx+0x4c], ax
         0x544ebe <nl::Weave::TLV::TLVReader::ReadElement()+62> call   0x544750 <nl::Weave::TLV::TLVReader::ElementType() const>
         0x544ec3 <nl::Weave::TLV::TLVReader::ReadElement()+67> movzx  esi, al
         0x544ec6 <nl::Weave::TLV::TLVReader::ReadElement()+70> mov    ecx, eax
         0x544ec8 <nl::Weave::TLV::TLVReader::ReadElement()+72> mov    eax, 0xfc3
    ─────[ source:../../src/lib/core/WeaveTLVReader.cpp+1297 ]────
       1293      if (err != WEAVE_NO_ERROR)
       1294          return err;
       1295  
       1296      // Get the element's control byte.
     → 1297      mControlByte = *mReadPoint;
       1298
       1299      // Extract the element type from the control byte. Fail if it's invalid.
       1300      elemType = ElementType();
       1301      if (!IsValidTLVType(elemType))
    ─────[ trace ]────
    [#0] 0x544eb7 → Name: nl::Weave::TLV::TLVReader::ReadElement(this=0x7ffc248f5200)...
    [#1] 0x545250 → Name: nl::Weave::TLV::TLVReader::Next(this=0x7ffc248f5200)...
    [#2] 0x54544a → Name: nl::Weave::TLV::Utilities::Iterate(aReader=@0x7ffc248f5200, aDepth=0x38, aHandler=0x5...
    [#3] 0x545427 → Name: nl::Weave::TLV::Utilities::Iterate(aReader=@0x7ffc248f5240, aDepth=0x37, aHandler=0x5...
    [#4] 0x545427 → Name: nl::Weave::TLV::Utilities::Iterate(aReader=@0x7ffc248f5240, aDepth=0x36, aHandler=0x5...
    [#5] 0x545427 → Name: nl::Weave::TLV::Utilities::Iterate(aReader=@0x7ffc248f5240, aDepth=0x35, aHandler=0x5...
    [#6] 0x545427 → Name: nl::Weave::TLV::Utilities::Iterate(aReader=@0x7ffc248f5240, aDepth=0x34, aHandler=0x5...
    [#7] 0x545427 → Name: nl::Weave::TLV::Utilities::Iterate(aReader=@0x7ffc248f5240, aDepth=0x33, aHandler=0x5...
    ───────
    nl::Weave::TLV::TLVReader::ReadElement (this=0x7ffc248f5200) at ../../src/lib/core/WeaveTLVReader.cpp:1297
    1297        mControlByte = *mReadPoint;
    

**Timeline**

2019-04-18 - Vendor Disclosure  
2019-05-20 - Vendor completed analysis  
2019-06-18 - Follow up with vendor  
2019-07-02 - 90 day notice; Vendor advised updates scheduled for release mid-July  
2019-07-18 - Vendor advised fix will release end of July and be tested in the field  
2019-07-26 - Extended disclosure date to 2019-08-15  
2019-08-19 - Public Release

Discovered by Lilith (>\_>) of Cisco Talos.

CVE-2019-5038: TALOS-2019-0801 || Cisco Talos Intelligence Group

IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a local privileged Informix user to load a malicious shared library and gain root access privileges. IBM X-Force ID: 159941.

  

**Summary**

IBM Informix Dynamic Server has addressed the following vulnerabilities.

**Vulnerability Details**

**CVEID:** CVE-2018-1630  
**DESCRIPTION:** IBM Informix Dynamic Server v12.10 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in onmode.  
CVSS Base Score: 8.2  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144430 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

**CVEID:** CVE-2018-1631  
**DESCRIPTION:** IBM Informix Dynamic Server v12.10 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in oninit mongohash.  
CVSS Base Score: 8.2  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144431 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

**CVEID:** CVE-2018-1632  
**DESCRIPTION:** IBM Informix Dynamic Server v12.10 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in IDS .infxdirs.  
CVSS Base Score: 8.2  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144432 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

**CVEID:** CVE-2018-1633  
**DESCRIPTION:** IBM Informix Dynamic Server v12.10 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in onsrvapd.  
CVSS Base Score: 8.2  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144434 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

**CVEID:** CVE-2018-1634  
**DESCRIPTION:** IBM Informix Dynamic Server v12.10 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in infos.DBSERVERNAME.  
CVSS Base Score: 8.2  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144437 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

**CVEID:** CVE-2018-1635  
**DESCRIPTION:** Stack-based buffer overflow in oninit in IBM Informix Dynamic Server 12.10 allows an authenticated user to execute predefined code with root privileges, such as escalating to a root shell.  
CVSS Base Score: 8.2  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144439 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

**CVEID:** CVE-2018-1636  
**DESCRIPTION:** Stack-based buffer overflow in oninit in IBM Informix Dynamic Server 12.10 allows an authenticated user to execute predefined code with root privileges, such as escalating to a root shell.  
CVSS Base Score: 8.2  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144441 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

**CVEID:** CVE-2018-1796  
**DESCRIPTION:** IBM Informix Dynamic Server could allow a local user to load malicious libraries and gain root privileges.  
CVSS Base Score: 7.8  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149426 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

****CVEID:** CVE-2019-4253  
**DESCRIPTION:** IBM Informix Dynamic Server could allow a local privileged Informix user to load a malicious shared library and gain root access privileges.  
CVSS Base Score: 7.8  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159941 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)**

**Affected Products and Versions**

**Affected IBM Informix Dynamic Server**

**Affected Versions**

IBM Informix Dynamic Server on Linux platforms

12.10.FC1 through 12.10.FC12

**Remediation/Fixes**

Upgrade Informix to 12.10.

**Product**

**VRMF**

**Remediation / First Fix**

IBM Informix Dynamic Server

12.10.FC13

**References**

Off

**Acknowledgement**

Vulnerabilities were reported to IBM by Eddie Zhu, Ruhai Zhang, Sicheng Liu, Dijing Wang, Guanglu Yu at BEIJING DBSEC TECHNOLOGY CO., LTD.

**Change History**

7 August 2019: Original version published

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSB2ML","label":"Informix Dynamic Server"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"12.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2019-4253: Security Bulletin: IBM Informix Dynamic Server is affected by privilege escalation vulnerabilities

Stack-based buffer overflow in oninit in IBM Informix Dynamic Server Enterprise Edition 12.1 allows an authenticated user to execute predefined code with root privileges, such as escalating to a root shell. IBM X-Force ID: 144439.

CVE-2018-1635: IBM Informix Dynamic Server Enterprise Edition buffer overflow CVE-2018-1635 Vulnerability Report

Stack-based buffer overflow in oninit in IBM Informix Dynamic Server Enterprise Edition 12.1 allows an authenticated user to execute predefined code with root privileges, such as escalating to a root shell. IBM X-Force ID: 144441.

CVE-2018-1636: IBM Informix Dynamic Server Enterprise Edition buffer overflow CVE-2018-1636 Vulnerability Report

Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors.

CVE-2019-15232

An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.

CVE-2019-15218

Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data while reading a crafted ext4 filesystem, which results in a stack buffer overflow and likely code execution.

**Commits on Feb 28, 2023**

1.  board: rock5b-rk3588: add memory gaps into kernel's DTB
    
    RK3588 has two memory gaps when using 16 GiB DRAM size:
    \[0x3fc000000 , 0x3fc500000\]
    and
    \[0x3fff00000 , 0x3ffffffff\]
    
    If the kernel is agnostic to these gaps, accessing the area causes
    a SError panic.
    
    Hence, add reserved memory areas in kernel's DTB before booting.
    
    Signed-off-by: Eugen Hristev <eugen.hristev@collabora.com>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    
2.  board: rockchip: add Radxa ROCK5B Rk3588 board
    
    ROCK 5B is a Rockchip RK3588 based SBC (Single Board Computer) by Radxa.
    
    There are tree variants depending on the DRAM size : 4G, 8G and 16G.
    
    Specification:
    
        Rockchip Rk3588 SoC
        4x ARM Cortex-A76, 4x ARM Cortex-A55
        4/8/16GB memory LPDDR4x
        Mali G610MC4 GPU
        MIPI CSI 2 multiple lanes connector
        eMMC module connector
        uSD slot (up to 128GB)
        2x USB 2.0, 2x USB 3.0
        2x HDMI output, 1x HDMI input
        Ethernet port
        40-pin IO header including UART, SPI, I2C and 5V DC power in
        USB PD over USB Type-C
        Size: 85mm x 54mm
    
    Kernel commits:
    a1d3281450ab ("arm64: dts: rockchip: Add rock-5b board")
    6fb13f888f2a ("arm64: dts: rockchip: Update sdhci alias for rock-5b")
    
    Signed-off-by: Eugen Hristev <eugen.hristev@collabora.com>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    
3.  clk: rockchip: rk3568: add more supported clk rates for sdmmc and emmc
    
    SDHCI driver may attempt to set 26MHz clock, but clk\_rk3568
    will return error in this case. Apparently, SDHCI silently ignores the
    error and as a result eMMC initialization fails.
    
    Add 25 MHz and 26 MHz clk rates for sdmmc and emmc on rk3568 to fix that.
    
    Signed-off-by: Vasily Khoruzhick <anarsoul@gmail.com>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    

5.  rockchip: rk3568: Read cpuid from otp
    
    The cpuid on RK3568 is located at 0xa instead of 0x7 as all other SoCs.
    Add and use a CFG\_CPUID\_OFFSET to define this offset.
    
    Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    
6.  rockchip: misc: Set eth1addr mac address
    
    Set eth1addr in addition to ethaddr.
    
    Also allow fdt fixup of ethernet mac addresses when CMD\_NET is disabled.
    Set ethaddr and eth1addr based on HASH and SHA256 options.
    
    Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    

11.  rockchip: efuse: Refactor to use driver data and ops
    
    Refactor the driver to use driver data and ops to simplify handling
    of SoCs that require a unique read op.
    
    Move handling of the aligned bounce buffer to main read op in order to
    keep the SoC unique read op simple.
    
    Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    

13.  rockchip: otp: Add support for RK3588
    
    Add support for rk3588 compatible.
    
    Adjust offset using driver data in main read op.
    
    Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    
14.  rockchip: otp: Add support for RK3568
    
    Add support for rk3568 compatible.
    
    Handle allocation of an aligned bounce buffer in main read op in order
    to keep the SoC unique read op simple.
    
    Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    
15.  rockchip: otp: Refactor to use driver data and ops
    
    Refactor the driver to use driver data and ops to simplify handling
    of SoCs that require a unique read op.
    
    Use readl\_poll\_sleep\_timeout instead of a custom poll loop, and add
    validation of input parameter to main read op.
    
    Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    
16.  board: rockchip: Add Edgeble Neural Compute Module 6
    
    Neural Compute Module 6(Neu2) is a 96boards SoM-CB compute module
    based on Rockchip RK3588 from Edgeble AI.
    
    General features:
    - Rockchip RK3588
    - up to 32GB LPDDR4x
    - up to 128GB eMMC
    - 2x MIPI CSI2 FPC
    
    On module WiFi6/BT5 is available in the following Neu6 variants.
    
    Neural Compute Module 6(Neu6) IO board is an industrial form factor
    ready-to-use IO board from Edgeble AI.
    
    IO board offers plenty of peripherals and connectivity options and
    this patch enables basic eMMC and UART which is enough to successfully
    boot Linux.
    
    Neu6 needs to mount on top of this IO board in order to create a
    complete Edgeble Neural Compute Module 6(Neu6) IO platform.
    
    Boot log for the record,
    
    DDR Version V1.08 20220617
    LPDDR4X, 2112MHz
    channel\[0\] BW=16 Col=10 Bk=8 CS0 Row=16 CS1 Row=16 CS=2 Die BW=16 Size=2048MB
    channel\[1\] BW=16 Col=10 Bk=8 CS0 Row=16 CS1 Row=16 CS=2 Die BW=16 Size=2048MB
    channel\[2\] BW=16 Col=10 Bk=8 CS0 Row=16 CS1 Row=16 CS=2 Die BW=16 Size=2048MB
    channel\[3\] BW=16 Col=10 Bk=8 CS0 Row=16 CS1 Row=16 CS=2 Die BW=16 Size=2048MB
    Manufacturer ID:0x6
    CH0 RX Vref:31.7%, TX Vref:21.8%,21.8%
    CH1 RX Vref:30.7%, TX Vref:22.8%,23.8%
    CH2 RX Vref:30.7%, TX Vref:22.8%,22.8%
    CH3 RX Vref:30.7%, TX Vref:21.8%,21.8%
    change to F1: 528MHz
    change to F2: 1068MHz
    change to F3: 1560MHz
    change to F0: 2112MHz
    out
    
    U-Boot SPL 2023.01-00952-g1d1785a516-dirty (Jan 30 2023 - 19:53:55 +0530)
    Trying to boot from MMC1
    INFO:    Preloader serial: 2
    NOTICE:  BL31: v2.3():v2.3-391-g856309329:derrick.huang
    NOTICE:  BL31: Built : 14:15:50, Jul 18 2022
    INFO:    ext 32k is not valid
    INFO:    GICv3 without legacy support detected.
    INFO:    ARM GICv3 driver initialized in EL3
    INFO:    system boots from cpu-hwid-0
    INFO:    idle\_st=0x21fff, pd\_st=0x11fff9, repair\_st=0xfff70001
    INFO:    dfs DDR fsp\_params\[0\].freq\_mhz= 2112MHz
    INFO:    dfs DDR fsp\_params\[1\].freq\_mhz= 528MHz
    INFO:    dfs DDR fsp\_params\[2\].freq\_mhz= 1068MHz
    INFO:    dfs DDR fsp\_params\[3\].freq\_mhz= 1560MHz
    INFO:    BL31: Initialising Exception Handling Framework
    INFO:    BL31: Initializing runtime services
    WARNING: No OPTEE provided by BL2 boot loader, Booting device without OPTEE initialization. SMC\`s destined for OPTEE will return SMC\_UNK
    ERROR:   Error initializing runtime service opteed\_fast
    INFO:    BL31: Preparing for EL3 exit to normal world
    INFO:    Entry point address = 0xa00000
    INFO:    SPSR = 0x3c9
    
    U-Boot 2023.01-00952-g1d1785a516-dirty (Jan 30 2023 - 19:53:55 +0530)
    
    Model: Edgeble Neu6A IO Board
    DRAM:  7.5 GiB (effective 3.7 GiB)
    Core:  71 devices, 15 uclasses, devicetree: separate
    MMC:   mmc@fe2c0000: 0
    Loading Environment from nowhere... OK
    In:    serial@feb50000
    Out:   serial@feb50000
    Err:   serial@feb50000
    Model: Edgeble Neu6A IO Board
    Net:   No ethernet found.
    Hit any key to stop autoboot:  0
    =>
    
    Add support for Edgeble Neu6 Model A IO Board.
    
    Signed-off-by: Jagan Teki <jagan@edgeble.ai>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    
17.  ARM: dts: rockchip: rk3588s-u-boot: Add sdmmc node
    
    Booting from SDMMC is one of the fast and easy booting methods
    for initial support of any SoC to upstream more features. 
    
    This patch is trying to add the sdmmc node for rk3588 and added
    as u-boot specific node in -u-boot.dtsi as upstream Linux is not
    supporting yet.
    
    As soon as Linux supports it, a sync of the Linux device tree
    would eventually drop this node. 
    
    Clock properties as added according to the rockchip mmc driver
    but the actual definition might add scmi clocks into 0 and 1
    indexes. This is due to scmi clock are not supporting in upstream
    U-Boot. Properly addition of scmi clock would eventually follow
    sdmmc clock definition of Linux once they upstreamed.
    
    Signed-off-by: Jagan Teki <jagan@edgeble.ai>
    
     
    
18.  ARM: dts: rockchip: Add rk3588-u-boot.dtsi
    
    Add u-boot,dm-spl and u-boot,dm-pre-reloc related properties
    for Rockchip RK3588 SoC to boot the SPL.
    
    Signed-off-by: Jagan Teki <jagan@edgeble.ai>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    
19.  arm: rockchip: Add RK3588 arch core support
    
    The Rockchip RK3588 is a ARM-based SoC with quad-core Cortex-A76
    and quad-core Cortex-A55 including NEON and GPU, 6TOPS NPU,
    Mali-G610 MP4, HDMI Out, HDMI In, DP, eDP, MIPI DSI, MIPI CSI2,
    LPDDR4/4X/5, eMMC5.1, SD3.0/MMC4.5, USB OTG 3.0, Type-C, USB 2.0,
    PCIe 3.0, SATA 3, Ethernet, SDIO3.0 I2C, UART, SPI, GPIO and PWM.
    
    Add arch core support for it.
    
    Signed-off-by: Jagan Teki <jagan@edgeble.ai>
    Signed-off-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    
20.  arm64: dts: rockchip: rk3588: Add Edgeble Neu6 Model A IO
    
    Neural Compute Module 6(Neu6) IO board is an industrial form factor
    ready-to-use IO board from Edgeble AI.
    
    IO board offers plenty of peripherals and connectivity options and
    this patch enables basic eMMC and UART which is enough to successfully
    boot Linux.
    
    Neu6 needs to mount on top of this IO board in order to create a
    complete Edgeble Neural Compute Module 6(Neu6) IO platform.
    
    commit <a5079a534554> ("arm64: dts: rockchip: rk3588: Add Edgeble Neu6
    Model A IO")
    
    Add support for Edgeble Neu6 Model A IO Board.
    
    Signed-off-by: Jagan Teki <jagan@edgeble.ai>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    
21.  arm64: dts: rockchip: rk3588: Add Edgeble Neu6 Model A SoM
    
    Neural Compute Module 6(Neu2) is a 96boards SoM-CB compute module
    based on Rockchip RK3588 from Edgeble AI.
    
    General features:
    - Rockchip RK3588
    - up to 32GB LPDDR4x
    - up to 128GB eMMC
    - 2x MIPI CSI2 FPC
    
    On module WiFi6/BT5 is available in the following Neu6 variants.
    
    Neu6 needs to mount on top of associated Edgeble IO boards for
    creating complete platform solutions.
    
    Enable eMMC for now to boot Linux successfully.
    
    commit <3d9a2f7e7c5e> ("arm64: dts: rockchip: rk3588: Add Edgeble Neu6
    Model A SoM")
    
    Add support for Edgeble Neu6 Model A SoM.
    
    Signed-off-by: Jagan Teki <jagan@edgeble.ai>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    
22.  arm64: dts: rockchip: Add base DT for rk3588 SoC
    
    This initial version supports CPU, dma, interrupts, timers, UART and
    SDHCI (everything necessary to boot Linux on this system on chip) as
    well as Ethernet, I2C, PWM and SPI.
    
    The DT is split into rk3588 and rk3588s, which is a reduced version
    (i.e. with less peripherals) of the former.
    
    commit <9fb232e9911f> (" arm64: dts: rockchip: Add base DT for rk3588
    SoC")
    commit <d68a97d501f8> ("arm64: dts: rockchip: Add rk3588 pinctrl data")
    
    Signed-off-by: Jianqun Xu <jay.xu@rock-chips.com>
    Signed-off-by: Kever Yang <kever.yang@rock-chips.com>
    Signed-off-by: Jagan Teki <jagan@edgeble.ai>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    
23.  arm: rockchip: Add ioc header for rk3588
    
    Add IOC unit header include for rk3588.
    
    Signed-off-by: Steven Liu <steven.liu@rock-chips.com>
    Signed-off-by: Joseph Chen <chenjh@rock-chips.com>
    Signed-off-by: Jagan Teki <jagan@edgeble.ai>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    
24.  dt-bindings: reset: add rk3588 reset definitions
    
    Add reset ID defines for rk3588.
    
    commit <0a8eb7dae617> ("dt-bindings: reset: add rk3588 reset
    definitions")
    
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Jagan Teki <jagan@edgeble.ai>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
    
     
    
25.  dt-bindings: power: Add power-domain header for rk3588
    
    Add power-domain header for RK3588 SoC from description in TRM.
    
    commit <67944950c2d0> ("dt-bindings: power: add power-domain header for
    rk3588")
    
    Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
    Signed-off-by: Jagan Teki <jagan@edgeble.ai>
    Reviewed-by: Kever Yang <kever.yang@rock-chips.com>

CVE-2019-13106: Commits · u-boot/u-boot

A vulnerability was found in liblouis, versions 2.5.x before 2.5.4. A stack-based buffer overflow was found in findTable() in liblouis. An attacker could create a malicious file that would cause applications that use liblouis (such as Orca) to crash, or potentially execute arbitrary code when opened.

'CVE-2014-8184?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2014-8184: Invalid Bug ID

fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has a heap-based buffer overflow.

While fuzzing Schism Tracker with Honggfuzz, I found a heap-based buffer overflow in the fmt\_mtm\_load\_song() function, in mtm.c L139.

    =================================================================
    ==11045==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff6d73debd4 at pc 0x0000004b4ae4 bp 0x7ffea6d192b0 sp 0x7ffea6d18a48
    WRITE of size 1 at 0x7ff6d73debd4 thread T0
        #0 0x4b4ae3 in strcpy /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/asan_interceptors.cc:433:5
        #1 0x5c40f0 in fmt_mtm_load_song /home/fcambus/schismtracker/fmt/mtm.c:139:3
        #2 0x6caa4b in song_create_load /home/fcambus/schismtracker/schism/audio_loadsave.c:224:11
        #3 0x6caf4e in song_load_unchecked /home/fcambus/schismtracker/schism/audio_loadsave.c:282:12
        #4 0x61dd3c in main /home/fcambus/schismtracker/schism/main.c:1132:7
        #5 0x7ff6dbb9ab6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
        #6 0x41eb99 in _start (/home/fcambus/schismtracker/schismtracker+0x41eb99)
    
    0x7ff6d73debd4 is located 140 bytes to the right of 168776-byte region [0x7ff6d73b5800,0x7ff6d73deb48)
    allocated by thread T0 here:
        #0 0x4ca73a in calloc /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:155:3
        #1 0x5fb5dc in mem_calloc /home/fcambus/schismtracker/schism/util.c:113:6
        #2 0x6de326 in csf_allocate /home/fcambus/schismtracker/player/csndfile.c:98:16
        #3 0x6ca557 in song_create_load /home/fcambus/schismtracker/schism/audio_loadsave.c:207:20
        #4 0x6caf4e in song_load_unchecked /home/fcambus/schismtracker/schism/audio_loadsave.c:282:12
        #5 0x61dd3c in main /home/fcambus/schismtracker/schism/main.c:1132:7
        #6 0x7ff6dbb9ab6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/asan_interceptors.cc:433:5 in strcpy
    Shadow bytes around the buggy address:
      0x0fff5ae73d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fff5ae73d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fff5ae73d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fff5ae73d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fff5ae73d60: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
    =>0x0fff5ae73d70: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
      0x0fff5ae73d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fff5ae73d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fff5ae73da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fff5ae73db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fff5ae73dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==11045==ABORTING

Tag

#buffer_overflow