Bugzilla – Bug 11946
Heap overflow in getchecksum(untar.c)
Last modified: 2021-09-23 16:36:42 EDT
Created attachment 7311 [details]
poc, pass is virus

There is an out-of-bounds read at untar.c:74:

```c
69 getchecksum(const char *header)
70 {
71 	char ochecksum[TARCHECKSUMLEN + 1];
72 	int checksum = -1;
73
74 	strncpy(ochecksum, header+TARCHECKSUMOFFSET, TARCHECKSUMLEN);
75 	ochecksum[TARCHECKSUMLEN] = '\0';
76 	checksum = octal(ochecksum);
77 	return checksum;
78 }
```

The PoC is 10 bytes long. It's identified as Tar because of a special magic number `[aliases]` that is used to identify a tar CVE: `libclamav/filetypes_int.h`

```
"0:0:5b616c69617365735d:TAR-POSIX-CVE-2012-1419:CL_TYPE_ANY:CL_TYPE_POSIX_TAR"
```

The out-of-bounds read does not happen when analyzing a file because of the cache used while reading a file. It only happens when using the function that scans a memory map directly, specifically the cl_scanmap_callback function.

A possible patch: libclamav/untar.c

```c
182 if((ret=cli_checklimits("cli_untar", ctx, 0, 0, 0))!=CL_CLEAN)
183 return ret;
+184 if (nread < TARCHECKSUMOFFSET + TARCHECKSUMLEN)
+185 return ret;
186 checksum = getchecksum(block);
```

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
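Review bot: the early return added at +184/+185 returns `ret`, which at that point is CL_CLEAN because the cli_checklimits() call on line 182 has just passed, so a truncated header is silently reported as clean instead of as a parse failure; returning an explicit status for the short read would keep the truncation visible to the caller. The bound itself also only protects the getchecksum(block) call on line 186: requiring nread to cover the whole 512-byte header block rather than just TARCHECKSUMOFFSET + TARCHECKSUMLEN would cover every later read from `block` in the same function with a single check.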
Thank you very much for reporting these issues. If possible, we'd like to gather some initial details from you on these. First, can you tell us what version of ClamAV you are reporting against? I notice that you have our git-repository name in the reports; is this a fresh checkout of git?
After analysis, suggested patch applied in commit 292d6878fa3e7fd2ab0f7275a78190639ad116d4.
That was fast Morgan, thanks. Can we please get CVEs assigned for these?
(In reply to Suleman Ali from comment #3)
> That was fast Morgan, thanks. Can we please get CVEs assigned for these?

You did all the work ;) Joel is going to get your CVEs from Cisco PSIRT.
Cool, thanks. This is the first time we're reporting to Cisco proper so I wasn't sure what the process was. And credits to the whole team, Francisco did most of the work for this one hehe.
Link to commit: https://github.com/vrtadmin/clamav-devel/commit/292d6878fa3e7fd2ab0f7275a78190639ad116d4
@jesler and @stevmorg, I looked at the patch. While it will work for the getchecksum() check, there is code below that reads further into block:

```c
if(posix) {
	strncpy(magic, block+257, 5);
	. . .
}
type = block[TARFILETYPEOFFSET];
```

TARCHECKSUMOFFSET is 148. I think a safer thing to do would be to ensure that nread >= 512. BLOCKSIZE is 512, and the tar header is padded out to 512 bytes.
Credit to @antchan2 for finding the above.
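As an added illustration of the two points made in this bug (the unchecked read in getchecksum() and the nread >= 512 rule for the whole header), here is a length-aware checksum reader alongside the ustar checksum recomputation, exercised on a constructed 512-byte header and on a constructed 10-byte buffer of the PoC's length. This is example code written for this page, not ClamAV code and not any attachment on this bug. The macro names BLOCKSIZE, TARCHECKSUMOFFSET and TARCHECKSUMLEN mirror the ones quoted from untar.c and their values (512, 148, 8) are the POSIX ustar layout; the function names tar_octal, tar_header_checksum, tar_compute_checksum, tar_header_valid, build_sample_header and the two sample_header_* helpers are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not ClamAV code. The macro names mirror the ones
 * quoted from untar.c; the values are the POSIX ustar header layout. */
#define BLOCKSIZE         512   /* a tar header is padded out to 512 bytes */
#define TARCHECKSUMOFFSET 148   /* checksum field starts at byte 148 */
#define TARCHECKSUMLEN    8     /* and is 8 bytes wide */

/* Parse the octal digits of a tar header field. Leading spaces/NULs are
 * skipped, the first space/NUL after a digit ends the number, and any
 * other byte makes the field invalid. Returns -1 when no digits are found. */
long tar_octal(const char *s, size_t len)
{
    long v = -1;
    for (size_t i = 0; i < len; i++) {
        if (s[i] == ' ' || s[i] == '\0') {
            if (v >= 0)
                break;          /* trailing pad after the digits */
            continue;           /* leading pad */
        }
        if (s[i] < '0' || s[i] > '7')
            return -1;
        v = (v < 0 ? 0 : v) * 8 + (s[i] - '0');
    }
    return v;
}

/* Length-aware counterpart of getchecksum(): the caller passes how many
 * bytes of the block were actually read, and anything shorter than a full
 * header is rejected before the checksum field is touched. */
long tar_header_checksum(const unsigned char *block, size_t nread)
{
    char field[TARCHECKSUMLEN + 1];
    if (block == NULL || nread < BLOCKSIZE)
        return -1;
    memcpy(field, block + TARCHECKSUMOFFSET, TARCHECKSUMLEN);
    field[TARCHECKSUMLEN] = '\0';
    return tar_octal(field, TARCHECKSUMLEN);
}

/* ustar checksum definition: the sum of all 512 header bytes with the
 * checksum field itself counted as eight spaces. */
long tar_compute_checksum(const unsigned char *block)
{
    long sum = 0;
    for (size_t i = 0; i < BLOCKSIZE; i++) {
        int in_field = i >= TARCHECKSUMOFFSET && i < TARCHECKSUMOFFSET + TARCHECKSUMLEN;
        sum += in_field ? ' ' : block[i];
    }
    return sum;
}

/* 1 if the stored checksum matches the recomputed one, 0 if it does not,
 * -1 if the buffer is too short to hold a header at all. */
int tar_header_valid(const unsigned char *block, size_t nread)
{
    long stored = tar_header_checksum(block, nread);
    if (stored < 0)
        return -1;
    return tar_compute_checksum(block) == stored;
}

/* Constructed sample: a ustar header for an empty regular file "hello.txt"
 * with a correctly stored checksum (demo data, not a real archive). */
void build_sample_header(unsigned char block[BLOCKSIZE])
{
    char field[TARCHECKSUMLEN + 1];
    memset(block, 0, BLOCKSIZE);
    memcpy(block, "hello.txt", 9);               /* name     @0   */
    memcpy(block + 100, "0000644", 8);           /* mode     @100 (incl. NUL) */
    memcpy(block + 124, "00000000000", 12);      /* size     @124 (incl. NUL) */
    block[156] = '0';                            /* typeflag @156: regular file */
    memcpy(block + 257, "ustar", 5);             /* magic    @257 */
    snprintf(field, sizeof field, "%06lo", tar_compute_checksum(block));
    memcpy(block + TARCHECKSUMOFFSET, field, 6); /* "005157" for this header */
    block[TARCHECKSUMOFFSET + 6] = '\0';
    block[TARCHECKSUMOFFSET + 7] = ' ';
}

/* Convenience wrappers so the sample header can be checked by value. */
long sample_header_stored_checksum(void)
{
    unsigned char block[BLOCKSIZE];
    build_sample_header(block);
    return tar_header_checksum(block, BLOCKSIZE);
}

int sample_header_is_valid(void)
{
    unsigned char block[BLOCKSIZE];
    build_sample_header(block);
    return tar_header_valid(block, BLOCKSIZE);
}

int main(void)
{
    unsigned char block[BLOCKSIZE];
    const unsigned char tiny[] = "[aliases]";    /* 10 bytes incl. NUL: the PoC's length */
    build_sample_header(block);
    printf("full header: stored=%ld valid=%d\n",
           tar_header_checksum(block, BLOCKSIZE), tar_header_valid(block, BLOCKSIZE));
    printf("10-byte buffer: checksum=%ld (rejected before any read)\n",
           tar_header_checksum(tiny, sizeof tiny));
    return 0;
}
```

The one design choice worth noting is that the length check lives in the function that does the read, not only at the call site: any future caller of tar_header_checksum() gets the bound for free, and a short buffer yields a distinct -1 result rather than being reported as a clean parse.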
Created attachment 7313 [details] Improved fix - ensure entire header is read
(In reply to Craig Davison from comment #9)
> Created attachment 7313 [details]
> Improved fix - ensure entire header is read

Thanks Craig, on the list. My link to git is currently broken, will get this committed ASAP.
(In reply to Craig Davison from comment #9)
> Created attachment 7313 [details]
> Improved fix - ensure entire header is read

Patch applied in commit 0cf813f835e48ab0f94dd54200ceba0dc25fa1c4.
Thanks, Steve