
Detecting vulnerabilities with the bug hunting

2020-12-08
2020-12-18
1 2 3 > >> (Page 1 of 3)
  • Daniel Marjamäki

    I am investigating vulnerabilities in the NVD database. I would like to have a list of vulnerabilities that Cppcheck can find / can not find with the bug hunting. And if we find false negatives in Cppcheck, I want to fix those.

    If anybody wants to join feel free to do it.

    The bug hunting should be able to detect buffer overflows, array index out of bounds, uninitialized variables, and division by zero.

    Here is an example search:
    https://nvd.nist.gov/vuln/search/results?cwe_id=CWE-787&pub_start_date=01%2F01%2F2020

    Rough procedure:
    1. Open vulnerability details https://nvd.nist.gov/vuln/detail/CVE-2020-26572
    2. We need to know what source code repo it is, which specific revision fixed the bug, and understand what the bug is just so we know what cppcheck should warn about. Look in the vulnerability details for a link to some issue or fix. In this case it says: https://github.com/OpenSC/OpenSC/commit/9d294de90d1cc66956389856e60b6944b27b4817
    3. clone repo: git clone https://github.com/OpenSC/OpenSC.git
    4. goto fix: git reset --hard 9d294de9
    5. goto buggy code: git reset --hard HEAD^1
    6. check if bug is found: cppcheck --bug-hunting src/libopensc/card-tcos.c
    7. In this case the bug is found... but if it is not found then use --check-config and ensure that local include paths are set.
    8. report if bug is found or not.

     
  • Daniel Marjamäki

    Two CVEs that are found:

    # CVE-2020-26572
    # https://nvd.nist.gov/vuln/detail/CVE-2020-26572
    # https://github.com/OpenSC/OpenSC/commit/9d294de90d1cc66956389856e60b6944b27b4817
    # Language: C
    # Buffer overflow
    git clone https://github.com/OpenSC/OpenSC.git
    cd OpenSC
    git reset --hard 9d294de90d1cc66956389856e60b6944b27b4817 # fixed
    git reset --hard HEAD^1 # vulnerable
    ~/cppcheck/cppcheck --bug-hunting --suppress=bughuntingUninit src/libopensc/card-tcos.c
    
    src/libopensc/card-tcos.c:626:8: error: Buffer read/write, when calling 'memcpy' it cannot be determined that 1st argument is not overflowed [bughuntingBufferOverflow]
     memcpy(sbuf+1, crgram, crgram_len);
           ^
    
    
    
    # CVE-2020-15365
    # https://nvd.nist.gov/vuln/detail/CVE-2020-15365
    # Language: C++
    # Array index out of bounds
    git clone https://github.com/LibRaw/LibRaw.git
    git reset --hard b22e637a857ee6921cf325de16c1bc0732690756
    cppcheck --check-config src/metadata/cr3_parser.cpp
    cppcheck -I. --bug-hunting src/metadata/cr3_parser.cpp
    
    src/metadata/cr3_parser.cpp:89:34: error: Array index out of bounds, cannot determine that i is less than 10 [bughuntingArrayIndexOutOfBounds]
           tpixels = INT64(tiff_ifd[i].t_height) * INT64(tiff_ifd[i].t_height);
                                    ^
    
     

    Last edit: Daniel Marjamäki 2020-12-09
  • Daniel Marjamäki

    For information.. I want to have the commands that are used so it will be possible to reproduce and check for regressions etc later..

     
  • Daniel Marjamäki

    One more CVE:

    # CVE-2020-15395
    # https://sourceforge.net/p/mediainfo/bugs/1127/
    # https://github.com/MediaArea/MediaInfoLib/pull/1290/commits/5b998282f47f080592d298a25c642f13a895c4dc
    # C++
    # Array index out of bounds
    
    git clone https://github.com/MediaArea/MediaInfoLib.git
    cd MediaInfoLib
    git reset --hard 5b998282f47f080592d298a25c642f13a895c4dc # fixed
    git reset --hard HEAD^1 # vulnerable
    cppcheck --check-config Source/MediaInfo/Multiple/File_MpegPs.cpp
    cppcheck --bug-hunting -ISource Source/MediaInfo/Multiple/File_MpegPs.cpp
    
    Source/MediaInfo/Multiple/File_MpegPs.cpp:408:16: error: Array index out of bounds, cannot determine that StreamKind_Last is less than 7 [bughuntingArrayIndexOutOfBounds]
        if (Counts[StreamKind_Last]+Count==Count_Get(StreamKind_Last)) //Old method
                   ^
    
     

    Last edit: Daniel Marjamäki 2020-12-09
  • Daniel Marjamäki

    A CVE that is not found:

    # CVE-2019-15048
    # https://nvd.nist.gov/vuln/detail/CVE-2019-15048
    # https://github.com/axiomatic-systems/bento4/issues/409
    # vulnerable version: 1.5.1.0
    git clone https://github.com/axiomatic-systems/Bento4.git
    cd Bento4
    git reset --hard v1.5.0-609 # vulnerable
    cppcheck --bug-hunting Source/C++/Core/Ap4AvccAtom.cpp
    

    Comment: The bug hunting does not have proper checking of pointer[index] yet.

     
  • orbitcowboy

    orbitcowboy - 2020-12-09

    Good idea to search for CVEs and improve the checker. Are there plans to create tests, demonstrating that specific CVEs are detected?

     
    👍
    2
    • Daniel Marjamäki

      yes .. we have some tests in cppcheck/test/bug-hunting/cve already.. but well it's a bit clumsy to work with those. for instance you are supposed to copy headers and stuff to the cppcheck repo. maybe we can make some new testing that is less clumsy..

       
    • Daniel Marjamäki

      we could create a script. we put these commands in that script. when that is executed it generates some nice html report.. and we could show that on our webpage. I would like to see a table where each CVE has 1 row and we will indicate with a green or red background color if cppcheck does detect it or not.. for each cve we can write which CVE-id it has, what CWE it is, if it is c or c++ code, .. and not sure if something more is interesting.

       

      Last edit: Daniel Marjamäki 2020-12-09
      • orbitcowboy

        orbitcowboy - 2020-12-09

        Very good idea to demonstrate that we are able to detect specific known issues.
        In addition, we could activate bug-hunting on daca to see what it brings up?

         
        • Daniel Marjamäki

          I think we can discuss what we want to have first and then see how we can achieve that in the best way.

           
  • Daniel Marjamäki

    One more CVE that we do detect:

    # CVE-2019-15939
    # https://nvd.nist.gov/vuln/detail/CVE-2019-15939
    # https://github.com/opencv/opencv/commit/c05595e48274188e34a30d37ef22bdedc87c53ae
    # Division by zero
    git clone https://github.com/opencv/opencv.git
    cd opencv
    git reset --hard c05595e482 # fixed
    git reset --hard HEAD^1 # vulnerable
    cppcheck --bug-hunting modules/objdetect/src/hog.cpp
    
    modules/objdetect/src/hog.cpp:71:40: error: There is division, cannot determine that there can't be a division by zero. [bughuntingDivByZero]
        return (size - part_size + stride) / stride;
                                           ^
    
     
  • Daniel Marjamäki

    One more CVE that we detect:

    # CVE-2020-27347
    # https://nvd.nist.gov/vuln/detail/CVE-2020-27347
    # https://github.com/tmux/tmux/commit/a868bacb46e3c900530bed47a1c6f85b0fbe701c
    # Array index out of bounds
    git clone https://github.com/tmux/tmux.git
    cd tmux
    git reset --hard a868bacb46 # fixed
    git reset --hard HEAD^1 # vulnerable
    cppcheck --bug-hunting input.c => syntaxError
    cppcheck --bug-hunting --library=bsd input.c
    
    input.c:1983:49: error: Array index out of bounds, cannot determine that n-1 is less than 8 [bughuntingArrayIndexOutOfBounds]
      log_debug("%s: %u = %d", __func__, n - 1, p[n - 1]);
                                                    ^
    
     

    Last edit: Daniel Marjamäki 2020-12-10
  • Daniel Marjamäki

    This CVE is not detected:

    # CVE-2020-19667
    # https://nvd.nist.gov/vuln/detail/CVE-2020-19667
    # issue: https://github.com/ImageMagick/ImageMagick/issues/1895
    # fix: https://github.com/ImageMagick/ImageMagick/commit/5462fd4725018567764c8f66bed98b7ee3e23006
    # bug at: coders/xpm.c:232
    # Buffer overflow
    git clone https://github.com/ImageMagick/ImageMagick.git
    cd ImageMagick
    git reset --hard 5462fd4725018567764c8f66bed98b7ee3e23006
    git reset --hard HEAD^1
    cppcheck --bug-hunting coders/xpm.c
    cppcheck --bug-hunting -I. -DMAGICKCORE_QUANTUM_DEPTH=8 -DMAGICKCORE_HDRI_ENABLE=0 coders/xpm.c
    
    Expected: Buffer overflow at coders/xpm.c:232
    

    This is very interesting. I believe we can fix this if we add special handling for zero terminated strings.

     

    Last edit: Daniel Marjamäki 2020-12-09
  • Daniel Marjamäki

    This CVE is detected:

    # CVE-2019-9578
    # https://nvd.nist.gov/vuln/detail/CVE-2019-9578
    # fix: https://github.com/Yubico/libu2f-host/commit/e4bb58cc8b6202a421e65f8230217d8ae6e16eb5
    # Uninitialized variable
    
    git clone https://github.com/Yubico/libu2f-host.git
    cd libu2f-host
    git reset --hard e4bb58cc8b
    git reset --hard HEAD^1
    cppcheck --bug-hunting u2f-host/devs.c
    
    u2f-host/devs.c:311:26: error: Cannot determine that 'initresp.cid' is initialized [bughuntingUninit]
          dev->cid = initresp.cid;
                             ^
    
     
  • Daniel Marjamäki

    Does anybody volunteer to write a python/bash script that would run these cases and produce some nice html report?

     
  • Daniel Marjamäki

    One more CVE that we detect:

    # CVE-2020-11494
    # https://nvd.nist.gov/vuln/detail/CVE-2020-11494
    # fix: https://github.com/torvalds/linux/commit/b9258a2cece4ec1f020715fe3554bc2e360f6264
    # uninitialized struct padding
    git clone https://github.com/torvalds/linux.git
    cd linux
    git reset --hard b9258a2cec
    git reset --hard HEAD^1
    cppcheck --bug-hunting drivers/net/can/slcan.c
    
    drivers/net/can/slcan.c:220:21: error: Cannot determine that 'cf' is initialized [bughuntingUninit]
     skb_put_data(skb, &cf, sizeof(struct can_frame));
                        ^
    
     
  • Georgiy Komarov

    Georgiy Komarov - 2020-12-10

    This is an interesting idea.

    NVD provides access to their data in JSON format: https://nvd.nist.gov/vuln/data-feeds#JSON_FEED. This allows us to automate the loading and analysis of the latest data.

    We can start with something simple like:

    #!/bin/bash
    wget https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz
    gunzip nvdcve-1.1-2020.json.gz
    egrep '"url".*git(hub|lab).*(pull|issue).*' nvdcve-1.1-2020.json | awk '{print substr($3, 1, length($3)-2)}'
    

    This will give us a list of links to all pull requests and issues listed in NVD reports.
    Next, the problem is that their data contains entries for all programming languages, not only C/C++. So, the next step should be detecting the language of the given repository. This could be achieved through the github/gitlab API; I'll take a look.

     

    Last edit: Georgiy Komarov 2020-12-10
    • Daniel Marjamäki

      👍 👍 👍 !!!

      It's already a super good start .. much better than the searches I've been doing.

       
      • Georgiy Komarov

        Georgiy Komarov - 2020-12-10

        I did some work on the automation. Here is my quick-and-dirty script: https://github.com/jubnzv/cppcheck-nvd-checker .

        It does the following:

        1. Downloads the NVD dataset in json format.
        2. Parses Github repositories for which the commit hash is specified.
        3. Uses the Github API to filter C and C++ repositories.
        4. Then it clones the repository in /tmp and runs cppcheck on the required repository commit. It does exactly what you specified in the first post. It will be easier to read the source of the script. 🙂

        Here is an example output:

        image

         
        • Daniel Marjamäki

          👍 I will try it out. if we make it this automated we could even run something similar in daca@home.

           
          • Daniel Marjamäki

            I think it is a good start...

            but if I just get all the results then I don't know what to look for. I can't say if the CVE is detected or not.

            I think it's necessary to manually look at the commit message and/or the issue.. and understand what the issue is and how the changes fix that problem.

            Can the script print out some such info about each C/C++ CVE:

            CVE-2020-12345
            Bugtype: Buffer overflow/Uninitialized data/Division by zero
            Language: C/C++
            description bla bla
            github/gitlab issue
            fix commit/version
            commands to run bug hunting (can be copy pasted to terminal)
            
             

            Last edit: Daniel Marjamäki 2020-12-10
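            Putting the NVD feed extraction from the bash one-liner above together with the per-CVE summary requested here, as an added Python example (not the jubnzv script and not cppcheck project code). It assumes the nvdcve-1.1 JSON layout, a constructed feed fragment, an assumed CWE-to-error-id mapping, and GitHub links only; the language filter via the GitHub API is an online step left out.

            ```python
            import json
            import re

            # Constructed NVD 1.1 feed fragment (not real feed data); the nesting follows the
            # nvdcve-1.1-*.json layout: CVE_Items -> cve -> {CVE_data_meta, problemtype, description, references}.
            SAMPLE_FEED = json.dumps({"CVE_Items": [{"cve": {
                "CVE_data_meta": {"ID": "CVE-2020-00001"},
                "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-787"}]}]},
                "description": {"description_data": [{"lang": "en", "value": "Constructed: heap overflow in a parser."}]},
                "references": {"reference_data": [
                    {"url": "https://github.com/example/proj/issues/12", "tags": ["Issue Tracking"]},
                    {"url": "https://github.com/example/proj/commit/0123456789abcdef0123456789abcdef01234567", "tags": ["Patch"]},
                    {"url": "https://example.org/advisory", "tags": []}]}}}]})

            # Assumed mapping from CWE to the bug-hunting error id expected for that bug class.
            CWE_TO_ERROR_ID = {
                "CWE-120": "bughuntingBufferOverflow", "CWE-787": "bughuntingBufferOverflow",
                "CWE-125": "bughuntingArrayIndexOutOfBounds", "CWE-369": "bughuntingDivByZero",
                "CWE-457": "bughuntingUninit", "CWE-908": "bughuntingUninit",
            }
            # GitHub only for brevity; the C/C++ language filter via the GitHub API is an online step left out.
            GITHUB_RE = re.compile(r"^https://github\.com/([^/]+/[^/]+)/(commit|pull|issues)/([0-9a-fA-F]+)/?$")

            def summarize_feed(feed_text):
                """One summary per CVE that references a GitHub fix commit; the rest need manual triage."""
                rows = []
                for item in json.loads(feed_text)["CVE_Items"]:
                    cve = item["cve"]
                    cwes = [d["value"] for p in cve["problemtype"]["problemtype_data"] for d in p["description"]]
                    links, repo = {"commit": None, "pull": None, "issues": None}, None
                    for ref in cve["references"]["reference_data"]:
                        m = GITHUB_RE.match(ref["url"])
                        if m:
                            links[m.group(2)] = ref["url"]
                            if m.group(2) == "commit":
                                repo = m.group(1)
                    if not links["commit"]:
                        continue
                    fix = links["commit"].rsplit("/", 1)[1]
                    error_id = next((CWE_TO_ERROR_ID[c] for c in cwes if c in CWE_TO_ERROR_ID), "not a bug-hunting class")
                    rows.append({
                        "id": cve["CVE_data_meta"]["ID"], "cwe": cwes, "error_id": error_id,
                        "description": cve["description"]["description_data"][0]["value"],
                        "issue": links["issues"] or links["pull"], "fix_commit": fix,
                        # Same steps as the rough procedure in the first post; the file to scan is read off the fix diff.
                        "commands": [f"git clone https://github.com/{repo}.git", f"cd {repo.split('/')[1]}",
                                     f"git reset --hard {fix}  # fixed", "git reset --hard HEAD^1  # vulnerable",
                                     "cppcheck --bug-hunting <file-from-fix-diff>"],
                    })
                return rows
            ```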
            • Daniel Marjamäki

              I guess there are use cases when we would like the script to execute cppcheck .. so feel free to keep the code. maybe a "-s" could mean that the commands are only written on the screen..

               
            • Georgiy Komarov

              Georgiy Komarov - 2020-12-10

              I think it's necessary to manually look at the commit message and/or the issue.. and understand what the issue is and how the changes fix that problem.

              Yes. I believe we need to manually find the corresponding "bughunting" warning in the output. So we will need both diff for this commit and the full Cppcheck output on modified files.

              Since the report of Cppcheck can be enormous, it makes sense to save diff and the output as the files and print to user only the brief summary with paths to these files.

              I think we can use this scenario when the script is running with the -s argument. Otherwise we can just print summaries with formatted data from the json database. And possibly clone and hard-reset the repositories, if an additional argument was set, say -c.

               
              • Georgiy Komarov

                Georgiy Komarov - 2020-12-10

                I implemented this in https://github.com/jubnzv/cppcheck-nvd-checker .

                Now we can get the full report in the format you mentioned. 🙂
                I added it to the attachments.

                 
                👍
                1

                Last edit: Georgiy Komarov 2020-12-10
                • Daniel Marjamäki

                  Fantastic. So now the question is if we could coordinate the investigation online..

                  For each CVE I would like to document additional cppcheck flags needed and the location and expected cppcheck error id that Cppcheck should warn about. then maybe your script can be used to check if those CVEs are detected or not..

                  The CVE => cppcheck flags, location, error-id can be a simple text document in the wiki that anybody can edit .. or does anybody have a better idea..

                   

                  Last edit: Daniel Marjamäki 2020-12-10
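                  The "CVE => cppcheck flags, location, error-id" record proposed above, checked against cppcheck's output the way steps 7 and 8 of the first post do by hand, as an added Python example (not code from cppcheck or the jubnzv script). It assumes cppcheck's "file:line:col: severity: message [errorId]" text output as quoted in this thread, a constructed output sample, and that findings are written to stderr.

                  ```python
                  import re
                  import subprocess
                  from html import escape

                  # cppcheck text output line: "file:line:col: severity: message [errorId]" (the shape quoted in this thread).
                  DIAG_RE = re.compile(r"^(?P<file>[^:\s][^:]*):(?P<line>\d+):\d+: \w+: .* \[(?P<id>\w+)\]$")

                  # Constructed output for the test; the first finding copies the card-tcos.c line quoted above.
                  SAMPLE_OUTPUT = """\
                  src/libopensc/card-tcos.c:626:8: error: Buffer read/write, when calling 'memcpy' it cannot be determined that 1st argument is not overflowed [bughuntingBufferOverflow]
                   memcpy(sbuf+1, crgram, crgram_len);
                         ^
                  src/libopensc/card-tcos.c:640:3: error: Cannot determine that 'x' is initialized [bughuntingUninit]
                  """

                  def parse_diagnostics(text):
                      """Return (file, line, error_id) per diagnostic; source-context and caret lines are skipped."""
                      found = []
                      for ln in text.splitlines():
                          m = DIAG_RE.match(ln)
                          if m:
                              found.append((m.group("file"), int(m.group("line")), m.group("id")))
                      return found

                  def build_command(case):
                      """case holds the per-CVE record: extra cppcheck flags, file, expected line and error id."""
                      return ["cppcheck", "--bug-hunting"] + case.get("flags", []) + [case["file"]]

                  def check_case(case, output, slack=0):
                      """Detected means a diagnostic with the expected error id sits on the expected file/line.
                      slack tolerates a small line shift, e.g. when the vulnerable checkout is HEAD^1 of the fix."""
                      hits = [d for d in parse_diagnostics(output)
                              if d[0] == case["file"] and d[2] == case["error_id"] and abs(d[1] - case["line"]) <= slack]
                      return {"cve": case["cve"], "detected": bool(hits), "hits": hits}

                  def run_case(case, repo_dir):
                      """Run cppcheck in the vulnerable checkout; findings go to stderr, so that is what we parse."""
                      proc = subprocess.run(build_command(case), cwd=repo_dir, capture_output=True, text=True)
                      return check_case(case, proc.stderr, slack=2)

                  def html_row(result):
                      """One table row per CVE, green when detected and red when not (the report layout proposed above)."""
                      color = "#c8e6c9" if result["detected"] else "#ffcdd2"
                      status = "detected" if result["detected"] else "NOT detected"
                      return f'<tr style="background:{color}"><td>{escape(result["cve"])}</td><td>{status}</td></tr>'
                  ```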