Hi,
While fuzzing gnucobol with Honggfuzz, I found a global buffer overflow in the cb_evaluate_expr() function, in field.c.
Attaching a reproducer; the issue can be reproduced by running:
cobc test02.cob
=================================================================
==13307==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000011b42e0 at pc 0x00000062e423 bp 0x7ffee11cfdd0 sp 0x7ffee11cfdc8
WRITE of size 8 at 0x0000011b42e0 thread T0
#0 0x62e422 in cb_evaluate_expr /home/f/gnucobol/cobc/field.c:253:25
#1 0x62d951 in cb_validate_78_item /home/f/gnucobol/cobc/field.c:2538:15
#2 0x561f53 in yyparse /home/f/gnucobol/cobc/parser.y:6358:18
#3 0x51d901 in process_translate /home/f/gnucobol/cobc/cobc.c:6937:8
#4 0x5014d7 in process_file /home/f/gnucobol/cobc/cobc.c:8037:19
#5 0x4faaaf in main /home/f/gnucobol/cobc/cobc.c:8219:12
#6 0x7f0cceffdb6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
#7 0x41c539 in _start (/usr/local/bin/cobc+0x41c539)
0x0000011b42e0 is located 32 bytes to the left of global variable 'op_val_pos' defined in 'field.c:57:26' (0x11b4300) of size 4
0x0000011b42e0 is located 0 bytes to the right of global variable 'op_val' defined in 'field.c:60:18' (0x11b4260) of size 128
SUMMARY: AddressSanitizer: global-buffer-overflow /home/f/gnucobol/cobc/field.c:253:25 in cb_evaluate_expr
Shadow bytes around the buggy address:
0x00008022e800: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
0x00008022e810: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x00008022e820: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x00008022e830: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 f9 f9
0x00008022e840: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x00008022e850: 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9 f9 f9
0x00008022e860: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x00008022e870: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x00008022e880: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x00008022e890: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
0x00008022e8a0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==13307==ABORTING
This issue got assigned CVE-2019-14486.
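As an added illustration (not GnuCOBOL's code), the pattern the sanitizer report describes: a global 128-byte array of 8-byte slots indexed by a global position counter, here with an explicit bound check so a deeply nested expression is refused instead of written past the end of the array. The names op_val and op_val_pos follow the report; the slot type, the functions and the 16-entry size are assumptions.

```c
/* Hypothetical operand stack shaped like the one in the ASan report:
 * 128 bytes of 8-byte entries, indexed by a global position counter.
 * Every push checks the bound, which is the check whose absence
 * produces a global-buffer-overflow on the first write past the end. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OP_VAL_BYTES 128                              /* size reported for op_val */
#define OP_VAL_SLOTS (OP_VAL_BYTES / sizeof(int64_t)) /* 16 eight-byte entries (assumed) */

static int64_t op_val[OP_VAL_SLOTS]; /* hypothetical operand storage */
static size_t  op_val_pos;           /* hypothetical next free slot */

/* Reset the stack before evaluating a new expression. */
static void op_stack_reset(void) {
    op_val_pos = 0;
    memset(op_val, 0, sizeof op_val);
}

/* Push one operand; returns -1 when the stack is full instead of
 * writing the 8 bytes the report flags at op_val[OP_VAL_SLOTS]. */
static int op_push(int64_t v) {
    if (op_val_pos >= OP_VAL_SLOTS) {
        return -1;
    }
    op_val[op_val_pos++] = v;
    return 0;
}

/* Pop one operand; returns -1 on underflow. */
static int op_pop(int64_t *out) {
    if (op_val_pos == 0) {
        return -1;
    }
    *out = op_val[--op_val_pos];
    return 0;
}

/* Push n operands (values 0..n-1) onto a fresh stack and return how many
 * were accepted; a caller can turn a short count into a "too deep" error. */
static size_t op_push_many(size_t n) {
    size_t accepted = 0;
    op_stack_reset();
    for (size_t i = 0; i < n; i++) {
        if (op_push((int64_t)i) != 0) break;
        accepted++;
    }
    return accepted;
}

/* Push n operands, then pop the top; returns -1 if nothing was pushed. */
static int64_t op_top_after(size_t n) {
    int64_t v;
    op_push_many(n);
    return op_pop(&v) == 0 ? v : -1;
}
```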
I've just seen that those issues reference GnuCOBOL 2.2.
Can you please recheck with current trunk? There were some changes in the expression handling, so the issue is possibly solved already. If you need a tarball then check the current CI build artifact.
For all issues I reported, the fuzzer ran against latest trunk version, and I verified the issues are also triggered in 2.2.
The CVE reports mention 2.2 as it's the latest released version.
This is now corrected in the 'pangaea' branch, which is to be merged into or replace trunk very soon.
Merged to trunk for the 3.1 release with [r3244] (and the recent fixes for the other bugs merged to pangaea), leaving only [bugs:#581]... and the failures we currently have in the testsuite with active sanitizers. I'll recheck and create bug reports for those, where missing, after at least inspecting 581.
Related Bugs: #581
Last edit: Simon Sobisch 2020-07-28