Memory Use Bugs (MUS) Examples
CVE-2014-0160 - Heartbleed Buffer Overflow
BF Taxonomy

Fig 1. BF for CVE-2014-0160 – Heartbleed Buffer Overflow
Cause: Improper Object - Wrong Size Used (for s->s3->rrec.data[0])
Attributes:
Source Code: Codebase (d1_both.c and t1_lib.c)
Execution Space: Userland
Consequence: Improper Pointer - Over Bounds
Cause: Improper Operation - Missing
Attributes:
Execution Space: Userland
Consequence: Memory Error - Not Cleared Object
Cause: Improper Pointer - Over Bounds (for s->s3->rrec.data[0])
Attributes:
Source Code: Codebase (d1_both.c and t1_lib.c)
Execution Space: Userland
Consequence: Memory Error - Buffer Overflow
BF Description:
Heartbleed is a vulnerability caused by a bug in OpenSSL, a cryptographic library implementing the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The Heartbeat extension (RFC 6520) for TLS and Datagram Transport Layer Security (DTLS) lets a client send a heartbeat request to a server. The request carries a string (the payload) and a 16-bit unsigned integer payload length field whose value is expected to equal the size of that string. The server responds by echoing the string back. Because of the bug, a malicious client could set the payload length to any value up to 65535, regardless of how many bytes were actually sent, and the server would read that many bytes beyond the received record and return them. This could expose confidential information still present in memory that was not cleared before it was released.
Analysis
The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g have a bug in the d1_both.c and t1_lib.c files. In the Heartbleed attack, the software keeps the received record in the array s->s3->rrec.data, starting at s->s3->rrec.data[0]. The amount of data actually received can be far less than the up to 65535 bytes claimed in the payload length field. The software does not check the size of the received data (s->s3->rrec.length) against the value of payload. It assumes the two are equal and, using memcpy(), reads payload consecutive bytes starting at the first byte of the received payload (just past the 3-byte type and length header), then sends them back to the malicious user.
Source Code
Code With Bug:

    /* payload is taken from the attacker-controlled message and is never
       compared with the number of bytes actually received (s->s3->rrec.length) */
    hbtype = *p++;
    n2s(p, payload);
    pl = p;

Code With Fix:

    /* Read type and payload length first */
    if (1 + 2 + 16 > s->s3->rrec.length)
        return 0; /* silently discard */
    hbtype = *p++;
    n2s(p, payload);
    if (1 + 2 + payload + 16 > s->s3->rrec.length)
        return 0; /* silently discard per RFC 6520 sec. 4 */
    pl = p;
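The over-read described above, as an added example that is not OpenSSL's code: a self-contained C model of the heartbeat handler with the vulnerable logic and the fixed logic side by side, driven over a constructed 512-byte memory arena in which a 21-byte record (payload "hi", 16 bytes of padding) is followed by a hypothetical secret string. The record struct, the arena, the secret and the function names are assumptions made for the demonstration; the two length checks in the fixed handler are the ones from the 1.0.1g fix.

```c
#include <stdint.h>
#include <string.h>

/* Heartbeat message (RFC 6520): type (1) | payload_length (2, big-endian) | payload | padding (>= 16). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Stand-in for s->s3->rrec: the bytes actually received in the TLS record (assumption). */
struct record { const unsigned char *data; size_t length; };

/* OpenSSL's n2s() macro as a function: read a big-endian uint16 and advance the cursor. */
static uint16_t n2s(const unsigned char **p)
{
    uint16_t v = (uint16_t)(((*p)[0] << 8) | (*p)[1]);
    *p += 2;
    return v;
}

/* Shared tail of both handlers: type, s2n(payload), memcpy of the echoed payload, padding.
 * Returns the response length, or -1 if the response would not fit in out. */
static int build_response(const unsigned char *pl, uint16_t payload, unsigned char *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);             /* copies `payload` bytes, however short the record really was */
    memset(bp + payload, 0, HB_PADDING); /* the real code fills the padding with RAND_pseudo_bytes */
    return (int)resp_len;
}

/* Vulnerable handler (OpenSSL 1.0.1 before 1.0.1g): trusts the length field inside the message. */
static int heartbeat_vulnerable(const struct record *rrec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rrec->data;
    unsigned char hbtype = *p++;
    uint16_t payload = n2s(&p);
    const unsigned char *pl = p;
    if (hbtype != HB_REQUEST)
        return -1;
    return build_response(pl, payload, out, out_cap);
}

/* Fixed handler (1.0.1g): both checks compare the claim against rrec->length before any copy. */
static int heartbeat_fixed(const struct record *rrec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rrec->data;
    if (1 + 2 + HB_PADDING > rrec->length)
        return 0;                        /* silently discard */
    unsigned char hbtype = *p++;
    uint16_t payload = n2s(&p);
    const unsigned char *pl = p;
    if (1 + 2 + (size_t)payload + HB_PADDING > rrec->length)
        return 0;                        /* silently discard per RFC 6520 sec. 4 */
    if (hbtype != HB_REQUEST)
        return -1;
    return build_response(pl, payload, out, out_cap);
}

/* Constructed memory snapshot (hypothetical): a 21-byte record at the start of a 512-byte arena,
 * with unrelated sensitive data that happens to live 64 bytes further on. */
#define SECRET "session_cookie=hunter2"

static int run(int (*handler)(const struct record *, unsigned char *, size_t),
               uint16_t claimed_len, unsigned char *out, size_t out_cap)
{
    static unsigned char arena[512];
    unsigned char hb[1 + 2 + 2 + HB_PADDING] = { HB_REQUEST, 0, 0, 'h', 'i' }; /* rest zero = padding */
    hb[1] = (unsigned char)(claimed_len >> 8);
    hb[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena, 'A', sizeof arena);
    memcpy(arena, hb, sizeof hb);
    memcpy(arena + 64, SECRET, sizeof SECRET);
    struct record rrec = { arena, sizeof hb }; /* length = what was actually received: 21 bytes */
    return handler(&rrec, out, out_cap);
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Payload "hi" but a claimed length of 256: the vulnerable handler echoes 256 bytes of the arena. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[1024];
    int n = run(heartbeat_vulnerable, 256, out, sizeof out);
    return n == 1 + 2 + 256 + HB_PADDING && contains(out, (size_t)n, SECRET);
}

/* The same message against the fixed handler is discarded and nothing is copied. */
int fixed_discards_oversized_claim(void)
{
    unsigned char out[1024];
    return run(heartbeat_fixed, 256, out, sizeof out) == 0;
}

/* A consistent request (claimed length 2) is still answered by the fixed handler. */
int fixed_echoes_honest_request(void)
{
    unsigned char out[1024];
    int n = run(heartbeat_fixed, 2, out, sizeof out);
    return n == 1 + 2 + 2 + HB_PADDING && out[0] == HB_RESPONSE && out[3] == 'h' && out[4] == 'i';
}
```

The arena keeps the over-read inside a buffer this program owns, so the demonstration is defined behaviour; in the real server the same memcpy() walks into whatever the allocator placed after the record. Note that the vulnerable handler does bound one thing, the response buffer it writes into, which is exactly why the bug is an over-read of the source and not an overflow of the destination.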
CVE-2018-20991 - Rust SmallVec Iterator Panic
BF Taxonomy

Fig 2. BF for CVE-2018-20991 – Rust Iterator Panic
Cause: Improper Pointer - Dangling Pointer (to SmallVec)
Attributes:
Source Code: Standard Library (lib.rs)
Execution Space: Userland
Consequence: Memory Error - Double Free

Fig 3. BF for the Bug in the Fix of CVE-2018-20991
Cause: Improper Pointer - Wrong Size Used (for SmallVec)
Attributes:
Source Code: Standard Library (lib.rs)
Execution Space: Userland
Consequence: Memory Error - Memory Leak
BF Description:
Rust is a multi-paradigm programming language focused on memory safety and safe concurrency. Its syntax resembles C++, and it offers features for managing dynamic memory, such as smart pointers. In general, a Rust programmer does not need to track allocation and deallocation by hand, because the language is designed to enforce memory safety through ownership and borrowing. That guarantee depends on library code written with unsafe blocks upholding the same invariants on every path, including panic unwinding, which is where this bug arises.
Analysis
Versions of the smallvec crate before 0.6.3 have a bug in the lib.rs file. The insert_many() method of the SmallVec type takes two parameters: an index and an iterable I. The method inserts all elements yielded by I at position index, shifting the following elements toward the end. If an iterator passed to SmallVec::insert_many() panics in Iterator::next, destructors run during unwinding while the vector is in an inconsistent state, so the same element can be dropped twice, a double free (deallocation via two references to the same object).
Source Code
Code With Bug:
Source Code Not Available

Code With Fix:
Source Code Not Available