There are some places where the program calls the function sieve_binary_block_index without checking the return value (mainly in sieve-binary-dumper.c).
For example:
```
pigeonhole/src/lib-sieve/sieve-binary-dumper.c:

bool sieve_binary_dumper_run(struct sieve_binary_dumper *dumper,
			     struct ostream *stream, bool verbose)
{
	struct sieve_binary *sbin = dumper->dumpenv.sbin;
	struct sieve_script *script = sieve_binary_script(sbin);
	struct sieve_dumptime_env *denv = &(dumper->dumpenv);
	struct sieve_binary_block *sblock;
	bool success = TRUE;
	sieve_size_t offset;
	int count, i;

	......
	......

	sieve_binary_dump_sectionf(denv, "Script metadata (block: %d)",
				   SBIN_SYSBLOCK_SCRIPT_DATA);
	/* sblock is passed on below without a NULL check */
	sblock = sieve_binary_block_get(sbin, SBIN_SYSBLOCK_SCRIPT_DATA);

	T_BEGIN {
		offset = 0;
		success = sieve_script_binary_dump_metadata(
			script, denv, sblock, &offset);
	} T_END;
```
Running the sieve-dump tool on a specially crafted Sieve binary produces a crash:
```
pigeonhole/src/sieve-tools/.libs/sieve-dump -c /etc/dovecot/dovecot.conf ./1.crash
* Script metadata (block: 0):
sieve-dump(root): Error: sieve: binary ./1.crash: load: binary is corrupt: header of block 0 has non-matching id 1818846724
ASAN:DEADLYSIGNAL
=================================================================
==21708==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f89474bbd58 bp 0x7fff8bfc8280 sp 0x7fff8bfc8128 T0)
==21708==The signal is caused by a READ memory access.
==21708==Hint: address points to the zero page.
#0 0x7f89474bbd57 in sieve_binary_block_get_binary /home/user/data/pigeonhole/src/lib-sieve/sieve-binary.c:323
#1 0x7f894748f160 in sieve_script_binary_dump_metadata /home/user/data/pigeonhole/src/lib-sieve/sieve-script.c:474
#2 0x7f894750e19e in sieve_binary_dumper_run /home/user/data/pigeonhole/src/lib-sieve/sieve-binary-dumper.c:135
#3 0x7f8947597463 in sieve_dump /home/user/data/pigeonhole/src/lib-sieve/sieve.c:503
#4 0x55908b00e891 in sieve_tool_dump_binary_to /home/user/data/pigeonhole/src/lib-sieve-tool/sieve-tool.c:615
#5 0x55908b007b5b in main /home/user/data/pigeonhole/src/sieve-tools/sieve-dump.c:85
#6 0x7f89468fbbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#7 0x55908b007fa9 in _start (/root/sieve-dump+0x3fa9)
```
The program crashes when it uses the NULL pointer returned by sieve_binary_block_index without checking it.
I did not try the other places, but I still suggest checking for the NULL pointer at all of them.
## Impact
The NULL pointer will cause a crash in programs that use these APIs.
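The check the report asks for, as an added example that is not code from the report or from Pigeonhole: a simplified block loader that returns NULL on a non-matching header id, and a dump step that tests the result before using it. The structs, the 8-byte header layout and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified model; these names are not Pigeonhole's API. */
struct block { uint32_t id, size; const uint8_t *data; };
struct binary { const uint8_t *buf; size_t len; struct block cache; };

/* Load the block whose 8-byte header (id, size) sits at `off`. Returns NULL
 * if the header is truncated, the stored id does not match `id`, or the
 * payload would run past the end of the buffer. */
static struct block *block_get(struct binary *b, size_t off, uint32_t id)
{
	uint32_t hdr[2];
	if (off > b->len || b->len - off < sizeof(hdr))
		return NULL;
	memcpy(hdr, b->buf + off, sizeof(hdr));
	if (hdr[0] != id || hdr[1] > b->len - off - sizeof(hdr))
		return NULL;
	b->cache = (struct block){ id, hdr[1], b->buf + off + sizeof(hdr) };
	return &b->cache;
}

/* Dump step with the check in place: a failed lookup is reported to the
 * caller instead of being dereferenced. */
static bool dump_metadata(struct binary *b, uint32_t id, uint32_t *size_r)
{
	struct block *blk = block_get(b, 0, id);
	if (blk == NULL)
		return false;	/* corrupt binary: stop before touching blk */
	*size_r = blk->size;
	return true;
}

/* Constructed inputs: a valid block 0, and a header carrying the non-matching
 * id from the error message above. Returns 1 if only the valid one dumps. */
static int demo(void)
{
	uint32_t good[3] = { 0, 4, 0xAABBCCDDu }, bad[3] = { 1818846724u, 4, 0 };
	struct binary g = { (const uint8_t *)good, sizeof(good), { 0, 0, NULL } };
	struct binary c = { (const uint8_t *)bad, sizeof(bad), { 0, 0, NULL } };
	uint32_t size = 0;
	return (dump_metadata(&g, 0, &size) && size == 4 ? 1 : 0) |
	       (dump_metadata(&c, 0, &size) ? 2 : 0);
}

int main(void) { return demo() == 1 ? 0 : 1; }
```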
Source: HackerOne report 1130792, "Open-Xchange: Null pointer dereference in lib-sieve after calling sieve_binary_block_index", reported by northsea to open-xchange. Published 2021-03-19, modified 2021-03-26, state: informative. https://hackerone.com/reports/1130792