Summary
An integer signedness mismatch vulnerability has been detected in the trio_length_max function in triostr.c.
Product
FreeRDP
Tested Version
Development version - master branch (May 25, 2020)
Details: Integer casting vulnerability in trio_length_max
Under certain circumstances (mainly when /log-level:TRACE is enabled and WLog_PrintMessage is called) the TrioParse parse function in trio.c returns parameters.precision = -1. This value is subsequently passed as the max parameter to the trio_length_max function.
So, the problem is that the size_t max argument in the trio_length_max function is an unsigned integer, but precision is a signed integer. For this reason, when precision = -1 is passed to the function trio_lenght_max, the max parameter is converted to SIZE_MAX which on e.g. 64bit Linux is 18446744073709551615UL.
/* winpr/libwinpr/utils/trio/trio.c */
TRIO_PRIVATE void TrioWriteString TRIO_ARGS5((self, string, flags, width, precision), trio_class_t* self, TRIO_CONST char* string, trio_flags_t flags, int width, int precision)
...
length = trio_length_max(string, precision); // precision = -1
...
/* winpr/libwinpr/utils/trio/triostr.c */
TRIO_PUBLIC_STRING size_t trio_length_max TRIO_ARGS2((string, max), TRIO_CONST char* string, size_t max) // max = 18446744073709551615
{
size_t i;
for (i = 0; i < max; ++i)
{
if (string[i] == 0)
break;
}
return i;
}
Impact
This issue may lead to Out-of-Bounds read.
CVE
- CVE-2020-4030
Coordinated Disclosure Timeline
This report was subject to the GHSL coordinated disclosure policy.
- 05/25/2020: Report sent to Vendor
- 05/26/2020: Vendor acknowledges report
- 06/22/2020: Patch published
Supporting Resources
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fjr5-97f5-qq98
- https://github.com/FreeRDP/FreeRDP/commit/05cd9ea2290d23931f615c1b004d4b2e69074e27
Credit
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
Contact
You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-106 in any communication regarding this issue.