July 1, 2020

GHSL-2020-125: integer signedness mismatch vulnerability in FreeRDP leads to OOB read - CVE-2020-4032

Antonio Morales

Summary

An integer casting vulnerability has been detected in update_recv_secondary_order in orders.c.

Product

FreeRDP

Tested Version

Development version - master branch (May 27, 2020)

Details: Integer casting vulnerability in update_recv_secondary_order

Under certain circumstances (glyph-cache and relax-order-checks should be enabled) the update_recv_secondary_order function in orders.c is affected by an integer signedness mismatch vulnerability.

The problem is that the size_t diff variable is an unsigned integer type, but start - end is a signed integer arithmetic expression that can return a negative value. When such a negative value is assigned to the unsigned size_t diff variable, it becomes a very large positive value at [1] up to and including SIZE_MAX. Consequently, Stream_Seek will be called with an extremely large diff value, moving the s stream pointer to an invalid address [2].

View on GitHub!

/* libfreerdp/core/orders.c */
...
diff = start - end; // [1]
if (diff > 0)
{
		WLog_Print(update->log, WLOG_DEBUG,
		           "SECONDARY_ORDER %s: read %" PRIuz "bytes short, skipping", name, diff);
		Stream_Seek(s, diff); // [2]
}
return rc;
...

Impact

This issue may lead to Out-of-Bounds read.

CVE

  • CVE-2020-4032

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 05/27/2020: Report sent to Vendor
  • 05/27/2020: Vendor acknowledges report
  • 06/22/2020: Bug fixed and patch released by the vendor

Supporting Resources

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-125 in any communication regarding this issue.