(CVE-2025-32906) Out of bounds reads in soup_headers_parse_request()
Original reporter: Tan Wei Chong
Area: Platform component (libraries, tools)
Message
I retested libsoup as reported in https://offsec.almond.consulting/using-aflplusplus-on-bug-bounty-programs-an-example-with-gnome-libsoup.html. I used a different input and libsoup crashed. Kindly email me for the executable and input file (which contains Non-ISO extended-ASCII text).
git log gives the following commit at the top: 8b46a93b
nl -ba soup-headers.c | grep 228 gives:
228 if (*p != '.' || !g_ascii_isdigit (p[1]))
Output from AFL++ as follows.
=================================================================
==103==ERROR: AddressSanitizer: use-after-poison on address 0x7f1c914ff81c at pc 0x7f1c94e7b43d bp 0x7ffe743226d0 sp 0x7ffe743226c8
READ of size 1 at 0x7f1c914ff81c thread T0
#0 0x7f1c94e7b43c in soup_headers_parse_request /fuzzing/libsoup/_build/../libsoup/soup-headers.c:228:20
#1 0x5624c27c6bb7 in LLVMFuzzerTestOneInput /root/harness.c:8:9
#2 0x5624c27caac9 in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:256:7
#3 0x5624c27ca8b9 in LLVMFuzzerRunDriver /AFLplusplus/utils/aflpp_driver/aflpp_driver.c
#4 0x5624c27ca3fd in main /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:312:10
#5 0x7f1c949e0d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#6 0x7f1c949e0e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#7 0x5624c26f2484 in _start (/root/harness.elf+0x1f484) (BuildId: 06ca866041f6a9f97275e3d5433a23bb63068a83)
0x7f1c914ff81c is located 28 bytes inside of 1048576-byte region [0x7f1c914ff800,0x7f1c915ff800)
allocated by thread T0 here:
#0 0x5624c278c2ae in malloc (/root/harness.elf+0xb92ae) (BuildId: 06ca866041f6a9f97275e3d5433a23bb63068a83)
#1 0x5624c27ca9f1 in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:222:41
SUMMARY: AddressSanitizer: use-after-poison /fuzzing/libsoup/_build/../libsoup/soup-headers.c:228:20 in soup_headers_parse_request
Shadow bytes around the buggy address:
0x7f1c914ff580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f1c914ff600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f1c914ff680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f1c914ff700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f1c914ff780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x7f1c914ff800: 00 00 00[04]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7f1c914ff880: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7f1c914ff900: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7f1c914ff980: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7f1c914ffa00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x7f1c914ffa80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==103==ABORTING
Edited by Michael Catanzaro
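The ASan report above points at the check on soup-headers.c line 228, which reads p[1] without confirming that p+1 still lies inside the request buffer; the shadow bytes show the input ends 28 bytes into the region and everything past it is poisoned, so a request line truncated after the major version digit is enough to trigger the read. The following is an added, standalone illustration (not libsoup's code, and its structure does not mirror the real parser) of how a version parser over a non-NUL-terminated buffer guards every dereference with an explicit end check:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked parse of "HTTP/<major>.<minor>" over [p, end), a buffer that
 * need not be NUL-terminated (the AFL++ driver hands libsoup exactly such a
 * buffer, with everything past the input poisoned). Standalone illustration,
 * not libsoup's code: the unchecked pattern from soup-headers.c line 228,
 * `*p != '.' || !g_ascii_isdigit (p[1])`, reads p[1] even when p is the last
 * byte; here every dereference is preceded by a `p < end` test.
 * Returns 1 and fills major/minor on success, 0 on malformed/truncated input. */
static int parse_http_version(const char *p, const char *end, int *major, int *minor)
{
    if (end - p < 5 || memcmp(p, "HTTP/", 5) != 0)
        return 0;
    p += 5;

    if (p >= end || !isdigit((unsigned char)*p))   /* at least one major digit */
        return 0;
    for (*major = 0; p < end && isdigit((unsigned char)*p); p++)
        *major = *major * 10 + (*p - '0');

    if (p >= end || *p != '.')                     /* guarded '.' check */
        return 0;
    p++;
    if (p >= end || !isdigit((unsigned char)*p))   /* guarded p[1] digit check */
        return 0;
    for (*minor = 0; p < end && isdigit((unsigned char)*p); p++)
        *minor = *minor * 10 + (*p - '0');

    return p == end;   /* the version must end exactly at the end of the token */
}

int main(void)
{
    /* Constructed inputs: one well-formed version and two truncated right
     * where the unchecked p[1] read would run off the end of the buffer. */
    const char *samples[] = { "HTTP/1.1", "HTTP/1", "HTTP/1." };
    for (size_t i = 0; i < 3; i++) {
        int maj = 0, min = 0;
        const char *s = samples[i];
        int ok = parse_http_version(s, s + strlen(s), &maj, &min);
        printf("%-9s -> %s (%d.%d)\n", s, ok ? "ok" : "rejected", maj, min);
    }
    return 0;
}
```

Built with -fsanitize=address, the truncated samples are rejected without any read beyond `end`, which is the property a regression test for this report should assert.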