Out of bounds read due to lack of string termination in assert

Products Impacted

This vulnerability is present in ONNX v1.1.0 up to and including v1.15.0.

CVSS Score: 3.3

AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE Categorization

CWE-125: Out-of-bounds Read

Details

The vulnerability exists within the onnx/common/assertions.cc file, in the barf function. This is triggered when any assert fails and the resulting string is 2048 characters or longer.

std::string barf(const char* fmt, ...) {
  char msg[2048];
  va_list args;

  va_start(args, fmt);
  // Although vsnprintf might have vulnerability issue while using format string with overflowed length,
  // it should be safe here to use fixed length for buffer "msg". No further checking is needed.
  vsnprintf(msg, 2048, fmt, args);
  va_end(args);

  return std::string(msg);
}

In the barf function, which is called by  ONNX_ASSERT and ONNX_ASSERTM a buffer with 2048 bytes is allocated for the generated string. However, in the vsnprintf call 2048 bytes are copied to the buffer before turning the buffer into a string. This means that any strings 2048 bytes or longer will not have a null terminator. When the string is created the program will continue reading past the end of the buffer and will copy arbitrary program memory until a string terminator is reached.

Project URL

https://github.com/onnx/onnx

Patches

https://github.com/onnx/onnx/releases/tag/v1.16.0