Invalid memory access in BCFtools 1.9
Loginsoft-2018-1004
August 18, 2018
CWE
CWE-476: NULL Pointer Dereference
Product Details
BCFtools is a program for variant calling and manipulating files in the Variant Call Format (VCF) and its binary counterpart BCF. All commands work transparently with both VCFs and BCFs, both uncompressed and BGZF-compressed. In order to avoid tedious repetition, throughout this document we will use "VCF" and "BCF" interchangeably, unless specifically noted. Most commands accept VCF, bgzipped VCF and BCF with filetype detected automatically even when streaming from a pipe. Indexed VCF and BCF work in all situations. Unindexed VCF and BCF and streams work in most, but not all situations. In general, whenever multiple VCFs are read simultaneously, they must be indexed and therefore also compressed.
URL: https://samtools.github.io/bcftools
Vulnerable Versions
bcftools 1.9
Vulnerability Details
An invalid memory access was discovered in bcftools version 1.9.
SYNOPSIS
Two issues were addressed when a broken BCF file is parsed as input, both being invalid memory accesses.
1. Issue in main_vcfcall()
While parsing a supplied BCF file, BCFtools calls main_vcfcall() in vcf_call.cpp. It incorrectly handles a broken BCF file, leaving NULL values inside the BCF record struct `bcf_rec`. Later in the code, an if statement accesses a member of that structure of type char** in a comparison operation [1]; because the value stored there is 0, this is a NULL pointer dereference and causes a segmentation fault.
2. Issue in bcf_seqname()
The function main_vcfcall() calls set_ploidy(), which internally calls the inline function bcf_seqname() located in the header file vcfcall.h. When computing its return value, bcf_seqname() accesses the members of the structure `hdr`:
`hdr` is a struct; its member `id` is accessed at index BCF_DT_CTG (hard-coded as 1).
`rec` is again a struct; its member `rid` (1) is accessed.
`key` is a const character pointer and a member of the `hdr.id` struct.
When the structure member `key`, a character pointer, is accessed, it holds an invalid memory address, possibly due to a heap overflow, and a segmentation fault is raised.
Fix: As both issues were caused by a broken BCF file, a bounds check was added in vcfcall.c as part of the fix, verifying the correctness of the supplied BCF file before it is parsed.
Commit: f9ab25129be77da536e03486327b9832c4bd6778
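To illustrate the two issues above and the shape of the bounds check that fixes them, here is an added example (not bcftools or htslib code): a simplified, hypothetical model of the hdr->id[BCF_DT_CTG][rec->rid].key lookup that bcf_seqname() performs, beside a checked variant that refuses to dereference an unpopulated dictionary, an out-of-range rid, or a NULL key. The struct names, the test data and record_is_usable() are assumptions for this example.

```c
/* Added example, not bcftools or htslib code: a minimal model of the
 * hdr->id[BCF_DT_CTG][rec->rid].key lookup that bcf_seqname() performs,
 * beside a checked variant that validates the index and pointers first. */
#include <stdio.h>

#define BCF_DT_CTG 1   /* contig dictionary index, as used by htslib */
#define BCF_DT_MAX 3

/* Hypothetical, simplified stand-ins for htslib's bcf_idpair_t, bcf_hdr_t, bcf1_t. */
typedef struct { const char *key; } idpair_t;
typedef struct {
    int n[BCF_DT_MAX];        /* number of entries in each dictionary */
    idpair_t *id[BCF_DT_MAX]; /* id[BCF_DT_CTG][i].key is contig i's name */
} hdr_t;
typedef struct { int rid; } rec_t;

/* Unchecked lookup, mirroring the access described in the advisory:
 * an out-of-range rid or a NULL key from a corrupt file crashes here. */
static const char *seqname_unchecked(const hdr_t *hdr, const rec_t *rec)
{
    return hdr->id[BCF_DT_CTG][rec->rid].key;
}

/* Checked lookup: returns NULL instead of dereferencing bad state,
 * so the caller can reject the file before any parsing continues. */
static const char *seqname_checked(const hdr_t *hdr, const rec_t *rec)
{
    if (!hdr || !rec || !hdr->id[BCF_DT_CTG]) return NULL;          /* dictionary never populated */
    if (rec->rid < 0 || rec->rid >= hdr->n[BCF_DT_CTG]) return NULL; /* rid out of range */
    return hdr->id[BCF_DT_CTG][rec->rid].key;  /* may itself be NULL: caller must check */
}

/* Constructed header: two contigs, the second left without a name. */
static idpair_t ctg[2] = { { "chr1" }, { NULL } };
static hdr_t hdr = { { 0, 2, 0 }, { NULL, ctg, NULL } };

/* 1 if the record's contig name can be used safely, 0 otherwise. */
static int record_is_usable(const rec_t *rec)
{
    return seqname_checked(&hdr, rec) != NULL;
}

int main(void)
{
    rec_t good = { 0 }, unnamed = { 1 }, oob = { 7 };
    printf("%d %d %d\n", record_is_usable(&good),
           record_is_usable(&unnamed), record_is_usable(&oob)); /* 1 0 0 */
    return 0;
}
```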
Analysis
Backtrace
Proof of concept
bcftools call -c $POC
`call` is used for SNP/indel calling. SNP/indel calling is one of the most frequently performed types of next-generation sequencing analysis.
Timeline
Vendor Disclosure: 2018-08-16
Patch Release: 2018-08-17
Public Disclosure: 2018-08-18
Credit
Discovered by ACE Team - Loginsoft