Original Versions

• Author-supplied POVs: POV1, POV2
• Browse Source
POVs in CQE must follow the POV markup specification.

Known Vulnerabilities

• CWE-129 - Improper Validation of Array Index
• CWE-193 - Off-by-one Error
• CWE-20 - Improper Input Validation
CWEs are listed as indicated by the challenge author.

Scores

• ForAllSecure: 1.75
• TECHx: 1.58
• CSDS: 1.14
• CodeJitsu: 0.3
• TrailofBits: 0.17
• Disekt: 0.0
• Shellphish: 0.0
• FuzzBOMB: 0.0
• DeepRed: 0.0
The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

• CodeJitsu - CB1
• CSDS - CB1
• ForAllSecure - CB1
• TECHx - CB1
• TrailofBits - CB1

Proved a POV in reference challenge

• Shellphish - POV
POVs in CQE must follow the POV markup specification.

Defense against reference POVs

• CodeJitsu: 100.0% - CB1
• TECHx: 100.0% - CB1
• CSDS: 100.0% - CB1
• TrailofBits: 100.0% - CB1
• ForAllSecure: 50.0% - CB1

No submission

• Eighth Place Team
• Eleventh Place Team
• Fifth Place Team - Finalist
• First Place Team - Finalist
• Fourth Place Team - Finalist
• Ninth Place Team
• Second Place Team - Finalist
• Seventh Place Team - Finalist
• Sixth Place Team - Finalist
• Tenth Place Team
• Third Place Team - Finalist
• Thirteenth Place Team
• Twelfth Place Team

All Submissions

• Submission 1
• Submission 2
• Submission 3
• Submission 4
• Submission 5
• Submission 6
• Submission 7
• Submission 8
• Submission 9

Author Information

"Nick Davis" info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)

Description

SOLFEDGE is state of the art software used by ARRRRGH, the Academy of Really, Really, Really, Really, Great Harmony, to translate their music between notes and syllables (Solmization).

ARRRRGH teaches their classes in French, so SOFEDGE is designed to use the French 'fixed do' method of solfedge and only recognizes the C major scale.

Feature List

This service is a translation engine, so it has 2 primary functions:

• It accepts large strings of notes and converts them to syllables.
• It accepts large strings of syllables and converts them to notes.

Valid notes are: C D E F G A * B

And valid syllables are: Ut Re Mi Fa Sol La * Si

A single harmony can contain up to 2048 syllables or notes.

Vulnerability

The buffer that stores syllables is 4096 bytes long. Assuming syllables are 2 bytes, that allows 2048 syllables. The syllable 'sol' is 3 bytes long, while the rest are 2 chars long. So, if the user provides a harmony that contains 2048 notes and one or more of those notes corresponds to the syllable 'sol', then writing those notes as syllables will go beyond the syllables buffer (page) and cause a segfault.

More specifically, in operation.c:process_notes, the while loop will cause write_syllable_to_buf to write into the syllables_buf until one of 3 conditions happens. 1) an error is returned, 2) all of the input bytes have been processed, and 3) the total chars written to the syllable buf has reached the MAX_SYLLABLES_BYTES. The comparison (total_bytes_written < MAX_SYLLABLES_BYTES) is a form of an off-by-one error, because each iteration of the loop can write 2 or 3 bytes. So, if total_bytes_written is 1 or 2 less than MAX_SYLLABLES_BYTES, the loop will run one more iteration. If it is 1 less, that iteration will cause a segfault with both a 2-btye and 3-byte syllable. If it is 2 less, that iteration will cause segfault with a 3-byte syllable.

The segfault will occur in operations.c:write_syllable_to_buf at either line 224 or 227.

There are multiple ways to patch this vuln. The provided PATCHED version uses a more optimal patch that covers both failure conditions. It is also possible to put a much more restrictive bound on total_bytes_written (i.e. 100 or 2000), that will prevent the overflow, but will also greatly shorten the possible harmony length.

A more extensive patch, that is unlikely for automated patching is to pass the total_bytes_written value into write_syllable_to_buf, and perform a check that can calculate how many more bytes will fit into the buffer before it writes any bytes. It could then return an error value if there are not enough bytes remaining to complete the write.

Generic class of vulnerability

Improper Input Validation Improper Validation of Array Index Off-by-one Error

CWE classification

Improper Input Validation CWE-20

Improper Validation of Array Index CWE-129

Off-by-one Error CWE-193

Challenges

• This CB is intentionally on the easier side. A SAT solver should be able to reason about the difference between the syllables' buffer size and the amount of data that can be written to it.
• The way in which a team patches the vuln should indicate if they can reason that both failure points are due to a common cause. If they simply try to patch both failure points separately, they may not have been able to correlate the 2 failure points.