View Issue Details

IDProjectCategoryView StatusLast Update
0005846libextractorextractpublic2021-01-30 15:33
Reporterjianglin Assigned ToChristian Grothoff  
PriorityhighSeverityminorReproducibilityalways
Status closedResolutionfixed 
PlatformlinuxOSubuntuOS Version16.4
Product Version1.9 
Target Version1.10Fixed in Version1.10 
Summary0005846: A heap-buffer-overflow vulneribility in function EXTRACTOR_dvi_extract_method in dvi_extractor.c
DescriptionIn EXTRACTOR_dvi_extract_method function, it read klen from file, so a crafted file can set klen to an invalid value. When exceeding the valid size, it will cause an overflow and trigger a crash in the code.
Steps To Reproduceextract -i ../crashes/EXTRACTOR_dvi_extract_method@dvi_extractor.c_264-5___heap-buffer-overflow
TagsError

Activities

jianglin

2019-08-21 09:31

reporter  

EXTRACTOR_dvi_extract_method@dvi_extractor.c_264_heapbufferoverflow.md (3,815 bytes)   
## EXTRACTOR_dvi_extract_method@dvi_extractor.c:264-5___heap-buffer-overflow

### description

    An issue was discovered in libextractor 1.1, There is a/an heap-buffer-overflow in function EXTRACTOR_dvi_extract_method at dvi_extractor.c:264-5

### commandline

    extract -i @@ /dev/null

### source

```c
 260   {
 261     char comment[klen + 1];
 262     
 263     comment[klen] = '\0';
> 264    memcpy (comment, &data[15], klen);
 265     if (0 != ec->proc (ec->cls, 
 266 		       "dvi",
 267 		       EXTRACTOR_METATYPE_COMMENT,
 268 		       EXTRACTOR_METAFORMAT_C_STRING,
 269 		       "text/plain",

```

### bug report

```txt
=================================================================
==4645==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000007220 at pc 0x0000004a2e3d bp 0x7fffec7aa230 sp 0x7fffec7a99e0
READ of size 249 at 0x60b000007220 thread T0
    #0 0x4a2e3c in __asan_memcpy (/src/aflbuild/installed/bin/extract+0x4a2e3c)
    #1 0x7fb9d56bcd59 in EXTRACTOR_dvi_extract_method /src/libextractor/src/plugins/dvi_extractor.c:264:5
    #2 0x7fb9da6dc97f in do_extract /src/libextractor/src/main/extractor.c:582:7
    #3 0x7fb9da6da8c9 in EXTRACTOR_extract /src/libextractor/src/main/extractor.c:661:3
    #4 0x4ec5b3 in main /src/libextractor/src/main/extract.c:983:2
    #5 0x7fb9d97c282f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x418fd8 in _start (/src/aflbuild/installed/bin/extract+0x418fd8)

0x60b000007220 is located 0 bytes to the right of 112-byte region [0x60b0000071b0,0x60b000007220)
allocated by thread T0 here:
    #0 0x4b9108 in __interceptor_malloc (/src/aflbuild/installed/bin/extract+0x4b9108)
    #1 0x7fb9d56bc53c in EXTRACTOR_dvi_extract_method /src/libextractor/src/plugins/dvi_extractor.c:185:23
    #2 0x7fb9da6dc97f in do_extract /src/libextractor/src/main/extractor.c:582:7
    #3 0x7fb9da6da8c9 in EXTRACTOR_extract /src/libextractor/src/main/extractor.c:661:3

SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/aflbuild/installed/bin/extract+0x4a2e3c) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c167fff8df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8e00: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c167fff8e10: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c167fff8e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c167fff8e30: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
=>0x0c167fff8e40: 00 00 00 00[fa]fa fa fa fa fa fa fa 00 00 00 00
  0x0c167fff8e50: 00 00 00 00 00 00 00 00 07 fa fa fa fa fa fa fa
  0x0c167fff8e60: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c167fff8e70: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c167fff8e80: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
  0x0c167fff8e90: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4645==ABORTING

```

### others

    from fuzz project pwd-libextractor-extract-00
    crash name pwd-libextractor-extract-00-00000016-20190817
    Auto-generated by pyspider at 2019-08-17 14:51:38

    please send email to  teamseri0us360@gmail.com if you have any questions.

jianglin

2019-08-21 12:10

reporter   ~0014800

the data points to a chunk whose size is 129, but when tring to read 249 triggers a heap-over-flow.
pwndbg> malloc_chunk data-0x10
0x6072a0 FASTBIN {
  prev_size = 0,
  size = 129,
  fd = 0xf914f9f9fffe02f7,
  bk = 0xf9f9f9f9f9f9f9f9,
  fd_nextsize = 0xe8f9f9fffffffff8,
  bk_nextsize = 0xf9f9f9f9f9f9f903
}
pwndbg> p klen
$4 = 249

jianglin

2019-08-21 12:11

reporter  

EXTRACTOR_dvi_extract_method@dvi_extractor.c_264_heapbufferoverflow(1).md (4,210 bytes)   
## EXTRACTOR_dvi_extract_method@dvi_extractor.c:264-5___heap-buffer-overflow

### description

    An issue was discovered in libextractor 1.1, There is a/an heap-buffer-overflow in function EXTRACTOR_dvi_extract_method at dvi_extractor.c:264-5

### commandline

    extract -i @@ /dev/null

### source

```c
 260   {
 261     char comment[klen + 1];
 262     
 263     comment[klen] = '\0';
> 264    memcpy (comment, &data[15], klen);
 265     if (0 != ec->proc (ec->cls, 
 266 		       "dvi",
 267 		       EXTRACTOR_METATYPE_COMMENT,
 268 		       EXTRACTOR_METAFORMAT_C_STRING,
 269 		       "text/plain",

```


### debug

```
pwndbg> malloc_chunk data-0x10
0x6072a0 FASTBIN {
  prev_size = 0, 
  size = 129, 
  fd = 0xf914f9f9fffe02f7, 
  bk = 0xf9f9f9f9f9f9f9f9, 
  fd_nextsize = 0xe8f9f9fffffffff8, 
  bk_nextsize = 0xf9f9f9f9f9f9f903
}
pwndbg> p klen
$4 = 249

```

### bug report

```txt
=================================================================
==4645==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000007220 at pc 0x0000004a2e3d bp 0x7fffec7aa230 sp 0x7fffec7a99e0
READ of size 249 at 0x60b000007220 thread T0
    #0 0x4a2e3c in __asan_memcpy (/src/aflbuild/installed/bin/extract+0x4a2e3c)
    #1 0x7fb9d56bcd59 in EXTRACTOR_dvi_extract_method /src/libextractor/src/plugins/dvi_extractor.c:264:5
    #2 0x7fb9da6dc97f in do_extract /src/libextractor/src/main/extractor.c:582:7
    #3 0x7fb9da6da8c9 in EXTRACTOR_extract /src/libextractor/src/main/extractor.c:661:3
    #4 0x4ec5b3 in main /src/libextractor/src/main/extract.c:983:2
    #5 0x7fb9d97c282f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x418fd8 in _start (/src/aflbuild/installed/bin/extract+0x418fd8)

0x60b000007220 is located 0 bytes to the right of 112-byte region [0x60b0000071b0,0x60b000007220)
allocated by thread T0 here:
    #0 0x4b9108 in __interceptor_malloc (/src/aflbuild/installed/bin/extract+0x4b9108)
    #1 0x7fb9d56bc53c in EXTRACTOR_dvi_extract_method /src/libextractor/src/plugins/dvi_extractor.c:185:23
    #2 0x7fb9da6dc97f in do_extract /src/libextractor/src/main/extractor.c:582:7
    #3 0x7fb9da6da8c9 in EXTRACTOR_extract /src/libextractor/src/main/extractor.c:661:3

SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/aflbuild/installed/bin/extract+0x4a2e3c) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c167fff8df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8e00: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c167fff8e10: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c167fff8e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c167fff8e30: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
=>0x0c167fff8e40: 00 00 00 00[fa]fa fa fa fa fa fa fa 00 00 00 00
  0x0c167fff8e50: 00 00 00 00 00 00 00 00 07 fa fa fa fa fa fa fa
  0x0c167fff8e60: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c167fff8e70: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c167fff8e80: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
  0x0c167fff8e90: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4645==ABORTING

```


![image](https://note.youdao.com/yws/public/resource/3b7c0127c9c4c2ad0e78cdd349059ec8/xmlnote/64AAF5527F764EC5BFAE55B65EAE74B1/22386)

### others

    from fuzz project pwd-libextractor-extract-00
    crash name pwd-libextractor-extract-00-00000016-20190817
    Auto-generated by pyspider at 2019-08-17 14:51:38

    please send email to  teamseri0us360@gmail.com if you have any questions.

Christian Grothoff

2019-08-23 09:38

manager   ~0014801

Fixed in 1ecee9a..756ba06, thanks for reporting!

Issue History

Date Modified Username Field Change
2019-08-21 09:31 jianglin New Issue
2019-08-21 09:31 jianglin Tag Attached: Error
2019-08-21 09:31 jianglin File Added: EXTRACTOR_dvi_extract_method@dvi_extractor.c_264_heapbufferoverflow.md
2019-08-21 09:31 jianglin File Added: EXTRACTOR_dvi_extract_method@dvi_extractor.c_264-5___heap-buffer-overflow
2019-08-21 12:10 jianglin Note Added: 0014800
2019-08-21 12:11 jianglin File Added: EXTRACTOR_dvi_extract_method@dvi_extractor.c_264_heapbufferoverflow(1).md
2019-08-23 09:38 Christian Grothoff Note Added: 0014801
2019-08-23 09:38 Christian Grothoff Assigned To => Christian Grothoff
2019-08-23 09:38 Christian Grothoff Status new => resolved
2019-08-23 09:38 Christian Grothoff Resolution open => fixed
2019-08-23 09:38 Christian Grothoff Fixed in Version => 1.10
2019-08-23 09:39 Christian Grothoff Target Version => 1.10
2021-01-30 15:33 Christian Grothoff Status resolved => closed