View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005846 | libextractor | extract | public | 2019-08-21 09:31 | 2024-02-29 22:47 |
| Reporter | jianglin | Assigned To | Christian Grothoff | ||
| Priority | high | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Platform | linux | OS | ubuntu | OS Version | 16.4 |
| Product Version | 1.9 | ||||
| Target Version | 1.10 | Fixed in Version | 1.10 | ||
| Summary | 0005846: A heap-buffer-overflow vulnerability in function EXTRACTOR_dvi_extract_method in dvi_extractor.c | ||||
| Description | In the EXTRACTOR_dvi_extract_method function, klen is read from the file, so a crafted file can set klen to an invalid value. When it exceeds the valid size, it causes an overflow and triggers a crash in the code. | ||||
| Steps To Reproduce | extract -i ../crashes/EXTRACTOR_dvi_extract_method@dvi_extractor.c_264-5___heap-buffer-overflow | ||||
| Tags | No tags attached. | ||||
| Attached Files | EXTRACTOR_dvi_extract_method@dvi_extractor.c_264_heapbufferoverflow.md (3,815 bytes)
## EXTRACTOR_dvi_extract_method@dvi_extractor.c:264-5___heap-buffer-overflow
### description
An issue was discovered in libextractor 1.1. There is a heap-buffer-overflow in function EXTRACTOR_dvi_extract_method at dvi_extractor.c:264-5
### commandline
extract -i @@ /dev/null
### source
```c
260 {
261 char comment[klen + 1];
262
263 comment[klen] = '\0';
> 264 memcpy (comment, &data[15], klen);
265 if (0 != ec->proc (ec->cls,
266 "dvi",
267 EXTRACTOR_METATYPE_COMMENT,
268 EXTRACTOR_METAFORMAT_C_STRING,
269 "text/plain",
```
### bug report
```txt
=================================================================
==4645==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000007220 at pc 0x0000004a2e3d bp 0x7fffec7aa230 sp 0x7fffec7a99e0
READ of size 249 at 0x60b000007220 thread T0
#0 0x4a2e3c in __asan_memcpy (/src/aflbuild/installed/bin/extract+0x4a2e3c)
#1 0x7fb9d56bcd59 in EXTRACTOR_dvi_extract_method /src/libextractor/src/plugins/dvi_extractor.c:264:5
#2 0x7fb9da6dc97f in do_extract /src/libextractor/src/main/extractor.c:582:7
#3 0x7fb9da6da8c9 in EXTRACTOR_extract /src/libextractor/src/main/extractor.c:661:3
#4 0x4ec5b3 in main /src/libextractor/src/main/extract.c:983:2
#5 0x7fb9d97c282f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#6 0x418fd8 in _start (/src/aflbuild/installed/bin/extract+0x418fd8)
0x60b000007220 is located 0 bytes to the right of 112-byte region [0x60b0000071b0,0x60b000007220)
allocated by thread T0 here:
#0 0x4b9108 in __interceptor_malloc (/src/aflbuild/installed/bin/extract+0x4b9108)
#1 0x7fb9d56bc53c in EXTRACTOR_dvi_extract_method /src/libextractor/src/plugins/dvi_extractor.c:185:23
#2 0x7fb9da6dc97f in do_extract /src/libextractor/src/main/extractor.c:582:7
#3 0x7fb9da6da8c9 in EXTRACTOR_extract /src/libextractor/src/main/extractor.c:661:3
SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/aflbuild/installed/bin/extract+0x4a2e3c) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c167fff8df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff8e00: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
0x0c167fff8e10: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c167fff8e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c167fff8e30: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
=>0x0c167fff8e40: 00 00 00 00[fa]fa fa fa fa fa fa fa 00 00 00 00
0x0c167fff8e50: 00 00 00 00 00 00 00 00 07 fa fa fa fa fa fa fa
0x0c167fff8e60: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c167fff8e70: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c167fff8e80: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
0x0c167fff8e90: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4645==ABORTING
```
### others
from fuzz project pwd-libextractor-extract-00
crash name pwd-libextractor-extract-00-00000016-20190817
Auto-generated by pyspider at 2019-08-17 14:51:38
please send email to teamseri0us360@gmail.com if you have any questions.
EXTRACTOR_dvi_extract_method@dvi_extractor.c_264_heapbufferoverflow(1).md (4,210 bytes)
## EXTRACTOR_dvi_extract_method@dvi_extractor.c:264-5___heap-buffer-overflow
### debug
```
pwndbg> malloc_chunk data-0x10
0x6072a0 FASTBIN {
prev_size = 0,
size = 129,
fd = 0xf914f9f9fffe02f7,
bk = 0xf9f9f9f9f9f9f9f9,
fd_nextsize = 0xe8f9f9fffffffff8,
bk_nextsize = 0xf9f9f9f9f9f9f903
}
pwndbg> p klen
$4 = 249
```
| ||||
Note 0014800 (jianglin, 2019-08-21 12:10):

The data points to a chunk whose size is 129, but trying to read 249 bytes triggers a heap overflow.

```
pwndbg> malloc_chunk data-0x10
0x6072a0 FASTBIN {
prev_size = 0,
size = 129,
fd = 0xf914f9f9fffe02f7,
bk = 0xf9f9f9f9f9f9f9f9,
fd_nextsize = 0xe8f9f9fffffffff8,
bk_nextsize = 0xf9f9f9f9f9f9f903
}
pwndbg> p klen
$4 = 249
```
Note 0014801 (Christian Grothoff, 2019-08-23 09:38):

Fixed in 1ecee9a..756ba06, thanks for reporting!

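An added example, not code from libextractor and not the fix referenced in the note above: a hardened version of the comment-length handling the report describes, with the bounds check (klen against the bytes actually present after the header) that the crashing memcpy lacked. The preamble layout (opcode 247, id 2, twelve bytes of num/den/mag, a one-byte k at offset 14, the comment at offset 15), every function and constant name, and the sample inputs are assumptions constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not libextractor's code nor its fix. Assumed DVI preamble
 * layout: byte 0 = 247 (PRE), byte 1 = 2 (id), bytes 2..13 = num/den/mag,
 * byte 14 = k (comment length), bytes 15..15+k-1 = the comment. */
#define DVI_PRE_OPCODE     247
#define DVI_ID             2
#define DVI_COMMENT_OFFSET 15
enum dvi_status { DVI_OK = 0, DVI_NOT_DVI = -1, DVI_TRUNCATED = -2, DVI_OUTBUF_SMALL = -3 };

/* Copy the preamble comment into out (NUL-terminated) and report its length.
 * The crashing code did memcpy (comment, &data[15], klen) with klen taken
 * straight from byte 14; the check it lacked is that klen must not exceed
 * the bytes actually present after the header. */
int dvi_read_comment(const unsigned char *data, size_t size,
                     char *out, size_t out_size, size_t *klen_out)
{
  if (size < DVI_COMMENT_OFFSET)                  /* header incomplete */
    return DVI_TRUNCATED;
  if (data[0] != DVI_PRE_OPCODE || data[1] != DVI_ID)
    return DVI_NOT_DVI;
  size_t klen = data[14];                         /* file-controlled, 0..255 */
  if (klen > size - DVI_COMMENT_OFFSET)           /* the missing bounds check */
    return DVI_TRUNCATED;
  if (klen + 1 > out_size)                        /* room for the NUL */
    return DVI_OUTBUF_SMALL;
  memcpy(out, &data[DVI_COMMENT_OFFSET], klen);
  out[klen] = '\0';
  *klen_out = klen;
  return DVI_OK;
}
/* Constructed inputs, not the issue's crash file; bytes 2..13 are arbitrary. */
static const unsigned char good_dvi[] = { 247, 2, 1,2,3,4, 5,6,7,8, 9,10,11,12,
                                          5, 'h','e','l','l','o' };
/* Same 20-byte file, but k claims 249 comment bytes: the shape of the report. */
static const unsigned char bad_dvi[]  = { 247, 2, 1,2,3,4, 5,6,7,8, 9,10,11,12,
                                          249, 'h','e','l','l','o' };
/* Return klen when good_dvi parses and yields "hello", else a negative value. */
int parse_good(void)
{
  char buf[256]; size_t k = 0;
  int rc = dvi_read_comment(good_dvi, sizeof good_dvi, buf, sizeof buf, &k);
  return (rc == DVI_OK && 0 == strcmp(buf, "hello")) ? (int) k : -100;
}
/* Return the status for bad_dvi: DVI_TRUNCATED, nothing copied. */
int parse_bad(void)
{
  char buf[256]; size_t k = 0;
  return dvi_read_comment(bad_dvi, sizeof bad_dvi, buf, sizeof buf, &k);
}
```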
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2019-08-21 09:31 | jianglin | New Issue | |
| 2019-08-21 09:31 | jianglin | Tag Attached: Error | |
| 2019-08-21 09:31 | jianglin | File Added: EXTRACTOR_dvi_extract_method@dvi_extractor.c_264_heapbufferoverflow.md | |
| 2019-08-21 09:31 | jianglin | File Added: EXTRACTOR_dvi_extract_method@dvi_extractor.c_264-5___heap-buffer-overflow | |
| 2019-08-21 12:10 | jianglin | Note Added: 0014800 | |
| 2019-08-21 12:11 | jianglin | File Added: EXTRACTOR_dvi_extract_method@dvi_extractor.c_264_heapbufferoverflow(1).md | |
| 2019-08-23 09:38 | Christian Grothoff | Note Added: 0014801 | |
| 2019-08-23 09:38 | Christian Grothoff | Assigned To | => Christian Grothoff |
| 2019-08-23 09:38 | Christian Grothoff | Status | new => resolved |
| 2019-08-23 09:38 | Christian Grothoff | Resolution | open => fixed |
| 2019-08-23 09:38 | Christian Grothoff | Fixed in Version | => 1.10 |
| 2019-08-23 09:39 | Christian Grothoff | Target Version | => 1.10 |
| 2021-01-30 15:33 | Christian Grothoff | Status | resolved => closed |
| 2024-02-29 22:47 | Christian Grothoff | Tag Detached: Error | |