Buffer overflow when processing malformed mesh files #21

Open
retpoline opened this issue Jan 7, 2022 · 2 comments

Comments

@retpoline

retpoline commented Jan 7, 2022

Hi folks,

An interesting crash was found while fuzz testing the mesh2poly binary, which can be triggered via a malformed mesh file. Although the malformed file below only crashes the program as-is, it could potentially be crafted further and create a security issue where these kinds of files would be able to compromise the process's memory by taking advantage of the affordances given by memory corruption. It's recommended to harden the code to prevent these kinds of bugs, as it could greatly mitigate this issue and even future bugs.

crash.mesh (create file from scratch, no magic bytes necessary)

echo -ne `perl -e 'print "B" x 2176'` > test.mesh

debug log

(gdb) r test.mesh /tmp/empty.mesh
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: mesh2poly test.mesh /tmp/empty.mesh
*** stack smashing detected ***: terminated

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7ddb859 in __GI_abort () at abort.c:79
#2  0x00007ffff7e463ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f7007c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7ee8b4a in __GI___fortify_fail (msg=msg@entry=0x7ffff7f70064 "stack smashing detected") at fortify_fail.c:26
#4  0x00007ffff7ee8b16 in __stack_chk_fail () at stack_chk_fail.c:24
#5  0x000055555555b5d2 in GmfOpenMesh ()
#6  0x4242424242424242 in ?? ()
#7  0x0000000000000000 in ?? ()
(gdb) exploitable
Description: Stack buffer overflow
Short description: StackBufferOverflow (6/22)
Hash: ea307ff89c1110d6e6c6f565bfc6a9ce.350b4f5ab2938b2eb4fa0a598f3508e1
Exploitability Classification: EXPLOITABLE
Explanation: The target stopped while handling a signal that was generated by libc due to detection of a stack buffer overflow. Stack buffer overflows are generally considered exploitable.
Other tags: PossibleStackCorruption (7/22), AbortSignal (20/22)
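The backtrace above is the signature of a classic stack buffer overflow caught by GCC's stack protector: `GmfOpenMesh` wrote past a fixed-size stack buffer, the canary check failed on return and glibc's `__stack_chk_fail` aborted the process. Frame #6 reading `0x4242424242424242` shows that the saved return address had already been overwritten with `'B'` (0x42) bytes from the file, which is why the `exploitable` plugin classifies it as exploitable. The following added example is not libMeshb's or mesh2poly's code and makes no claim about where the real bug sits; it is a hypothetical keyword reader showing the bug class beside a bounded replacement, fed with a constructed copy of the 2176-byte crash file. The assumed file layout (a leading whitespace-delimited keyword such as `MeshVersionFormatted`) and the 64-byte buffer size are assumptions for illustration.

```c
/*
 * Added example, not libMeshb's code: a hypothetical keyword reader that
 * shows the bug class behind "*** stack smashing detected ***" and a
 * bounded replacement. The file layout (a leading keyword token such as
 * "MeshVersionFormatted") and KW_MAX are assumptions for illustration.
 */
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define KW_MAX 64   /* fixed-size stack buffer, as a parser typically uses */

/*
 * Unsafe pattern: copies the first whitespace-delimited token into a
 * 64-byte stack buffer with no bound. A token of 2176 'B's overruns the
 * buffer, the canary and the saved return address, which is what the
 * 0x4242424242424242 frame in the backtrace looks like. Never call this
 * with untrusted input; it is here only for comparison with read_keyword().
 */
int read_keyword_unsafe(const char *data, size_t len)
{
    char kw[KW_MAX];
    size_t i = 0, j = 0;

    while (j < len && !isspace((unsigned char)data[j]))
        kw[i++] = data[j++];           /* BUG: i is never checked against KW_MAX */
    kw[i] = '\0';
    return (int)i;
}

/*
 * Hardened pattern: the copy is bounded by the destination size, an
 * over-long token is rejected rather than truncated (a truncated keyword
 * would silently change meaning), and the result goes to a caller-owned
 * buffer of known size.
 */
int read_keyword(const char *data, size_t len, char *out, size_t out_len)
{
    size_t i = 0;

    if (out_len == 0)
        return -1;
    while (i < len && !isspace((unsigned char)data[i])) {
        if (i + 1 >= out_len)          /* leave room for the terminator */
            return -1;
        out[i] = data[i];
        i++;
    }
    if (i == 0)
        return -1;                     /* empty token: malformed header */
    out[i] = '\0';
    return (int)i;
}

/* Constructed reproduction of the issue's crash file: 2176 'B' bytes, no newline. */
#define CRASH_LEN 2176
static char crash_mesh[CRASH_LEN];

/* Parse the constructed crash file with the hardened reader; returns -1 (rejected). */
int parse_crash_file(void)
{
    char kw[KW_MAX];
    memset(crash_mesh, 'B', CRASH_LEN);
    return read_keyword(crash_mesh, CRASH_LEN, kw, sizeof kw);
}

/* Parse a constructed well-formed header line; returns the keyword length and fills out. */
int parse_good_file(char *out, size_t out_len)
{
    static const char good_mesh[] = "MeshVersionFormatted 2\n";   /* constructed input */
    return read_keyword(good_mesh, sizeof good_mesh - 1, out, out_len);
}

int main(void)
{
    char kw[KW_MAX];
    int n = parse_good_file(kw, sizeof kw);
    printf("good file: keyword=%s len=%d\n", kw, n);
    printf("crash file: rc=%d (rejected, no overflow)\n", parse_crash_file());
    /* read_keyword_unsafe(crash_mesh, CRASH_LEN) would abort with the same
       "*** stack smashing detected ***" as the report when built with
       -fstack-protector, and corrupt the return address without it. */
    return 0;
}
```

The hardened reader fails closed on an over-long token instead of truncating it, because a parser that silently shortens a keyword can be steered into a different code path by the same malformed input. The canary only turns a silent overwrite into an abort; it is a detection, not a fix, so the bounds check belongs in the copy itself.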
@LoicMarechal (Owner)

LoicMarechal commented Jan 7, 2022 via email

@retpoline (Author)

Great, thanks for the quick fix!
