Several heap buffer overflow issues have been found. #189
When I run this through mkd2html on my dev machine, I don't get any warnings on the internal debugging malloc that I put into discount (except for the two memory blocks that contain the source filename & output html name, which are expected) so I've a couple of questions:
Sorry for replying so late.
Some other issues have been found by the fuzzing process; the executable file is mkd2html, and there are 2 issues in total.
Once you pointed me at the offending compiler flag I was able to reproduce it (and holy cow the code slows waaaay down when built with -fsanitize=address -- the clang documentation that says it doesn't slow things down much is a baldfaced lie) and fix it (normally I null-terminate input lines by doing an (And I also found a bug where I was setting the dle of the new line from the dle of the old line, so a bit of code like {3 spaces at the start of the line} ANYWAY, I've pushed a little patch that makes -fsanitize=address NOT abend on your issue2_testcase (and I suspect not abend on your issue1 & issue3 testcases, because the offending data block is allocated in
The issues from #189 (comment) have been assigned CVE-2018-11503 and CVE-2018-11504 respectively.
Another issue has been found when I fuzz markdown. Details are displayed as follows:
How are you calling the markdown program?
I just call markdown without any parameter: ./markdown input, and the input is the test case I recorded at https://github.com/fCorleone/fuzz_programs/blob/master/discount/issue4_testcase.
So you're doing
by itself. What compiler flags are you passing, and what configure.sh options are you using? I couldn't repeat the fault here, and this is configuring discount as
I use afl-gcc as the compiler when I run the script configure. The flags are the same.
Do you do any of the configure.sh options, or just
? (I'm on a mac, so no afl-gcc for me; clang's sanitize=address is good for catching boundary overflows)
just
clang may work too.
Clang on macos ( Can you bisect the input file to see if you can reproduce the fault with a shorter test case? If I can't duplicate the error on my build machines I'll have to walk the code by eye to see if I can figure out the problem, and I'd much rather do that with a considerably shorter piece of source.
And also which version of discount are you using; top of source or an earlier version? |
I'm going to close this issue because all of your overflow catches involved splitline(), which I reworked to null-terminate the lines after splitting. If you find anything that makes afl freak out on top-of-source, let me know and I'll reopen it.
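As an added illustration of the fix described in the comment above (null-terminating every line at split time, and bounding the trim by the recorded length rather than by whatever follows the allocation), here is a constructed splitter and trimmer. It is not discount's code: `line_t`, `split_line`, `trim_leading` and `process_to_string` are names invented for this example, and the sample input is constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for a line splitter (not discount's splitline()): one
 * input line is copied into a fresh heap buffer that is always NUL-terminated,
 * including a final line that has no trailing '\n'. */
typedef struct { char *text; size_t len; } line_t;
static line_t split_line(const char *src, size_t srclen, size_t *consumed) {
    size_t n = 0; line_t l;
    while (n < srclen && src[n] != '\n') n++;
    l.text = malloc(n + 1);               /* +1 leaves room for the terminator */
    if (!l.text) abort();
    memcpy(l.text, src, n);
    l.text[n] = '\0';                     /* the step the fix on this thread restores */
    l.len = n;
    *consumed = n + (n < srclen ? 1 : 0); /* skip the '\n' when one was present */
    return l;
}
/* Strip leading blanks in place.  The scan is bounded by the recorded length,
 * so it never depends on strlen() or memmove() running past the allocation,
 * which is the access pattern ASan reported in __mkd_trim_line above. */
static size_t trim_leading(line_t *l) {
    size_t skip = 0;
    while (skip < l->len && (l->text[skip] == ' ' || l->text[skip] == '\t')) skip++;
    if (skip) {
        memmove(l->text, l->text + skip, l->len - skip + 1); /* +1 moves the NUL */
        l->len -= skip;
    }
    return skip;
}
/* Split, trim and re-join every line with '|' into a static buffer so that a
 * single return value can be checked; demo helper only. */
static const char *process_to_string(const char *src, size_t srclen) {
    static char out[256];
    size_t pos = 0, off = 0;
    out[0] = '\0';
    while (off < srclen) {
        size_t used;
        line_t l = split_line(src + off, srclen - off, &used);
        trim_leading(&l);
        if (pos + l.len + 2 > sizeof out) { free(l.text); break; }
        if (pos) out[pos++] = '|';
        memcpy(out + pos, l.text, l.len + 1);
        pos += l.len;
        free(l.text);
        off += used;
    }
    return out;
}
```

Run the same input through a build with -fsanitize=address: because every buffer carries its terminator and the trim never scans beyond `len`, there is no read past the end of the region.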
Hi, can you refer me to the commit that fixes this issue?
A buffer overflow has been discovered. The information is displayed as follows:
==4515==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000a91a at pc 0x7f7e7a5e7df8 bp 0x7ffe878efa50 sp 0x7ffe878ef1f8
READ of size 103 at 0x60b00000a91a thread T0
#0 0x7f7e7a5e7df7 in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cdf7)
#1 0x40b516 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:59
#2 0x40b516 in __mkd_trim_line /home/ubuntu/mfc_fuzz/discount/mkdio.c:85
#3 0x4260e0 in codeblock /home/ubuntu/mfc_fuzz/discount/markdown.c:611
#4 0x4260e0 in compile /home/ubuntu/mfc_fuzz/discount/markdown.c:1317
#5 0x42a56e in compile_document /home/ubuntu/mfc_fuzz/discount/markdown.c:1230
#6 0x42a56e in mkd_compile /home/ubuntu/mfc_fuzz/discount/markdown.c:1436
#7 0x40272c in main /home/ubuntu/mfc_fuzz/discount/mkd2html.c:177
#8 0x7f7e7a1b182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x403d48 in _start (/home/ubuntu/mfc_fuzz/discount/mkd2html+0x403d48)
0x60b00000a91a is located 0 bytes to the right of 106-byte region [0x60b00000a8b0,0x60b00000a91a)
allocated by thread T0 here:
#0 0x7f7e7a5f3602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x41e88d in splitline /home/ubuntu/mfc_fuzz/discount/markdown.c:174
#2 0x41e88d in htmlblock /home/ubuntu/mfc_fuzz/discount/markdown.c:333
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memmove
Shadow bytes around the buggy address:
0x0c167fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9510: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
=>0x0c167fff9520: 00 00 00[02]fa fa fa fa fa fa fa fa 00 00 00 00
0x0c167fff9530: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa
0x0c167fff9540: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c167fff9550: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c167fff9560: 00 00 00 00 04 fa fa fa fa fa fa fa fa fa 00 00
0x0c167fff9570: 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==4515==ABORTING
The input test case is at: https://github.com/fCorleone/fuzz_programs/blob/master/discount/issue1_testcase
The executable file is mkd2html.