
Heap overflow in ReadStat #108

Closed
xcainiao opened this issue Jan 11, 2018 · 1 comment

Comments


xcainiao commented Jan 11, 2018

ReadStat version 1.0-prerelease
Ubuntu 16.04 x86_64

git log

commit 2330b36f536705a23a50e9cbd9f0f72b38b0be98
Author: Evan Miller <emmiller@gmail.com>
Date:   Wed Jan 10 20:26:31 2018 -0500

    SAS7BDAT: Fix 4096-byte test (was 2096 bytes)

./readstat ./heap-buffer-overflow.dta 1.sav

=================================================================
==19976==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000000b2 at pc 0x000000448071 bp 0x7fff0960c110 sp 0x7fff0960b8c0
READ of size 19 at 0x6030000000b2 thread T0
    #0 0x448070  (/home/test/libfuzz/new/ReadStat/build/bin/readstat+0x448070)
    #1 0x49494d  (/home/test/libfuzz/new/ReadStat/build/bin/readstat+0x49494d)
    #2 0x494de0  (/home/test/libfuzz/new/ReadStat/build/bin/readstat+0x494de0)
    #3 0x7f4b84a3fe27  (/home/test/libfuzz/new/ReadStat/build/lib/libreadstat.so.0+0x6ce27)
    #4 0x7f4b84a4275d  (/home/test/libfuzz/new/ReadStat/build/lib/libreadstat.so.0+0x6f75d)
    #5 0x513e4f  (/home/test/libfuzz/new/ReadStat/build/bin/readstat+0x513e4f)
    #6 0x7f4b83ae182f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x41b888  (/home/test/libfuzz/new/ReadStat/build/bin/readstat+0x41b888)

0x6030000000b2 is located 0 bytes to the right of 18-byte region [0x6030000000a0,0x6030000000b2)
allocated by thread T0 here:
    #0 0x4dc388  (/home/test/libfuzz/new/ReadStat/build/bin/readstat+0x4dc388)
    #1 0x7f4b84a4209e  (/home/test/libfuzz/new/ReadStat/build/lib/libreadstat.so.0+0x6f09e)
    #2 0x513e4f  (/home/test/libfuzz/new/ReadStat/build/bin/readstat+0x513e4f)
    #3 0x7f4b83ae182f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/test/libfuzz/new/ReadStat/build/bin/readstat+0x448070)
Shadow bytes around the buggy address:
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00
=>0x0c067fff8010: 00 00 fa fa 00 00[02]fa fa fa fa fa fa fa fa fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19976==ABORTING

testcase: https://github.com/xcainiao/poc/blob/master/readstat_heap-buffer-overflow.dta
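For triaging crash reports like the one above, the following is an added Python helper (not part of this issue or of ReadStat) that pulls the access size and allocation bounds out of the AddressSanitizer text and computes how many bytes of the access fall outside the region; the embedded input is the three relevant lines copied from this report.

```python
import re

# The three lines of the ASan report above that carry the facts needed for triage.
ASAN_REPORT = """\
==19976==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000000b2 at pc 0x000000448071 bp 0x7fff0960c110 sp 0x7fff0960b8c0
READ of size 19 at 0x6030000000b2 thread T0
0x6030000000b2 is located 0 bytes to the right of 18-byte region [0x6030000000a0,0x6030000000b2)
"""

ERROR_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)"
)


def parse_asan_report(text):
    """Extract the key facts of an ASan heap-buffer-overflow report; None if not recognised."""
    err, acc, reg = ERROR_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (err and acc and reg):
        return None
    region_start, region_end = int(reg.group(4), 16), int(reg.group(5), 16)
    region_size = int(reg.group(3))
    # Consistency check: the printed bounds must agree with the printed size.
    if region_end - region_start != region_size:
        raise ValueError("region bounds disagree with stated region size")
    addr, size = int(acc.group(3), 16), int(acc.group(2))
    # Count the bytes of [addr, addr+size) lying outside [region_start, region_end).
    # In this report the access starts exactly at the end of the region, so all
    # 19 bytes of the read are out of bounds.
    out_of_bounds = max(0, addr + size - region_end) + max(0, region_start - addr)
    distance = int(reg.group(1))
    return {
        "pid": int(err.group(1)),
        "bug": err.group(2),
        "access": acc.group(1),
        "access_size": size,
        "address": addr,
        "region_size": region_size,
        "offset_from_region": distance if reg.group(2) == "right" else -distance,
        "out_of_bounds_bytes": out_of_bounds,
    }
```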

@evanmiller (Contributor)

Fixed in 79793db
