
Improper buffer handling resulting in overflow which leads to crash #4

Closed
adhokshajmishra opened this issue Sep 5, 2017 · 0 comments

@adhokshajmishra

How to trigger:
src/pinfo -m python2 -c 'print "A"*558'

Output
Przemek's Info Viewer v0.6.10
Looking for man page...

Caught signal 11, bye!
pinfo: crash with: No such file or directory

Register Dump
[----------------------------------registers-----------------------------------]
RAX: 0x54 ('T')
RBX: 0x20414141414141 ('AAAAAA ')
RCX: 0x8a0
RDX: 0x10
RSI: 0x0
RDI: 0x7f72f8c7b8a0 --> 0x727245004d524554 ('TERM')
RBP: 0x7fffffffdcf8 --> 0x20414141414141 ('AAAAAA ')
RSP: 0x7fffffffd6b0 --> 0x7f72f8c7b8a0 --> 0x727245004d524554 ('TERM')
RIP: 0x7f72f88bac95 (<getenv+165>: cmp r12w,WORD PTR [rbx])
R8 : 0x0
R9 : 0x20 (' ')
R10: 0x524
R11: 0x7f72f88babf0 (: push r15)
R12: 0x4554 ('TE')
R13: 0x7f72f8c7b8a2 --> 0x726f727245004d52 ('RM')
R14: 0x4
R15: 0x2
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]

Stack Dump
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd6b0 --> 0x7f72f8c7b8a0 --> 0x727245004d524554 ('TERM')
0008| 0x7fffffffd6b8 --> 0x0
0016| 0x7fffffffd6c0 --> 0x7fffffffd700 --> 0x7fffffffd9e0 --> 0x7fffffffdbf0 ('A' <repeats 200 times>...)
0024| 0x7fffffffd6c8 --> 0x555555556e90 (<_start>: xor ebp,ebp)
0032| 0x7fffffffd6d0 --> 0x7fffffffdcd0 ('A' <repeats 46 times>, " ")
0040| 0x7fffffffd6d8 --> 0x0
0048| 0x7fffffffd6e0 --> 0x0
0056| 0x7fffffffd6e8 --> 0x7f72f8c4bca1 (<initscr+49>: test rax,rax)
[------------------------------------------------------------------------------]

Call Stack Trace
#0 0x00007f72f88bac95 in getenv () from /usr/lib/libc.so.6
#1 0x00007f72f8c4bca1 in initscr () from /usr/lib/libncursesw.so.6
#2 0x0000555555569d58 in init_curses () at utils.c:285
#3 0x0000555555560ea5 in handlemanual (name=0x7fffffffdad0 'A' <repeats 200 times>...) at manual.c:266
#4 0x00005555555574bb in main (argc=0x3, argv=0x7fffffffdcd8) at pinfo.c:205

I am working on a patch for this, which will be submitted once done.
