Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow in ‘/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47dc3’ #18

Closed
ConcoctionSec opened this issue Jun 7, 2021 · 1 comment

Comments

@ConcoctionSec
Copy link

ConcoctionSec commented Jun 7, 2021

Version

203defd

Environment

Ubuntu 18.04,64 bit

Testcase

#include <stdio.h>
#include <stdlib.h>
#include "ok_png.c" 
#include "ok_png.h"

int main(int _argc, char **_argv) {
    FILE *file = fopen(_argv[1], "rb");
    ok_png image = ok_png_read(file, OK_PNG_COLOR_FORMAT_RGBA );
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

Command

Compile test program:

$ gcc -g -o main main.c ok_png.h

Compile test program with address sanitizer with this command:

$ gcc -g -fsanitize=address -o asanpng main.c ok_png.h

Result

The result of running without ASAN:

$ ./main heap-buffer-overflow-6.png
free(): invalid pointer
Aborted (core dumped)

Information obtained by using ASAN:

$ ./asanpng heap-buffer-overflow-6.png
=================================================================
==80024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000cff1 at pc 0x7fa588189dc4 bp 0x7ffcdbf9eeb0 sp 0x7ffcdbf9e658
WRITE of size 769 at 0x60d00000cff1 thread T0
    #0 0x7fa588189dc3  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47dc3)
    #1 0x562d30f5a72f in ok_png_read_data /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:853
    #2 0x562d30f5b15d in ok_png_decode2 /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:971
    #3 0x562d30f5b608 in ok_png_decode /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:1025
    #4 0x562d30f542f3 in ok_png_read_with_allocator /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:188
    #5 0x562d30f541cf in ok_png_read /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:177
    #6 0x562d30f607d7 in main /home/xrz/afl++/ok-file-formats-png/issues/main.c:8
    #7 0x7fa587d72b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x562d30f53d79 in _start (/home/xrz/afl++/ok-file-formats-png/issues/heap-buffer-overflow-6/asanpng+0x1d79)

0x60d00000cff1 is located 0 bytes to the right of 129-byte region [0x60d00000cf70,0x60d00000cff1)
allocated by thread T0 here:
    #0 0x7fa588208e80 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6e80)
    #1 0x562d30f53e9b in ok_stdlib_alloc /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:58
    #2 0x562d30f59e7c in ok_png_read_data /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:788
    #3 0x562d30f5b15d in ok_png_decode2 /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:971
    #4 0x562d30f5b608 in ok_png_decode /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:1025
    #5 0x562d30f542f3 in ok_png_read_with_allocator /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:188
    #6 0x562d30f541cf in ok_png_read /home/xrz/afl++/ok-file-formats-png/issues/ok_png.c:177
    #7 0x562d30f607d7 in main /home/xrz/afl++/ok-file-formats-png/issues/main.c:8
    #8 0x7fa587d72b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47dc3) 
Shadow bytes around the buggy address:
  0x0c1a7fff99a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff99b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff99c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff99d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff99e0: 00 00 00 00 01 fa fa fa fa fa fa fa fa fa 00 00
=>0x0c1a7fff99f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]fa
  0x0c1a7fff9a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==80024==ABORTING

Description

A heap-buffer-overflow was discovered in ok_file_formats. The issue is being triggered in ‘/usr/lib/x86_64-linux-gnu/libasan.so.3+0x47dc3’.

Poc

Poc file is this.

@brackeen
Copy link
Owner

brackeen commented Jun 8, 2021

Duplicate of #15 (PNGs with multiple IHDR chunks)

@brackeen brackeen closed this as completed Jun 8, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants