global-buffer-overflow in /lib/support/unicodeconv/unicodeconv.c:40:2 #59

Closed
moonAgirl opened this Issue Dec 30, 2018 · 7 comments


moonAgirl commented Dec 30, 2018

Test Version

dev version, git clone https://github.com/caryll/otfcc.git

Test Program

otfcc/bin/release-x64/otfccdump [infile]

Asan Debug Information

➜  release-x64 git:(master) ✗ ./otfccdump ../../../crashes_1/2018-12-30-01-global-buffer-overflow.otf
=================================================================
==46365==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000008be881 at pc 0x0000004582e5 bp 0x7fff894427d0 sp 0x7fff89441f80
READ of size 95 at 0x0000008be881 thread T0
    #0 0x4582e4  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x4582e4)
    #1 0x86c0c1  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x86c0c1)
    #2 0x844322  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x844322)
    #3 0x68c74d  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x68c74d)
    #4 0x4fb6ec  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x4fb6ec)
    #5 0x4eb79f  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x4eb79f)
    #6 0x7f893917c82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x418c88  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x418c88)

0x0000008be881 is located 0 bytes to the right of global variable '<string literal>' defined in '../../lib/support/unicodeconv/unicodeconv.c:40:22' (0x8be880) of size 1
  '<string literal>' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x4582e4)
Shadow bytes around the buggy address:
  0x00008010fcc0: 00 00 00 06 f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9
  0x00008010fcd0: 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x00008010fce0: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9
  0x00008010fcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008010fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008010fd10:[01]f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x00008010fd20: 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9
  0x00008010fd30: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 00 f9 f9
  0x00008010fd40: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x00008010fd50: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 04 f9 f9
  0x00008010fd60: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 07 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==46365==ABORTING

POC file

https://github.com/moonAgirl/Bugs/blob/master/otfcc/2018-12-30-01-global-buffer-overflow.otf/

be5invis commented Dec 30, 2018

Do you have a more detailed stack trace for this?
@clerkma


HongxuChen commented Dec 31, 2018

FYI, here is the result on my machine when building with ASAN and debug.

=================================================================
==13108==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000007f9561 at pc 0x0000004d91e2 bp 0x7ffece0d47c0 sp 0x7ffece0d3f70
READ of size 17 at 0x0000007f9561 thread T0
    #0 0x4d91e1 in __asan_memcpy (/home/hongxu/FOT/otfcc-asan/bin/debug-x64/otfccdump+0x4d91e1)
    #1 0x7a7bfa in sdsnewlen /home/hongxu/FOT/otfcc-asan/build/gmake/../../dep/extern/sds.c:131:9
    #2 0x78508c in utf16be_to_utf8 /home/hongxu/FOT/otfcc-asan/build/gmake/../../lib/support/unicodeconv/unicodeconv.c:123:12
    #3 0x630b9a in otfcc_readName /home/hongxu/FOT/otfcc-asan/build/gmake/../../lib/table/name.c:63:22
    #4 0x51f781 in readOtf /home/hongxu/FOT/otfcc-asan/build/gmake/../../lib/otf-reader/otf-reader.c:26:16
    #5 0x514b0b in main /home/hongxu/FOT/otfcc-asan/build/gmake/../../src/otfccdump.c:199:10
    #6 0x7f2bbd247b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x41a469 in _start (/home/hongxu/FOT/otfcc-asan/bin/debug-x64/otfccdump+0x41a469)

0x0000007f9561 is located 0 bytes to the right of global variable '<string literal>' defined in '../../lib/support/unicodeconv/unicodeconv.c:40:22' (0x7f9560) of size 1
  '<string literal>' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/hongxu/FOT/otfcc-asan/bin/debug-x64/otfccdump+0x4d91e1) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0000800f7250: 00 00 00 00 00 00 00 06 f9 f9 f9 f9 00 00 02 f9
  0x0000800f7260: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800f7270: 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 06
  0x0000800f7280: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800f7290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800f72a0: 00 00 00 00 00 00 00 00 00 00 00 00[01]f9 f9 f9
  0x0000800f72b0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800f72c0: 01 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
  0x0000800f72d0: 00 04 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
  0x0000800f72e0: 00 04 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000800f72f0: 00 05 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd                                                                                                                                                                                                                 
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13108==ABORTING

Similar crashes happen with inputs such as cff.abs.otf inside https://github.com/caryll/otfcc/blob/master/tests/payload/cffspecial/


be5invis commented Dec 31, 2018

I am curious why you are filing these bugs, since I am deprecating otfcc (I have an internal TypeScript lib to deal with OTFs). Are you (or someone else) using it?


HongxuChen commented Dec 31, 2018

Not exactly, I just saw some CVE entries and would like to find interesting projects to analyze 😸


be5invis commented Dec 31, 2018

CVE?
Also, I am away from my dev env and want to deprecate this project (that TS lib would be much better). PRs are welcome.


be5invis commented Dec 31, 2018

The crash site is the allocation func of sds (a string library).
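Both sanitizer reports in this thread end in sdsnewlen's memcpy reading past a 1-byte string literal while utf16be_to_utf8 is converting a 'name' table string, so the length handed to the string library exceeded the bytes actually available. The C program below is an added example written for this thread, not otfcc code: the name_record layout, the function names and the sample bytes are constructed for illustration, and the thread does not establish the exact root cause inside otfcc. It shows the defensive pattern a name-table reader needs: validate the record's declared offset and length against the storage that is really present before passing a pointer and length to the converter, and keep every read inside the converter bounded by that length, so a hostile length can at worst yield a truncated or rejected string rather than an out-of-bounds read.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a 'name' table string record: offset and byte
 * length as declared in the font file, relative to the table's string storage.
 * Both values come straight from the file, so they are untrusted input. */
typedef struct {
    uint16_t offset;
    uint16_t length;
} name_record;

/* Encode one code point as UTF-8 into out (at most 4 bytes); returns bytes written. */
static size_t put_utf8(uint32_t cp, unsigned char *out) {
    if (cp < 0x80) { out[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800) {
        out[0] = (unsigned char)(0xC0 | (cp >> 6));
        out[1] = (unsigned char)(0x80 | (cp & 0x3F));
        return 2;
    }
    if (cp < 0x10000) {
        out[0] = (unsigned char)(0xE0 | (cp >> 12));
        out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (unsigned char)(0x80 | (cp & 0x3F));
        return 3;
    }
    out[0] = (unsigned char)(0xF0 | (cp >> 18));
    out[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
    out[3] = (unsigned char)(0x80 | (cp & 0x3F));
    return 4;
}

/* Convert exactly len bytes of UTF-16BE at src into a malloc'd, NUL-terminated
 * UTF-8 string. Every read is bounded by len: a trailing odd byte is dropped
 * and unpaired surrogates become U+FFFD. The caller frees the result. */
char *utf16be_to_utf8_checked(const unsigned char *src, size_t len) {
    /* 2 input bytes become at most 3 output bytes (a surrogate pair: 4 -> 4). */
    size_t cap = (len / 2) * 3 + 1;
    unsigned char *out = malloc(cap);
    if (!out) return NULL;
    size_t o = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        uint32_t cp = ((uint32_t)src[i] << 8) | src[i + 1];
        if (cp >= 0xD800 && cp <= 0xDBFF) {            /* high surrogate */
            if (i + 3 < len) {                          /* low surrogate still inside len? */
                uint32_t lo = ((uint32_t)src[i + 2] << 8) | src[i + 3];
                if (lo >= 0xDC00 && lo <= 0xDFFF) {
                    cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                    i += 2;                             /* consumed the second unit */
                } else {
                    cp = 0xFFFD;
                }
            } else {
                cp = 0xFFFD;
            }
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {     /* lone low surrogate */
            cp = 0xFFFD;
        }
        o += put_utf8(cp, out + o);
    }
    out[o] = '\0';
    return (char *)out;
}

/* Resolve a record against storage_len bytes of string storage. A record whose
 * [offset, offset + length) range is not fully inside the storage is rejected
 * (NULL) instead of being passed on as an unchecked pointer/length pair. */
char *read_name_string(const unsigned char *storage, size_t storage_len, name_record rec) {
    /* size_t arithmetic so that offset + length cannot wrap in uint16_t. */
    size_t end = (size_t)rec.offset + (size_t)rec.length;
    if (end > storage_len) return NULL;
    return utf16be_to_utf8_checked(storage + rec.offset, rec.length);
}

int main(void) {
    /* Constructed sample storage: "Hi" followed by U+20AC, as 6 bytes of UTF-16BE. */
    static const unsigned char storage[] = {0x00, 0x48, 0x00, 0x69, 0x20, 0xAC};
    name_record good = {0, 6}, bad = {0, 17};   /* 17 mirrors the over-read size in the report */
    char *s = read_name_string(storage, sizeof storage, good);
    printf("good record -> %s\n", s ? s : "(rejected)");
    free(s);
    s = read_name_string(storage, sizeof storage, bad);
    printf("bad record  -> %s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```

The check belongs in the table reader, not only in the converter: once a bad length has reached a generic string routine such as sdsnewlen, that routine has no way to know how many bytes really exist behind the pointer it was given.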


be5invis commented Jan 2, 2019

Hmm, your file crashes TTX too.