This repository has been archived by the owner on Nov 28, 2022. It is now read-only.

global-buffer-overflow in calc_hash src/map.c:35 #118

Open
EnchantedJohn opened this issue Jun 27, 2018 · 3 comments

Comments

@EnchantedJohn

Hello. I use my company's tool. I found two heap overflows. This is the first one. Then I want to provide more information. I hope this will help you guys.

@EnchantedJohn
Author

Then I want to provide the GDB information.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000403d0a in _pbcB_register_fields ()
(gdb) bt
#0  0x0000000000403d0a in _pbcB_register_fields ()
#1  0x0000000000401c42 in pbc_register ()
#2  0x0000000000400ff5 in test_decode ()
#3  0x0000000000400bed in main ()
(gdb) i r
rax            0x0	0
rbx            0x0	0
rcx            0x60ff78	6356856
rdx            0x8167a454b114d488	-9122141836560509816
rsi            0x0	0
rdi            0x6130fd	6369533
rbp            0x60ff60	0x60ff60
rsp            0x7fffffffe000	0x7fffffffe000
r8             0x2	2
r9             0x7fffffffe0d0	140737488347344
r10            0xfffffffffffff20e	-3570
r11            0x7ffff7b9bb01	140737349532417
r12            0xf	15
r13            0x7fffffffe0d0	140737488347344
r14            0x7fffffffe010	140737488347152
r15            0x60d010	6344720
rip            0x403d0a	0x403d0a <_pbcB_register_fields+122>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) x/10i $pc
=> 0x403d0a <_pbcB_register_fields+122>:	mov    0x18(%rax),%rdx
   0x403d0e <_pbcB_register_fields+126>:	add    $0x1,%ebx
   0x403d11 <_pbcB_register_fields+129>:	cmp    %r12d,%ebx
   0x403d14 <_pbcB_register_fields+132>:	mov    %rdx,(%rcx)
   0x403d17 <_pbcB_register_fields+135>:	mov    0x20(%rax),%rax
   0x403d1b <_pbcB_register_fields+139>:	mov    %rax,0x8(%rcx)
   0x403d1f <_pbcB_register_fields+143>:	jne    0x403cc8 <_pbcB_register_fields+56>
   0x403d21 <_pbcB_register_fields+145>:	nopl   0x0(%rax)
   0x403d28 <_pbcB_register_fields+152>:	add    $0x28,%rsp
   0x403d2c <_pbcB_register_fields+156>:	pop    %rbx

@EnchantedJohn
Author

Then I want to provide the ASan information:

==33963==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000421541 at pc 0x7fd8ace8e2a8 bp 0x7ffc95022120 sp 0x7ffc950220f8
READ of size 1 at 0x000000421541 thread T0
    #0 0x7fd8ace8e2a7 in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x322a7)
    #1 0x405c0f in calc_hash src/map.c:35
    #2 0x40865d in _pbcM_sp_query src/map.c:384
    #3 0x404bc1 in _pbcP_push_message src/proto.c:94
    #4 0x4033ed in _register_extension src/register.c:168
    #5 0x4037a7 in _register_message src/register.c:203
    #6 0x403b66 in _register src/register.c:241
    #7 0x404044 in _register_no_dependency src/register.c:296
    #8 0x404310 in pbc_register src/register.c:329
    #9 0x401e42 in test_decode ../test/decode.c:67
    #10 0x401f10 in main ../test/decode.c:79
    #11 0x7fd8acab4f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #12 0x401408 (/home/lx/github/6_27/pbc/pbc-master/build/decode+0x401408)

0x000000421541 is located 0 bytes to the right of global variable '*.LC5' from 'src/bootstrap.c' (0x421540) of size 1
  '*.LC5' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 __interceptor_strlen
Shadow bytes around the buggy address:
  0x00008007c250: 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x00008007c260: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 03 f9 f9 f9 f9
  0x00008007c270: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x00008007c280: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x00008007c290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008007c2a0: 00 00 00 00 00 00 00 00[01]f9 f9 f9 f9 f9 f9 f9
  0x00008007c2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008007c2c0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x00008007c2d0: 05 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x00008007c2e0: 05 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
  0x00008007c2f0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==33963==ABORTING
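The access pattern in the ASan stack above, as an added example that is not pbc's code: a string-keyed hash that trusts `strlen` on a key it is handed, beside a variant that takes the bound of the buffer the key came from and refuses keys with no terminator inside it. The trace only establishes that `calc_hash` (src/map.c:35) reaches `strlen` and that the read ran off the end of a global; the djb2-style hash, the "decoded region" buffer and the idea that the key arrived unterminated are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not pbc's own calc_hash. The hashing scheme (djb2:
 * h = h * 33 + byte) is an assumption; only the strlen call is taken from
 * the report's stack. */
static uint32_t hash_bytes(const unsigned char *p, size_t len) {
    uint32_t h = 5381;
    for (size_t i = 0; i < len; i++) {
        h = h * 33 + p[i];
    }
    return h;
}

/* The pattern ASan flagged: trust that `name` ends with '\0'. If the key was
 * carved out of a decoded message without a terminator, strlen keeps walking
 * past its storage; under ASan that lands in a redzone and is reported as a
 * buffer-overflow READ inside __interceptor_strlen, with this function as
 * the first frame, as in the report above. */
uint32_t calc_hash_unsafe(const char *name) {
    return hash_bytes((const unsigned char *)name, strlen(name));
}

/* Hardened form: the caller passes `cap`, the number of bytes that are
 * actually addressable from `name`. memchr never reads beyond that bound.
 * Returns 0 and stores the hash on success, -1 if there is no terminator
 * within `cap` (the key is rejected and nothing past the buffer is read). */
int calc_hash_bounded(const char *name, size_t cap, uint32_t *out_hash) {
    const char *end = memchr(name, '\0', cap);
    if (end == NULL) {
        return -1;
    }
    *out_hash = hash_bytes((const unsigned char *)name, (size_t)(end - name));
    return 0;
}

/* Constructed sample (not from the report): a 12-byte region holding two
 * keys back to back. "Foo" is terminated; "BarBazQx" runs up to the end of
 * the region with no '\0' inside it. */
static const char sample_region[12] = {
    'F', 'o', 'o', '\0', 'B', 'a', 'r', 'B', 'a', 'z', 'Q', 'x'
};

/* Looks up both keys through the bounded hash. Returns 1 if the terminated
 * key hashes and the unterminated one is rejected, 0 otherwise. */
int demo(void) {
    uint32_t h = 0;
    int first = calc_hash_bounded(sample_region, sizeof sample_region, &h);
    int second = calc_hash_bounded(sample_region + 4, sizeof sample_region - 4, &h);
    return (first == 0 && second == -1) ? 1 : 0;
}

int main(void) {
    uint32_t h = 0;
    calc_hash_bounded(sample_region, sizeof sample_region, &h);
    printf("hash(\"Foo\") = %u\n", h);
    printf("unterminated key rejected: %s\n", demo() ? "yes" : "no");
    /* calc_hash_unsafe(sample_region + 4) is deliberately not called: it
     * reads past sample_region, which is undefined behaviour outside ASan. */
    return 0;
}
```

Built with `-fsanitize=address`, calling `calc_hash_unsafe(sample_region + 4)` reproduces the shape of the report above (a global-buffer-overflow READ in `__interceptor_strlen` with the hash function as frame #1), which is why the bounded variant threads the buffer size through instead of relying on a terminator the decoder may never have written.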

@NicoleG25

NicoleG25 commented Dec 26, 2019

Is there a plan to fix this? Could you give more information? Thanks.

ASSIGNED : CVE-2018-12915
