Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stack-based buffer overflow in the main() function #3

Closed
fcambus opened this issue Jul 29, 2019 · 2 comments
Closed

Stack-based buffer overflow in the main() function #3

fcambus opened this issue Jul 29, 2019 · 2 comments

Comments

@fcambus
Copy link

@fcambus fcambus commented Jul 29, 2019

Hi,

While reading pcf2bdf code, I found a stack-based buffer overflow in the main() function, in pcf2bdf.cc.

Attaching a gzipped PCF file: spleen-5x8.pcf.gz

Issue can be reproduced by running:

PATHNAME="long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname/long/pathname"

mkdir -p $PATHNAME
cp spleen-5x8.pcf.gz $PATHNAME
./pcf2bdf $PATHNAME/spleen-5x8.pcf.gz
=================================================================
==29565==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc2d4d0fc0 at pc 0x00000044743a bp 0x7ffc2d4d0aa0 sp 0x7ffc2d4d0250
WRITE of size 1035 at 0x7ffc2d4d0fc0 thread T0
    #0 0x447439 in vsprintf (/home/fcambus/pcf2bdf/pcf2bdf+0x447439)
    #1 0x447766 in __interceptor_sprintf (/home/fcambus/pcf2bdf/pcf2bdf+0x447766)
    #2 0x519396 in main /home/fcambus/pcf2bdf/pcf2bdf.cc:663:5
    #3 0x7fb6438eeb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #4 0x41a5a9 in _start (/home/fcambus/pcf2bdf/pcf2bdf+0x41a5a9)

Address 0x7ffc2d4d0fc0 is located in stack of thread T0 at offset 1056 in frame
    #0 0x51912f in main /home/fcambus/pcf2bdf/pcf2bdf.cc:605

  This frame has 1 object(s):
    [32, 1056) 'buf' (line 662) <== Memory access at offset 1056 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/fcambus/pcf2bdf/pcf2bdf+0x447439) in vsprintf
Shadow bytes around the buggy address:
  0x100005a921a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005a921b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005a921c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005a921d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005a921e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100005a921f0: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
  0x100005a92200: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x100005a92210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005a92220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005a92230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100005a92240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29565==ABORTING
@ganaware

This comment has been minimized.

Copy link
Owner

@ganaware ganaware commented Jul 30, 2019

Thank you! I will fix it.

@ganaware

This comment has been minimized.

Copy link
Owner

@ganaware ganaware commented Aug 27, 2019

FIxed in 50ce60d

@ganaware ganaware closed this Aug 27, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.