Hello, I was testing my fuzzer and found a heap buffer overflow in cfg_tilde_expand, src/confuse.c:1909. A heap buffer overflow can be triggered when parsing a crafted file. As shown in the attachment
Using libConfuse 3.3 by Martin Hedenfalk <martin@bzero.se>
=================================================================
==418268==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000572 at pc 0x7f94939440ab bp 0x7ffcd3b274a0 sp 0x7ffcd3b26c48
READ of size 3 at 0x602000000572 thread T0
#0 0x7f94939440aa in __interceptor_getpwnam ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1922
#1 0x555a8791cb33 in cfg_tilde_expand /benchmark/libconfuse/src/confuse.c:1909
#2 0x555a8792a97f in cfg_lexer_include /benchmark/libconfuse/src/lexer.l:332
#3 0x555a8791d6e0 in call_function /benchmark/libconfuse/src/confuse.c:1274
#4 0x555a87921a3e in cfg_parse_internal /benchmark/libconfuse/src/confuse.c:1566
#5 0x555a87922523 in cfg_parse_fp /benchmark/libconfuse/src/confuse.c:1701
#6 0x555a87922523 in cfg_parse_fp /benchmark/libconfuse/src/confuse.c:1685
#7 0x555a8792266f in cfg_parse /benchmark/libconfuse/src/confuse.c:1802
#8 0x555a8791750a in main /benchmark/libconfuse/examples/cfgtest.c:129
#9 0x7f94936bad8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#10 0x7f94936bae3f in __libc_start_main_impl ../csu/libc-start.c:392
#11 0x555a87917d04 in _start (/benchmark/libconfuse/examples/cfgtest+0x7d04)
0x602000000572 is located 0 bytes to the right of 2-byte region [0x602000000570,0x602000000572)
allocated by thread T0 here:
#0 0x7f949396d867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x555a8791cb0d in cfg_tilde_expand /benchmark/libconfuse/src/confuse.c:1904
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1922 in __interceptor_getpwnam
Shadow bytes around the buggy address:
0x0c047fff8050: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x0c047fff8060: fa fa 00 fa fa fa 05 fa fa fa fd fa fa fa fd fa
0x0c047fff8070: fa fa 00 fa fa fa fd fd fa fa 00 fa fa fa 00 fa
0x0c047fff8080: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa 00 fa
0x0c047fff8090: fa fa fd fd fa fa 00 fa fa fa 00 fa fa fa 00 fa
=>0x0c047fff80a0: fa fa 00 fa fa fa 03 fa fa fa 00 fa fa fa[02]fa
0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==418268==ABORTING
short summary
Hello, I was testing my fuzzer and found a heap buffer overflow in cfg_tilde_expand, src/confuse.c:1909. A heap buffer overflow can be triggered when parsing a crafted file. As shown in the attachment
Step to reproduce
Environment
ASan Log
Credit
Han Zheng (NCNIPC of China, Hexhive)
POC
poc0.zip
The text was updated successfully, but these errors were encountered: