
AddressSanitizer: heap-buffer-overflow on address 0xb5e007d7 at pc 0x804a78c bp 0xbf815888 sp 0xbf81587c #87

Closed
zhunki opened this issue Jan 17, 2017 · 5 comments

Comments

@zhunki
Contributor

zhunki commented Jan 17, 2017

I found a heap-buffer-overflow vulnerability.
Should I submit it here and can it be assigned a CVE ID if validated?
Should I submit a PoC after the report is closed?
Thanks,

Here is the stack trace:
==21852== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5e007d7 at pc 0x804a78c bp 0xbf815888 sp 0xbf81587c
READ of size 1 at 0xb5e007d7 thread T0
#0 0x804a78b in main /home/b/asan/libplist/tools/plistutil.c:137
#1 0xb5f7fa82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#2 0x804ad45 in _start (/home/b/asan/libplist/tools/plistutil+0x804ad45)
0xb5e007d7 is located 4 bytes to the right of 3-byte region [0xb5e007d0,0xb5e007d3)
allocated by thread T0 here:
#0 0xb6147854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
#1 0x80497ae in main /home/b/asan/libplist/tools/plistutil.c:132
#2 0xb5f7fa82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/b/asan/libplist/tools/plistutil.c:137

@nikias
Member

nikias commented Jan 17, 2017

If I'm not mistaken this happens when you try to parse a file with plistutil that is shorter than 8 bytes. Correct?

@zhunki
Contributor Author

zhunki commented Jan 17, 2017

Sure. It seems you already knew about this bug.
I also found a few other bugs. Should I submit them here?

@nikias
Member

nikias commented Jan 17, 2017

I didn't know the bug, but I could figure it out from the actual lines of code referenced in the AddressSanitizer output. If you have other bugs you can submit them here.

nikias added a commit that referenced this issue Jan 18, 2017
As pointed out in #87, plistutil would do a memcmp with a heap buffer
without checking the size. If the size is less than 8 it would read
beyond the bounds of this heap buffer. This commit prevents that.
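The pattern the commit message describes, as an added example that is not libplist's or plistutil's own code: a stand-in classifier that memcmp's a freshly read heap buffer against an 8-byte header, first without a length check (the defect ASan reported) and then with the check the fix adds. The helper names are hypothetical, and the 8-byte magic value `bplist00` is an assumption, not taken from this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed 8-byte header; only its length matters for the bug. */
#define BPLIST_MAGIC     "bplist00"
#define BPLIST_MAGIC_LEN 8

/* Vulnerable pattern (hypothetical helper): memcmp always reads 8 bytes, so a
 * 3-byte heap allocation is read 5 bytes past its end. That is the
 * heap-buffer-overflow READ the issue's AddressSanitizer trace shows. */
int is_binary_plist_unchecked(const char *buf, size_t len)
{
    (void)len;  /* the length is ignored: this is the defect */
    return memcmp(buf, BPLIST_MAGIC, BPLIST_MAGIC_LEN) == 0;
}

/* Hardened pattern: refuse to compare unless at least 8 bytes are present. */
int is_binary_plist_checked(const char *buf, size_t len)
{
    if (buf == NULL || len < BPLIST_MAGIC_LEN)
        return 0;  /* too short to be a binary plist; never touch buf[8) */
    return memcmp(buf, BPLIST_MAGIC, BPLIST_MAGIC_LEN) == 0;
}

/* Reproduce the report's setup: a heap buffer holding a 3-byte input
 * (constructed). Only the checked variant is called; calling the unchecked
 * one here would be the out-of-bounds read ASan flagged. */
int classify_short_input(void)
{
    const size_t len = 3;
    char *buf = malloc(len);
    if (buf == NULL)
        return -1;
    memcpy(buf, "abc", len);
    int verdict = is_binary_plist_checked(buf, len);
    free(buf);
    return verdict;  /* 0: rejected without reading past the allocation */
}

/* A constructed input that does carry the full header. */
int classify_valid_header(void)
{
    static const char hdr[] = "bplist00\x00\x01";
    return is_binary_plist_checked(hdr, sizeof(hdr) - 1);  /* 1 */
}

int main(void)
{
    printf("short input -> %d, valid header -> %d\n",
           classify_short_input(), classify_valid_header());
    return 0;
}
```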
@nikias
Member

nikias commented Jan 18, 2017

Fixed in master with commit 7391a50

@nikias nikias closed this as completed Jan 18, 2017
@epozuelo

This is CVE-2017-5545
