AddressSanitizer: heap-buffer-overflow on address 0xb5e007d7 at pc 0x804a78c bp 0xbf815888 sp 0xbf81587c #87

Closed
zhunki opened this issue Jan 17, 2017 · 5 comments

@zhunki
Contributor

commented Jan 17, 2017

I found a heap-buffer-overflow vulnerability.
Should I submit it here, and can it be assigned a CVE ID if validated?
Should I submit the PoC after the report is closed?
Thanks,

Here is the stack trace:
==21852== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5e007d7 at pc 0x804a78c bp 0xbf815888 sp 0xbf81587c
READ of size 1 at 0xb5e007d7 thread T0
#0 0x804a78b in main /home/b/asan/libplist/tools/plistutil.c:137
#1 0xb5f7fa82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#2 0x804ad45 in _start (/home/b/asan/libplist/tools/plistutil+0x804ad45)
0xb5e007d7 is located 4 bytes to the right of 3-byte region [0xb5e007d0,0xb5e007d3)
allocated by thread T0 here:
#0 0xb6147854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
#1 0x80497ae in main /home/b/asan/libplist/tools/plistutil.c:132
#2 0xb5f7fa82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/b/asan/libplist/tools/plistutil.c:137

@nikias

Member

commented Jan 17, 2017

If I'm not mistaken this happens when you try to parse a file with plistutil that is shorter than 8 bytes. Correct?

@zhunki

Contributor Author

commented Jan 17, 2017

Sure. It seems you already knew about this bug.
I also found a few other bugs. Should I submit them here?

@nikias

Member

commented Jan 17, 2017

I didn't know the bug but could figure it from the actual lines of code from the address sanitizer output. If you have other bugs you can submit them here.

nikias added a commit that referenced this issue Jan 18, 2017

plistutil: Prevent OOB heap buffer read by checking input size
As pointed out in #87 plistutil would do a memcmp with a heap buffer
without checking the size. If the size is less than 8 it would read
beyond the bounds of this heap buffer. This commit prevents that.
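How the reported read and the fix fit together, as an added example that is not libplist's code (the fixing commit 7391a50 itself is not shown on this page). It assumes the 8-byte comparison in plistutil is against the standard binary-plist magic "bplist00"; the function names, the enum and the constructed inputs are ours.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libplist's code. It models the check the issue
 * describes: plistutil reads the whole input into a heap buffer and
 * compares its first 8 bytes with the binary-plist magic. "bplist00" is
 * the standard header of Apple's binary plist format; that plistutil
 * compares against exactly this string is our assumption. The function
 * names, enum and return values below are our own. */

#define BPLIST_MAGIC     "bplist00"
#define BPLIST_MAGIC_LEN 8

enum plist_kind { KIND_TOO_SHORT = -1, KIND_XML = 0, KIND_BINARY = 1 };

/* Vulnerable shape: an 8-byte memcmp with no regard for the buffer size.
 * With the 3-byte heap buffer from the report, memcmp reads past the
 * allocation (ASan caught a 1-byte read at offset 7, i.e. "4 bytes to the
 * right of 3-byte region"). Kept only for comparison; never call it with
 * a buffer shorter than 8 bytes. */
enum plist_kind classify_unchecked(const char *buf)
{
    return memcmp(buf, BPLIST_MAGIC, BPLIST_MAGIC_LEN) == 0 ? KIND_BINARY : KIND_XML;
}

/* Hardened shape: refuse inputs shorter than the magic before touching it. */
enum plist_kind classify_checked(const char *buf, size_t len)
{
    if (len < BPLIST_MAGIC_LEN)
        return KIND_TOO_SHORT;
    return memcmp(buf, BPLIST_MAGIC, BPLIST_MAGIC_LEN) == 0 ? KIND_BINARY : KIND_XML;
}

/* Mirrors the read-file-into-an-exact-size-heap-buffer pattern, but from an
 * in-memory input so the example runs offline. Returns KIND_TOO_SHORT if
 * malloc fails. */
enum plist_kind classify_input(const char *data, size_t len)
{
    char *heap = malloc(len ? len : 1);   /* exact-size region, as in the ASan report */
    if (!heap)
        return KIND_TOO_SHORT;
    memcpy(heap, data, len);
    enum plist_kind k = classify_checked(heap, len);
    free(heap);
    return k;
}

static const char *kind_name(enum plist_kind k)
{
    switch (k) {
    case KIND_BINARY: return "binary plist";
    case KIND_XML:    return "xml/text plist";
    default:          return "too short (rejected)";
    }
}

int main(void)
{
    /* Constructed inputs: a 3-byte file like the crashing one, an XML
     * header, and a binary magic followed by two more bytes. */
    static const char tiny[] = "abc";
    static const char xml[]  = "<?xml version=\"1.0\"?>";
    static const char bin[]  = "bplist00\x00\x01";   /* embedded NUL, so use sizeof */

    printf("%-5s -> %s\n", "tiny", kind_name(classify_input(tiny, sizeof tiny - 1)));
    printf("%-5s -> %s\n", "xml",  kind_name(classify_input(xml,  sizeof xml  - 1)));
    printf("%-5s -> %s\n", "bin",  kind_name(classify_input(bin,  sizeof bin  - 1)));
    return 0;
}
```

Build it with `-fsanitize=address` and the checked path stays clean on the 3-byte input; swapping `classify_checked` for `classify_unchecked` inside `classify_input` reproduces the heap-buffer-overflow READ that the report shows, because memcmp is entitled to read the full 8 bytes (and optimized implementations read in word-sized chunks, which is why the faulting offset is 7 rather than 3).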
@nikias

Member

commented Jan 18, 2017

Fixed in master with commit 7391a50

@nikias nikias closed this Jan 18, 2017

@epozuelo


commented Jan 26, 2017

This is CVE-2017-5545
