
heap-buffer-overflow in parse_string_node #95

Closed
zhunki opened this issue Feb 8, 2017 · 2 comments

Comments

zhunki (Contributor) commented Feb 8, 2017

==4536== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5e0074e at pc 0x806616b bp 0xbfabe008 sp 0xbfabdffc
WRITE of size 1 at 0xb5e0074e thread T0
    #0 0x806616a in parse_string_node /home/b/asan/libplist/src/bplist.c:298
    #1 0x806616a in parse_bin_node /home/b/asan/libplist/src/bplist.c:668
    #2 0x806616a in parse_bin_node_at_index /home/b/asan/libplist/src/bplist.c:755
    #3 0x80632a0 in parse_dict_node /home/b/asan/libplist/src/bplist.c:461
    #4 0x80632a0 in parse_bin_node /home/b/asan/libplist/src/bplist.c:697
    #5 0x80632a0 in parse_bin_node_at_index /home/b/asan/libplist/src/bplist.c:755
    #6 0x8068b30 in plist_from_bin /home/b/asan/libplist/src/bplist.c:844
    #7 0x804a175 in main /home/b/asan/libplist/tools/plistutil.c:150
    #8 0xb5f9ba82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #9 0x804aef5 in _start (/home/b/asan/libplist/tools/plistutil+0x804aef5)
0xb5e0074e is located 2 bytes to the left of 1-byte region [0xb5e00750,0xb5e00751)
allocated by thread T0 here:
    #0 0xb6163854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
    #1 0x8063b7c in parse_string_node /home/b/asan/libplist/src/bplist.c:292
    #2 0x8063b7c in parse_bin_node /home/b/asan/libplist/src/bplist.c:668
    #3 0x8063b7c in parse_bin_node_at_index /home/b/asan/libplist/src/bplist.c:755
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/b/asan/libplist/src/bplist.c:298 parse_string_node
Shadow bytes around the buggy address:
  0x36bc0090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36bc00e0: fa fa fa fa fa fa fa fa fa[fa]01 fa fa fa 00 04
  0x36bc00f0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x36bc0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe

poc.txt

nikias (Member) commented Feb 15, 2017

Can you please re-run with latest code? AFAIK this was fixed with commit 32ee521.

nikias closed this as completed Feb 15, 2017

carnil commented Mar 16, 2017

This is CVE-2017-6439
