Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow in parse_unicode_node #98

Closed
zhunki opened this issue Feb 24, 2017 · 2 comments
Closed

heap-buffer-overflow in parse_unicode_node #98

zhunki opened this issue Feb 24, 2017 · 2 comments

Comments

@zhunki
Copy link
Contributor

zhunki commented Feb 24, 2017

==8367== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5e00750 at pc 0x8066423 bp 0xbf8e7e78 sp 0xbf8e7e6c
WRITE of size 2 at 0xb5e00750 thread T0
    #0 0x8066422 in parse_unicode_node /home/b/asan/libplist/src/bplist.c:384
    #1 0x8066422 in parse_bin_node /home/b/asan/libplist/src/bplist.c:679
    #2 0x8066422 in parse_bin_node_at_index /home/b/asan/libplist/src/bplist.c:759
    #3 0x8063780 in parse_dict_node /home/b/asan/libplist/src/bplist.c:461
    #4 0x8063780 in parse_bin_node /home/b/asan/libplist/src/bplist.c:701
    #5 0x8063780 in parse_bin_node_at_index /home/b/asan/libplist/src/bplist.c:759
    #6 0x8069760 in plist_from_bin /home/b/asan/libplist/src/bplist.c:853
    #7 0x804a324 in main /home/b/asan/libplist/tools/plistutil.c:150
    #8 0xb5f45a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #9 0x804af35 in _start (/home/b/asan/libplist/tools/plistutil+0x804af35)
0xb5e00751 is located 0 bytes to the right of 1-byte region [0xb5e00750,0xb5e00751)
allocated by thread T0 here:
    #0 0xb610d854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
    #1 0x8062cbe in parse_unicode_node /home/b/asan/libplist/src/bplist.c:377
    #2 0x8062cbe in parse_bin_node /home/b/asan/libplist/src/bplist.c:679
    #3 0x8062cbe in parse_bin_node_at_index /home/b/asan/libplist/src/bplist.c:759
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/b/asan/libplist/src/bplist.c:384 parse_unicode_node
Shadow bytes around the buggy address:
  0x36bc0090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36bc00e0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa 00 04
  0x36bc00f0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x36bc0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==8367== ABORTING

poc.txt

@carnil
Copy link

carnil commented Mar 16, 2017

This is CVE-2017-6438

@nikias
Copy link
Member

nikias commented Mar 26, 2017

Should be fixed with dccd929

@nikias nikias closed this as completed Mar 26, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants