Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap-based buffer overflow in the myformat() function #37

Closed
fcambus opened this issue Dec 13, 2019 · 2 comments
Closed

Heap-based buffer overflow in the myformat() function #37

fcambus opened this issue Dec 13, 2019 · 2 comments

Comments

@fcambus
Copy link

@fcambus fcambus commented Dec 13, 2019

Hi,

While fuzzing yabasic 2.86.2 with Honggfuzz, I found a heap-based buffer overflow in the myformat() function, in function.c.

Attaching a reproducer (gzipped so GitHub accepts it): test02.yab.gz

Issue can be reproduced by running:

yabasic test02.yab
=================================================================
==20807==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000002814 at pc 0x00000043cce7 bp 0x7ffe28e0e900 sp 0x7ffe28e0e098
WRITE of size 41236 at 0x626000002814 thread T0
    #0 0x43cce6 in vsprintf (/home/fcambus/yabasic-2.86.2/yabasic+0x43cce6)
    #1 0x43dc73 in sprintf (/home/fcambus/yabasic-2.86.2/yabasic+0x43dc73)
    #2 0x4e4ad3 in myformat /home/fcambus/yabasic-2.86.2/function.c:1254:9
    #3 0x4ded27 in function /home/fcambus/yabasic-2.86.2/function.c:465:14
    #4 0x4d5717 in run_it /home/fcambus/yabasic-2.86.2/main.c:1779:17
    #5 0x4c5fe8 in main /home/fcambus/yabasic-2.86.2/main.c:325:9
    #6 0x7f664ab9b1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #7 0x41da2d in _start (/home/fcambus/yabasic-2.86.2/yabasic+0x41da2d)

0x626000002814 is located 0 bytes to the right of 10004-byte region [0x626000000100,0x626000002814)
allocated by thread T0 here:
    #0 0x49592d in malloc (/home/fcambus/yabasic-2.86.2/yabasic+0x49592d)
    #1 0x4c6314 in my_malloc /home/fcambus/yabasic-2.86.2/main.c:2099:12
    #2 0x4c5012 in main /home/fcambus/yabasic-2.86.2/main.c:122:23
    #3 0x7f664ab9b1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fcambus/yabasic-2.86.2/yabasic+0x43cce6) in vsprintf
Shadow bytes around the buggy address:
  0x0c4c7fff84b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff84c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff84d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff84e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff84f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4c7fff8500: 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==20807==ABORTING
@fcambus

This comment has been minimized.

Copy link
Author

@fcambus fcambus commented Dec 13, 2019

This issue has been assigned CVE-2019-19796.

@marcIhm

This comment has been minimized.

Copy link
Owner

@marcIhm marcIhm commented Dec 15, 2019

Thanx, this is fixed with version 2.86.3.

@fcambus fcambus closed this Dec 17, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.