Stack Overflow (list_exec) #132

Closed
r0t0tiller opened this issue Apr 11, 2017 · 1 comment

Comments

@r0t0tiller

The list_exec function is prone to a stack overflow that also affects the program's heap. The code below triggers the vulnerability. Attached are the Valgrind, ASAN, and GDB outputs.

func main() {
    var list = List(999999999999999999999);
    return list.count;
}

Valgrind:

==3899== Memcheck, a memory error detector
==3899== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==3899== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==3899== Command: ./gravity /home/ctf/Desktop/upper.gravity
==3899==
==3899== Warning: set address range perms: large range [0x715dc040, 0x8d5dc040) (undefined)
==3899== Warning: set address range perms: large range [0x395db028, 0x555db058) (noaccess)
==3899== Invalid write of size 8
==3899== at 0x42477A: list_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==3899== by 0x41BBCB: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==3899== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==3899== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==3899== Address 0x38000000 is not stack'd, malloc'd or (recently) free'd
==3899==
==3899==
==3899== Process terminating with default action of signal 11 (SIGSEGV)
==3899== Bad permissions for mapped region at address 0x38000000
==3899== at 0x42477A: list_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==3899== by 0x41BBCB: gravity_vm_exec (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==3899== by 0x41FC72: gravity_vm_runmain (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==3899== by 0x401777: main (in /home/ctf/Desktop/Updated_Gravity/gravity/gravity)
==3899==
==3899== HEAP SUMMARY:
==3899== in use at exit: 939,598,591 bytes in 1,032 blocks
==3899== total heap usage: 1,109 allocs, 77 frees, 3,758,175,387 bytes allocated
==3899==
==3899== LEAK SUMMARY:
==3899== definitely lost: 264 bytes in 6 blocks
==3899== indirectly lost: 1,384 bytes in 17 blocks
==3899== possibly lost: 939,524,096 bytes in 1 blocks
==3899== still reachable: 72,847 bytes in 1,008 blocks
==3899== suppressed: 0 bytes in 0 blocks
==3899== Rerun with --leak-check=full to see details of leaked memory
==3899==
==3899== For counts of detected and suppressed errors, rerun with: -v
==3899== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

ASAN:

3829==ERROR: AddressSanitizer failed to allocate 0xa4c683000 (44231569408) bytes of LargeMmapAllocator (errno: 12)
==3829==Process memory map follows:
0x000000400000-0x000000445000 /home/ctf/Desktop/Updated_Gravity/gravity/gravity
0x000000645000-0x000000646000 /home/ctf/Desktop/Updated_Gravity/gravity/gravity
0x000000646000-0x000000647000 /home/ctf/Desktop/Updated_Gravity/gravity/gravity
0x000000647000-0x000000648000
0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x600000000000-0x602000000000
0x602000000000-0x602000010000
0x602000010000-0x603000000000
0x603000000000-0x603000010000
0x603000010000-0x604000000000
0x604000000000-0x604000010000
0x604000010000-0x606000000000
0x606000000000-0x606000010000
0x606000010000-0x607000000000
0x607000000000-0x607000010000
0x607000010000-0x608000000000
0x608000000000-0x608000010000
0x608000010000-0x60b000000000
0x60b000000000-0x60b000010000
0x60b000010000-0x60c000000000
0x60c000000000-0x60c000010000
0x60c000010000-0x611000000000
0x611000000000-0x611000010000
0x611000010000-0x616000000000
0x616000000000-0x616000020000
0x616000020000-0x619000000000
0x619000000000-0x619000020000
0x619000020000-0x61b000000000
0x61b000000000-0x61b000020000
0x61b000020000-0x61d000000000
0x61d000000000-0x61d000020000
0x61d000020000-0x621000000000
0x621000000000-0x621000020000
0x621000020000-0x624000000000
0x624000000000-0x624000020000
0x624000020000-0x640000000000
0x640000000000-0x640000003000
0x7fc673f00000-0x7fc674000000
0x7fc674100000-0x7fc674200000
0x7fc6742e7000-0x7fc676639000
0x7fc676639000-0x7fc67664f000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fc67664f000-0x7fc67684e000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fc67684e000-0x7fc67684f000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fc67684f000-0x7fc676852000 /lib/x86_64-linux-gnu/libdl-2.23.so
0x7fc676852000-0x7fc676a51000 /lib/x86_64-linux-gnu/libdl-2.23.so
0x7fc676a51000-0x7fc676a52000 /lib/x86_64-linux-gnu/libdl-2.23.so
0x7fc676a52000-0x7fc676a53000 /lib/x86_64-linux-gnu/libdl-2.23.so
0x7fc676a53000-0x7fc676a6b000 /lib/x86_64-linux-gnu/libpthread-2.23.so
0x7fc676a6b000-0x7fc676c6a000 /lib/x86_64-linux-gnu/libpthread-2.23.so
0x7fc676c6a000-0x7fc676c6b000 /lib/x86_64-linux-gnu/libpthread-2.23.so
0x7fc676c6b000-0x7fc676c6c000 /lib/x86_64-linux-gnu/libpthread-2.23.so
0x7fc676c6c000-0x7fc676c70000
0x7fc676c70000-0x7fc676e2f000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7fc676e2f000-0x7fc67702f000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7fc67702f000-0x7fc677033000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7fc677033000-0x7fc677035000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7fc677035000-0x7fc677039000
0x7fc677039000-0x7fc677040000 /lib/x86_64-linux-gnu/librt-2.23.so
0x7fc677040000-0x7fc67723f000 /lib/x86_64-linux-gnu/librt-2.23.so
0x7fc67723f000-0x7fc677240000 /lib/x86_64-linux-gnu/librt-2.23.so
0x7fc677240000-0x7fc677241000 /lib/x86_64-linux-gnu/librt-2.23.so
0x7fc677241000-0x7fc677349000 /lib/x86_64-linux-gnu/libm-2.23.so
0x7fc677349000-0x7fc677548000 /lib/x86_64-linux-gnu/libm-2.23.so
0x7fc677548000-0x7fc677549000 /lib/x86_64-linux-gnu/libm-2.23.so
0x7fc677549000-0x7fc67754a000 /lib/x86_64-linux-gnu/libm-2.23.so
0x7fc67754a000-0x7fc67763e000 /usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
0x7fc67763e000-0x7fc67783e000 /usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
0x7fc67783e000-0x7fc677841000 /usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
0x7fc677841000-0x7fc677842000 /usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
0x7fc677842000-0x7fc6784b7000
0x7fc6784b7000-0x7fc6784dd000 /lib/x86_64-linux-gnu/ld-2.23.so
0x7fc67868a000-0x7fc6786c0000
0x7fc6786c3000-0x7fc6786cf000
0x7fc6786d2000-0x7fc6786dc000
0x7fc6786dc000-0x7fc6786dd000 /lib/x86_64-linux-gnu/ld-2.23.so
0x7fc6786dd000-0x7fc6786de000 /lib/x86_64-linux-gnu/ld-2.23.so
0x7fc6786de000-0x7fc6786df000
0x7ffe0fa32000-0x7ffe0fa53000 [stack]
0x7ffe0fbad000-0x7ffe0fbaf000 [vvar]
0x7ffe0fbaf000-0x7ffe0fbb1000 [vdso]
0xffffffffff600000-0xffffffffff601000 [vsyscall]
==3829==End of process memory map.
==3829==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
#0 0x7fc6775ea631 (/usr/lib/gcc/x86_64-linux-gnu/5/libasan.so+0xa0631)
#1 0x7fc6775ef613 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/gcc/x86_64-linux-gnu/5/libasan.so+0xa5613)
#2 0x7fc6775f7641 (/usr/lib/gcc/x86_64-linux-gnu/5/libasan.so+0xad641)
#3 0x7fc67756cc0c (/usr/lib/gcc/x86_64-linux-gnu/5/libasan.so+0x22c0c)
#4 0x7fc6775e292f in realloc (/usr/lib/gcc/x86_64-linux-gnu/5/libasan.so+0x9892f)
#5 0x430b9c in gravity_list_new (/home/ctf/Desktop/Updated_Gravity/gravity/gravity+0x430b9c)
#6 0x42473e in list_exec (/home/ctf/Desktop/Updated_Gravity/gravity/gravity+0x42473e)
#7 0x41bbcb in gravity_vm_exec (/home/ctf/Desktop/Updated_Gravity/gravity/gravity+0x41bbcb)
#8 0x41fc72 in gravity_vm_runmain (/home/ctf/Desktop/Updated_Gravity/gravity/gravity+0x41fc72)
#9 0x401777 in main (/home/ctf/Desktop/Updated_Gravity/gravity/gravity+0x401777)
#10 0x7fc676c9082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x401988 in _start (/home/ctf/Desktop/Updated_Gravity/gravity/gravity+0x401988)

GDB:

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x64c270 --> 0x64a1d0 (0x000000000064a1d0)
RBX: 0x648010 --> 0x6497b0 --> 0x1100000100
RCX: 0x0
RDX: 0x0
RSI: 0x7000001
RDI: 0x0
RBP: 0x2
RSP: 0x7fffffffc9f0 --> 0x7ffff750dff8 --> 0x6c5f755f72647800 ('')
RIP: 0x42477a (<list_exec+346>: mov QWORD PTR [r8],rax)
R8 : 0x70000000 ('')
R9 : 0x21000
R10: 0x22 ('"')
R11: 0x201
R12: 0x65d690 --> 0x64c9b0 --> 0x64a1d0 (0x000000000064a1d0)
R13: 0x7000001
R14: 0xffffffff
R15: 0x647628 --> 0x64c270 --> 0x64a1d0 (0x000000000064a1d0)
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x42476f <list_exec+335>: add r8,rdi
0x424772 <list_exec+338>: cmp r14d,r13d
0x424775 <list_exec+341>: mov QWORD PTR [r12+0x18],rsi
=> 0x42477a <list_exec+346>: mov QWORD PTR [r8],rax
0x42477d <list_exec+349>: mov QWORD PTR [r8+0x8],0x0
0x424785 <list_exec+357>: je 0x4247d0 <list_exec+432>
0x424787 <list_exec+359>: cmp rsi,QWORD PTR [r12+0x20]
0x42478c <list_exec+364>: mov r8,rsi
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffc9f0 --> 0x7ffff750dff8 --> 0x6c5f755f72647800 ('')
0008| 0x7fffffffc9f8 --> 0x7ffff7500d80 --> 0x0
0016| 0x7fffffffca00 --> 0x7fffffffca34 --> 0x0
0024| 0x7fffffffca08 --> 0x7fffffffcb00 --> 0xffffffff
0032| 0x7fffffffca10 --> 0x7ffff7fdbab8 --> 0x7ffff7ffe168 --> 0x0
0040| 0x7fffffffca18 --> 0x0
0048| 0x7fffffffca20 --> 0x6
0056| 0x7fffffffca28 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000042477a in list_exec ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[─────────────────────────────────────────────────────────────REGISTERS─────────────────────────────────────────────────────────────]
*RAX 0x64c270 —▸ 0x64a1d0 ◂— 0x64a1d0
*RBX 0x648010 —▸ 0x6497b0 ◂— 0x1100000100
RCX 0x0
RDX 0x0
RDI 0x0
*RSI 0x7000001
*R8 0x70000000
*R9 0x21000
*R10 0x22
*R11 0x201
*R12 0x65d690 —▸ 0x64c9b0 —▸ 0x64a1d0 ◂— 0x64a1d0
*R13 0x7000001
*R14 0xffffffff
*R15 0x647628 (gravity_class_null) —▸ 0x64c270 —▸ 0x64a1d0 ◂— 0x64a1d0
*RBP 0x2
*RSP 0x7fffffffc9f0 —▸ 0x7ffff750dff8 ◂— add byte ptr [rax + 0x64], bh
*RIP 0x42477a (list_exec+346) ◂— mov qword ptr [r8], rax
[───────────────────────────────────────────────────────────────CODE────────────────────────────────────────────────────────────────]
► 0x42477a <list_exec+346> mov qword ptr [r8], rax
0x42477d <list_exec+349> mov qword ptr [r8 + 8], 0
0x424785 <list_exec+357> je list_exec+432 <0x4247d0>

0x4247d0 <list_exec+432> mov rsi, qword ptr [r12]
0x4247d4 <list_exec+436> mov ecx, ebp
0x4247d6 <list_exec+438> mov rdx, r12
0x4247d9 <list_exec+441> mov rdi, rbx
0x4247dc <list_exec+444> call gravity_vm_setslot <0x41fcd0>

0x4247e1 <list_exec+449> mov eax, 1
0x4247e6 <list_exec+454> jmp list_exec+222 <0x4246fe>

0x4246fe <list_exec+222> mov rcx, qword ptr [rsp + 0x1008]
[───────────────────────────────────────────────────────────────STACK───────────────────────────────────────────────────────────────]
00:0000│ rsp 0x7fffffffc9f0 —▸ 0x7ffff750dff8 ◂— add byte ptr [rax + 0x64], bh
01:0008│ 0x7fffffffc9f8 —▸ 0x7ffff7500d80 ◂— add byte ptr [rax], al
02:0010│ 0x7fffffffca00 —▸ 0x7fffffffca34 ◂— 0x0
03:0018│ 0x7fffffffca08 —▸ 0x7fffffffcb00 ◂— 0xffffffff
04:0020│ 0x7fffffffca10 —▸ 0x7ffff7fdbab8 —▸ 0x7ffff7ffe168 ◂— 0x0
05:0028│ 0x7fffffffca18 ◂— 0x0
06:0030│ 0x7fffffffca20 ◂— 0x6
07:0038│ 0x7fffffffca28 ◂— 0x0
[─────────────────────────────────────────────────────────────BACKTRACE─────────────────────────────────────────────────────────────]
► f 0 42477a list_exec+346
f 1 41bbcc gravity_vm_exec+19772
f 2 41fc73 gravity_vm_runmain+243
f 3 401778 main+744
f 4 7ffff751d830 __libc_start_main+240
Program received signal SIGSEGV (fault address 0x70000000)

marcobambini added a commit that referenced this issue Apr 11, 2017
@marcobambini
Owner

I introduced some limits with 00e53c3
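The kind of limit the maintainer mentions, shown as an added C example that is not Gravity's own code (the project's actual types, functions and the limit it chose are not on this page). It handles the report's failure mode at three points a defender would check: a count literal that does not fit a 64-bit integer is rejected rather than wrapped, the list length is capped at a hypothetical LIST_MAX_COUNT before any allocation is attempted, and element stores are bounds-checked against the allocated count. The type names, the cap and the helper names are all assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the VM's value and list types (assumptions, not Gravity's own). */
typedef struct { uint64_t bits; } vm_value_t;
typedef struct {
    vm_value_t *items;
    size_t count;
} vm_list_t;

/* Hypothetical policy cap on list length; the limit the project actually chose is not on the page. */
#define LIST_MAX_COUNT ((size_t)1 << 24)

/* Parse a decimal count literal; reject anything that does not fit an int64 instead of wrapping. */
bool parse_count(const char *text, int64_t *out) {
    char *end = NULL;
    errno = 0;
    long long v = strtoll(text, &end, 10);
    if (errno == ERANGE) return false;              /* literal too large for the type */
    if (end == text || *end != '\0') return false;  /* not a pure integer literal */
    *out = (int64_t)v;
    return true;
}

/* Allocate a list of `requested` elements, or return NULL with a reason in *err. */
vm_list_t *list_new_checked(int64_t requested, const char **err) {
    if (requested < 0) { *err = "negative count"; return NULL; }
    if ((uint64_t)requested > LIST_MAX_COUNT) { *err = "count exceeds LIST_MAX_COUNT"; return NULL; }
    size_t n = (size_t)requested;
    /* calloc checks n * size overflow itself; the explicit check documents the intent. */
    if (n > SIZE_MAX / sizeof(vm_value_t)) { *err = "byte size overflows size_t"; return NULL; }
    vm_list_t *list = calloc(1, sizeof *list);
    if (!list) { *err = "out of memory"; return NULL; }
    if (n > 0) {
        list->items = calloc(n, sizeof(vm_value_t));
        if (!list->items) { free(list); *err = "out of memory"; return NULL; }
    }
    list->count = n;
    *err = NULL;
    return list;
}

/* Bounds-checked element store: only writes inside the allocated count are performed. */
bool list_set_checked(vm_list_t *list, size_t index, vm_value_t value) {
    if (list == NULL || index >= list->count) return false;
    list->items[index] = value;
    return true;
}

void list_free(vm_list_t *list) {
    if (list) { free(list->items); free(list); }
}

/* Wrapper mirroring a `List(<literal>)` call: parse the literal, then allocate under policy. */
vm_list_t *list_from_literal(const char *literal, const char **err) {
    int64_t n;
    if (!parse_count(literal, &n)) { *err = "count literal out of range"; return NULL; }
    return list_new_checked(n, err);
}

int main(void) {
    const char *err = NULL;
    vm_list_t *ok = list_from_literal("16", &err);
    printf("List(16): %s\n", ok ? "allocated" : err);
    list_free(ok);
    vm_list_t *bad = list_from_literal("999999999999999999999", &err);
    printf("List(999999999999999999999): %s\n", bad ? "allocated" : err);
    list_free(bad);
    return 0;
}
```

The reported reproducer's literal is refused at the parse step, and a count that fits the integer type but exceeds the cap is refused before calloc is ever called, so neither a multi-gigabyte allocation nor a store past the allocated region can happen; a rejected count surfaces as a runtime error instead of a SIGSEGV.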
