
stack-buffer-overflow in codedoc_strlcpy codedoc.c:144 #5

Closed
cuanduo opened this issue Jul 3, 2019 · 1 comment

Comments

@cuanduo

commented Jul 3, 2019

root@ubuntu:/home/tim/fuzz/codedoc# ./codedoc poc2
poc2.zip

asan output

=================================================================
==29166==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffffffddc40 at pc 0x7ffff6e94d82 bp 0x7ffffffd9b70 sp 0x7ffffffd9318
WRITE of size 1 at 0x7ffffffddc40 thread T0
    #0 0x7ffff6e94d81 in __interceptor_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ad81)
    #1 0x555555567c6e in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40
    #2 0x555555567c6e in codedoc_strlcpy /home/tim/codedoc-addr/codedoc.c:144
    #3 0x555555567e8c in add_variable /home/tim/codedoc-addr/codedoc.c:860
    #4 0x55555556d103 in scan_file /home/tim/codedoc-addr/codedoc.c:3591
    #5 0x555555566b56 in main /home/tim/codedoc-addr/codedoc.c:488
    #6 0x7ffff660eb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #7 0x5555555675e9 in _start (/home/tim/fuzz/codedoc/codedoc-addr+0x135e9)

Address 0x7ffffffddc40 is located in stack of thread T0 at offset 16480 in frame
    #0 0x555555567cb0 in add_variable /home/tim/codedoc-addr/codedoc.c:810

  This frame has 2 object(s):
    [32, 36) 'whitespace'
    [96, 16480) 'buffer' <== Memory access at offset 16480 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ad81) in __interceptor_memmove
Shadow bytes around the buggy address:
  0x10007fff3b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff3b80: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 00 00 00 00
  0x10007fff3b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3ba0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2
  0x10007fff3bb0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29166==ABORTING

gdb output

*** stack smashing detected ***: <unknown> terminated

Program received signal SIGABRT, Aborted.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7ffffffd9bd0 --> 0x0 
RCX: 0x7ffff75e6e97 (<__GI_raise+199>:	mov    rcx,QWORD PTR [rsp+0x108])
RDX: 0x0 
RSI: 0x7ffffffd9930 --> 0x0 
RDI: 0x2 
RBP: 0x7ffffffd9d60 --> 0x7ffff775e97e ("<unknown>")
RSP: 0x7ffffffd9930 --> 0x0 
RIP: 0x7ffff75e6e97 (<__GI_raise+199>:	mov    rcx,QWORD PTR [rsp+0x108])
R8 : 0x0 
R9 : 0x7ffffffd9930 --> 0x0 
R10: 0x8 
R11: 0x246 
R12: 0x7ffffffd9bd0 --> 0x0 
R13: 0x1000 
R14: 0x0 
R15: 0x30 ('0')
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff75e6e8b <__GI_raise+187>:	mov    edi,0x2
   0x7ffff75e6e90 <__GI_raise+192>:	mov    eax,0xe
   0x7ffff75e6e95 <__GI_raise+197>:	syscall 
=> 0x7ffff75e6e97 <__GI_raise+199>:	mov    rcx,QWORD PTR [rsp+0x108]
   0x7ffff75e6e9f <__GI_raise+207>:	xor    rcx,QWORD PTR fs:0x28
   0x7ffff75e6ea8 <__GI_raise+216>:	mov    eax,r8d
   0x7ffff75e6eab <__GI_raise+219>:	jne    0x7ffff75e6ecc <__GI_raise+252>
   0x7ffff75e6ead <__GI_raise+221>:	add    rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7ffffffd9930 --> 0x0 
0008| 0x7ffffffd9938 --> 0x0 
0016| 0x7ffffffd9940 --> 0x0 
0024| 0x7ffffffd9948 --> 0x0 
0032| 0x7ffffffd9950 --> 0x0 
0040| 0x7ffffffd9958 --> 0x0 
0048| 0x7ffffffd9960 --> 0x0 
0056| 0x7ffffffd9968 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff75e8801 in __GI_abort () at abort.c:79
#2  0x00007ffff7631897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff775e988 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff76dccd1 in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=0x0, msg=msg@entry=0x7ffff775e966 "stack smashing detected") at fortify_fail.c:33
#4  0x00007ffff76dcc92 in __stack_chk_fail () at stack_chk_fail.c:29
#5  0x0000555555558602 in add_variable (parent=<optimized out>, name=<optimized out>, type=<optimized out>) at codedoc.c:930
#6  0x000055555555b95e in scan_file (file=<optimized out>, tree=<optimized out>) at codedoc.c:3591
#7  0x00005555555577d6 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe098) at codedoc.c:488
#8  0x00007ffff75c9b97 in __libc_start_main (main=0x555555557239 <main>, argc=0x2, argv=0x7fffffffe098, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe088) at ../csu/libc-start.c:310
#9  0x0000555555557dfa in _start ()
gdb-peda$ 

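Added example, not code from codedoc and not posted by the reporter or the maintainer. The ASan frame above reports a 1-byte write at offset 16480 of add_variable's frame, the first byte past the 16384-byte 'buffer' object ([96, 16480)), reached through memmove inside codedoc_strlcpy. The source of codedoc_strlcpy is not on this page, so the code below does not reproduce its bug; it shows what a strlcpy-style bounded copy has to guarantee (copy length derived from the destination size, terminator inside the buffer, truncation reported through the return value) and exercises it with a constructed identifier larger than a 16384-byte stack buffer, the shape of input a fuzzer-generated file such as poc2 can produce. DEMO_BUFSIZE, bounded_copy, demo_small and copy_identifier are names assumed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for this example: the size of 'buffer' in add_variable's frame,
 * taken from the ASan frame description ([96, 16480) = 16384 bytes). */
#define DEMO_BUFSIZE 16384

/* strlcpy-style bounded copy (illustrative, not codedoc's codedoc_strlcpy):
 * copies at most dstsize-1 bytes of src, always NUL-terminates dst when
 * dstsize > 0, and returns strlen(src) so the caller can detect truncation.
 * The copy length is derived from dstsize, never from the source length,
 * which is what keeps the terminator inside [0, dstsize). */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);

    if (dstsize == 0)
        return srclen;                         /* no room to write anything */

    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memmove(dst, src, n);
    dst[n] = '\0';                             /* n <= dstsize - 1 by construction */
    return srclen;
}

/* Scratch destination for small demonstrations. */
char demo_small[8];

/* Builds a constructed identifier of name_len 'a' characters, copies it into
 * a DEMO_BUFSIZE stack buffer with bounded_copy, and returns the number of
 * bytes that ended up stored (excluding the terminator). Returns (size_t)-1
 * if allocation fails or the buffer was left unterminated. */
size_t copy_identifier(size_t name_len)
{
    char buffer[DEMO_BUFSIZE];
    char *name = malloc(name_len + 1);
    if (name == NULL)
        return (size_t)-1;
    memset(name, 'a', name_len);
    name[name_len] = '\0';

    size_t full = bounded_copy(buffer, sizeof buffer, name);
    free(name);

    if (memchr(buffer, '\0', sizeof buffer) == NULL)
        return (size_t)-1;                     /* would be a bug in bounded_copy */

    size_t stored = strlen(buffer);
    if (full >= sizeof buffer)
        fprintf(stderr, "identifier of %zu bytes truncated to %zu\n", full, stored);
    return stored;
}

int main(void)
{
    printf("10-byte name stored: %zu\n", copy_identifier(10));       /* 10 */
    printf("20000-byte name stored: %zu\n", copy_identifier(20000)); /* 16383 */
    return 0;
}
```

Run under AddressSanitizer (for example `cc -fsanitize=address -g`) the oversized case stays clean, because the 16384-byte destination bounds the copy; a copy routine that sizes the memmove from the source, or writes the terminator at `dst[srclen]`, is the pattern that produces exactly the one-past-the-end write shown in the report.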
@michaelrsweet michaelrsweet self-assigned this Jul 3, 2019

@michaelrsweet michaelrsweet added the bug label Jul 3, 2019

@michaelrsweet michaelrsweet added this to the Stable milestone Jul 3, 2019

@michaelrsweet michaelrsweet added unconfirmed and removed bug labels Jul 3, 2019

michaelrsweet added a commit that referenced this issue Jul 3, 2019

@michaelrsweet michaelrsweet added bug and removed unconfirmed labels Jul 3, 2019

@michaelrsweet

Owner

commented Jul 3, 2019

[master 19532db] Fix a buffer overflow issue with fuzzer-generated code (Issue #5)
