transicc stack buffer overflow in TakeFloatValues > GetLine #43

Closed
mikispag opened this Issue Apr 30, 2015 · 2 comments

@mikispag

There is a very simple stack buffer overflow in transicc:

$ ./transicc -i ../../testbed/test1.icc 
LittleCMS ColorSpace conversion calculator - 4.3 [LittleCMS 2.07]

Enter values, 'q' to quit
C? 1
=================================================================
==10338==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc0e6606f0 at pc 0x7fa6864c31d2 bp 0x7ffc0e660060 sp 0x7ffc0e660018
WRITE of size 4096 at 0x7ffc0e6606f0 thread T0
    #0 0x7fa6864c31d1 in scanf_common ../../.././libsanitizer/sanitizer_common/sanitizer_common_interceptors_scanf.inc:307
    #1 0x7fa6864c3911 in __interceptor___isoc99_vscanf ../../.././libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:598
    #2 0x7fa6864c39f7 in __interceptor___isoc99_scanf ../../.././libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:630
    #3 0x40f38e in GetLine /home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc.c:630
    #4 0x40f994 in TakeFloatValues /home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc.c:746
    #5 0x40b55d in main /home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc.c:1274
    #6 0x7fa685bd7ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #7 0x40e52c (/home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc+0x40e52c)

Address 0x7ffc0e6606f0 is located in stack of thread T0 at offset 928 in frame
    #0 0x40f7af in TakeFloatValues /home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc.c:719

  This frame has 7 object(s):
    [32, 34) 'index'
    [96, 136) 'Name'
    [192, 232) 'Prefix'
    [288, 328) 'Suffix'
    [384, 640) 'ChannelName'
    [672, 928) 'Buffer'
    [960, 5056) 'Buffer' <== Memory access at offset 928 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../.././libsanitizer/sanitizer_common/sanitizer_common_interceptors_scanf.inc:307 scanf_common
==10338==ABORTING

This is because in TakeFloatValues (transicc.c:746) a:

char Buffer[cmsMAX_PATH];

with cmsMAX_PATH = 256 is declared and passed to GetLine, and then, in transicc.c:630, a:

res = scanf("%4095s", Buffer);

overflows it.
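As an added example, not code from the Little-CMS project: a bounded replacement for the GetLine/TakeFloatValues pattern in C, where the scanf width is derived from the real buffer size instead of being hard-coded to 4095, with a constructed check that feeds an oversized token into a 256-byte buffer. The function names and the sscanf-on-a-string form (instead of scanf on stdin) are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Like transicc's GetLine, but the scanf width is derived from the real
 * buffer size instead of being hard-coded to 4095, so a caller that passes
 * a 256-byte Buffer (as TakeFloatValues did) cannot be overflowed.
 * Returns the token length, 0 if no token was found, -1 if it was truncated. */
static int read_token_bounded(const char *input, char *buf, size_t bufsize)
{
    char fmt[32];
    int consumed = 0;
    if (bufsize < 2) return -1;
    /* Width bufsize-1 leaves room for the NUL that %s appends. */
    snprintf(fmt, sizeof fmt, "%%%zus%%n", bufsize - 1);
    if (sscanf(input, fmt, buf, &consumed) != 1) {
        buf[0] = '\0';
        return 0;
    }
    /* A non-delimiter right after the consumed bytes means the token was
     * longer than the buffer: report truncation instead of a cut-off value. */
    if (input[consumed] != '\0' && !isspace((unsigned char)input[consumed]))
        return -1;
    return (int)strlen(buf);
}

/* Hypothetical stand-in for one channel read in TakeFloatValues: a
 * cmsMAX_PATH-sized (256) stack buffer, filled only through the bounded
 * reader. Returns 1 and stores the value on success, 0 otherwise. */
static int parse_channel_value(const char *line, double *out)
{
    char Buffer[256];
    if (read_token_bounded(line, Buffer, sizeof Buffer) <= 0) return 0;
    return sscanf(Buffer, "%lf", out) == 1;
}

/* Constructed check: a 4095-character token (the width "%4095s" accepts)
 * against the 256-byte buffer must stop at 255 bytes and report truncation. */
static int oversized_token_is_contained(void)
{
    char input[4096];
    char Buffer[256];
    memset(input, 'a', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    return read_token_bounded(input, Buffer, sizeof Buffer) == -1
        && strlen(Buffer) == sizeof Buffer - 1;
}
```

The upstream commit referenced below took the other route, enlarging Buffer to match the fixed width; deriving the width from sizeof keeps the two from drifting apart again.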

ya1gaurav added a commit to ya1gaurav/Little-CMS that referenced this issue Jun 5, 2015

Fix stack buffer overflow in transicc
With reference to mm2#43
Address sanitizer reported stack buffer overflow.
As the GetLine function reads 4095, in this case Buffer is of length cmsMAX_PATH (256).
Its length should be 4096.
ya1gaurav Nov 24, 2015

Contributor

Error with latest code:

./transicc -i ../../testbed/test1.icc
LittleCMS ColorSpace conversion calculator - 4.3 [LittleCMS 2.08]

Enter values, 'q' to quit

C? 1

==15392== ERROR: AddressSanitizer: unknown-crash on address 0x7fff22f08030 at pc 0x7f487047605f bp 0x7fff22f07bf0 sp 0x7fff22f07ba8
WRITE of size 4096 at 0x7fff22f08030 thread T0
#0 0x7f487047605e (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xb05e)
#1 0x7f4870476a20 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xba20)
#2 0x7f4870476b16 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xbb16)
#3 0x403d6b (/home4/Little-CMS-master/utils/transicc/.libs/lt-transicc+0x403d6b)
#4 0x4044da (/home4/Little-CMS-master/utils/transicc/.libs/lt-transicc+0x4044da)
#5 0x406c2b (/home4/Little-CMS-master/utils/transicc/.libs/lt-transicc+0x406c2b)
#6 0x7f486f8b4ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
#7 0x402578 (/home4/Little-CMS-master/utils/transicc/.libs/lt-transicc+0x402578)
Address 0x7fff22f08030 is located at offset 384 in frame of T0's stack:
This frame has 3 object(s):
[32, 34) 'index'
[96, 352) 'ChannelName'
[384, 640) 'Buffer'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
==15392== ABORTING

mm2 Nov 24, 2015

Owner

That is now fixed. Thanks for pointing out.

Regards

Marti

@mm2 mm2 closed this Jun 22, 2016
