
transicc stack buffer overflow in TakeFloatValues > GetLine #43

Closed
mikispag opened this issue Apr 30, 2015 · 2 comments

Comments


@mikispag mikispag commented Apr 30, 2015

There is a very simple stack buffer overflow in transicc:

$ ./transicc -i ../../testbed/test1.icc 
LittleCMS ColorSpace conversion calculator - 4.3 [LittleCMS 2.07]

Enter values, 'q' to quit
C? 1
=================================================================
==10338==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc0e6606f0 at pc 0x7fa6864c31d2 bp 0x7ffc0e660060 sp 0x7ffc0e660018
WRITE of size 4096 at 0x7ffc0e6606f0 thread T0
    #0 0x7fa6864c31d1 in scanf_common ../../.././libsanitizer/sanitizer_common/sanitizer_common_interceptors_scanf.inc:307
    #1 0x7fa6864c3911 in __interceptor___isoc99_vscanf ../../.././libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:598
    #2 0x7fa6864c39f7 in __interceptor___isoc99_scanf ../../.././libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:630
    #3 0x40f38e in GetLine /home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc.c:630
    #4 0x40f994 in TakeFloatValues /home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc.c:746
    #5 0x40b55d in main /home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc.c:1274
    #6 0x7fa685bd7ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #7 0x40e52c (/home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc+0x40e52c)

Address 0x7ffc0e6606f0 is located in stack of thread T0 at offset 928 in frame
    #0 0x40f7af in TakeFloatValues /home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc.c:719

  This frame has 7 object(s):
    [32, 34) 'index'
    [96, 136) 'Name'
    [192, 232) 'Prefix'
    [288, 328) 'Suffix'
    [384, 640) 'ChannelName'
    [672, 928) 'Buffer'
    [960, 5056) 'Buffer' <== Memory access at offset 928 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../.././libsanitizer/sanitizer_common/sanitizer_common_interceptors_scanf.inc:307 scanf_common
==10338==ABORTING

This is because in TakeFloatValues (transicc.c:746) a:

char Buffer[cmsMAX_PATH];

with cmsMAX_PATH = 256 is declared and passed to GetLine, and then, in transicc.c:630, a:

res = scanf("%4095s", Buffer);

overflows it.
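The bounded-read shape that avoids this class of bug, as an added example that is not lcms2's or transicc's own code. It assumes a stand-in CMS_MAX_PATH of 256 for cmsMAX_PATH and uses POSIX fmemopen to feed a constructed input; the scanf width is derived from the same constant that sizes the buffer instead of being hard-coded as 4095, and an over-long token is truncated and its tail discarded rather than written past the buffer.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CMS_MAX_PATH 256   /* stand-in for lcms2's cmsMAX_PATH (assumed value) */
#define TOKEN_WIDTH 255    /* must be a literal: '#' stringifies, it does not evaluate */
#define STR2(x) #x
#define STR(x) STR2(x)
_Static_assert(TOKEN_WIDTH == CMS_MAX_PATH - 1, "width must leave room for the NUL");

/* The bug on the page: char Buffer[cmsMAX_PATH] handed to scanf("%4095s", Buffer).
 * Here the width is tied to the buffer's own size, so scanf can never write past
 * it; the format expands to "%255s" at compile time. Returns 0 on EOF/no token,
 * 1 when the whole token fit, 2 when it was truncated. */
static int read_token(FILE *in, char buf[CMS_MAX_PATH]) {
    int c;
    if (fscanf(in, "%" STR(TOKEN_WIDTH) "s", buf) != 1) { buf[0] = '\0'; return 0; }
    c = fgetc(in);
    if (c == EOF || isspace(c)) return 1;          /* whole token fit */
    /* Token exceeded the width: drop its tail so the next read does not
       silently continue from the middle of the same over-long token. */
    while ((c = fgetc(in)) != EOF && !isspace(c)) { }
    return 2;
}

static char tok1[CMS_MAX_PATH], tok2[CMS_MAX_PATH];

/* Reads two tokens from a constructed in-memory stream; returns the first
   read's status and leaves the tokens in tok1 / tok2. */
static int read_two(const char *input) {
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    int st = read_token(in, tok1);
    read_token(in, tok2);
    fclose(in);
    return st;
}

/* Same shape as the report: a 5000-byte answer to the "C?" prompt, then "1". */
static int overlong_demo(void) {
    static char line[5010];
    memset(line, 'A', 5000);
    memcpy(line + 5000, " 1\n", 4);   /* constructed input */
    return read_two(line);
}

int main(void) {
    int st = overlong_demo();
    printf("status=%d first_len=%zu second=%s\n", st, strlen(tok1), tok2);
    return 0;
}
```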

ya1gaurav added a commit to ya1gaurav/Little-CMS that referenced this issue Jun 5, 2015
With reference to mm2#43
Address sanitizer reported stack buffer overflow.
The GetLine function reads 4095 bytes, but in this case Buffer is of length cmsMAX_PATH (256).
Its length should be 4096.

@ya1gaurav ya1gaurav commented Nov 24, 2015

Error with latest code:

./transicc -i ../../testbed/test1.icc
LittleCMS ColorSpace conversion calculator - 4.3 [LittleCMS 2.08]

Enter values, 'q' to quit

C? 1

==15392== ERROR: AddressSanitizer: unknown-crash on address 0x7fff22f08030 at pc 0x7f487047605f bp 0x7fff22f07bf0 sp 0x7fff22f07ba8
WRITE of size 4096 at 0x7fff22f08030 thread T0
#0 0x7f487047605e (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xb05e)
#1 0x7f4870476a20 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xba20)
#2 0x7f4870476b16 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xbb16)
#3 0x403d6b (/home4/Little-CMS-master/utils/transicc/.libs/lt-transicc+0x403d6b)
#4 0x4044da (/home4/Little-CMS-master/utils/transicc/.libs/lt-transicc+0x4044da)
#5 0x406c2b (/home4/Little-CMS-master/utils/transicc/.libs/lt-transicc+0x406c2b)
#6 0x7f486f8b4ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
#7 0x402578 (/home4/Little-CMS-master/utils/transicc/.libs/lt-transicc+0x402578)
Address 0x7fff22f08030 is located at offset 384 in frame of T0's stack:
This frame has 3 object(s):
[32, 34) 'index'
[96, 352) 'ChannelName'
[384, 640) 'Buffer'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
==15392== ABORTING


@mm2 mm2 commented Nov 24, 2015

That is now fixed. Thanks for pointing out.

Regards

Marti

@mm2 mm2 closed this Jun 22, 2016