Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Buffer overflow in the TexOpen() function #60

Closed
fcambus opened this issue Dec 5, 2019 · 2 comments
Closed

Buffer overflow in the TexOpen() function #60

fcambus opened this issue Dec 5, 2019 · 2 comments

Comments

@fcambus
Copy link

@fcambus fcambus commented Dec 5, 2019

Hi,

While fuzzing OpenDetex with Honggfuzz, I found a buffer overflow in the TexOpen() function, in detex.l.

Attaching a reproducer (gzipped so GitHub accepts it): test01.gz

Issue can be reproduced by running:

detex test01
=================================================================
==2795==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000db1540 at pc 0x00000043a607 bp 0x7ffdb2beab20 sp 0x7ffdb2bea2b8
WRITE of size 6062 at 0x000000db1540 thread T0
    #0 0x43a606 in vsprintf (/home/fcambus/opendetex-2.8.5/detex+0x43a606)
    #1 0x43b593 in sprintf (/home/fcambus/opendetex-2.8.5/detex+0x43b593)
    #2 0x4cbbb5 in TexOpen /home/fcambus/opendetex-2.8.5/detex.l:904:9
    #3 0x4c6cbd in IncludeFile /home/fcambus/opendetex-2.8.5/detex.l:756:14
    #4 0x4c4382 in yylex /home/fcambus/opendetex-2.8.5/detex.l
    #5 0x4cb20e in main /home/fcambus/opendetex-2.8.5/detex.l:602:12
    #6 0x7fd1c14491e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #7 0x41b34d in _start (/home/fcambus/opendetex-2.8.5/detex+0x41b34d)

0x000000db1540 is located 0 bytes to the right of global variable 'sbFullPath' defined in 'detex.l:893:14' (0xdb0540) of size 4096
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/fcambus/opendetex-2.8.5/detex+0x43a606) in vsprintf
Shadow bytes around the buggy address:
  0x0000801ae250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801ae260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801ae270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801ae280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801ae290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000801ae2a0: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9
  0x0000801ae2b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801ae2c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801ae2d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801ae2e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801ae2f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2795==ABORTING
@fcambus

This comment has been minimized.

Copy link
Author

@fcambus fcambus commented Dec 5, 2019

This issue has been assigned CVE-2019-19601.

@norbusan

This comment has been minimized.

Copy link

@norbusan norbusan commented Jan 23, 2020

A few comments: first of all, this bug happens in the code path where kpathsea is not used (#ifndef KPATHSEA), thus, when compiled with kpathsea which is probably mostly used there is no problem. For example, those using detex from the TeX Live sources and build in the usual way, that is with kpathsea, will not be affected.

For a fix, Akira Kakuto from the TeX Live team suggested:

--- detex.l.orig    Sun Feb 03 19:49:09 2019
+++ detex.l    Thu Jan 23 11:23:50 2020
@@ -898,10 +898,10 @@
#else
        if (*sbFile == '/') {    /* absolute path */
#endif
-        (void)sprintf(sbFullPath, "%s", sbFile);
+        (void)snprintf(sbFullPath, PATH_MAX-1, "%s", sbFile);
        iPath = csbInputPaths;    /* only check once */
        } else
-        (void)sprintf(sbFullPath, "%s/%s", rgsbInputPaths[iPath], sbFile);
+        (void)snprintf(sbFullPath, PATH_MAX-1, "%s/%s", rgsbInputPaths[iPath], sbFile);
#ifdef OS2
        pch = sbFullPath;
        while (pch = strchr(pch, '\\'))

but this is unchecked.

Hope that helps.

@pkubowicz pkubowicz closed this in c551c02 Jan 25, 2020
pkubowicz added a commit that referenced this issue Jan 25, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.