
Global Buffer overflow in gettoken at Main.c (Ver 1.91) #75

Closed
Halcy0nic opened this issue Oct 15, 2022 · 12 comments

Comments

@Halcy0nic

Hi @sasagawa888,

I pulled down the most recent version of nprolog (Ver 1.91) and ran it through my fuzz tests. It looks like there is a global buffer overflow in gettoken at Main.c when you tell NPL to run a file in script mode.

[screenshot: npl_crash]

I have attached most of the crash files for reproduction. If you compile the project with AddressSanitizer it can also detect the global overflow:

Makefile

CC   = gcc
LIBS = -lm -ldl -fsanitize=address


LIBSRASPI = -lm -ldl -lwiringPi -fsanitize=address
INCS =  
CFLAGS = $(INCS) -Wall -O3 -fsanitize=address
DEST = /usr/local/bin

Running NPL in script mode

[screenshot: global_overflow_gettoken]

[attachment: crash.zip]

@sasagawa888
Owner

Sorry for the late reply. I missed it. I will consider it.

@sasagawa888
Owner

I changed the game called lights-out included in hiroi.pl for script mode and tried it. It worked fine. My environment is Linux Mint. Which Prolog file did you run? Please tell me in detail.

 npl -s tests/hiroi.pl

11000
11011
00111
01110
01101

10110
01110
11100
11011
00011

01101
01110
00111
11011
11000

00011
11011
11100
01110
10110
sasagawa@sasagawa-Diginnos-PC:~/nprolog$ 

@Halcy0nic
Author

Halcy0nic commented Nov 16, 2022

Hi there! In the original message I attached a file for reproduction (named crash.zip). If you unzip this file you will find a script to run using NPL. After running this file in script mode, NPL will segfault. Compiling the project with address sanitizer (above) and running the attached NPL script will indicate where the global buffer overflow takes place.

I tested this on Ubuntu 18, 20, 16.04, and Debian. All 64-bit operating systems.

@sasagawa888
Owner

Thank you for your reply. I will try.

@sasagawa888
Owner

Hi Halcy0nic.

I downloaded crash.zip and unzipped it. However, the contents could not be read. Could you please send the data again?

@Halcy0nic
Author

Halcy0nic commented Nov 18, 2022

Hi @sasagawa888!

I just pulled down the file again and it seems like it is working correctly. If you unzip the file it should have a folder named report and another folder named vuln underneath it. The contents of the script may not be human readable (meaning the bytes of the file have been modified) but can still be executed by running the following:

npl -s [any file in the vuln directory]

Some of the output isn’t human readable, because it was generated by the fuzzer I am using (AFL), and the file bytes have been modified.

Are you able to see all of the files that start with the pattern id:000… in the report/vuln directory?

If not I will upload another sample.

@sasagawa888
Owner

When I unzipped the zip file, it looked like this: Cannot read inside the file. File name is also unknown. Do you have any other samples?
[screenshot: Screenshot at 2022-11-18 18-57-36]

@Halcy0nic
Author

@sasagawa888

Here are a few new examples. If you unzip the 'testcases.zip' file:

[attachment: testcases.zip]

You will see a folder named 'testcases' with the following contents inside:

  • test1.pl
  • test2.pl
  • test3.pl

Viewing and executing test1.pl without AddressSanitizer

[screenshot: test1_contents]

[screenshot: test1_segfault]

Executing test1.pl with AddressSanitizer

[screenshot: test1]

Viewing and executing test2.pl without AddressSanitizer

[screenshot: test2_contents]

[screenshot: test2_segfault]

Executing test2.pl with AddressSanitizer

[screenshot: test2]

Viewing and executing test3.pl without AddressSanitizer

[screenshot: test3_contents]

[screenshot: test3_segfault]

Executing test3.pl with AddressSanitizer

[screenshot: test3]

@sasagawa888
Owner

I tested.
An error occurred in test1.pl.

test2.pl and test3.pl cause a segmentation fault. The reason is that $ is a symbol representing a string and the terminating $ is not given. I needed to detect file_end and make it an error.

N-Prolog is ARITY-Prolog compatible. Not ISO-Prolog.

N-Prolog Ver 1.91
?- X = $abcd$.
X = $abcd$ .
yes
?- 

sasagawa@DESKTOP-0D0L6O5:~/nprolog$ cat tests/test1.pl
...
sasagawa@DESKTOP-0D0L6O5:~/nprolog$ npl -s tests/test1.pl
Syntax error expected operator  
around here line=1 column=0
?- halt.
Not callable ?-  .halt
?- halt.
- good bye -
sasagawa@DESKTOP-0D0L6O5:~/nprolog$ cat tests/test2.pl
:-
$1 is N+u is N+u.
sasagawa@DESKTOP-0D0L6O5:~/nprolog$ npl -s tests/test2.pl
Segmentation fault (core dumped)
sasagawa@DESKTOP-0D0L6O5:~/nprolog$ cat tests/test3.pl
:-
%1-
$1 :-:-
%.
sasagawa@DESKTOP-0D0L6O5:~/nprolog$ npl -s tests/test3.pl
Segmentation fault (core dumped)
sasagawa@DESKTOP-0D0L6O5:~/nprolog$ 

@Halcy0nic
Author

Glad you were able to reproduce.

Just a heads up, it will segfault and cause a global buffer overflow even without the '$' character. Here is an example (attached):

[attachment: test4.zip]

[screenshot: test4_contents]

[screenshot: test4_segfault]

Executing with AddressSanitizer

[screenshot: test4_asan]

@sasagawa888
Owner

Reproduced. The reason is that I didn't expect the case without the period. Finding file_end should be an error.

sasagawa@sasagawa-Diginnos-PC:~/nprolog$ cat tests/test4.pl
ffAon(Nf)'sasagawa@sasagawa-Diginnos-PC:~/nprolog$ npl -s tests/test4.pl
Segmentation fault (core dumped)
sasagawa@sasagawa-Diginnos-PC:~/nprolog$ 
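
The two root causes named in this thread (an unterminated $...$ string and a clause with no terminating period, both of which let the tokenizer run past end-of-file into a fixed-size global buffer) can be closed with the same two checks: treat EOF as an error inside a token or clause, and bound every write into the token buffer. The following C program is an added example written for this discussion; it is not nprolog's gettoken() or any other code from the project. The buffer name tok_buf, the size TOKEN_MAX, and the small subset of syntax it models (whitespace, % comments, $...$ strings, '.', and plain symbol runs) are all assumptions made for the illustration. The constructed inputs in main() mirror the shapes of test2.pl, test3.pl and test4.pl from the thread.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define TOKEN_MAX 32   /* assumption: deliberately small so the length bound is exercised */

enum tok_status {
    TOK_OK = 0,            /* a token was stored in tok_buf */
    TOK_END_CLAUSE,        /* the '.' that terminates a clause */
    TOK_EOF,               /* clean end of input between clauses */
    TOK_ERR_UNTERMINATED,  /* EOF reached inside a $...$ string */
    TOK_ERR_TOO_LONG,      /* token would not fit in tok_buf */
    TOK_ERR_NO_PERIOD      /* EOF reached before the clause's terminating '.' */
};

static char tok_buf[TOKEN_MAX];   /* global token buffer, as in a classic gettoken() (hypothetical name) */

/* In-memory input cursor standing in for fgetc()/ungetc() on the script file. */
struct src { const char *p; const char *end; };
static int src_getc(struct src *s) { return s->p < s->end ? (unsigned char)*s->p++ : EOF; }
static int src_peek(struct src *s) { return s->p < s->end ? (unsigned char)*s->p : EOF; }

/* Append one byte to tok_buf, refusing to write past its end. Returns 0 on overflow. */
static int tok_put(size_t *n, int c) {
    if (*n >= TOKEN_MAX - 1) { tok_buf[TOKEN_MAX - 1] = '\0'; return 0; }
    tok_buf[(*n)++] = (char)c;
    tok_buf[*n] = '\0';
    return 1;
}

/* Read one token. Every loop that consumes input checks for EOF before it
   stores anything, and every store goes through tok_put(). */
enum tok_status gettoken_checked(struct src *s) {
    size_t n = 0;
    int c;
    tok_buf[0] = '\0';
    for (;;) {                                   /* skip whitespace and % line comments */
        c = src_getc(s);
        if (c == EOF) return TOK_EOF;
        if (c == '%') {
            while ((c = src_getc(s)) != EOF && c != '\n') ;
            if (c == EOF) return TOK_EOF;
            continue;
        }
        if (!isspace(c)) break;
    }
    if (c == '.') return TOK_END_CLAUSE;
    if (c == '$') {                              /* $...$ string: EOF here is the bug from test2/test3 */
        for (;;) {
            c = src_getc(s);
            if (c == EOF) return TOK_ERR_UNTERMINATED;
            if (c == '$') return TOK_OK;
            if (!tok_put(&n, c)) return TOK_ERR_TOO_LONG;
        }
    }
    if (!tok_put(&n, c)) return TOK_ERR_TOO_LONG; /* plain run of symbol characters */
    while ((c = src_peek(s)) != EOF && !isspace(c) && c != '$' && c != '.') {
        src_getc(s);
        if (!tok_put(&n, c)) return TOK_ERR_TOO_LONG;
    }
    return TOK_OK;
}

/* Read one clause: tokens up to '.'. EOF after at least one token but before
   the period is the bug from test4, reported instead of ignored. */
enum tok_status read_clause(struct src *s) {
    int seen_any = 0;
    for (;;) {
        enum tok_status st = gettoken_checked(s);
        if (st == TOK_OK) { seen_any = 1; continue; }
        if (st == TOK_END_CLAUSE) return TOK_OK;
        if (st == TOK_EOF) return seen_any ? TOK_ERR_NO_PERIOD : TOK_EOF;
        return st;
    }
}

/* Report the status of the first clause in a NUL-terminated script. */
enum tok_status check_first_clause(const char *text) {
    struct src s = { text, text + strlen(text) };
    return read_clause(&s);
}

int main(void) {
    /* Constructed inputs shaped like the files in the thread. */
    const char *cases[] = {
        ":-\n$1 is N+u is N+u.\n",   /* like test2.pl: '$' opens a string that never closes */
        ":-\n%1-\n$1 :-:-\n%.\n",    /* like test3.pl: the only '.' sits inside the string */
        "ffAon(Nf)'",                /* like test4.pl: no '$', but no terminating '.' either */
        "X = $abcd$ .\n",            /* well-formed clause */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %zu -> status %d\n", i, (int)check_first_clause(cases[i]));
    return 0;
}
```

The point of routing every store through tok_put() is that the bound is enforced in one place, so a new token kind cannot forget it; the EOF checks sit at the top of each consuming loop for the same reason. Under AddressSanitizer the original overflow shows up as a global-buffer-overflow at the store into the token buffer, which is exactly the write tok_put() refuses.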

@sasagawa888
Owner

I fixed it. Please continue testing.
