
Heap-based buffer overflow (READ of size 8) in the fmt_mtm_load_song() function #249

Closed
bsdb0y opened this issue Apr 6, 2021 · 1 comment
bsdb0y commented Apr 6, 2021

Hi,

While fuzzing Schism Tracker git nightly rev e665489 (and also the latest release, Schism Tracker 20200412) with Honggfuzz, I found a heap-based buffer overflow READ of size 8 in the fmt_mtm_load_song() function in mtm.c.

Attaching a reproducer (gzipped so GitHub accepts it): testx.mtm.gz

Issue can be reproduced by running:

schismtracker testx.mtm

Note: it may not crash or segfault; it silently reads 8 bytes past the buffer, so to reproduce the behaviour please follow the steps below:

  • CC=clang CFLAGS="-g -fsanitize=address" ./configure

  • make

  • schismtracker testx.mtm

OS Version:

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"

Compiler Version:

clang version 10.0.0-4ubuntu1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
=================================================================
==165186==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000018800 at pc 0x000000594375 bp 0x7ffd1cd7e4f0 sp 0x7ffd1cd7e4e8
READ of size 8 at 0x633000018800 thread T0
    #0 0x594374 in fmt_mtm_load_song /home/bsdboy/schismtracker/fmt/mtm.c:210:15
    #1 0x69d127 in song_create_load /home/bsdboy/schismtracker/schism/audio_loadsave.c:224:11
    #2 0x69d63a in song_load_unchecked /home/bsdboy/schismtracker/schism/audio_loadsave.c:282:12
    #3 0x5ee913 in main /home/bsdboy/schismtracker/schism/main.c:1132:7
    #4 0x7fced812b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41eb6d in _start (/home/bsdboy/schismtracker/schismtracker+0x41eb6d)

0x633000018800 is located 0 bytes to the right of 98304-byte region [0x633000000800,0x633000018800)
allocated by thread T0 here:
    #0 0x497422 in calloc (/home/bsdboy/schismtracker/schismtracker+0x497422)
    #1 0x5cb82c in mem_calloc /home/bsdboy/schismtracker/schism/util.c:113:6
    #2 0x593fc3 in fmt_mtm_load_song /home/bsdboy/schismtracker/fmt/mtm.c:190:14
    #3 0x69d127 in song_create_load /home/bsdboy/schismtracker/schism/audio_loadsave.c:224:11
    #4 0x69d63a in song_load_unchecked /home/bsdboy/schismtracker/schism/audio_loadsave.c:282:12
    #5 0x5ee913 in main /home/bsdboy/schismtracker/schism/main.c:1132:7
    #6 0x7fced812b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bsdboy/schismtracker/fmt/mtm.c:210:15 in fmt_mtm_load_song
Shadow bytes around the buggy address:
  0x0c667fffb0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==165186==ABORTING

jangler (Member) commented Apr 6, 2021

The value from that read was never used anyway, so I just removed it.

@jangler jangler closed this as completed Apr 6, 2021
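The ASan report above places the 8-byte read at exactly 0 bytes past the end of a 98304-byte calloc'd region, the signature of an index that runs one element past a buffer sized from file data. The block below is an added example, not Schism Tracker's code and not the real MTM layout: it uses a hypothetical header (u16 LE record count followed by 8-byte track records), shows the unchecked accessor shape that produces a report like the one above when built with `-fsanitize=address` and `-DDEMO_OVERREAD`, and the bounds-checked accessor plus length validation that a loader should use instead. All names, the file layout and the sample bytes are constructed for illustration.

```c
/* Added example (not Schism Tracker code): an over-read at the end of a
 * calloc'd region, as in the ASan report above, beside the bounds check
 * that stops it.  The file layout is hypothetical, not the real MTM format. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TRACK_RECORD_SIZE 8   /* assumption: fixed 8-byte track records */

enum { ERR_BAD_FILE = -2, ERR_OUT_OF_RANGE = -1 };

/* Portable little-endian 64-bit read (byte by byte, no alignment needs). */
static uint64_t rd_u64le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Header: u16 LE record count, then `count` 8-byte records.  The count is
 * checked against the bytes actually present before any allocation. */
static uint8_t *load_tracks(const uint8_t *file, size_t len, size_t *count_out) {
    if (len < 2) return NULL;
    size_t count = (size_t)file[0] | ((size_t)file[1] << 8);
    if (count == 0 || count > (len - 2) / TRACK_RECORD_SIZE) return NULL; /* truncated */
    uint8_t *buf = calloc(count, TRACK_RECORD_SIZE);  /* region is exactly count*8 bytes */
    if (!buf) return NULL;
    memcpy(buf, file + 2, count * TRACK_RECORD_SIZE);
    *count_out = count;
    return buf;
}

/* Vulnerable shape: `index` comes straight from file content.  With
 * index == count the 8-byte load lands at buf + count*8, 0 bytes past the
 * region end, which ASan reports as a heap-buffer-overflow READ of size 8. */
static uint64_t track_record_unchecked(const uint8_t *buf, size_t index) {
    uint64_t v;
    memcpy(&v, buf + index * TRACK_RECORD_SIZE, sizeof v);  /* host byte order */
    return v;
}

/* Hardened: any index outside [0, count) is rejected before the load. */
static int track_record_checked(const uint8_t *buf, size_t count, size_t index, uint64_t *out) {
    if (index >= count) return 0;
    *out = rd_u64le(buf + index * TRACK_RECORD_SIZE);
    return 1;
}

/* Wrapper: parse `file`, look up one record with the checked accessor, free. */
static int64_t lookup_track(const uint8_t *file, size_t len, size_t index) {
    size_t count;
    uint8_t *buf = load_tracks(file, len, &count);
    if (!buf) return ERR_BAD_FILE;
    uint64_t v;
    int ok = track_record_checked(buf, count, index, &v);
    free(buf);
    return ok ? (int64_t)v : ERR_OUT_OF_RANGE;
}

/* Constructed sample: count = 3, records holding the values 1, 2, 3. */
static const uint8_t kSampleFile[] = {
    3, 0,
    1, 0, 0, 0, 0, 0, 0, 0,
    2, 0, 0, 0, 0, 0, 0, 0,
    3, 0, 0, 0, 0, 0, 0, 0,
};
/* Constructed sample: header claims 200 records but only 3 bytes follow. */
static const uint8_t kTruncatedFile[] = { 200, 0, 1, 2, 3 };

int main(void) {
    printf("record 2   -> %lld\n", (long long)lookup_track(kSampleFile, sizeof kSampleFile, 2));
    printf("record 3   -> %lld (rejected, one past the end)\n",
           (long long)lookup_track(kSampleFile, sizeof kSampleFile, 3));
    printf("truncated  -> %lld (rejected, header count exceeds file)\n",
           (long long)lookup_track(kTruncatedFile, sizeof kTruncatedFile, 0));
#ifdef DEMO_OVERREAD
    /* clang -g -fsanitize=address -DDEMO_OVERREAD example.c && ./a.out
     * ASan then aborts with a heap-buffer-overflow READ of size 8 located
     * 0 bytes to the right of the 24-byte region, like the report above. */
    size_t n;
    uint8_t *buf = load_tracks(kSampleFile, sizeof kSampleFile, &n);
    printf("%llu\n", (unsigned long long)track_record_unchecked(buf, n));
    free(buf);
#endif
    return 0;
}
```

The length check in load_tracks matters as much as the index check: a header count that exceeds the bytes actually present is the usual way a fuzzer steers such a loader into reading or allocating beyond what the file contains.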