
There is a stack-based buffer overflow in the ReadNextCell function of mat5.c(at 1001) #129

Closed
gutiniao opened this issue Nov 7, 2019 · 4 comments

Comments

@gutiniao

gutiniao commented Nov 7, 2019

A crafted input will lead to a crash in mat5.c in matio 1.5.17.
Triggered by
./matdump POC

PoC
003-stackoverflow-ReadNextCell-mat51001

The ASAN information is as follows:

./matdump 003-stackoverflow-ReadNextCell-mat51001 
InflateRankDims: inflate returned data error
=================================================================
==41935==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd5e70bb0 at pc 0x7f134197a587 bp 0x7ffdd5e70a20 sp 0x7ffdd5e70a10
READ of size 4 at 0x7ffdd5e70bb0 thread T0
    #0 0x7f134197a586 in ReadNextCell /home/matio_asan/src/mat5.c:1001
    #1 0x7f1341a38e78 in Mat_VarReadNextInfo5 /home/matio_asan/src/mat5.c:4961
    #2 0x7f1341a4f46b in Mat_VarReadNextInfo /home/matio_asan/src/mat.c:2342
    #3 0x408126 in main /home/matio_asan/tools/matdump.c:944
    #4 0x7f134122a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x401b58 in _start (/usr/local/matio_asan/bin/matdump+0x401b58)

Address 0x7ffdd5e70bb0 is located in stack of thread T0 at offset 288 in frame
    #0 0x7f13419793b9 in ReadNextCell /home/matio_asan/src/mat5.c:892

  This frame has 4 object(s):
    [32, 40) 'nelems'
    [96, 104) 'dims'
    [160, 184) 'buf'
    [224, 288) 'uncomp_buf' <== Memory access at offset 288 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/matio_asan/src/mat5.c:1001 ReadNextCell
Shadow bytes around the buggy address:
  0x10003abc6120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003abc6130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003abc6140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003abc6150: 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2 f2 f2 00 f4
  0x10003abc6160: f4 f4 f2 f2 f2 f2 00 00 00 f4 f2 f2 f2 f2 00 00
=>0x10003abc6170: 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 00 00
  0x10003abc6180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003abc6190: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4
  0x10003abc61a0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4
  0x10003abc61b0: f4 f4 f2 f2 f2 f2 00 00 00 f4 f2 f2 f2 f2 00 00
  0x10003abc61c0: 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==41935==ABORTING
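A practical way to read a report like the one above is to line the faulting access up against the frame description ASan prints: the access happened at frame offset 288 with size 4, and 'uncomp_buf' occupies [224, 288), so the read begins exactly at the end of a 64-byte object. The script below is an added triage helper, not code from the issue or from matio; it parses the ASan excerpt (copied from the report above and embedded as a constant) and reports which stack object the access ran past and by how many bytes. The object-layout interpretation (size, gap, bytes past the end) is derived only from the frame description, not from matio's source.

```python
import re
from dataclasses import dataclass

# Excerpt of the ASan report from the issue above (access line, fault site, frame description).
ASAN_REPORT = """\
==41935==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd5e70bb0 at pc 0x7f134197a587 bp 0x7ffdd5e70a20 sp 0x7ffdd5e70a10
READ of size 4 at 0x7ffdd5e70bb0 thread T0
    #0 0x7f134197a586 in ReadNextCell /home/matio_asan/src/mat5.c:1001
Address 0x7ffdd5e70bb0 is located in stack of thread T0 at offset 288 in frame
    #0 0x7f13419793b9 in ReadNextCell /home/matio_asan/src/mat5.c:892

  This frame has 4 object(s):
    [32, 40) 'nelems'
    [96, 104) 'dims'
    [160, 184) 'buf'
    [224, 288) 'uncomp_buf' <== Memory access at offset 288 overflows this variable
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
OFFSET_RE = re.compile(r"located in stack of thread T\d+ at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)'", re.M)
# First "#0" frame in the report is the fault site (the second one describes the frame).
FRAME_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\w+) (\S+):(\d+)", re.M)


@dataclass
class StackObject:
    name: str
    start: int  # frame offset of the object's first byte
    end: int    # one past the object's last byte


@dataclass
class Triage:
    kind: str        # "READ" or "WRITE"
    size: int        # bytes accessed
    offset: int      # frame offset where the access starts
    function: str
    file: str
    line: int
    victim: str      # stack object the access ran past (or straddled)
    victim_size: int
    relation: str    # "past_end", "straddles_end" or "before_start"
    gap: int         # bytes between the victim's end and the access start
    past_end: int    # bytes of the access lying beyond the victim's end


def triage_report(text: str) -> Triage:
    """Map an ASan stack-buffer-overflow report onto the frame's object layout."""
    m_access = ACCESS_RE.search(text)
    m_offset = OFFSET_RE.search(text)
    m_frame = FRAME_RE.search(text)
    objects = [StackObject(name, int(s), int(e)) for s, e, name in OBJECT_RE.findall(text)]
    if not (m_access and m_offset and m_frame and objects):
        raise ValueError("not a stack-buffer-overflow report with a frame description")

    kind, size = m_access.group(1), int(m_access.group(2))
    lo = int(m_offset.group(1))
    hi = lo + size
    objects.sort(key=lambda o: o.start)

    # An access that starts inside an object but ends beyond it straddles that object's end.
    # Otherwise the closest object ending at or before the access start is the one run past.
    straddled = [o for o in objects if o.start <= lo < o.end < hi]
    behind = [o for o in objects if o.end <= lo]
    if straddled:
        victim, relation = straddled[0], "straddles_end"
    elif behind:
        victim, relation = behind[-1], "past_end"
    else:
        # Nothing lies below the access: it landed in the left redzone before the first object.
        victim, relation = objects[0], "before_start"

    return Triage(
        kind=kind, size=size, offset=lo,
        function=m_frame.group(1), file=m_frame.group(2), line=int(m_frame.group(3)),
        victim=victim.name, victim_size=victim.end - victim.start, relation=relation,
        gap=max(0, lo - victim.end), past_end=max(0, hi - victim.end),
    )


def summarize(t: Triage) -> str:
    return (f"{t.kind} of {t.size} byte(s) at {t.file}:{t.line} ({t.function}) "
            f"{t.relation} of '{t.victim}' ({t.victim_size} bytes): "
            f"{t.past_end} byte(s) beyond its end, {t.gap} byte(s) after it")


if __name__ == "__main__":
    print(summarize(triage_report(ASAN_REPORT)))
```

For this report the helper shows a 4-byte read beginning 0 bytes after the end of the 64-byte 'uncomp_buf', i.e. the whole access lies past the object. A read that starts exactly at the end of a buffer with a size equal to one element is the classic off-by-one pattern; confirming that from the frame description alone is useful for triage when, as here, the input is a fuzzer-generated file and the source line has not yet been inspected.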
@tbeu
Owner

tbeu commented Nov 9, 2019

No need to report fuzzing issues since matio is on OSS-Fuzz with still about 40 open issues.

Instead of v1.5.17, please rerun the test against current master and reopen if the issue is still reproducible.

@tbeu tbeu closed this as completed Nov 9, 2019
@gutiniao
Author

gutiniao commented Nov 11, 2019

> No need to report fuzzing issues since matio is on OSS-Fuzz with still about 40 open issues.
>
> Instead of v1.5.17, please rerun the test against current master and reopen if the issue is still reproducible.

Yes, I just used 'git clone' to fetch the current master of matio; the issue is still reproducible.

I'm sure the issue is different from the fuzzing issues on OSS-Fuzz.

tbeu added a commit that referenced this issue Nov 11, 2019
@tbeu
Owner

tbeu commented Nov 11, 2019

Should be fixed now.

@carnil

carnil commented Dec 27, 2019

CVE-2019-20018 has been assigned for this issue.
