There is a heap-buffer-overflow on numutils.c:22 getlong #1

Open
leonzhao7 opened this Issue Dec 24, 2018 · 0 comments


leonzhao7 commented Dec 24, 2018

Test Version

latest version, git clone https://github.com/uvoteam/libdoc

Environment

Ubuntu 16.04-x64, gcc version 5.4.0 20160609

Test Program and Command

gcc main.c -o doc2txt -L ../build/ -lasan -fsanitize=address -ggdb ../build/libdoc.a
doc2txt [infile]

GDB and Backtrace

Reading symbols from doc2txt...done.
(gdb) run libdoc_numutils_getlong_22.overflow 
Starting program: /var/normal/bin/doc2txt libdoc_numutils_getlong_22.overflow
*** Error in `/var/normal/bin/doc2txt': corrupted size vs. prev_size: 0x000000000064dfc0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff7a847e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x80d36)[0x7ffff7a8dd36]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ffff7a9153c]
/var/normal/bin/doc2txt[0x400e52]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff7a2d830]
/var/normal/bin/doc2txt[0x400c99]
======= Memory map: ========

Program received signal SIGABRT, Aborted.
0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff7a4402a in __GI_abort () at abort.c:89
#2  0x00007ffff7a847ea in __libc_message (do_abort=2, fmt=fmt@entry=0x7ffff7b9ded8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7a8dd36 in malloc_printerr (ar_ptr=0x7ffff7dd1b20 <main_arena>, ptr=<optimized out>, str=0x7ffff7b9ac75 "corrupted size vs. prev_size", action=3) at malloc.c:5006
#4  _int_free (av=0x7ffff7dd1b20 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4005
#5  0x00007ffff7a9153c in __GI___libc_free (mem=<optimized out>) at malloc.c:2968
#6  0x0000000000400e52 in main ()

ASan Debug Information

root@leon-virtual-machine:/var/asan/bin# ./doc2txt libdoc_numutils_getlong_22.overflow 
=================================================================
==92310==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f120 at pc 0x000000403238 bp 0x7ffe6888f220 sp 0x7ffe6888f210
READ of size 1 at 0x60200000f120 thread T0
    #0 0x403237 in getlong /root/libdoc/numutils.c:22
    #1 0x404053 in ole_init /root/libdoc/ole.c:176
    #2 0x401d61 in analyze_format /root/libdoc/analyze.c:50
    #3 0x4019a2 in doc2text /root/libdoc/catdoc.c:55
    #4 0x401715 in main /root/libdoc/example/main.c:24
    #5 0x7f082402e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x401498 in _start (/var/asan/bin/doc2txt+0x401498)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libdoc/numutils.c:22 getlong
Shadow bytes around the buggy address:
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 01 fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9e20: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==92310==ABORTING

PoC file

libdoc_numutils_getlong_22.zip

CREDIT

Zhao Liang, Huawei Weiran Labs
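Added example (not code from the libdoc project or from the reporter): the ASan trace shows getlong reading past a heap allocation while ole_init parses the file header, the usual shape of a little-endian field reader that takes a buffer and an offset but not the buffer's length. The function below is a length-aware replacement for such a reader; its signature and the 6-byte sample buffer are assumptions, not taken from libdoc.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hardened 4-byte little-endian reader (hypothetical replacement for a
 * length-unaware getlong(buffer, offset)): the caller supplies the buffer
 * length and the read is refused unless all four bytes lie inside it.
 * Returns 1 on success, 0 on an out-of-bounds read or NULL argument. */
int getlong_checked(const unsigned char *buffer, size_t buflen,
                    size_t offset, uint32_t *out)
{
    if (buffer == NULL || out == NULL)
        return 0;
    /* compare buflen - offset rather than offset + 4 so a huge offset
     * cannot wrap the addition and slip past the check */
    if (offset > buflen || buflen - offset < 4)
        return 0;
    *out = (uint32_t)buffer[offset]
         | ((uint32_t)buffer[offset + 1] << 8)
         | ((uint32_t)buffer[offset + 2] << 16)
         | ((uint32_t)buffer[offset + 3] << 24);
    return 1;
}

/* Constructed sample: six bytes standing in for a truncated file header. */
static const unsigned char sample_hdr[6] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06};

/* Reads the field at offset 0 (fits) and at offset 4 (only two bytes left).
 * Returns a 2-bit mask: bit 1 = first read ok, bit 0 = second read ok. */
int demo(uint32_t *first, uint32_t *second)
{
    int ok1 = getlong_checked(sample_hdr, sizeof sample_hdr, 0, first);
    int ok2 = getlong_checked(sample_hdr, sizeof sample_hdr, 4, second);
    return (ok1 << 1) | ok2;
}

int main(void)
{
    uint32_t a = 0, b = 0;
    int mask = demo(&a, &b);
    printf("offset 0: %s 0x%08x\n", (mask & 2) ? "ok" : "refused", a);
    printf("offset 4: %s\n", (mask & 1) ? "ok" : "refused (truncated input)");
    return 0;
}
```

The length passed in must be the number of bytes actually read from the file, not the size the header format says should be there; otherwise a short input like the PoC still slips through.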
