
A heap-buffer-overflow in reader.c:203 process_file #2

Open
leonzhao7 opened this Issue Dec 25, 2018 · 0 comments


leonzhao7 commented Dec 25, 2018

Test Version

latest version, git clone https://github.com/uvoteam/libdoc

Environment

Ubuntu 16.04-x64, gcc version 5.4.0 20160609

Test Program and command

gcc main.c -o doc2txt -L ../build/ -lasan -fsanitize=address -ggdb ../build/libdoc.a
doc2txt [infile]

GDB and Backtrace

Reading symbols from doc2txt...done.
(gdb) run libdoc_reader_process_file_203.overflow 
Starting program: /var/normal/bin/doc2txt libdoc_reader_process_file_203.overflow
*** Error in `/var/normal/bin/doc2txt': malloc(): memory corruption: 0x000000000064e1c0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff7a847e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7ffff7a8f13e]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7ffff7a91184]
/var/normal/bin/doc2txt[0x402a63]
/var/normal/bin/doc2txt[0x4012fd]
/var/normal/bin/doc2txt[0x400f3d]
/var/normal/bin/doc2txt[0x400e46]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff7a2d830]
/var/normal/bin/doc2txt[0x400c99]
======= Memory map: ========
00400000-0044c000 r-xp 00000000 08:01 526540                             /var/normal/bin/doc2txt
0064b000-0064c000 r--p 0004b000 08:01 526540                             /var/normal/bin/doc2txt
0064c000-0064d000 rw-p 0004c000 08:01 526540                             /var/normal/bin/doc2txt
0064d000-0066e000 rw-p 00000000 00:00 0                                  [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0 
7ffff77f7000-7ffff780d000 r-xp 00000000 08:01 1053568                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff780d000-7ffff7a0c000 ---p 00016000 08:01 1053568                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a0c000-7ffff7a0d000 rw-p 00015000 08:01 1053568                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 1053530                    /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7bcd000-7ffff7dcd000 ---p 001c0000 08:01 1053530                    /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dcd000-7ffff7dd1000 r--p 001c0000 08:01 1053530                    /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dd1000-7ffff7dd3000 rw-p 001c4000 08:01 1053530                    /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dd3000-7ffff7dd7000 rw-p 00000000 00:00 0 
7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:01 1053502                    /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7fde000-7ffff7fe1000 rw-p 00000000 00:00 0 
7ffff7ff6000-7ffff7ff7000 rw-p 00000000 00:00 0 
7ffff7ff7000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 1053502                    /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 1053502                    /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff7a4402a in __GI_abort () at abort.c:89
#2  0x00007ffff7a847ea in __libc_message (do_abort=2, fmt=fmt@entry=0x7ffff7b9ded8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7a8f13e in malloc_printerr (ar_ptr=0x7ffff7dd1b20 <main_arena>, ptr=0x64e1c0, str=0x7ffff7b9ad3f "malloc(): memory corruption", action=<optimized out>)
    at malloc.c:5006
#4  _int_malloc (av=av@entry=0x7ffff7dd1b20 <main_arena>, bytes=bytes@entry=200) at malloc.c:3474
#5  0x00007ffff7a91184 in __GI___libc_malloc (bytes=200) at malloc.c:2913
#6  0x0000000000402a63 in ole_readdir (f=0x64d290, ole_params=0x7fffffffe1d0) at /root/libdoc/ole.c:314
#7  0x00000000004012fd in analyze_format (f=0x64d290, out=0x64d010) at /root/libdoc/analyze.c:52
#8  0x0000000000400f3d in doc2text (buf=0x64e250 "", size=41095, buffer_out=0x7fffffffe368) at /root/libdoc/catdoc.c:55
#9  0x0000000000400e46 in main ()

ASan Debug Information

root@leon-virtual-machine:/var/asan/bin# ./doc2txt libdoc_reader_process_file_203.overflow 
=================================================================
==76395==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fa2b88fa7fe at pc 0x000000407d19 bp 0x7ffc58dcb2a0 sp 0x7ffc58dcb290
READ of size 2 at 0x7fa2b88fa7fe thread T0
    #0 0x407d18 in process_file /root/libdoc/reader.c:203
    #1 0x402344 in parse_word_header /root/libdoc/analyze.c:123
    #2 0x401e54 in analyze_format /root/libdoc/analyze.c:57
    #3 0x4019a2 in doc2text /root/libdoc/catdoc.c:55
    #4 0x401715 in main /root/libdoc/example/main.c:24
    #5 0x7fa2b748b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x401498 in _start (/var/asan/bin/doc2txt+0x401498)

0x7fa2b88fa7fe is located 2 bytes to the left of 524288-byte region [0x7fa2b88fa800,0x7fa2b897a800)
allocated by thread T0 here:
    #0 0x7fa2b78cd602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x407733 in process_file /root/libdoc/reader.c:111
    #2 0x402344 in parse_word_header /root/libdoc/analyze.c:123
    #3 0x401e54 in analyze_format /root/libdoc/analyze.c:57
    #4 0x4019a2 in doc2text /root/libdoc/catdoc.c:55
    #5 0x401715 in main /root/libdoc/example/main.c:24
    #6 0x7fa2b748b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libdoc/reader.c:203 process_file
Shadow bytes around the buggy address:
  0x0ff4d71174a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff4d71174b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff4d71174c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff4d71174d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff4d71174e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ff4d71174f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0ff4d7117500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff4d7117510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff4d7117520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff4d7117530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff4d7117540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==76395==ABORTING

POC file

libdoc_reader_process_file_203.zip

CREDIT

Zhao Liang, Huawei Weiran Labs
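The AddressSanitizer output above is the useful part of this report for anyone triaging it: a 2-byte READ at reader.c:203 lands 2 bytes to the left of a 524288-byte heap region that reader.c:111 allocated, which is consistent with a file-derived offset being used as a buffer index without a bounds check (the glibc "malloc(): memory corruption" abort in the non-ASan build is the later symptom of the same corrupted heap). The following is an added illustration, not libdoc's code, of the check that class of read needs: a bounded little-endian 16-bit accessor that refuses both a negative offset and an offset that would run past the end, with a constructed 8-byte sample buffer standing in for a parsed file. `read_u16_le`, `probe_sample` and `SAMPLE` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounded read (added example, not libdoc code).
 * Reads the little-endian 16-bit value at byte offset `off` of a `len`-byte
 * buffer. Returns false, without touching memory, when `off` is negative
 * (a read before the allocation, as in the ASan report) or when off + 2
 * would exceed `len`. The length arithmetic is written so that it cannot
 * itself overflow for large `off`. */
static bool read_u16_le(const uint8_t *buf, size_t len, long off, uint16_t *out)
{
    if (buf == NULL || out == NULL)
        return false;
    if (off < 0)                                   /* before the start of the buffer */
        return false;
    if ((size_t)off > len || len - (size_t)off < 2) /* equivalent to off + 2 > len */
        return false;
    *out = (uint16_t)((uint16_t)buf[off] | ((uint16_t)buf[off + 1] << 8));
    return true;
}

/* Constructed sample input: 8 bytes 0x01..0x08, standing in for file data. */
static const uint8_t SAMPLE[8] = {1, 2, 3, 4, 5, 6, 7, 8};
#define SAMPLE_LEN (sizeof SAMPLE)

/* Returns the 16-bit value at `off` in SAMPLE, or -1 if the read is rejected. */
static long probe_sample(long off)
{
    uint16_t v = 0;
    return read_u16_le(SAMPLE, SAMPLE_LEN, off, &v) ? (long)v : -1;
}

int main(void)
{
    /* Offsets covering the normal case, the last valid position, a read that
     * would spill past the end, a read before the start, and off == len. */
    const long offs[] = {0, 6, 7, -2, 8};
    for (size_t i = 0; i < sizeof offs / sizeof offs[0]; i++) {
        long r = probe_sample(offs[i]);
        if (r < 0)
            printf("offset %ld: rejected (out of bounds)\n", offs[i]);
        else
            printf("offset %ld: 0x%04lx\n", offs[i], r);
    }
    return 0;
}
```

The point of routing every file-derived index through one accessor like this is that the check is made once, in one place, and the caller receives a failure code it must handle instead of a silently wrong value; ASan then has nothing to report because the out-of-range read never happens.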
