XXD Binary EBCDIC Mode Combination Memory Corruption #17939

@err2zero

Description

Steps to reproduce

XXD Binary EBCDIC Mode Combination Memory Corruption

Summary

During fuzzing of the xxd (hex dump) utility, a critical memory corruption vulnerability was discovered in the combined binary and EBCDIC mode processing logic. The vulnerability occurs when xxd processes files with both binary output (-b) and EBCDIC character encoding (-E) flags simultaneously, leading to segmentation faults due to improper memory management during format conversion operations.

Technical Details

  • Vulnerability Type: Segmentation Fault / Memory Corruption
  • Affected Function: __memmove_avx_unaligned_erms
  • Source File: memmove-vec-unaligned-erms.S
  • Line Number: 317
  • Signal: SIGSEGV (11)

Vulnerability Mechanism and Root Cause

This memory corruption vulnerability occurs in xxd's mode combination logic when binary and EBCDIC modes are used together. The root cause lies in conflicting memory management between binary formatting routines and EBCDIC character conversion routines.

The vulnerability is triggered when:

  1. xxd processes an input file with both -b (binary output) and -E (EBCDIC encoding) flags
  2. The program attempts to convert binary data to EBCDIC representation while maintaining binary format
  3. Due to conflicting buffer management between these two modes, memory allocation/deallocation becomes inconsistent
  4. The binary formatter and EBCDIC converter access overlapping memory regions with different size assumptions
  5. A subsequent memmove operation attempts to copy data with corrupted buffer parameters
  6. This results in an out-of-bounds memory access at __memmove_avx_unaligned_erms+317

The memory corruption occurs when xxd tries to format binary output while simultaneously performing EBCDIC character conversion, leading to buffer overflow conditions.

Proof of Concept

The vulnerability can be triggered by executing xxd with combined binary and EBCDIC mode flags on specific input data that exposes the buffer management conflict.

POC Download: POC_xxd_binary_ebcdic_segfault

Reproduction Steps

  1. Compile xxd with debugging symbols enabled
  2. Execute: ./xxd -a -b -E -g 256 POC_xxd_binary_ebcdic_segfault
  3. The program will crash with a segmentation fault in memmove operation

Credit

  • Xudong Cao (UCAS)
  • Meng Xu (UW)

Expected behaviour

Segmentation Fault / Memory Corruption

Version of Vim

vim-9.1.0000 and related xxd versions (latest master branch)

Environment

  1. Compile xxd with debugging symbols enabled
  2. clang && asan

Logs and stack traces

GDB Debug Output


=== PROGRAM_EXECUTION_START ===
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:317

=== PROGRAM_EXECUTION_END ===

=== PRIMARY_CRASH_DETECTION ===
Program status from 'info program':
	Using the running image of child Thread 0x7ffff7d81780 (LWP 842231).
Program stopped at 0x7ffff7f247cd.
It stopped with signal SIGSEGV, Segmentation fault.

=== SIGNAL_CRASH_DETECTED ===
Program terminated by signal - this is a genuine crash

=== FRAME_ANALYSIS ===
Valid frame found - program stopped at signal

=== BACKTRACE_ANALYSIS ===
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:317
#1  0x0000555555561a1d in ?? ()
#2  0x000055555555fdb2 in ?? ()
#3  0x00007ffff7dadd90 in __libc_start_call_main (main=main@entry=0x55555555d0b0, argc=argc@entry=7, argv=argv@entry=0x7fffffffe418) at ../sysdeps/nptl/libc_start_call_main.h:58
#4  0x00007ffff7dade40 in __libc_start_main_impl (main=0x55555555d0b0, argc=7, argv=0x7fffffffe418, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe408) at ../csu/libc-start.c:392
#5  0x00005555555593b5 in ?? ()

=== RECURSION_ANALYSIS ===
Extracted 5 function names from stack trace

=== FINAL_STATUS_DETERMINATION ===
CONCLUSION: Program crashed due to signal
This is a genuine crash requiring investigation
317	../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
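An ASan triage harness for the reproduction steps and environment above, added here as an example; it is not the reporter's or the vim project's code. It assumes xxd's single-file source (vim's src/xxd/xxd.c) and the PoC file are supplied through the XXD_SRC and POC variables, and that clang and timeout are installed.

```shell
# Triage harness added as an example; not part of the vim project or of this
# report. It assumes vim's single-file xxd source (src/xxd/xxd.c) is at
# $XXD_SRC and the reporter's PoC file at $POC; both are used only if set.

# Build xxd with debug symbols and AddressSanitizer, matching the
# "clang && asan" environment given in the report.
build_xxd_asan() {
    clang -g -O1 -fno-omit-frame-pointer -fsanitize=address -o "$2" "$1"
}

# Translate an exit status into a triage verdict. POSIX shells report death
# by signal as 128+signo; a plain ASan report exits with status 1 by default,
# and timeout(1) exits 124 when the process hangs.
classify_exit() {
    case "$1" in
        0)   echo "clean exit" ;;
        1)   echo "exit 1 (ASan report or usage error, see asan.log)" ;;
        124) echo "timeout (possible hang)" ;;
        134) echo "SIGABRT (ASan abort_on_error or abort())" ;;
        139) echo "SIGSEGV (segmentation fault)" ;;
        *)
            if [ "$1" -gt 128 ]; then
                echo "terminated by signal $(( $1 - 128 ))"
            else
                echo "exit status $1"
            fi ;;
    esac
}

# Run the exact command line from the reproduction steps under a timeout,
# keep the sanitizer output in asan.log, print a verdict, return the status.
run_poc() {
    bin="$1"; poc="$2"
    if ASAN_OPTIONS=abort_on_error=1 timeout 10 "$bin" -a -b -E -g 256 "$poc" \
        >/dev/null 2>asan.log; then
        status=0
    else
        status=$?
    fi
    echo "verdict: $(classify_exit "$status")"
    return "$status"
}

# Only act when the caller points at real inputs, so the file is safe to source.
if [ -n "${XXD_SRC:-}" ] && [ -n "${POC:-}" ]; then
    build_xxd_asan "$XXD_SRC" ./xxd-asan
    run_poc ./xxd-asan "$POC"
fi
```

With ASan the crash should surface as a report in asan.log naming the xxd.c line rather than the bare memmove frame shown in the GDB backtrace, which is what a maintainer needs to locate the fault.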
