URL: <https://savannah.gnu.org/bugs/?65880>
Summary: heap-buffer-overflow in grub-mkrescue.c
Group: GNU GRUB
Submitter: vegorova
Submitted: Fri 14 Jun 2024 11:13:08
Category: None
Severity: Major
Priority: 5 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Release: other
Release:
Discussion Lock: Any
Reproducibility: Every Time
Planned Release: None

_______________________________________________________

Follow-up Comments:

-------------------------------------------------------
Date: Fri 14 Jun 2024 11:13:08        By: Victoriia Egorova <vegorova>

Steps to reproduce:

build grub2 (I tried v2.06, but this code part seems almost the same in v2.12) with ASAN
run grub-mkrescue with -k or -d opt without additional args:

    ./grub-mkrescue -k
or
    ./grub-mkrescue -d

It looks like we're looking for the arg after these flags (-k and -d), but if we don't have it, we also haven't allocated enough memory for argp_argv (we allocated it only for argc elements; in this case there are only two of them), but we try to write here in the line

    argp_argv[argp_argc++] = argv[i];

so it causes a heap-buffer-overflow.
Backtrace:

=================================================================
==264950==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000380 at pc 0x5e64d4e5f556 bp 0x7fff53f3ba30 sp 0x7fff53f3ba28
WRITE of size 8 at 0x602000000380 thread T0
    #0 0x5e64d4e5f555 in main ../../util/grub-mkrescue.c:471
    #1 0x7cc0f5e04249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #2 0x7cc0f5e04304 in __libc_start_main_impl ../csu/libc-start.c:360
    #3 0x5e64d4e61a20 in _start (/app/grub/grub2/grub2-2.06/obj/grub-pc/grub-mkrescue+0x4ea20)

0x602000000380 is located 0 bytes to the right of 16-byte region [0x602000000370,0x602000000380)
allocated by thread T0 here:
    #0 0x7cc0f61553b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x5e64d4ff5275 in xcalloc ../../grub-core/kern/emu/misc.c:93

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../util/grub-mkrescue.c:471 in main
==264950==ABORTING
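The defect the report describes and the bounds check that closes it, as an added C model written for this page (it is not grub-mkrescue's own source; the function names, the exact loop shape and the sample argv values are assumptions made for illustration):

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the argument-forwarding loop the report describes
 * (NOT grub-mkrescue's own code): argv is copied into a buffer sized for
 * exactly argc pointers, and the value following -k / -d is forwarded too. */

static int takes_value(const char *arg)
{
    return strcmp(arg, "-k") == 0 || strcmp(arg, "-d") == 0;
}

/* Dry run of the unchecked loop: count the slots it writes when it copies
 * argv[i] and argv[i + 1] for every -k / -d without testing i + 1 < argc.
 * A trailing flag also copies argv[argc] (the NULL terminator): 3 writes
 * into a 2-pointer, 16-byte region for "./grub-mkrescue -k", as ASan shows. */
size_t unchecked_slots_written(int argc, char **argv)
{
    size_t n = 0;
    for (int i = 0; i < argc; i++) {
        n++;                          /* argv[i] itself */
        if (takes_value(argv[i])) {
            n++;                      /* argv[i + 1], possibly argv[argc] */
            i++;
        }
    }
    return n;
}

/* Hardened variant: argp_argv must have room for argc pointers (the same
 * allocation size the tool uses). A flag with no value is rejected instead
 * of reading argv[argc]; each argv index is copied at most once, so the
 * write count never exceeds argc. Returns the count, or 0 on a missing value. */
size_t forward_args_checked(int argc, char **argv, char **argp_argv)
{
    size_t argp_argc = 0;
    for (int i = 0; i < argc; i++) {
        if (takes_value(argv[i]) && i + 1 >= argc)
            return 0;                 /* missing value: fail, do not overflow */
        argp_argv[argp_argc++] = argv[i];
        if (takes_value(argv[i]))
            argp_argv[argp_argc++] = argv[++i];
    }
    return argp_argc;
}
```

The invariant worth asserting in the real tool is the same one the model relies on: every write to argp_argv consumes one distinct argv index, which only holds once the `i + 1 < argc` test precedes consumption of a flag's value.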