** Attachment added: "This is a POC" https://bugs.launchpad.net/ubuntu/+source/libmatio/+bug/1859149/+attachment/5319068/+files/poc_m00
** Description changed: - lbb@lbb:/matio-1.5.17/build$ ./bin/matdump poc_m00 + Stack-buffer-overflow while running motio-1.5.17. I can not confirm if + this bug is needed to patch. Deatil log as follow: (POC in attachment) + + lbb@lbb: ./bin/matdump poc_m00 InflateRankDims: inflate returned data error ================================================================= ==21267==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff3b36320 at pc 0x7f31a19c7187 bp 0x7ffff3b357f0 sp 0x7ffff3b357e8 READ of size 4 at 0x7ffff3b36320 thread T0 - #0 0x7f31a19c7186 in Mat_VarReadNextInfo5 /matio-1.5.17/src/mat5.c:4856:47 - #1 0x7f31a1a22911 in Mat_VarReadNextInfo /matio-1.5.17/src/mat.c:2311:22 - #2 0x4dd9b3 in main /matio-1.5.17/tools/matdump.c:942:31 - #3 0x7f31a059f82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291 - #4 0x435a28 in _start (/matio-1.5.17/build/bin/matdump+0x435a28) + #0 0x7f31a19c7186 in Mat_VarReadNextInfo5 /matio-1.5.17/src/mat5.c:4856:47 + #1 0x7f31a1a22911 in Mat_VarReadNextInfo /matio-1.5.17/src/mat.c:2311:22 + #2 0x4dd9b3 in main /matio-1.5.17/tools/matdump.c:942:31 + #3 0x7f31a059f82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291 + #4 0x435a28 in _start (/matio-1.5.17/build/bin/matdump+0x435a28) Address 0x7ffff3b36320 is located in stack of thread T0 at offset 288 in frame - #0 0x7f31a19c4a5f in Mat_VarReadNextInfo5 /matio-1.5.17/src/mat5.c:4753 + #0 0x7f31a19c4a5f in Mat_VarReadNextInfo5 /matio-1.5.17/src/mat5.c:4753 - This frame has 22 object(s): - [32, 40) '' - [64, 72) '' - [96, 100) 'err' - [112, 116) 'data_type' - [128, 132) 'nBytes' - [144, 152) 'fpos' - [176, 184) 'matvar' - [208, 212) 'array_flags' - [224, 288) 'uncomp_buf' <== Memory access at offset 288 overflows this variable - [320, 324) 'nbytes' - [336, 344) 'bytesread' - [368, 376) 'dims' - [400, 404) 'do_clean' - [416, 420) 'j' - [432, 436) 'len' - [448, 452) 'len_pad' - [464, 468) 'len1' - [480, 504) 'buf' - [544, 552) 'readresult' - [576, 580) 'len2' - [592, 596) 'len_pad3' - [608, 612) 'len4' + This frame has 22 object(s): + [32, 40) '' + [64, 72) '' + [96, 100) 'err' + [112, 116) 'data_type' + [128, 132) 'nBytes' + [144, 152) 'fpos' + [176, 184) 'matvar' + [208, 212) 'array_flags' + [224, 288) 'uncomp_buf' <== Memory access at offset 288 overflows this variable + [320, 324) 'nbytes' + [336, 344) 'bytesread' + [368, 376) 'dims' + [400, 404) 'do_clean' + [416, 420) 'j' + [432, 436) 'len' + [448, 452) 'len_pad' + [464, 468) 'len1' + [480, 504) 'buf' + [544, 552) 'readresult' + [576, 580) 'len2' + [592, 596) 'len_pad3' + [608, 612) 'len4' HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext - (longjmp and C++ exceptions *are* supported) + (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /matio-1.5.17/src/mat5.c:4856 Mat_VarReadNextInfo5 Shadow bytes around the buggy address: - 0x10007e75ec10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10007e75ec20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10007e75ec30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10007e75ec40: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 04 f2 04 f2 - 0x10007e75ec50: 04 f2 00 f2 f2 f2 00 f2 f2 f2 04 f2 00 00 00 00 + 0x10007e75ec10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10007e75ec20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10007e75ec30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10007e75ec40: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 04 f2 04 f2 + 0x10007e75ec50: 04 f2 00 f2 f2 f2 00 f2 f2 f2 04 f2 00 00 00 00 =>0x10007e75ec60: 00 00 00 00[f2]f2 f2 f2 04 f2 00 f2 f2 f2 00 f2 - 0x10007e75ec70: f2 f2 04 f2 04 f2 04 f2 04 f2 04 f2 00 00 00 f2 - 0x10007e75ec80: f2 f2 f2 f2 00 f2 f2 f2 04 f2 04 f2 04 f3 f3 f3 - 0x10007e75ec90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10007e75eca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10007e75ecb0: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f3 f3 f3 + 0x10007e75ec70: f2 f2 04 f2 04 f2 04 f2 04 f2 04 f2 00 00 00 f2 + 0x10007e75ec80: f2 f2 f2 f2 00 f2 f2 f2 04 f2 04 f2 04 f3 f3 f3 + 0x10007e75ec90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10007e75eca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10007e75ecb0: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f3 f3 f3 Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Partially addressable: 01 02 03 04 05 06 07 - Heap left redzone: fa - Heap right redzone: fb - Freed heap region: fd - Stack left redzone: f1 - Stack mid redzone: f2 - Stack right redzone: f3 - Stack partial redzone: f4 - Stack after return: f5 - Stack use after scope: f8 - Global redzone: f9 - Global init order: f6 - Poisoned by user: f7 - Container overflow: fc - Array cookie: ac - Intra object redzone: bb - ASan internal: fe - Left alloca redzone: ca - Right alloca redzone: cb + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb ==21267==ABORTING -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1859149 Title: Stack-buffer-overflow in matio-1.5.17/src/mat5.c:4856 Mat_VarReadNextInfo5 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libmatio/+bug/1859149/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
