Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap Buffer-overflow vulnerability in deco.c #93

Open
Microsvuln opened this issue Apr 29, 2021 · 5 comments
Open

Heap Buffer-overflow vulnerability in deco.c #93

Microsvuln opened this issue Apr 29, 2021 · 5 comments

Comments

@Microsvuln
Copy link

There is a heap buffer overflow vulnerability in deco.c and draw_all_deco function which is occurred by parsing an input file.

output :

=================================================================
==10052==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000009764 at pc 0x0000003f9189 bp 0x7ffdfb16aa90 sp 0x7ffdfb16aa88
READ of size 4 at 0x629000009764 thread T0
    #0 0x3f9188 in draw_all_deco /home/arash/abcm2ps/deco.c:1384:32
    #1 0x5b760c in output_music /home/arash/abcm2ps/music.c:5120:3
    #2 0x6b7a79 in generate /home/arash/abcm2ps/parse.c:1042:2
    #3 0x645f70 in gen_ly /home/arash/abcm2ps/parse.c:1063:2
    #4 0x645f70 in do_tune /home/arash/abcm2ps/parse.c:3643:2
    #5 0x54a1da in abc_eof /home/arash/abcm2ps/abcparse.c:202:2
    #6 0x54a1da in frontend /home/arash/abcm2ps/front.c:905:2
    #7 0x33549c in treat_file /home/arash/abcm2ps/abcm2ps.c:240:2
    #8 0x339393 in main /home/arash/abcm2ps/abcm2ps.c:1041:3
    #9 0x7fcfbe228bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x2868d9 in _start (/home/arash/abcm2ps/abcm2ps.laf.asan+0x2868d9)

0x629000009764 is located 1350 bytes to the right of 16414-byte region [0x629000005200,0x62900000921e)
allocated by thread T0 here:
    #0 0x30094d in malloc (/home/arash/abcm2ps/abcm2ps.laf.asan+0x30094d)
    #1 0x33804d in clrarena /home/arash/abcm2ps/abcm2ps.c:1064:24
    #2 0x33804d in main /home/arash/abcm2ps/abcm2ps.c:687:2
    #3 0x7fcfbe228bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/arash/abcm2ps/deco.c:1384:32 in draw_all_deco
Shadow bytes around the buggy address:
  0x0c527fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff92a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff92b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff92c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff92d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c527fff92e0: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c527fff92f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==10052==ABORTING

To reproduce :

./abcm2ps poc7

poc7.zip

@moinejf
Copy link
Collaborator

moinejf commented May 3, 2021

I cannot reproduce the problem on my machine ARM 32 bits.
Anyway, there is no relation with the commit 9630392: there is no !trem2! in your source.

@Microsvuln
Copy link
Author

Hi.
The Crash is reproducible in x84-64 Ubuntu 18.04, I didn't test it on ARM.

Thanks.

@hkiel
Copy link
Contributor

hkiel commented May 5, 2021

I cannot reproduce this bug on x64 macOS.

@Microsvuln
Copy link
Author

Can you install an Ubuntu version 18.04? unless I can send you a VM which you can test and reproduce on that box.

@moinejf
Copy link
Collaborator

moinejf commented May 6, 2021

I use VoidLinux, so I have the last versions of the GNU tools (gcc (GCC) 10.2.1 20201203).
About a VM, I think that you were talking about a x84-64 system, but I cannot run Intel binaries, even with qemu: my BananaPi M2+ board is too small (clock 700MHz, RAM 1GB).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants