View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000138 | file | General | public | 2020-02-04 22:30 | 2020-02-13 17:09 |
Reporter | gockelhahn | Assigned To | christos | ||
Priority | normal | Severity | crash | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Platform | x86_64 | OS | arch linux | ||
Product Version | 5.38 | ||||
Fixed in Version | 5.39 | ||||
Summary: 0000138: crash (heap-buffer-overflow) with crafted binary magic file

Description: fuzzing with stock afl found this:

```text
==14786==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f000000030 at pc 0x7f0c5ad0fd41 bp 0x7ffe3ec50b20 sp 0x7ffe3ec50b10
READ of size 4 at 0x60f000000030 thread T0
    #0 0x7f0c5ad0fd40 in mget /home/build/file/src/softmagic.c:1701
    #1 0x7f0c5ad0453a in match /home/build/file/src/softmagic.c:244
    #2 0x7f0c5ad03d37 in file_softmagic /home/build/file/src/softmagic.c:134
    #3 0x7f0c5ad14551 in file_ascmagic_with_encoding /home/build/file/src/ascmagic.c:156
    #4 0x7f0c5ad1405e in file_ascmagic /home/build/file/src/ascmagic.c:95
    #5 0x7f0c5ad2ee56 in file_buffer /home/build/file/src/funcs.c:352
    #6 0x7f0c5acf064c in file_or_fd /home/build/file/src/magic.c:514
    #7 0x7f0c5aceff2f in magic_file /home/build/file/src/magic.c:398
    #8 0x563f499a5a9c in process /home/build/file/src/file.c:542
    #9 0x563f499a4f51 in main /home/build/file/src/file.c:413
    #10 0x7f0c5aae5152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
    #11 0x563f499a43cd in _start (/home/build/file/src/.libs/lt-file+0x53cd)

0x60f000000030 is located 16 bytes to the left of 168-byte region [0x60f000000040,0x60f0000000e8)
allocated by thread T0 here:
    #0 0x7f0c5ae77aca in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7f0c5aaf07de in _nl_intern_locale_data (/usr/lib/libc.so.6+0x327de)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/build/file/src/softmagic.c:1701 in mget
Shadow bytes around the buggy address:
  0x0c1e7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1e7fff8000: fa fa fa fa fa fa[fa]fa 00 00 00 00 00 00 00 00
  0x0c1e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c1e7fff8020: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff8030: 00 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa
  0x0c1e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==14786==ABORTING
```

Steps To Reproduce:

```sh
git clone https://github.com/file/file.git
cd file
export CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer"
autoreconf -i
./configure --disable-libseccomp
make all
./src/.libs/lt-file -m ~/test.mgc /etc/services
```

Additional Information: master @ 85b214cd422dd2538800c8b6d6e6c383d9ee17bf

Tags: magic
Date Modified | Username | Field | Change |
---|---|---|---|
2020-02-04 22:30 | gockelhahn | New Issue | |
2020-02-04 22:30 | gockelhahn | File Added: test.mgc | |
2020-02-04 22:30 | gockelhahn | Tag Attached: magic | |
2020-02-13 17:08 | christos | Assigned To | => christos |
2020-02-13 17:08 | christos | Status | new => assigned |
2020-02-13 17:09 | christos | Status | assigned => resolved |
2020-02-13 17:09 | christos | Resolution | open => fixed |
2020-02-13 17:09 | christos | Fixed in Version | => 5.39 |
2020-02-13 17:09 | christos | Note Added: 0003356 |