View Issue Details

ID: 0000138
Project: file
Category: General
View Status: public
Last Update: 2020-02-13 17:09
Reporter: gockelhahn
Assigned To: christos
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: x86_64
OS: arch linux
Product Version: 5.38
Fixed in Version: 5.39
Summary: 0000138: crash (heap-buffer-overflow) with crafted binary magic file
Description: fuzzing with stock afl found this:

    ==14786==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f000000030 at pc 0x7f0c5ad0fd41 bp 0x7ffe3ec50b20 sp 0x7ffe3ec50b10
    READ of size 4 at 0x60f000000030 thread T0
        #0 0x7f0c5ad0fd40 in mget /home/build/file/src/softmagic.c:1701
        #1 0x7f0c5ad0453a in match /home/build/file/src/softmagic.c:244
        #2 0x7f0c5ad03d37 in file_softmagic /home/build/file/src/softmagic.c:134
        #3 0x7f0c5ad14551 in file_ascmagic_with_encoding /home/build/file/src/ascmagic.c:156
        #4 0x7f0c5ad1405e in file_ascmagic /home/build/file/src/ascmagic.c:95
        #5 0x7f0c5ad2ee56 in file_buffer /home/build/file/src/funcs.c:352
        #6 0x7f0c5acf064c in file_or_fd /home/build/file/src/magic.c:514
        #7 0x7f0c5aceff2f in magic_file /home/build/file/src/magic.c:398
        #8 0x563f499a5a9c in process /home/build/file/src/file.c:542
        #9 0x563f499a4f51 in main /home/build/file/src/file.c:413
        #10 0x7f0c5aae5152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
        #11 0x563f499a43cd in _start (/home/build/file/src/.libs/lt-file+0x53cd)

    0x60f000000030 is located 16 bytes to the left of 168-byte region [0x60f000000040,0x60f0000000e8)
    allocated by thread T0 here:
        #0 0x7f0c5ae77aca in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7f0c5aaf07de in _nl_intern_locale_data (/usr/lib/libc.so.6+0x327de)

    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/build/file/src/softmagic.c:1701 in mget
    Shadow bytes around the buggy address:
    0x0c1e7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c1e7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c1e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c1e7fff8000: fa fa fa fa fa fa[fa]fa 00 00 00 00 00 00 00 00
    0x0c1e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
    0x0c1e7fff8020: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
    0x0c1e7fff8030: 00 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa
    0x0c1e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable: 00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone: fa
    Freed heap region: fd
    Stack left redzone: f1
    Stack mid redzone: f2
    Stack right redzone: f3
    Stack after return: f5
    Stack use after scope: f8
    Global redzone: f9
    Global init order: f6
    Poisoned by user: f7
    Container overflow: fc
    Array cookie: ac
    Intra object redzone: bb
    ASan internal: fe
    Left alloca redzone: ca
    Right alloca redzone: cb
    Shadow gap: cc
    ==14786==ABORTING
Steps To Reproduce:
    git clone https://github.com/file/file.git
    cd file
    export CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer"
    autoreconf -i
    ./configure --disable-libseccomp
    make all
    ./src/.libs/lt-file -m ~/test.mgc /etc/services
Additional Information: master @ 85b214cd422dd2538800c8b6d6e6c383d9ee17bf
Tags: magic
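As an added example (not part of this report or of the file project): a small Python triage helper that pulls the fields a maintainer needs out of an ASan report like the one above (error class, access kind and size, first non-interceptor frame, and where the access landed relative to the heap region). The sample report embedded below is constructed from the lines quoted in this issue; the bucketing in severity_hint is my own convention.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the key lines of the ASan report quoted in this issue.
SAMPLE_REPORT = """\
==14786==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f000000030 at pc 0x7f0c5ad0fd41 bp 0x7ffe3ec50b20 sp 0x7ffe3ec50b10
READ of size 4 at 0x60f000000030 thread T0
    #0 0x7f0c5ad0fd40 in mget /home/build/file/src/softmagic.c:1701
    #1 0x7f0c5ad0453a in match /home/build/file/src/softmagic.c:244
0x60f000000030 is located 16 bytes to the left of 168-byte region [0x60f000000040,0x60f0000000e8)
allocated by thread T0 here:
    #0 0x7f0c5ae77aca in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:144
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/build/file/src/softmagic.c:1701 in mget
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes (to the left of|to the right of|inside of) (\d+)-byte region")

@dataclass
class AsanTriage:
    error: str
    access: str       # READ or WRITE
    size: int         # bytes accessed
    frame: str        # "function file:line" of the first non-interceptor frame
    offset: int       # distance from the region; negative means before its start
    region_size: int

def triage(report: str) -> AsanTriage:
    err, acc, reg = ERROR_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (err and acc and reg):
        raise ValueError("not a complete ASan memory-access report")
    # The access stack is printed first, so its top frame is the first frame in the text;
    # skip sanitizer interceptor frames so the blamed frame is in the program itself.
    frame = next((f"{fn} {loc}" for _, fn, loc in FRAME_RE.findall(report)
                  if not fn.startswith(("__interceptor_", "__asan"))), "unknown")
    dist, side, rsize = int(reg.group(1)), reg.group(2), int(reg.group(3))
    offset = -dist if side.startswith("to the left") else dist
    return AsanTriage(err.group(1), acc.group(1), int(acc.group(2)), frame, offset, rsize)

def severity_hint(t: AsanTriage) -> str:
    """Coarse bucket for ordering fuzzer findings: OOB writes before OOB reads."""
    if t.access == "WRITE":
        return "high: out-of-bounds write"
    return "medium: out-of-bounds read (crash or information disclosure)"

if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(t, severity_hint(t), sep="\n")
```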

Activities

gockelhahn (reporter), 2020-02-04 22:30

Attached: test.mgc (752 bytes)

christos (manager), 2020-02-13 17:09, note ~0003356

Fixed, thanks!

Issue History

Date Modified Username Field Change
2020-02-04 22:30 gockelhahn New Issue
2020-02-04 22:30 gockelhahn File Added: test.mgc
2020-02-04 22:30 gockelhahn Tag Attached: magic
2020-02-13 17:08 christos Assigned To => christos
2020-02-13 17:08 christos Status new => assigned
2020-02-13 17:09 christos Status assigned => resolved
2020-02-13 17:09 christos Resolution open => fixed
2020-02-13 17:09 christos Fixed in Version => 5.39
2020-02-13 17:09 christos Note Added: 0003356