View Issue Details

ID: 0000062
Project: file
Category: [All Projects] General
View Status: public
Last Update: 2019-02-19 13:16
Reporter: spinpx
Assigned To: christos
Priority: urgent
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Intel
OS: Debian
OS Version: 10
Product Version: 5.35
Fixed in Version: 5.36
Summary: 0000062: Stack buffer overflow
Description: We built file with `--disable-libseccomp` using clang 4.0.0 and ASAN.
We ran the program on the input we provided, with no other arguments.

The bug exists in file 5.35 and in the newest git version, commit 5b9408cbbd401c13873bf944d3085785547e9915.

ASAN report:
==990598==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffea9a966a0 at pc 0x000000441461 bp 0x7ffea9a931d0 sp 0x7ffea9a92940
READ of size 8167 at 0x7ffea9a966a0 thread T0
    #0 0x441460 in printf_common(void*, char const*, __va_list_tag*) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:544:9
    #1 0x442140 in vasprintf /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1412:1
    #2 0x51d538 in file_vprintf /home/chenpeng/data/FuzzingBench/file/file-git/src/funcs.c:62:8
    #3 0x51da90 in file_printf /home/chenpeng/data/FuzzingBench/file/file-git/src/funcs.c:88:7
    #4 0x54f602 in do_bid_note /home/chenpeng/data/FuzzingBench/file/file-git/src/readelf.c:569:7
    #5 0x54d6f9 in donote /home/chenpeng/data/FuzzingBench/file/file-git/src/readelf.c:1185:7
    #6 0x54814a in dophn_core /home/chenpeng/data/FuzzingBench/file/file-git/src/readelf.c:401:13
    #7 0x5459d4 in file_tryelf /home/chenpeng/data/FuzzingBench/file/file-git/src/elfclass.h:43:7
    #8 0x51f29b in file_buffer /home/chenpeng/data/FuzzingBench/file/file-git/src/funcs.c:305:8
    #9 0x4f5b5d in file_or_fd /home/chenpeng/data/FuzzingBench/file/file-git/src/magic.c:508:6
    #10 0x4f5cd6 in magic_file /home/chenpeng/data/FuzzingBench/file/file-git/src/magic.c:397:9
    #11 0x4f3fd5 in process /home/chenpeng/data/FuzzingBench/file/file-git/src/file.c:546:9
    #12 0x4f1c4b in main /home/chenpeng/data/FuzzingBench/file/file-git/src/file.c:416:9
    #13 0x7fc89d20c09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #14 0x41d689 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/file+0x41d689)

Address 0x7ffea9a966a0 is located in stack of thread T0 at offset 8384 in frame
    #0 0x54779f in dophn_core /home/chenpeng/data/FuzzingBench/file/file-git/src/readelf.c:349

  This frame has 3 object(s):
    [32, 64) 'ph32'
    [96, 152) 'ph64'
    [192, 8384) 'nbuf' <== Memory access at offset 8384 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:544:9 in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x10005534ac80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005534ac90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005534aca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005534acb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005534acc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10005534acd0: 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x10005534ace0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x10005534acf0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005534ad00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005534ad10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005534ad20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==990598==ABORTING

Steps To Reproduce: run
# file sbo1
Tags: No tags attached.
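The trace above shows do_bid_note handing file_printf a pointer into nbuf, the 8192-byte stack buffer in dophn_core's frame, and the printf interceptor reading 8167 bytes from it, with the first bad byte at the very end of that buffer. That is consistent with a "%s" conversion applied to note data that carries no NUL terminator: the formatter keeps scanning the stack until it happens to find one. The block below is an added example, not code from file(1) or from this issue, showing the bounds-checked way to format an ELF note: every field is checked against the buffer length before it is read, and the name is printed with "%.*s" so the formatter cannot scan past the declared size. The helper names (format_note, note_to_string, rd32le), the output layout and the three sample notes are assumptions constructed for the example; the samples are not the sbo1 file attached to this issue, and only little-endian notes are handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from file(1): a bounds-checked ELF note formatter.
 * An ELF note is three 4-byte fields (namesz, descsz, type) followed by the
 * name and the descriptor, each padded to a 4-byte boundary. Nothing
 * guarantees that either field is NUL-terminated, so the unsafe shape
 *     snprintf(out, outsz, "name=%s", (const char *)nbuf + noff);
 * reads until it finds a NUL, possibly far past the end of the stack buffer.
 * "%.*s" with a size that has already been checked against the buffer cannot.
 */
#define ALIGN4(x) (((x) + 3u) & ~3u)

static uint32_t rd32le(const unsigned char *p)   /* little-endian ELF only */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Format the note at nbuf[off..len) as "note type T, name=N, desc=HEX".
 * Returns the offset of the next note, or 0 if the note does not fit in the
 * buffer. Every byte touched is checked against len before it is read.
 */
static size_t format_note(const unsigned char *nbuf, size_t len, size_t off,
                          char *out, size_t outsz)
{
    if (off > len || len - off < 12)                    /* header must fit */
        return 0;
    uint32_t namesz = rd32le(nbuf + off);
    uint32_t descsz = rd32le(nbuf + off + 4);
    uint32_t type   = rd32le(nbuf + off + 8);
    if ((namesz | descsz) & 0x80000000u)                /* keep (int) casts and ALIGN4 safe */
        return 0;
    size_t noff = off + 12;
    if (namesz > len - noff)                            /* name must fit */
        return 0;
    size_t doff = noff + ALIGN4(namesz);
    if (doff > len || descsz > len - doff)              /* padding and desc must fit */
        return 0;

    /* The precision bounds the read even when the name has no terminator. */
    int n = snprintf(out, outsz, "note type %u, name=%.*s, desc=",
                     (unsigned)type, (int)namesz, (const char *)nbuf + noff);
    if (n < 0 || (size_t)n >= outsz)
        return 0;
    size_t pos = (size_t)n;
    for (uint32_t i = 0; i < descsz; i++) {             /* i < descsz <= len - doff */
        int m = snprintf(out + pos, outsz - pos, "%02x", nbuf[doff + i]);
        if (m < 0 || (size_t)m >= outsz - pos)
            return 0;
        pos += (size_t)m;
    }
    size_t next = doff + ALIGN4(descsz);
    return next > len ? len : next;
}

/* Constructed sample notes (not the sbo1 file attached to this issue). */
static const unsigned char NOTE_GNU[] = {            /* namesz=4, descsz=8, NT_GNU_BUILD_ID */
    4, 0, 0, 0,  8, 0, 0, 0,  3, 0, 0, 0,
    'G', 'N', 'U', 0,  1, 2, 3, 4, 5, 6, 7, 8 };
static const unsigned char NOTE_UNTERMINATED[] = {   /* name runs to the buffer end, no NUL */
    4, 0, 0, 0,  0, 0, 0, 0,  1, 0, 0, 0,
    'G', 'N', 'U', 'X' };
static const unsigned char NOTE_TRUNCATED[] = {      /* namesz=100 but only 4 name bytes */
    100, 0, 0, 0,  0, 0, 0, 0,  1, 0, 0, 0,
    'G', 'N', 'U', 0 };

static char scratch[256];

/* Convenience wrapper: the formatted note, or NULL if it was rejected. */
static const char *note_to_string(const unsigned char *nbuf, size_t len)
{
    return format_note(nbuf, len, 0, scratch, sizeof scratch) ? scratch : NULL;
}

int main(void)
{
    const unsigned char *samples[] = { NOTE_GNU, NOTE_UNTERMINATED, NOTE_TRUNCATED };
    size_t sizes[] = { sizeof NOTE_GNU, sizeof NOTE_UNTERMINATED, sizeof NOTE_TRUNCATED };
    for (size_t i = 0; i < 3; i++) {
        const char *s = note_to_string(samples[i], sizes[i]);
        printf("%s\n", s ? s : "rejected: note does not fit in buffer");
    }
    return 0;
}
```

The second sample is the interesting one: its name occupies the last four bytes of the buffer with no terminator, so a "%s" conversion would read past the array exactly as the report above shows for nbuf, while "%.*s" stops after namesz bytes. The third sample is rejected before any field is read because the declared namesz does not fit.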

Activities

spinpx

2019-02-18 08:42

reporter  

sbo1 (8,714 bytes)

christos

2019-02-18 17:32

manager   ~0003211

Should be fixed in
/p/file/cvsroot/file/src/readelf.c,v <-- readelf.c
new revision: 1.160; previous revision: 1.159

Thanks!

spinpx

2019-02-19 08:11

reporter   ~0003215

CVE-2019-8904

Issue History

Date Modified Username Field Change
2019-02-18 08:42 spinpx New Issue
2019-02-18 08:42 spinpx File Added: sbo1
2019-02-18 17:30 christos Assigned To => christos
2019-02-18 17:30 christos Status new => assigned
2019-02-18 17:32 christos Status assigned => feedback
2019-02-18 17:32 christos Note Added: 0003211
2019-02-19 08:11 spinpx Note Added: 0003215
2019-02-19 08:11 spinpx Status feedback => assigned
2019-02-19 13:16 christos Status assigned => resolved
2019-02-19 13:16 christos Resolution open => fixed
2019-02-19 13:16 christos Fixed in Version => 5.36