0000062: Stack buffer overflow - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0000062	file	General	public	2019-02-18 08:42	2019-02-19 13:16

Reporter	spinpx	Assigned To	christos
Priority	urgent	Severity	major	Reproducibility	always
Status	resolved	Resolution	fixed
Platform	Intel	OS	Debian	OS Version	10
Product Version	5.35
Fixed in Version	5.36

Summary	0000062: Stack buffer overflow
Description	We build file with `--disable-libseccomp` by clang 4.0.0 and ASAN. We ran the program with the input we provide without any other arguments. The bugs exists in file 5.35 and the newest git version commit 5b9408cbbd401c13873bf944d3085785547e9915 . ASAN report: ==990598==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffea9a966a0 at pc 0x000000441461 bp 0x7ffea9a931d0 sp 0x7ffea9a92940 READ of size 8167 at 0x7ffea9a966a0 thread T0 #0 0x441460 in printf_common(void, char const, __va_list_tag) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:544:9 0000001 0x442140 in vasprintf /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1412:1 0000002 0x51d538 in file_vprintf /home/chenpeng/data/FuzzingBench/file/file-git/src/funcs.c:62:8 0000003 0x51da90 in file_printf /home/chenpeng/data/FuzzingBench/file/file-git/src/funcs.c:88:7 0000004 0x54f602 in do_bid_note /home/chenpeng/data/FuzzingBench/file/file-git/src/readelf.c:569:7 0000005 0x54d6f9 in donote /home/chenpeng/data/FuzzingBench/file/file-git/src/readelf.c:1185:7 0000006 0x54814a in dophn_core /home/chenpeng/data/FuzzingBench/file/file-git/src/readelf.c:401:13 0000007 0x5459d4 in file_tryelf /home/chenpeng/data/FuzzingBench/file/file-git/src/elfclass.h:43:7 0000008 0x51f29b in file_buffer /home/chenpeng/data/FuzzingBench/file/file-git/src/funcs.c:305:8 #9 0x4f5b5d in file_or_fd /home/chenpeng/data/FuzzingBench/file/file-git/src/magic.c:508:6 0000010 0x4f5cd6 in magic_file /home/chenpeng/data/FuzzingBench/file/file-git/src/magic.c:397:9 0000011 0x4f3fd5 in process /home/chenpeng/data/FuzzingBench/file/file-git/src/file.c:546:9 0000012 0x4f1c4b in main /home/chenpeng/data/FuzzingBench/file/file-git/src/file.c:416:9 0000013 0x7fc89d20c09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) 0000014 0x41d689 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/file+0x41d689) Address 0x7ffea9a966a0 is located in stack of thread T0 at offset 8384 in frame #0 0x54779f in dophn_core /home/chenpeng/data/FuzzingBench/file/file-git/src/readelf.c:349 This frame has 3 object(s): [32, 64) 'ph32' [96, 152) 'ph64' [192, 8384) 'nbuf' <== Memory access at offset 8384 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:544:9 in printf_common(void, char const, __va_li st_tag*) Shadow bytes around the buggy address: 0x10005534ac80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10005534ac90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10005534aca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10005534acb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10005534acc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10005534acd0: 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 0x10005534ace0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 0x10005534acf0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 0x10005534ad00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10005534ad10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10005534ad20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==990598==ABORTING
Steps To Reproduce	run: # file sbo1
Tags	No tags attached.

spinpx 2019-02-18 08:42 reporter	sbo1 (8,714 bytes) ELFH World ��4�͕�X ��pDGo9999999999999999999999999999��̀��999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999899999999999999999999999999999999999yyyyy��W��v�"�y�}[��)��[� �͖6R��::�k�G^k�G^@\|\|\|\|\|tJ;R�O� sbo1 (8,714 bytes)

christos 2019-02-18 17:32 manager ~0003211	Should be fixed in /p/file/cvsroot/file/src/readelf.c,v <-- readelf.c new revision: 1.160; previous revision: 1.159 Thanks!

spinpx 2019-02-19 08:11 reporter ~0003215	CVE-2019-8904

Date Modified	Username	Field	Change
2019-02-18 08:42	spinpx	New Issue
2019-02-18 08:42	spinpx	File Added: sbo1
2019-02-18 17:30	christos	Assigned To	=> christos
2019-02-18 17:30	christos	Status	new => assigned
2019-02-18 17:32	christos	Status	assigned => feedback
2019-02-18 17:32	christos	Note Added: 0003211
2019-02-19 08:11	spinpx	Note Added: 0003215
2019-02-19 08:11	spinpx	Status	feedback => assigned
2019-02-19 13:16	christos	Status	assigned => resolved
2019-02-19 13:16	christos	Resolution	open => fixed
2019-02-19 13:16	christos	Fixed in Version	=> 5.36