0000065: Possible stack corruption - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0000065	file	General	public	2019-02-18 08:53	2019-02-19 13:18

Reporter	spinpx	Assigned To	christos
Priority	urgent	Severity	major	Reproducibility	always
Status	resolved	Resolution	fixed
Platform	x86_64	OS	Debian	OS Version	10
Product Version	5.35
Fixed in Version	5.36

Summary	0000065: Possible stack corruption
Description	We build file with `--disable-libseccomp` by clang 4.0.0. We ran the program with the input we provide without any other arguments. The bugs exists in file 5.35. Stack: Program received signal SIGSEGV, Segmentation fault. "#0 0x000000000043e271 in do_core_note (ms=<optimized out>, nbuf=<optimized out>, type=<optimized out>, swap=<optimized out>, namesz=<optimized out>, descsz=<optimized out>, noff=<optimized out>, doff=<optimized out>, flags=<optimized out>, size=<optimized out>, clazz=<optimized out>) at /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/readelf.c:770", 0000001 donote (ms=<optimized out>, vbuf=<optimized out>, offset=3452, size=<optimized out>, clazz=<optimized out>, swap=<optimized out>, align=<optimized out>, flags=<optimized out>, notecount=<optimized out>, fd=<optimized out>, ph_off=<optimized out>, ph_num=<optimized out>, fsize=<optimized out>) at /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/readelf.c:1194 0000002 0x0000000400001000 in ?? () 0000003 0x080490a4000000a4 in ?? () 0000004 0x00bbeaebd9000000 in ?? () 0000005 0x00200001b8000000 in ?? () 0000006 0x0d1263aa87c56e01 in ?? () 0000007 0x2e8ca4eef0bf9884 in ?? () 0000008 0xf8be17bd0299a906 in ?? () #9 0x4fcacce3342026ed in ?? () 0000010 0x0000000100000012 in ?? () 0000011 0x4274654e00000001 in ?? () 0000012 0xcc45524f432d4453 in ?? () 0000013 0x00008990ba88a2ca in ?? () 0000014 0x80e700000004b800 in ?? () 0000015 0x00000000002058eb in ?? () 0000016 0x0000000000000000 in ?? () We run exploitable: Description: Possible stack corruption Short description: PossibleStackCorruption (7/22) Hash: 457b692b06cd893f7646681b5874c47e.57ada0a7199ae15ca6cc5f54cdbeaa99 Exploitability Classification: EXPLOITABLE Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable. Other tags: AccessViolation (21/22)
Steps To Reproduce	run: # file stack_corruption1
Tags	No tags attached.

spinpx 2019-02-18 08:53 reporter	stack_corruption1 (10,498 bytes) ELFHi World ��4�� (!��d�� nŇ�c ��Pw.��4��O��4��ʢ��$뗅[3 ̜eaϟ�V9 �]��+��7��xq��CORE �� nŇ��P}� ��.��d �� X (!d��$��d��NetBSD-CGRE�ʢ��$뗅[3 ��+��7��xqhnŇ�c ��P}� ��.��4��ONetBSDCORE�ʢ��$뗅[3 ��4��X (��$��d��4��O�NetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d�� nŇ�c ��.�� 4��ONetBSD-CORE�ʢ��X (��X (!��$��d��d �� nŇ�c ��.�� 4��O��X (!��$��d�� +��7��xqhnŇ�c ��P}� ��.�� nŇ�c ��.�� 4��ONetBSD-CORE�ʢ��X (!��$��d��d ��ONetBSD-CGRE�ʢ��$뗅[3 ��+��7��xqhnŇ�c ��P}� ��.��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d�� nŇ�c ��.��ONetBSD-C�RE�ʢ��X (!��d �� X (!��$��d��d'��4��X (��$��d��4��O�NetBSD-CORE�ʢ��$뗅[3��4��X (��$��d�� nŇ�c ��.��& 4��ONetBSD-CORE�ʢ��X ��d �� nŇ�c ��.�� 4��O��X (!��$��d�� +��7��xqhnŇ�c ��P}� ��.��^��}�==�}��@��}��=�}�@�� d�xqhnŇ�c ��P}� ��.��d �� X (!��$��d��dd��ONetBSD-CGRE�ʢ��$뗅[3 ��+��7��xqhnŇ�c ��P}� ��.��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d��4��O�NetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d�� nŇ�c ��.��& 4��ON�� (!��d�� nŇ�c ��Pw.��4��O��4��ʢ��$뗅[3 ̜eaϟ�V9 �]��+��7��xq��CORE �� nŇ��P}� ��.��d �� X (!��$��d��NetBSD-CGRE�ʢ��$뗅[3 ��+��7��xqhnŇ�c ��P}� ��.��4��ONetBSDCORE�ʢ��$뗅[3 ��4��X (��$��d��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d�� nŇ�c ��.�� 4��ONetBSD-CORE�ʢ��X (��X (!��$��d��d �� nŇ�c ��.�� 4��O��X (!��$��d�� +��7��xqhnŇ�c ��P}� ��.�� nŇ�c ��.�� 4��ONetBSD-CORE�ʢ��X (!��$��d��d ��ONetBSD-CGRE�ʢ��.��}��@�O^��}�=�}��z� @��}��=�}�D��}�==�}�}�� @��d��}�==�}@�� @� RE�ʢ��X (��X (�!��$��d��d �� nŇ�c ��.�� 4��O��X (!��$��d�� +��7��xqhnŇ�c ��P}� ��.��d �� nŇ�c ��.�� 4��ONetBSD-CORE�ʢ��X (!��$��d��d ��ONetBSD-CGRE�ʢ��$뗅[3 ��+��7��xqhnŇ�c ��P}� ��.��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d�� nŇ�c ��.��ONetBSD-CORE�ʢ��X (!��d �� X (�!��$��d��d ��4��X (��$��d��4��O�NetBSD-CORE�ʢ��$뗅[3 ��4��GGGGGGGGGGGGG��}��=��}�==�}@�#�� P}� ��.��E��@� RE�ʢ��X (��X (�!��$��d��d �� nŇ�c ��.�� 4��O��X (!��$��d�� +��7��xqhnŇ�c �i��P}� ��.��d �� nŇ�c ��.�� 4��ONetBSD-CORE�ʢ��X (!��$��d��d ��ONetBSD-CGRE�ʢ��$뗅[3 ��+��7��xqhnŇ�c ��P}� ��.��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d�� nŇ�c ��.��ONetBSD-CORE�ʢ��X (!��d �� X (��}�@�^��}�=�}��d� @��>:��}��=�}��@ �GGGGGGGGGGGGG stack_corruption1 (10,498 bytes)

christos 2019-02-18 18:07 manager ~0003214	I think this is the same as the other note ones. Can you please try to see if the fix for PR/63 fixed it?

spinpx 2019-02-19 08:16 reporter ~0003218	CVE-2019-8907 I verified it with newest git version. It fixed now!

Date Modified	Username	Field	Change
2019-02-18 08:53	spinpx	New Issue
2019-02-18 08:53	spinpx	File Added: stack_corruption1
2019-02-18 18:06	christos	Assigned To	=> christos
2019-02-18 18:06	christos	Status	new => assigned
2019-02-18 18:07	christos	Status	assigned => feedback
2019-02-18 18:07	christos	Note Added: 0003214
2019-02-19 08:16	spinpx	Note Added: 0003218
2019-02-19 08:16	spinpx	Status	feedback => assigned
2019-02-19 13:18	christos	Status	assigned => resolved
2019-02-19 13:18	christos	Resolution	open => fixed
2019-02-19 13:18	christos	Fixed in Version	=> 5.36