From: wcventure
Subject: [bug-cflow] A heap-buffer-overflow problem in nexttoken function in /src/parser.c in cflow 1.6, the latest release version
Date: Mon, 1 Apr 2019 14:19:50 +0800 (CST)
Hi there,
I have found a heap-buffer-overflow problem in the nexttoken function in /src/parser.c in cflow 1.6, the latest release version. This bug can also be reproduced in cflow 1.5. I have confirmed both with AddressSanitizer too.
Here are the POC files. Please use "./cflow $POC" to reproduce the bug.
ASAN dumps the stack trace as follows:
=================================================================
==8202==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000c80 at pc 0x0000004d9762 bp 0x7ffe9d88e430 sp 0x7ffe9d88dbe0
READ of size 24 at 0x61f000000c80 thread T0
#0 0x4d9761 in __asan_memcpy /llvm-6.0.1/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23
#1 0x549214 in nexttoken /cflow-1.6/src/parser.c:302:12
#2 0x54f134 in parse_function_declaration /cflow-1.6/src/parser.c:673:9
#3 0x54ea79 in parse_declaration /cflow-1.6/src/parser.c:578:4
#4 0x54de68 in yyparse /cflow-1.6/src/parser.c:528:9
#5 0x53b254 in main /cflow-1.6/src/main.c:812:7
#6 0x7f54ee2e882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#7 0x41a978 in _start (/cflow-1.6/build/bin/cflow+0x41a978)
0x61f000000c80 is located 0 bytes to the right of 3072-byte region [0x61f000000080,0x61f000000c80)
allocated by thread T0 here:
#0 0x4dad20 in realloc /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
#1 0x5bde5f in xrealloc /cflow-1.6/gnu/xmalloc.c:63:7
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c3e7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3e7fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3e7fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3e7fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3e7fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3e7fff8190:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8202==ABORTING
Aborted
If you have any questions, please let me know.
Attachment: POC_bufferoverflow.zip (Zip compressed data)
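A triage helper for reports like the one above, added here as an example (it is not cflow code and not part of the original mail): it extracts a deduplication key from the first non-interceptor frame and works out how far past the allocation the access reached. The report text it parses is constructed from the lines quoted in the mail.

```python
"""Triage helper for AddressSanitizer heap reports (added example; not cflow
code and not part of the original mail).  It derives a deduplication key and
the overflow geometry from a report like the one quoted above."""
import os
import re

# Constructed sample: the essential lines of the report quoted in the mail.
SAMPLE_REPORT = """\
==8202==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000c80 at pc 0x0000004d9762 bp 0x7ffe9d88e430 sp 0x7ffe9d88dbe0
READ of size 24 at 0x61f000000c80 thread T0
    #0 0x4d9761 in __asan_memcpy /llvm-6.0.1/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23
    #1 0x549214 in nexttoken /cflow-1.6/src/parser.c:302:12
    #2 0x54f134 in parse_function_declaration /cflow-1.6/src/parser.c:673:9
0x61f000000c80 is located 0 bytes to the right of 3072-byte region [0x61f000000080,0x61f000000c80)
allocated by thread T0 here:
    #0 0x4dad20 in realloc /llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
    #1 0x5bde5f in xrealloc /cflow-1.6/gnu/xmalloc.c:63:7
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?)(?::(\d+))?(?::\d+)?$", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte "
                       r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def frames(text):
    """Parse '#N 0x... in func file:line[:col]' lines into (func, basename, line)."""
    return [(fn, os.path.basename(path), int(line) if line else None)
            for fn, path, line in FRAME_RE.findall(text)]

def first_user_frame(frs, skip_prefixes):
    """First frame that is not a sanitizer interceptor or libc allocator."""
    return next((f for f in frs if not f[0].startswith(skip_prefixes)), frs[0] if frs else None)

def parse_report(text):
    err, acc, reg = ERROR_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (err and acc and reg):
        raise ValueError("not a complete ASan heap report")
    # Frames before the region line belong to the bad access, frames after it to the allocation.
    culprit = first_user_frame(frames(text[:reg.start()]), ("__asan_", "__interceptor_"))
    allocator = first_user_frame(frames(text[reg.end():]), ("malloc", "calloc", "realloc", "__interceptor_"))
    size, offset, region = int(acc.group(2)), int(reg.group(1)), int(reg.group(3))
    if int(reg.group(5), 16) - int(reg.group(4), 16) != region:
        raise ValueError("region bounds disagree with its stated size")
    past_end = offset + size if reg.group(2) == "right" else 0  # bytes touched beyond the block
    # Heuristic (assumption): if the block is a whole number of access-sized elements, treat the
    # access as one element; index == element count then means a classic off-by-one read.
    elements = region // size if region % size == 0 else None
    index = (region + offset) // size if elements is not None and offset % size == 0 else None
    return {"key": f"{err.group(1)}:{acc.group(1)}:{size}:{culprit[0]}:{culprit[1]}:{culprit[2]}",
            "culprit": culprit, "allocator": allocator, "region_bytes": region,
            "bytes_past_end": past_end, "elements": elements, "bad_index": index}

if __name__ == "__main__":
    for k, v in parse_report(SAMPLE_REPORT).items():
        print(f"{k}: {v}")
```

For the quoted report this yields the key heap-buffer-overflow:READ:24:nexttoken:parser.c:302 and an access landing exactly at element 128 of a 128-element block, which is the pattern to check first when reading parser.c:302.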