bug-cflow

global-buffer-overflow in parse_level_string


From: Youngseok Choi
Subject: global-buffer-overflow in parse_level_string
Date: Wed, 08 Mar 2023 14:35:02 +0900 (KST)

Hello, cflow developers.

During a fuzzing experiment, we found another global buffer overflow bug in parse_level_string:

Command to Reproduce
Please refer to the uploaded PoC shell script. I tried to reduce it, but it's still too complicated to write down in text.

Stack Trace
==23688==ERROR: AddressSanitizer: global-buffer-overflow on address 0x556d271ec5b8 at pc 0x556d27192025 bp 0x7ffed8f273b0 sp 0x7ffed8f273a0
READ of size 1 at 0x556d271ec5b8 thread T0
    #0 0x556d27192024 in parse_level_string (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1f024)
    #1 0x556d2719241c in set_level_indent (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1f41c)
    #2 0x556d27192a0a in parse_opt (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1fa0a)
    #3 0x556d271bce84 in group_parse (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x49e84)
    #4 0x556d271bfdf6 in parser_parse_opt (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4cdf6)
    #5 0x556d271c08db in parser_parse_next (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4d8db)
    #6 0x556d271c0dfd in argp_parse (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4ddfd)
    #7 0x556d271934fa in main (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x204fa)
    #8 0x7fb0bb553c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #9 0x556d27183699 in _start (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x10699)


Environment
- OS: Ubuntu 18.04.1
- gcc 7.5.0
- cflow: 1.7

Note that we configured cflow with address sanitizer.
CFLAGS="-fsanitize=address" ./configure
make -j

Many Thanks,
Youngseok Choi

Attachment: poc.zip
Description: Zip archive
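The report above gives only the ASan trace, not the cause. As an added illustration of the bug class it names (a one-byte read past a global array while parsing an option string), here is a constructed toy "level string" parser. It is not cflow's code and makes no claim about what parse_level_string actually does; the table, the `x<digit>` syntax and the function names are hypothetical. Built with `-fsanitize=address`, the unchecked version produces the same kind of `global-buffer-overflow ... READ of size 1` report for an input like `x9`; the checked version rejects the input before touching the table.

```c
/*
 * Added illustration, not cflow's code: a constructed "level string" parser
 * that indexes a small global table by a digit taken from the option text.
 * level_glyphs, parse_level_glyph_unchecked and parse_level_glyph_checked
 * are hypothetical names. Build with
 *   gcc -g -fno-omit-frame-pointer -fsanitize=address example.c
 * and run ./a.out x9 to see the unchecked parser trip ASan.
 */
#include <stdio.h>
#include <stddef.h>

#define NLEVELS 4

/* Hypothetical global table: one glyph per nesting level. */
static const char level_glyphs[NLEVELS] = { '|', '+', '-', ' ' };

/* Unchecked: "x<digit>" is turned straight into an index. "x9" reads
 * level_glyphs[9], past the end of the table; "x" alone (no digit) reads at
 * index '\0' - '0' = -48, before its start. Both are 1-byte global reads. */
int parse_level_glyph_unchecked(const char *spec)
{
    if (spec[0] != 'x')
        return -1;
    return (unsigned char)level_glyphs[spec[1] - '0'];
}

/* Checked: validate that the selector is a single digit in [0, NLEVELS) and
 * that nothing trails it, before touching the table. Returns 0 on success,
 * -1 on any malformed or out-of-range spec. */
int parse_level_glyph_checked(const char *spec, char *out)
{
    size_t idx;

    if (spec == NULL || out == NULL || spec[0] != 'x')
        return -1;
    if (spec[1] < '0' || spec[1] > '9')   /* missing or non-digit selector */
        return -1;
    if (spec[2] != '\0')                   /* reject trailing junk, e.g. "x1z" */
        return -1;
    idx = (size_t)(spec[1] - '0');
    if (idx >= NLEVELS)                    /* the bounds check that matters */
        return -1;
    *out = level_glyphs[idx];
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed default input: an out-of-range selector. */
    const char *spec = argc > 1 ? argv[1] : "x9";
    char glyph;

    if (parse_level_glyph_checked(spec, &glyph) == 0)
        printf("checked:   %s -> '%c'\n", spec, glyph);
    else
        printf("checked:   %s rejected\n", spec);

    /* Only the unchecked parser reaches the table for a bad selector;
     * under AddressSanitizer this call is where the report fires. */
    printf("unchecked: %s -> %d\n", spec, parse_level_glyph_unchecked(spec));
    return 0;
}
```

Two practical notes for reproducing reports like the one above: adding `-g -fno-omit-frame-pointer` to the CFLAGS gives file:line information in the ASan frames instead of raw offsets, and the fix pattern is always the same: derive the index, range-check it against the table's declared size, and fail the option parse rather than the read.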

