[bug-mailutils] Buffer overflow (likely off-by-one vuln) in 'mail'.
From: Joshua Rogers
Subject: [bug-mailutils] Buffer overflow (likely off-by-one vuln) in 'mail'.
Date: Tue, 02 Dec 2014 19:49:01 +1100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
Hi,
`mail' is vulnerable to a heap-based buffer overflow, according to
AddressSanitizer, using the testcase https://internot.info/docs/mail-test
In 'mail' (compiled with AddressSanitizer), if you press Enter after it
has been opened, it will malloc off by one.
AS output:
> =================================================================
> ==39802==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x602000004aef at pc 0x438498 bp 0x7fffc4d5b840 sp 0x7fffc4d5b838
> READ of size 1 at 0x602000004aef thread T0
> #0 0x438497 in mail_mainloop
> /root/srcs/mailutils-2.2+dfsg1/mail/mail.c:531
> #1 0x40c66f in main /root/srcs/mailutils-2.2+dfsg1/mail/mail.c:512
> #2 0x7fecc9cca76c in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
> #3 0x40ef04 (/usr/bin/mail+0x40ef04)
>
> 0x602000004aef is located 1 bytes to the left of 1-byte region
> [0x602000004af0,0x602000004af1)
> allocated by thread T0 here:
> #0 0x7feccbd1978f in malloc
> (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5778f)
> #1 0x7fecca2b1618 in xmalloc
> (/lib/x86_64-linux-gnu/libreadline.so.6+0x2c618)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> /root/srcs/mailutils-2.2+dfsg1/mail/mail.c:531 mail_mainloop
> Shadow bytes around the buggy address:
> 0x0c047fff8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c047fff8910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c047fff8920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c047fff8930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c047fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c047fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]01 fa
> 0x0c047fff8960: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
> 0x0c047fff8970: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
> 0x0c047fff8980: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
> 0x0c047fff8990: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
> 0x0c047fff89a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Contiguous container OOB:fc
> ASan internal: fe
> ==39802==ABORTING
Thanks,
--
-- Joshua Rogers <https://internot.info/>
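The ASan output above is consistent with one specific pattern: the 1-byte region allocated by readline's xmalloc is what readline returns for an empty input line (just the terminating NUL), and a 1-byte READ one byte to the left of it is what an index of `len - 1` produces on a zero-length string. The following is an added illustration of that pattern and its fix, written for this page; it is not code from the report or from mailutils, and the function names, the line-continuation joining logic and the sample lines are constructed for the example. The actual code at mail.c:531 is not reproduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical re-creation of the bug class the report points at:
 * the trailing-character check indexes line[len - 1] unconditionally,
 * so an empty line (len == 0) reads line[-1], one byte before the heap
 * allocation. Under ASan that is a heap-buffer-overflow READ of size 1,
 * located 1 byte to the left of a 1-byte region, as in the report. */
int continuation_unchecked(const char *line)
{
    size_t len = strlen(line);
    return line[len - 1] == '\\';   /* len == 0 -> out-of-bounds read */
}

/* Hardened form: an empty line cannot carry a continuation marker, so
 * the length is checked before the buffer is indexed. */
int continuation_checked(const char *line)
{
    size_t len = strlen(line);
    return len > 0 && line[len - 1] == '\\';
}

/* Join a run of backslash-continued lines into one command, the way an
 * interactive read loop would. `lines` stands in for successive readline()
 * results (constructed input, not a real reader); *consumed reports how
 * many entries were used. The caller frees the returned string. */
char *join_continued(const char **lines, size_t nlines, size_t *consumed)
{
    size_t used = 0;
    size_t cmd_len = 0;
    char *cmd = NULL;

    while (used < nlines) {
        const char *part = lines[used++];
        size_t part_len = strlen(part);
        int cont = continuation_checked(part);   /* safe on "" */
        if (cont)
            part_len--;                          /* drop the trailing '\' */

        char *grown = realloc(cmd, cmd_len + part_len + 1);
        if (!grown) {
            free(cmd);
            *consumed = used;
            return NULL;
        }
        cmd = grown;
        memcpy(cmd + cmd_len, part, part_len);
        cmd_len += part_len;
        cmd[cmd_len] = '\0';

        if (!cont)
            break;
    }
    *consumed = used;
    return cmd;
}

int main(void)
{
    /* Constructed sample input. The empty first line is exactly the case
     * that triggers the report when the length check is missing. */
    const char *lines[] = { "", "print \\", "1 \\", "2" };
    size_t n = sizeof lines / sizeof lines[0];

    for (size_t i = 0; i < n;) {
        size_t used = 0;
        char *cmd = join_continued(lines + i, n - i, &used);
        if (!cmd)
            return 1;
        printf("command: \"%s\" (from %zu line(s))\n", cmd, used);
        free(cmd);
        i += used;
    }
    /* continuation_unchecked("") is deliberately not called: it would
     * perform the one-byte-before-the-buffer read described above. */
    return 0;
}
```

The fix is the single `len > 0` guard; the rest of the block exists so the guard is exercised on realistic input, including the empty line that an interactive user produces simply by pressing Enter.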