bug-mailutils

[bug-mailutils] Buffer overflow (likely off-by-one vuln) in 'mail'.


From: Joshua Rogers
Subject: [bug-mailutils] Buffer overflow (likely off-by-one vuln) in 'mail'.
Date: Tue, 02 Dec 2014 19:49:01 +1100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0

Hi,

`mail' is vulnerable to a heap-based buffer overflow, according to
AddressSanitizer, using the testcase https://internot.info/docs/mail-test

In `mail' (compiled with AddressSanitizer), if you press Enter after it
has been opened, it will malloc off by one.

ASan output:

> =================================================================
> ==39802==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x602000004aef at pc 0x438498 bp 0x7fffc4d5b840 sp 0x7fffc4d5b838
> READ of size 1 at 0x602000004aef thread T0
>     #0 0x438497 in mail_mainloop
> /root/srcs/mailutils-2.2+dfsg1/mail/mail.c:531
>     #1 0x40c66f in main /root/srcs/mailutils-2.2+dfsg1/mail/mail.c:512
>     #2 0x7fecc9cca76c in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
>     #3 0x40ef04 (/usr/bin/mail+0x40ef04)
>
> 0x602000004aef is located 1 bytes to the left of 1-byte region
> [0x602000004af0,0x602000004af1)
> allocated by thread T0 here:
>     #0 0x7feccbd1978f in malloc
> (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5778f)
>     #1 0x7fecca2b1618 in xmalloc
> (/lib/x86_64-linux-gnu/libreadline.so.6+0x2c618)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> /root/srcs/mailutils-2.2+dfsg1/mail/mail.c:531 mail_mainloop
> Shadow bytes around the buggy address:
>   0x0c047fff8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c047fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]01 fa
>   0x0c047fff8960: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
>   0x0c047fff8970: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
>   0x0c047fff8980: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
>   0x0c047fff8990: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
>   0x0c047fff89a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==39802==ABORTING



Thanks,
-- 
-- Joshua Rogers <https://internot.info/>

Attachment: signature.asc
Description: OpenPGP digital signature
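The report above does not quote the code at mail.c:531, so the following is an added illustration, not mailutils' own code: it shows the bug shape that the ASan numbers describe. A READ of size 1 at one byte to the left of a 1-byte region allocated by readline's xmalloc is what you get when an empty line (a buffer holding only the NUL terminator) is indexed at strlen(s) - 1. The size_t subtraction wraps, and pointer arithmetic turns that into s - 1. The function names rstrip_unsafe, rstrip_safe and handle_empty_line are assumptions chosen for the example; the hardened form checks the length before every access so it never forms a pointer before the buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical trailing-whitespace stripper with the classic off-by-one
 * read (example code, not mailutils' mail.c). For an empty line the
 * buffer holds only the NUL terminator, so strlen(s) == 0 and
 * s + strlen(s) - 1 == s - 1: the first *p is a 1-byte READ one byte to
 * the left of the allocation, the shape ASan reports above.
 * Never call this on real input; it is here only as the "before". */
void rstrip_unsafe(char *s)
{
    char *p = s + strlen(s) - 1;         /* BUG: points before s when s is "" */
    while (isspace((unsigned char)*p))   /* heap-buffer-overflow READ of size 1 */
        *p-- = '\0';                     /* and keeps walking left on "   " */
}

/* Hardened form: index from a length that is checked before every
 * access, so the loop can never form a pointer before the buffer.
 * Returns the new length. */
size_t rstrip_safe(char *s)
{
    size_t n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1]))
        s[--n] = '\0';
    return n;
}

/* Model the readline() path from the report: an empty line comes back as
 * a 1-byte heap allocation containing only '\0' (constructed here with
 * malloc to mirror the 1-byte region in the ASan trace). Returns 1 if
 * the safe stripper handled it without touching memory outside the
 * buffer. */
int handle_empty_line(void)
{
    char *line = malloc(1);              /* same 1-byte region ASan shows */
    if (!line)
        return 0;
    line[0] = '\0';
    size_t n = rstrip_safe(line);        /* rstrip_unsafe(line) would read line[-1] */
    int ok = (n == 0 && line[0] == '\0');
    free(line);
    return ok;
}

int main(void)
{
    char buf[] = "print 1  \t\n";
    size_t n = rstrip_safe(buf);
    printf("stripped to [%s], length %zu\n", buf, n);
    printf("empty line handled safely: %d\n", handle_empty_line());
    return 0;
}
```

Compile with -fsanitize=address and swap rstrip_safe for rstrip_unsafe inside handle_empty_line to reproduce a report of the same form as the one above (a 1-byte read one byte left of a 1-byte region); with the safe version ASan stays silent.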

