heap-based buffer overflow in FilePOSIX::read #48

Open
insuyun opened this issue Aug 20, 2017 · 0 comments
insuyun commented Aug 20, 2017

https://github.com/jakkdu/poc/blob/master/000011-audiofile-heapovfl-FilePOSIX_read

./sfconvert $FILE out.mp3 format aiff

=================================================================
==9146==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ebf1 at pc 0x7f0d4c7d4e55 bp 0x7ffffdd041a0 sp 0x7ffffdd03948
WRITE of size 156 at 0x60200000ebf1 thread T0
    #0 0x7f0d4c7d4e54  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x45e54)
    #1 0x43d865 in read /usr/include/x86_64-linux-gnu/bits/unistd.h:44
    #2 0x43d865 in FilePOSIX::read(void*, unsigned long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/File.cpp:126
    #3 0x40ef02 in FileModule::read(void*, unsigned long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/FileModule.cpp:42
    #4 0x41e839 in PCM::runPull() /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/PCM.cpp:166
    #5 0x41475e in Module::pull(unsigned long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/Module.cpp:71
    #6 0x4209a4 in SimpleModule::runPull() /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/SimpleModule.cpp:28
    #7 0x4074ef in afReadFrames /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/data.cpp:222
    #8 0x402287 in copyaudiodata /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:370
    #9 0x402f4d in main /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:275
    #10 0x7f0d4bd5a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x401f48 in _start (/home/insu/projects/qsym-eval/apps/audiofile/out/build-asan/sfconvert+0x401f48)

0x60200000ebf1 is located 0 bytes to the right of 1-byte region [0x60200000ebf0,0x60200000ebf1)
allocated by thread T0 here:
    #0 0x7f0d4c828532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x419243 in Chunk::allocate(unsigned long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/Module.h:59
    #2 0x419243 in ModuleState::setup(_AFfilehandle*, Track*) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/ModuleState.cpp:174
    #3 0x407f74 in afGetFrameCount /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/format.cpp:205
    #4 0x402252 in copyaudiodata /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:359
    #5 0x402f4d in main /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:275
    #6 0x7f0d4bd5a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa
  0x0c047fff9d80: fa fa 01 fa fa fa 00 00 fa fa fd fd fa fa fd fa
  0x0c047fff9d90: fa fa fd fa fa fa 01 fa fa fa 01 fa fa fa 01 fa
  0x0c047fff9da0: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 01 fa
  0x0c047fff9db0: fa fa 01 fa fa fa 00 01 fa fa fd fa fa fa fd fa
  0x0c047fff9dc0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==9146==ABORTING
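The report's shape is an allocation sized by one quantity (the 1-byte region handed out by `Chunk::allocate` in `ModuleState::setup`) and a read sized by another (the 156-byte `read` reached through `PCM::runPull` and `FilePOSIX::read`), so the write runs past the end of the allocation. The following is an added C example that reproduces that mismatch in memory and shows the bounds check that makes it fail loudly instead; it is not audiofile's code, and `chunk_t`, `chunk_allocate`, `chunk_read_unchecked`, `chunk_read_bounded` and the in-memory source are hypothetical stand-ins (the sizes 156 and 1 are taken from the report above).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical chunk type standing in for the buffer that Chunk::allocate()
 * hands out in the report. Only the data/capacity pairing matters here. */
typedef struct {
    uint8_t *data;
    size_t   capacity;   /* number of bytes actually allocated */
} chunk_t;

chunk_t *chunk_allocate(size_t bytes)
{
    chunk_t *c = malloc(sizeof *c);
    if (c == NULL)
        return NULL;
    c->data = malloc(bytes);
    if (c->data == NULL) {
        free(c);
        return NULL;
    }
    c->capacity = bytes;
    return c;
}

void chunk_free(chunk_t *c)
{
    if (c != NULL) {
        free(c->data);
        free(c);
    }
}

/* The pattern the report shows: the caller's byte count is forwarded to the
 * read unchanged, so a count larger than the allocation writes past its end.
 * fread() on an in-memory stream stands in for read() on a file descriptor. */
size_t chunk_read_unchecked(FILE *src, chunk_t *c, size_t requested)
{
    return fread(c->data, 1, requested, src);
}

/* Hardened form: refuse any request that exceeds what was allocated, so a
 * disagreement between the size used for allocation and the size used for
 * reading is reported to the caller instead of corrupting the heap. */
ssize_t chunk_read_bounded(FILE *src, chunk_t *c, size_t requested)
{
    if (requested > c->capacity) {
        errno = EOVERFLOW;
        return -1;
    }
    return (ssize_t)fread(c->data, 1, requested, src);
}

/* Constructed stand-in for the input file: 'len' bytes of filler in memory. */
static FILE *open_sample_source(uint8_t *storage, size_t len)
{
    memset(storage, 0x41, len);
    return fmemopen(storage, len, "r");
}

/* Scenario from the report: a 1-byte chunk receives a 156-byte read request.
 * Returns 1 if the bounded reader rejected it, 0 if not, -1 on setup failure. */
int scenario_mismatch_rejected(void)
{
    uint8_t storage[156];
    FILE *f = open_sample_source(storage, sizeof storage);
    chunk_t *c = chunk_allocate(1);
    if (f == NULL || c == NULL) {
        if (f != NULL) fclose(f);
        chunk_free(c);
        return -1;
    }
    errno = 0;
    ssize_t n = chunk_read_bounded(f, c, sizeof storage);
    int rejected = (n == -1 && errno == EOVERFLOW);
    chunk_free(c);
    fclose(f);
    return rejected;
}

/* Control: when the chunk is sized to the request, the bounded reader
 * returns the full byte count. Returns -1 on setup failure. */
long scenario_sized_chunk_bytes_read(void)
{
    uint8_t storage[156];
    FILE *f = open_sample_source(storage, sizeof storage);
    chunk_t *c = chunk_allocate(sizeof storage);
    if (f == NULL || c == NULL) {
        if (f != NULL) fclose(f);
        chunk_free(c);
        return -1;
    }
    long n = (long)chunk_read_bounded(f, c, sizeof storage);
    chunk_free(c);
    fclose(f);
    return n;
}

int main(void)
{
    printf("156-byte read into 1-byte chunk rejected: %d\n", scenario_mismatch_rejected());
    printf("156-byte read into 156-byte chunk returned: %ld\n", scenario_sized_chunk_bytes_read());
    return 0;
}
```

The check belongs at the lowest layer that knows the allocation size; the report's `WRITE of size 156` against a `1-byte region` is exactly the case the `requested > c->capacity` branch turns into an `EOVERFLOW` error rather than a heap write.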