--- Begin Message ---
Subject: Bugs in PTX Utility
Date: Thu, 24 Nov 2016 16:57:54 +0800
Dear all,
The following produces a crash for the version in trunk and preinstalled
version 8.21 on Ubuntu 14.04 x86_64.
Below is also a heap-buffer-overflow that doesn't actually crash but is flagged
by ASAN as an invalid read of size 1.
Both bugs were found by AFLFast, a fork of AFL. Thanks goes out to Van-Thuan
Pham.
$ ptx ptx ptx > /dev/null
Segmentation fault
ASAN says:
==47034==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f2b49433093
at pc 0x000000407b8b bp 0x7ffcfc738bb0 sp 0x7ffcfc738ba8
READ of size 1 at 0x7f2b49433093 thread T0
#0 0x407b8a in define_all_fields ../src/ptx.c:1432
#1 0x407b8a in generate_all_output ../src/ptx.c:1778
#2 0x407b8a in main ../src/ptx.c:2153
#3 0x7f2b4db9af44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)
0x7f2b49433093 is located 10387 bytes inside of 8388576-byte region
[0x7f2b49430800,0x7f2b49c307e0)
freed by thread T0 here:
#0 0x7f2b4ed17710 in __interceptor_realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
#1 0x414a75 in xrealloc ../lib/xmalloc.c:61
previously allocated by thread T0 here:
#0 0x7f2b4ed17710 in __interceptor_realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
#1 0x414a75 in xrealloc ../lib/xmalloc.c:61
SUMMARY: AddressSanitizer: heap-use-after-free ../src/ptx.c:1432 in
define_all_fields
This is the other one:
$ echo a > ~/a
$ ptx -w1 -A ~/a
=================================================================
==44013==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000e818 at pc 0x0000004085cd bp 0x7ffc327adb70 sp 0x7ffc327adb68
READ of size 1 at 0x60200000e818 thread T0
#0 0x4085cc in define_all_fields ../src/ptx.c:1411
#1 0x4085cc in generate_all_output ../src/ptx.c:1778
#2 0x4085cc in main ../src/ptx.c:2153
#3 0x7f9ef7044f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)
0x60200000e818 is located 5 bytes to the right of 3-byte region
[0x60200000e810,0x60200000e813)
allocated by thread T0 here:
#0 0x7f9ef81c13a8 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
#1 0x4121ed in fread_file ../lib/read-file.c:73
SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/ptx.c:1411 in
define_all_fields
Best regards,
- Marcel
--- End Message ---
--- Begin Message ---
Subject: Re: bug#25011: Bugs in PTX Utility
Date: Thu, 24 Nov 2016 15:04:46 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
On 24/11/16 08:57, Marcel Böhme wrote:
> Dear all,
>
> The following produces a crash for the version in trunk and preinstalled
> version 8.21 on Ubuntu 14.04 x86_64.
> Below is also a heap-buffer-overflow that doesn't actually crash but is flagged
> by ASAN as an invalid read of size 1.
>
> Both bugs were found by AFLFast, a fork of AFL. Thanks goes out to Van-Thuan
> Pham.
>
>
> $ ptx ptx ptx > /dev/null
> Segmentation fault
>
> ASAN says:
> ==47034==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x7f2b49433093 at pc 0x000000407b8b bp 0x7ffcfc738bb0 sp 0x7ffcfc738ba8
> READ of size 1 at 0x7f2b49433093 thread T0
> #0 0x407b8a in define_all_fields ../src/ptx.c:1432
> #1 0x407b8a in generate_all_output ../src/ptx.c:1778
> #2 0x407b8a in main ../src/ptx.c:2153
> #3 0x7f2b4db9af44 in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
> #4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)
>
> 0x7f2b49433093 is located 10387 bytes inside of 8388576-byte region
> [0x7f2b49430800,0x7f2b49c307e0)
> freed by thread T0 here:
> #0 0x7f2b4ed17710 in __interceptor_realloc
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
> #1 0x414a75 in xrealloc ../lib/xmalloc.c:61
>
> previously allocated by thread T0 here:
> #0 0x7f2b4ed17710 in __interceptor_realloc
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
> #1 0x414a75 in xrealloc ../lib/xmalloc.c:61
>
> SUMMARY: AddressSanitizer: heap-use-after-free ../src/ptx.c:1432 in
> define_all_fields
>
>
> This is the other one:
> $ echo a > ~/a
> $ ptx -w1 -A ~/a
> =================================================================
> ==44013==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x60200000e818 at pc 0x0000004085cd bp 0x7ffc327adb70 sp 0x7ffc327adb68
> READ of size 1 at 0x60200000e818 thread T0
> #0 0x4085cc in define_all_fields ../src/ptx.c:1411
> #1 0x4085cc in generate_all_output ../src/ptx.c:1778
> #2 0x4085cc in main ../src/ptx.c:2153
> #3 0x7f9ef7044f44 in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
> #4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)
>
> 0x60200000e818 is located 5 bytes to the right of 3-byte region
> [0x60200000e810,0x60200000e813)
> allocated by thread T0 here:
> #0 0x7f9ef81c13a8 in __interceptor_malloc
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
> #1 0x4121ed in fread_file ../lib/read-file.c:73
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/ptx.c:1411 in
> define_all_fields
Right, line_width can go negative.
I'll clean up something like this and push.
thanks!
diff --git a/src/ptx.c b/src/ptx.c
index c3b60df..d189678 100644
--- a/src/ptx.c
+++ b/src/ptx.c
@@ -1235,6 +1235,8 @@ fix_output_parameters (void)
if ((auto_reference || input_reference) && !right_reference)
line_width -= reference_max_width + gap_size;
+ if (line_width < 0)
+ line_width = 0;
/* The output lines, minimally, will contain from left to right a left
context, a gap, and a keyword followed by the right context with no
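Review bot: the clamp sits directly after the reference-width subtraction, but the comment that follows it says the output line must still hold a left context, a gap and a keyword, so any further subtraction from line_width below this point in fix_output_parameters can drive it negative again after the clamp; either move `if (line_width < 0) line_width = 0;` after the last adjustment, or check the value where it is consumed in define_all_fields (ptx.c:1411 and :1432 in the two ASAN reports). Clamping silently to 0 also hides the user's mistake; a diagnostic saying that the -w value is too small for the reference width plus gap would make the condition visible instead of emitting empty context.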
--- End Message ---
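As an added illustration, not code from coreutils or from either message, the following C model shows the bug class behind both reports: a signed width that goes negative is later treated as a length, wraps to a huge size_t, and the consumer reads past its buffer. The struct fields, the `copy_context` consumer and the sample numbers (a -w of 1, a 3-byte reference, a 3-space gap) are assumptions for the example; ptx's real defaults and data structures are not taken from the thread. The hardened variant applies the clamp from the patch and, as a general practice, also bounds the copy by the bytes actually available.

```c
/* Added example: a self-contained model of the failure in this thread,
 * not code from coreutils/ptx. A signed output width that goes negative
 * is later used as a length; converted to size_t it wraps to a huge value
 * and the consumer reads past its buffer. Field names and sample numbers
 * are invented for the illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical analogue of the parameters fix_output_parameters() balances. */
struct layout {
    int total_width;         /* the -w value */
    int reference_max_width; /* widest reference (e.g. "file:line") seen */
    int gap_size;            /* spaces separating output fields */
};

/* The arithmetic the patch guards: width left over for context text.
 * Nothing here stops the result from being negative. */
int compute_line_width(const struct layout *l)
{
    return l->total_width - l->reference_max_width - l->gap_size;
}

/* What a consumer sees when the unchecked width becomes a size_t:
 * -5 turns into SIZE_MAX - 4, so any loop bounded by it runs off the end. */
size_t width_as_length_unchecked(int line_width)
{
    return (size_t) line_width;
}

/* The fix from the patch, as a standalone step. */
int clamp_line_width(int line_width)
{
    return line_width < 0 ? 0 : line_width;
}

/* Hardened consumer: clamp the width, then also bound the copy by the
 * bytes actually present and by the destination capacity, so no width
 * value can exceed either. Returns the number of bytes copied; out is
 * always NUL-terminated when out_cap > 0. */
size_t copy_context(char *out, size_t out_cap,
                    const char *text, size_t text_len, int line_width)
{
    size_t n = (size_t) clamp_line_width(line_width);
    if (out_cap == 0)
        return 0;
    if (n > text_len)
        n = text_len;
    if (n > out_cap - 1)
        n = out_cap - 1;
    memcpy(out, text, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample in the spirit of "ptx -w1 -A" above; the exact
     * ptx defaults are assumed, not taken from the thread. */
    struct layout l = { .total_width = 1, .reference_max_width = 3, .gap_size = 3 };
    int w = compute_line_width(&l);
    char out[16];

    printf("line_width = %d\n", w);                                /* -5 */
    printf("as size_t  = %zu\n", width_as_length_unchecked(w));     /* wraps to a huge value */
    printf("clamped    = %d\n", clamp_line_width(w));               /* 0 */
    printf("copied     = %zu bytes\n",
           copy_context(out, sizeof out, "a\n", 2, w));             /* 0 */
    return 0;
}
```

The wrap is the point to internalise: the clamp in the patch removes the negative value, but a consumer that trusts a width computed elsewhere should still bound its reads by the buffer it actually holds, since the two limits are maintained in different places and can drift apart.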