[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Bug: heap-buffer-overflow in dump_entry.c
From: |
puppet |
Subject: |
Bug: heap-buffer-overflow in dump_entry.c |
Date: |
Tue, 26 May 2020 00:36:29 +0800 (GMT+08:00) |
Version: ncurses 6.2.20200212
OS: Ubuntu 16.04 LTS
POC: https://github.com/puppet-meteor/NLP_POC/blob/master/infotocap/POC_11_000092
cmd: ./infotocap POC
ASAN log:
=================================================================
==19468==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffffffebee4 at pc 0x00000041b9a0 bp 0x7ffffffead70 sp 0x7ffffffead60
WRITE of size 1 at 0x7ffffffebee4 thread T0
#0 0x41b99f in fmt_entry ../../progs/dump_entry.c:1144
#1 0x41da5c in dump_entry ../../progs/dump_entry.c:1542
#2 0x405e5e in main ../../progs/tic.c:1041
#3 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x4024e8 in _start (/data3/ASAN/ncurses-6.2/ASAN/infotocap+0x4024e8)
Address 0x7ffffffebee4 is located in stack of thread T0 at offset 4212 in frame
#0 0x419ab6 in fmt_entry ../../progs/dump_entry.c:907
This frame has 2 object(s):
[32, 43) 'boxchars'
[96, 4212) 'buffer' <== Memory access at offset 4212 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../progs/dump_entry.c:1144 fmt_entry
Shadow bytes around the buggy address:
0x10007fff5780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff5790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff57a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff57b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff57c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff57d0: 00 00 00 00 00 00 00 00 00 00 00 00[04]f4 f3 f3
0x10007fff57e0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff57f0: 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2
0x10007fff5800: 04 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
0x10007fff5810: 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
0x10007fff5820: 00 00 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==19468==ABORTING
From ZJU NESA Lab
- Bug: heap-buffer-overflow in dump_entry.c,
puppet <=