From: Hanno Böck
Subject: [patch] fix out of bounds memory read in forward_to_info_syntax() / info-utils.c
Date: Sun, 10 Jul 2016 12:47:35 +0200

Hi,

There is an out of bounds invalid memory read in the function
forward_to_info_syntax().

This is the code (info-utils.c):
      if (looking_at_string (contents, INFO_MENU_ENTRY_LABEL)
          || looking_at_string (contents, INFO_XREF_LABEL)
          || !memcmp (contents, "\0\b[", 3))

The problem is the memcmp: contents can be a string shorter than 3
bytes. To fix this, one can use strncmp instead of memcmp, then the
comparison will stop in that case. See attached patch. The patch is
against 6.1, but it also applies against latest svn.

This bug can be seen by using address sanitizer and simply running
ginfo. To reproduce:
./configure CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"
make
info/ginfo

Full address sanitizer error log:

==18560==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x633000018eb2 at pc 0x41d452 bp 0x7ffe4a8fdb20 sp 0x7ffe4a8fdb18
READ of size 3 at 0x633000018eb2 thread T0
    #0 0x41d451 in forward_to_info_syntax 
/mnt/ram/v/texinfo-svn/info/info-utils.c:1585
    #1 0x41ddf9 in scan_node_contents 
/mnt/ram/v/texinfo-svn/info/info-utils.c:1661
    #2 0x403bbc in build_dir_node /mnt/ram/v/texinfo-svn/info/dir.c:142
    #3 0x40322e in get_dir_node /mnt/ram/v/texinfo-svn/info/dir.c:51
    #4 0x435ec4 in info_get_node_with_defaults 
/mnt/ram/v/texinfo-svn/info/nodes.c:932
    #5 0x4363c3 in info_get_node /mnt/ram/v/texinfo-svn/info/nodes.c:1010
    #6 0x44b3e1 in dump_node_to_stream 
/mnt/ram/v/texinfo-svn/info/session.c:3765
    #7 0x44b262 in dump_nodes_to_file /mnt/ram/v/texinfo-svn/info/session.c:3728
    #8 0x423ce2 in main /mnt/ram/v/texinfo-svn/info/info.c:1029
    #9 0x7f26f681578f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x403148 in _start (/mnt/ram/v/texinfo-svn/info/ginfo+0x403148)

0x633000018eb4 is located 0 bytes to the right of 100020-byte region 
[0x633000000800,0x633000018eb4)
allocated by thread T0 here:
    #0 0x7f26f6e409af in malloc 
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x549af)
    #1 0x4650cb in xmalloc /mnt/ram/v/texinfo-svn/gnulib/lib/xmalloc.c:41
    #2 0x404376 in insert_text_into_node /mnt/ram/v/texinfo-svn/info/dir.c:240
    #3 0x40423b in add_menu_to_node /mnt/ram/v/texinfo-svn/info/dir.c:228
    #4 0x403abc in build_dir_node /mnt/ram/v/texinfo-svn/info/dir.c:132
    #5 0x40322e in get_dir_node /mnt/ram/v/texinfo-svn/info/dir.c:51
    #6 0x435ec4 in info_get_node_with_defaults 
/mnt/ram/v/texinfo-svn/info/nodes.c:932
    #7 0x4363c3 in info_get_node /mnt/ram/v/texinfo-svn/info/nodes.c:1010
    #8 0x44b3e1 in dump_node_to_stream 
/mnt/ram/v/texinfo-svn/info/session.c:3765
    #9 0x44b262 in dump_nodes_to_file /mnt/ram/v/texinfo-svn/info/session.c:3728
    #10 0x423ce2 in main /mnt/ram/v/texinfo-svn/info/info.c:1029
    #11 0x7f26f681578f in __libc_start_main (/lib64/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow 
/mnt/ram/v/texinfo-svn/info/info-utils.c:1585 forward_to_info_syntax
Shadow bytes around the buggy address:
  0x0c667fffb180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb1d0: 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa fa
  0x0c667fffb1e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb1f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==18560==ABORTING


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: address@hidden
GPG: BBB51E42

Attachment: texinfo-oob-memcmp-strncmp-forward_to_info_syntax.diff
Description: Text Data

Attachment: pgpBJmOpqG9ca.pgp
Description: OpenPGP digital signature
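As an added example (not from the report above and not texinfo's own code), here is the bounds-aware form of this scan in C. The marker strings are stand-ins for INFO_MENU_ENTRY_LABEL, INFO_XREF_LABEL and the three-byte "\0\b[" image tag, and every sample buffer is constructed for the example. It also shows a caveat worth knowing before swapping memcmp for strncmp here: strncmp stops at the first NUL in either operand, so strncmp(contents, "\0\b[", 3) only ever compares one byte and reports a match for any NUL in the input. An explicit remaining-length check in front of memcmp keeps the read in bounds and still compares all three bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Info markers checked in forward_to_info_syntax().
   The exact labels are assumptions for this example. */
static const char MENU_LABEL[] = "* ";
static const char XREF_LABEL[] = "*note";
static const char IMAGE_TAG[]  = "\0\b[";   /* three bytes, leading NUL */
#define IMAGE_TAG_LEN 3

/* Constructed sample inputs (not taken from the bug report). */
static const char SAMPLE_SHORT[] = "ab";                      /* 2 bytes: shorter than the tag */
static const char SAMPLE_TAG[]   = {'x', '\0', '\b', '[', 'y'}; /* real image tag at offset 1 */
static const char SAMPLE_NUL[]   = {'x', '\0', 'z', 'z', 'z'};  /* stray NUL, not an image tag */
static const char SAMPLE_XREF[]  = "see *note foo";

/* Compare `want` bytes at p against pat without reading past end.
   This is the check the original memcmp call lacked: when fewer than
   `want` bytes remain, the answer is "no match", not a read off the end. */
static int match_bounded(const char *p, const char *end,
                         const char *pat, size_t want)
{
    if ((size_t)(end - p) < want)
        return 0;
    return memcmp(p, pat, want) == 0;
}

/* Scan buf[start..len) for the first offset that begins a marker.
   Returns the offset, or -1 if none. Same shape as the loop in
   forward_to_info_syntax, but every comparison is length-checked. */
static long find_marker(const char *buf, size_t len, size_t start)
{
    const char *end = buf + len;
    for (const char *p = buf + start; p < end; p++) {
        if (match_bounded(p, end, MENU_LABEL, sizeof MENU_LABEL - 1)
            || match_bounded(p, end, XREF_LABEL, sizeof XREF_LABEL - 1)
            || match_bounded(p, end, IMAGE_TAG, IMAGE_TAG_LEN))
            return (long)(p - buf);
    }
    return -1;
}

/* The strncmp variant for contrast. Because IMAGE_TAG starts with NUL,
   strncmp compares only p[0]: it returns 0 for any NUL byte in the input,
   so this reports a match on SAMPLE_NUL + 1 even though "\b[" never follows. */
static int strncmp_tag_match(const char *p)
{
    return strncmp(p, IMAGE_TAG, IMAGE_TAG_LEN) == 0;
}

int main(void)
{
    printf("short input (2 bytes):   %ld\n", find_marker(SAMPLE_SHORT, 2, 0));
    printf("image tag at offset 1:   %ld\n", find_marker(SAMPLE_TAG, sizeof SAMPLE_TAG, 0));
    printf("stray NUL, bounded scan: %ld\n", find_marker(SAMPLE_NUL, sizeof SAMPLE_NUL, 0));
    printf("stray NUL, strncmp:      %d\n",  strncmp_tag_match(SAMPLE_NUL + 1));
    printf("xref at offset 4:        %ld\n", find_marker(SAMPLE_XREF, sizeof SAMPLE_XREF - 1, 0));
    return 0;
}
```

Build with -fsanitize=address as in the report; the two-byte input no longer triggers a three-byte read because match_bounded declines before calling memcmp. The strncmp_tag_match result on SAMPLE_NUL + 1 is the reason to prefer a length check over a string function when the pattern itself contains a NUL.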
