bug-texinfo

Crash due to out of bounds read in skip_whitespace() with malformed input


From: Hanno Böck
Subject: Crash due to out of bounds read in skip_whitespace() with malformed input
Date: Thu, 6 Oct 2016 16:34:04 +0200

Hi,

The attached file will crash texinfo when passed to info -f [infile].

I tried to find out why, but I'm not familiar with the code. It seems
the function skip_whitespace gets called with a string pointer that
points past the end of an allocated buffer.

This was found with the fuzzing tool american fuzzy lop.


Here's a stack trace from Address Sanitizer:

==20380==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dfbc at pc 0x000000544501 bp 0x7fffda91bdd0 sp 0x7fffda91bdc8
READ of size 1 at 0x60200000dfbc thread T0
    #0 0x544500 in skip_whitespace /mnt/ram/texinfo-6.3/info/search.c:419:25
    #1 0x516cc3 in parse_top_node_line /mnt/ram/texinfo-6.3/info/info-utils.c:1114:14
    #2 0x516cc3 in scan_node_contents /mnt/ram/texinfo-6.3/info/info-utils.c:1647
    #3 0x5407c9 in info_node_of_tag_ext /mnt/ram/texinfo-6.3/info/nodes.c:1442:11
    #4 0x53ea8a in info_node_of_tag /mnt/ram/texinfo-6.3/info/nodes.c:1483:10
    #5 0x53ea8a in info_get_node_of_file_buffer /mnt/ram/texinfo-6.3/info/nodes.c:1107
    #6 0x53e239 in info_get_node_with_defaults /mnt/ram/texinfo-6.3/info/nodes.c:988:14
    #7 0x5620d1 in dump_node_to_stream /mnt/ram/texinfo-6.3/info/session.c:3765:10
    #8 0x561de2 in dump_nodes_to_file /mnt/ram/texinfo-6.3/info/session.c:3728:11
    #9 0x5259fb in main /mnt/ram/texinfo-6.3/info/info.c:1029:7
    #10 0x7f3fb738b6ff in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #11 0x41ab98 in _start (/mnt/ram/texinfo-6.3/info/ginfo+0x41ab98)

0x60200000dfbc is located 0 bytes to the right of 12-byte region [0x60200000dfb0,0x60200000dfbc)
allocated by thread T0 here:
    #0 0x4c2ab8 in __interceptor_malloc (/mnt/ram/texinfo-6.3/info/ginfo+0x4c2ab8)
    #1 0x5856fe in xmalloc /mnt/ram/texinfo-6.3/gnulib/lib/xmalloc.c:41:13
    #2 0x50a414 in filesys_read_info_file /mnt/ram/texinfo-6.3/info/filesys.c:321:18
    #3 0x53ca57 in info_load_file /mnt/ram/texinfo-6.3/info/nodes.c:723:14
    #4 0x53c8a7 in info_find_file /mnt/ram/texinfo-6.3/info/nodes.c:660:17
    #5 0x53e209 in info_get_node_with_defaults /mnt/ram/texinfo-6.3/info/nodes.c:983:19
    #6 0x5620d1 in dump_node_to_stream /mnt/ram/texinfo-6.3/info/session.c:3765:10
    #7 0x561de2 in dump_nodes_to_file /mnt/ram/texinfo-6.3/info/session.c:3728:11
    #8 0x5259fb in main /mnt/ram/texinfo-6.3/info/info.c:1029:7
    #9 0x7f3fb738b6ff in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #10 0x41ab98 in _start (/mnt/ram/texinfo-6.3/info/ginfo+0x41ab98)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/ram/texinfo-6.3/info/search.c:419:25 in skip_whitespace
==20380==ABORTING

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: address@hidden
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Attachment: texinfo-oob-skip_whitespace.info
Description: Binary data

Attachment: pgpbdFGJRmYqY.pgp
Description: OpenPGP digital signature
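
The bug class in the report (a whitespace-skipping loop that trusts a terminator and runs off the end of a heap region that has none) and its bounded counterpart, as an added example. This is not texinfo's code: the function names, signatures and the 12-byte sample region are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical unbounded scanner: it relies on a terminator to stop.
 * On a region whose last bytes are whitespace and which has no NUL after
 * them, the loop dereferences past the allocation, which is the
 * heap-buffer-overflow shape in the report above. Illustrative only. */
size_t skip_whitespace_unbounded(const char *s)
{
    const char *p = s;
    while (*p == ' ' || *p == '\t' || *p == '\n')   /* no end check */
        p++;
    return (size_t)(p - s);
}

/* Hardened variant: the caller passes the end of the valid region and the
 * scan never dereferences at or beyond it. */
size_t skip_whitespace_bounded(const char *s, const char *end)
{
    const char *p = s;
    while (p < end && (*p == ' ' || *p == '\t' || *p == '\n'))
        p++;
    return (size_t)(p - s);
}

/* Constructed sample: a 12-byte heap region with trailing whitespace and
 * no NUL, mirroring the 12-byte region in the ASan report. Runs the
 * bounded scan from byte offset 'start' and returns the offset at which
 * it stopped; a 'start' beyond the region is clamped to its end. */
size_t demo_bounded_skip(size_t start)
{
    enum { LEN = 12 };
    static const char src[LEN] =
        { 'N','o','d','e',':',' ','x',' ',' ',' ','\n',' ' };
    char *buf = malloc(LEN);            /* no room for a terminator */
    if (!buf)
        return (size_t)-1;
    memcpy(buf, src, LEN);
    if (start > LEN)
        start = LEN;
    const char *end = buf + LEN;
    size_t stop = start + skip_whitespace_bounded(buf + start, end);
    free(buf);
    return stop;
}
```

Under AddressSanitizer, calling the unbounded variant at offset 7 of that region reproduces a one-byte heap read past the 12-byte allocation; the bounded variant stops at offset 12.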

