[bug-enscript] [bug #53582] stack-buffer-overflow ub mkafmmap
From: Vincent Ulitzsch
Subject: [bug-enscript] [bug #53582] stack-buffer-overflow ub mkafmmap
Date: Sat, 7 Apr 2018 14:36:58 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
URL:
<http://savannah.gnu.org/bugs/?53582>
Summary: stack-buffer-overflow ub mkafmmap
Project: GNU Enscript
Submitted by: viniul
Submitted on: Sat 07 Apr 2018 06:36:57 PM UTC
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Private
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
Dear Enscript Team,
During my research, I have found a heap-buffer-overflow in your program
"mkafmmap", from your program "enscript" (version 1.6.6). I've attached the
crashing input. Find below the output of AddressSanitizer.
Best,
Vincent
mkafmmap mkafcrash
file=font.map
mkafcrash...
=================================================================
==1596==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc30cdfe0 at pc 0x5620ecae914e bp 0x7ffdc30cddc0 sp 0x7ffdc30cd570
WRITE of size 259 at 0x7ffdc30cdfe0 thread T0
    #0 0x5620ecae914d in vsprintf (/usr/bin/mkafmmap+0xa514d)
    #1 0x5620ecae9487 in __interceptor_sprintf (/usr/bin/mkafmmap+0xa5487)
    #2 0x5620ecbc74f5 (/usr/bin/mkafmmap+0x1834f5)
    #3 0x5620ecbbefd3 (/usr/bin/mkafmmap+0x17afd3)
    #4 0x5620ecbbb00d (/usr/bin/mkafmmap+0x17700d)
    #5 0x5620ecbb881a (/usr/bin/mkafmmap+0x17481a)
    #6 0x7f55bfe9cf49 in __libc_start_main (/usr/lib/libc.so.6+0x20f49)
    #7 0x5620ecabb739 in pthread_getattr_np (/usr/bin/mkafmmap+0x77739)
Address 0x7ffdc30cdfe0 is located in stack of thread T0 at offset 288 in frame
    #0 0x5620ecbc722f (/usr/bin/mkafmmap+0x18322f)
  This frame has 1 object(s):
    [32, 288) 'msg' (line 623) <== Memory access at offset 288 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/bin/mkafmmap+0xa514d) in vsprintf
Shadow bytes around the buggy address:
0x100038611ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100038611bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100038611bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100038611bd0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
0x100038611be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100038611bf0: 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3
0x100038611c00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100038611c10: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100038611c20: f8 f2 f8 f2 f8 f2 f8 f2 f8 f8 f8 f8 f8 f8 f8 f8
0x100038611c30: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x100038611c40: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1596==ABORTING
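The report above describes a 256-byte stack buffer ('msg', bytes [32, 288) of the frame) being filled by sprintf() with a 259-byte write. The following is an added example, not enscript's own code, that reproduces only that shape beside the snprintf() form which bounds the write and makes truncation detectable; the function name, message text and font name are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical example, not enscript's code. It mirrors only the shape the
 * ASan report shows: a 256-byte stack buffer 'msg' written by sprintf()
 * with a field taken from the input file. */
#define MSG_CAP 256

/* Vulnerable shape. sprintf() does not know the size of 'msg', so a name
 * longer than about 240 bytes overruns the buffer (the report's "WRITE of
 * size 259" into a 256-byte object). Only safe with a short constant. */
static void warn_font_unsafe(char *msg, const char *name)
{
    sprintf(msg, "unknown font: %s", name);
}

/* Hardened shape. snprintf() writes at most 'cap' bytes including the NUL
 * and returns the length the full message needed, so the caller can see
 * that the message was cut. Returns true if the whole message fit. */
static bool warn_font_safe(char *msg, size_t cap, const char *name)
{
    int needed = snprintf(msg, cap, "unknown font: %s", name);
    return needed >= 0 && (size_t)needed < cap;
}

/* Constructed input: a 244-byte name. With the 14-byte prefix and the NUL
 * that is exactly the 259 bytes the report saw sprintf() write. Returns the
 * number of bytes stored and sets *fit to false when truncated. */
static size_t demo_overlong(char *msg, size_t cap, bool *fit)
{
    char name[245];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    *fit = warn_font_safe(msg, cap, name);
    return strlen(msg);
}

int main(void)
{
    char msg[MSG_CAP];
    bool fit;
    warn_font_unsafe(msg, "Courier");           /* short constant: fits */
    size_t stored = demo_overlong(msg, sizeof msg, &fit);
    printf("stored %zu bytes, fit=%d\n", stored, fit);  /* 255, 0 */
    return 0;
}
```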
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Sat 07 Apr 2018 06:36:57 PM UTC Name: mkafcrash Size: 243B By: viniul
This is the crashing input for mkafmmap.
<http://savannah.gnu.org/bugs/download.php?file_id=43834>
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?53582>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/