| From | nafiez <nafiez.skins@gmail.com> |
|---|---|
| Newsgroups | gnu.utils.bug |
| Subject | Vulnerability Report: Heap-Buffer-Overflow on Sharutils (unshar) 4.15.2 |
| Date | 2018-02-21 15:17 +0800 |
| Message-ID | <mailman.9561.1519222136.27995.bug-gnu-utils@gnu.org> (permalink) |
Hi,

Another issue found was heap-buffer-overflow on Sharutils (unshar) 4.15.2. Attached is the fuzzed file. Below is the ASAN output:

```
john@fuzzing:~/sharutils-4.15.2/src$ ./unshar out/crashes/id:000000,sig:06,src:000005+000030,op:splice,rep:4
=================================================================
==11164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5901100 at pc 0x0804c695 bp 0xbfe86f28 sp 0xbfe86f18
READ of size 1 at 0xb5901100 thread T0
    #0 0x804c694 in looks_like_c_code /home/john/sharutils-4.15.2/src/unshar.c:75
    #1 0x804c694 in find_archive /home/john/sharutils-4.15.2/src/unshar.c:253
    #2 0x804c694 in unshar_file /home/john/sharutils-4.15.2/src/unshar.c:379
    #3 0x804a2f4 in validate_fname /home/john/sharutils-4.15.2/src/unshar-opts.c:604
    #4 0x804a2f4 in main /home/john/sharutils-4.15.2/src/unshar-opts.c:639
    #5 0xb70ab636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #6 0x804ab95 (/home/john/sharutils-4.15.2/src/unshar+0x804ab95)

0xb5901100 is located 0 bytes to the right of 4096-byte region [0xb5900100,0xb5901100)
allocated by thread T0 here:
    #0 0xb72dfdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x804c9e4 in init_unshar /home/john/sharutils-4.15.2/src/unshar.c:450
    #2 0xb70ab636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/john/sharutils-4.15.2/src/unshar.c:75 looks_like_c_code
Shadow bytes around the buggy address:
  0x36b201d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b201e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b201f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b20200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b20210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36b20220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==11164==ABORTING
```

Thanks,
Nafiez
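An added example, not part of the original post or of the sharutils code: a parser that extracts the triage fields from an ASan report like the one above (bug class, access type and size, distance from the heap region, crash and allocation sites) and derives a key for deduplicating fuzzer crashes. The sample input is constructed by abridging the report in the post; the function names, result field names and bucket format are assumptions of this example.

```python
import re

# Constructed sample: key lines abridged from the ASan report in the post above.
SAMPLE = """\
==11164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5901100 at pc 0x0804c695 bp 0xbfe86f28 sp 0xbfe86f18
READ of size 1 at 0xb5901100 thread T0
    #0 0x804c694 in looks_like_c_code /home/john/sharutils-4.15.2/src/unshar.c:75
    #1 0x804c694 in find_archive /home/john/sharutils-4.15.2/src/unshar.c:253
    #2 0x804c694 in unshar_file /home/john/sharutils-4.15.2/src/unshar.c:379
0xb5901100 is located 0 bytes to the right of 4096-byte region [0xb5900100,0xb5901100)
allocated by thread T0 here:
    #0 0xb72dfdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x804c9e4 in init_unshar /home/john/sharutils-4.15.2/src/unshar.c:450
"""

# Patterns follow the report layout shown in the post (libasan.so.2 era wording).
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
FRAME_RE = re.compile(r"^[ \t]*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")

def frames(text):
    """Return (function, file, line) per frame; frames without file:line (libc, libasan) are skipped."""
    return [(m[2], m[3].rsplit("/", 1)[-1], int(m[4])) for m in FRAME_RE.finditer(text)]

def parse_asan(report):
    """Extract triage fields from an ASan report; None if there is no error header."""
    err = ERROR_RE.search(report)
    if err is None:
        return None
    # Split at the allocation stack so its frames are not mixed into the access stack.
    access_part, _, alloc_part = report.partition("allocated by thread")
    acc = ACCESS_RE.search(access_part)
    reg = REGION_RE.search(access_part)
    stack = frames(access_part)
    return {
        "bug": err[1],
        "address": err[2],
        "access": (acc[1], int(acc[2])) if acc else None,
        # (distance in bytes, side, region size): 0 bytes right = first byte past the end.
        "region": (int(reg[1]), reg[2], int(reg[3])) if reg else None,
        "crash_site": stack[0] if stack else None,
        "alloc_site": (frames(alloc_part) or [None])[0],
        # Same bug class and same top three frames: treat as one bucket when deduplicating.
        "bucket": err[1] + "@" + ">".join(f"{fn}:{ln}" for fn, _, ln in stack[:3]),
    }

if __name__ == "__main__":
    print(parse_asan(SAMPLE))
```

For this report the result points at a one-byte read immediately past the 4096-byte buffer allocated in `init_unshar`, with the faulting access in `looks_like_c_code` at `unshar.c:75`.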