
Vulnerability Report: Heap-Buffer-Overflow on Sharutils (unshar) 4.15.2

From nafiez <nafiez.skins@gmail.com>
Newsgroups gnu.utils.bug
Subject Vulnerability Report: Heap-Buffer-Overflow on Sharutils (unshar) 4.15.2
Date Wed, 21 Feb 2018 15:17:55 +0800
Message-ID <mailman.9561.1519222136.27995.bug-gnu-utils@gnu.org>

Hi,

Another issue found was a heap-buffer-overflow on Sharutils (unshar)
4.15.2. Attached is the fuzzed file.

Below is the ASAN output:

john@fuzzing:~/sharutils-4.15.2/src$ ./unshar out/crashes/id:000000,sig:06,src:000005+000030,op:splice,rep:4
=================================================================
==11164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5901100 at pc 0x0804c695 bp 0xbfe86f28 sp 0xbfe86f18
READ of size 1 at 0xb5901100 thread T0
    #0 0x804c694 in looks_like_c_code /home/john/sharutils-4.15.2/src/unshar.c:75
    #1 0x804c694 in find_archive /home/john/sharutils-4.15.2/src/unshar.c:253
    #2 0x804c694 in unshar_file /home/john/sharutils-4.15.2/src/unshar.c:379
    #3 0x804a2f4 in validate_fname /home/john/sharutils-4.15.2/src/unshar-opts.c:604
    #4 0x804a2f4 in main /home/john/sharutils-4.15.2/src/unshar-opts.c:639
    #5 0xb70ab636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #6 0x804ab95  (/home/john/sharutils-4.15.2/src/unshar+0x804ab95)

0xb5901100 is located 0 bytes to the right of 4096-byte region [0xb5900100,0xb5901100)
allocated by thread T0 here:
    #0 0xb72dfdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x804c9e4 in init_unshar /home/john/sharutils-4.15.2/src/unshar.c:450
    #2 0xb70ab636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/john/sharutils-4.15.2/src/unshar.c:75 looks_like_c_code
Shadow bytes around the buggy address:
  0x36b201d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b201e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b201f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b20200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b20210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36b20220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==11164==ABORTING

Thanks,

Nafiez
