
A heap-buffer-overflow vulnerability was discovered #83

Closed
MageWeiG opened this issue Jun 11, 2024 · 3 comments

@MageWeiG

While testing fuzzipp, I found a stack overflow vulnerability located in the ippWriteIO function in the /src/libcups/cups/ipp.c file.
In line 5263 of the function, an irregular use of the memcpy function causes a heap overflow vulnerability.

The crash information is as follows:

```
=================================================================
==14==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000006a78 at pc 0x5616b8dea6da bp 0x7ffcac3a7010 sp 0x7ffcac3a67d0
READ of size 27252 at 0x502000006a78 thread T0
SCARINESS: 26 (multi-byte-read-heap-buffer-overflow)
    #0 0x5616b8dea6d9 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3
    #1 0x5616b8e646ba in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
    #2 0x5616b8e646ba in ippWriteIO /src/libcups/cups/ipp.c:5263:7
    #3 0x5616b8e62633 in ippWriteIO /src/libcups/cups/ipp.c:5199:9
    #4 0x5616b8e2baba in LLVMFuzzerTestOneInput /src/libcups/ossfuzz/fuzzipp.c:119:15
    #5 0x5616b8cde080 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #6 0x5616b8cdd8a5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
    #7 0x5616b8cdf075 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:760:19
    #8 0x5616b8cdfe65 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:905:5
    #9 0x5616b8cce176 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
    #10 0x5616b8cfa6a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7fcd6234d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #12 0x5616b8cbf2ed in _start (/out/fuzzipp+0x9a2ed)

DEDUP_TOKEN: __asan_memcpy--memcpy--ippWriteIO
0x502000006a78 is located 0 bytes after 8-byte region [0x502000006a70,0x502000006a78)
allocated by thread T0 here:
    #0 0x5616b8dec808 in calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
    #1 0x5616b8e7185c in _cupsStrAlloc /src/libcups/cups/string.c:548:29
    #2 0x5616b8e59ffa in ippReadIO /src/libcups/cups/ipp.c:2981:28
    #3 0x5616b8e59997 in ippReadIO /src/libcups/cups/ipp.c:3008:7
    #4 0x5616b8e59997 in ippReadIO /src/libcups/cups/ipp.c:3008:7
    #5 0x5616b8e2ba69 in LLVMFuzzerTestOneInput /src/libcups/ossfuzz/fuzzipp.c:107:15
    #6 0x5616b8cde080 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #7 0x5616b8cdd8a5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
    #8 0x5616b8cdf075 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:760:19
    #9 0x5616b8cdfe65 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:905:5
    #10 0x5616b8cce176 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
    #11 0x5616b8cfa6a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #12 0x7fcd6234d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)

DEDUP_TOKEN: ___interceptor_calloc--_cupsStrAlloc--ippReadIO
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x502000006780: fa fa 00 07 fa fa 04 fa fa fa fa fa fa fa fa fa
  0x502000006800: fa fa 04 fa fa fa fa fa fa fa 00 fa fa fa 04 fa
  0x502000006880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 04
  0x502000006900: fa fa 00 fa fa fa 04 fa fa fa fa fa fa fa 04 fa
  0x502000006980: fa fa 04 fa fa fa 00 04 fa fa fd fd fa fa 00 fa
=>0x502000006a00: fa fa fd fd fa fa 00 fa fa fa fd fd fa fa 00[fa]
  0x502000006a80: fa fa fa fa fa fa fa fa fa fa 04 fa fa fa fd fd
  0x502000006b00: fa fa fa fa fa fa fd fa fa fa 04 fa fa fa fd fd
  0x502000006b80: fa fa 00 fa fa fa 04 fa fa fa 00 00 fa fa fd fd
  0x502000006c00: fa fa 00 01 fa fa 04 fa fa fa 00 00 fa fa fd fd
  0x502000006c80: fa fa fa fa fa fa 00 fa fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14==ABORTING
```

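The report above reduces to a handful of facts a triager acts on: what kind of access, how many bytes past which allocation, and the first frame in project code on both the faulting and the allocating stack. The script below is an added example (not code from the issue or from libcups); the ASan excerpt is constructed from the lines quoted above, and the `/src/libcups/` project prefix is an assumption about the build layout.

```python
import re

# Constructed excerpt of the ASan report quoted in the issue, trimmed to the lines
# the triage needs; in practice pass the whole report text.
SAMPLE_REPORT = """\
==14==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000006a78 at pc 0x5616b8dea6da
READ of size 27252 at 0x502000006a78 thread T0
    #0 0x5616b8dea6d9 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3
    #1 0x5616b8e646ba in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
    #2 0x5616b8e646ba in ippWriteIO /src/libcups/cups/ipp.c:5263:7
0x502000006a78 is located 0 bytes after 8-byte region [0x502000006a70,0x502000006a78)
allocated by thread T0 here:
    #0 0x5616b8dec808 in calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
    #1 0x5616b8e7185c in _cupsStrAlloc /src/libcups/cups/string.c:548:29
"""

# One symbolized frame: "#N 0x... in <function> <file>:<line>[:<col>]"
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$")

def first_project_frame(lines, project_prefix):
    """First (function, file, line) whose file is under project_prefix; skips sanitizer/libc frames."""
    for ln in lines:
        m = FRAME_RE.match(ln)
        if m and m.group(2).startswith(project_prefix):
            return m.group(1), m.group(2), int(m.group(3))
    return None

def triage_asan(report, project_prefix="/src/libcups/"):
    """Reduce an ASan heap-buffer-overflow report to the facts a triager acts on."""
    err = re.search(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report)
    access = re.search(r"^(READ|WRITE) of size (\d+) at", report, re.M)
    region = re.search(r"located (\d+) bytes (after|before|inside of) (\d+)-byte region", report)
    if not (err and access and region):
        raise ValueError("not a recognised AddressSanitizer buffer-overflow report")
    size, offset, region_size = int(access.group(2)), int(region.group(1)), int(region.group(3))
    if region.group(2) == "after":        # access starts past the end of the region
        past_end = offset + size
    elif region.group(2) == "inside of":  # starts inside the region, may run off its end
        past_end = max(0, offset + size - region_size)
    else:                                 # underflow before the region: nothing past the end
        past_end = 0
    # Frames before "allocated by" belong to the faulting access, frames after it to the allocation.
    before, _, after = report.partition("allocated by")
    return {
        "error": err.group(1), "address": err.group(2),
        "access": access.group(1), "access_size": size,
        "region_size": region_size, "bytes_past_end": past_end,
        "fault_site": first_project_frame(before.splitlines(), project_prefix),
        "alloc_site": first_project_frame(after.splitlines(), project_prefix),
    }
```

For this report the result says a 27252-byte read starts exactly at the end of an 8-byte `_cupsStrAlloc` string, which is why a single out-of-bounds memcpy in `ippWriteIO` shows up as a multi-kilobyte overread.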
@michaelrsweet michaelrsweet self-assigned this Jun 11, 2024
@michaelrsweet michaelrsweet added the investigating Investigating the issue label Jun 11, 2024
@michaelrsweet
Member

Do you have the "corpus" that caused the issue?

@MageWeiG
Author

Ok, I've attached the corpus.
crash-d8616e43ff1db1b8e21f333287caa47d88d6a8fa.zip

@michaelrsweet
Member

[master a7a28e6] Error out if an attribute conversion is unsuccessful.

@michaelrsweet michaelrsweet added bug Something isn't working priority-low and removed investigating Investigating the issue labels Jun 14, 2024
@michaelrsweet michaelrsweet added this to the v3.0 milestone Jun 14, 2024