Hi, `mail' is vulnerable to a heap based buffer overflow, according to AddressSanitizer, using the testcase https://internot.info/docs/mail-test
In 'mail' (compiled with AddressSanitizer), if you press enter after it has been opened, it will malloc off by one. AS output:

> =================================================================
> ==39802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004aef at pc 0x438498 bp 0x7fffc4d5b840 sp 0x7fffc4d5b838
> READ of size 1 at 0x602000004aef thread T0
>     #0 0x438497 in mail_mainloop /root/srcs/mailutils-2.2+dfsg1/mail/mail.c:531
>     #1 0x40c66f in main /root/srcs/mailutils-2.2+dfsg1/mail/mail.c:512
>     #2 0x7fecc9cca76c in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
>     #3 0x40ef04 (/usr/bin/mail+0x40ef04)
>
> 0x602000004aef is located 1 bytes to the left of 1-byte region [0x602000004af0,0x602000004af1)
> allocated by thread T0 here:
>     #0 0x7feccbd1978f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5778f)
>     #1 0x7fecca2b1618 in xmalloc (/lib/x86_64-linux-gnu/libreadline.so.6+0x2c618)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /root/srcs/mailutils-2.2+dfsg1/mail/mail.c:531 mail_mainloop
> Shadow bytes around the buggy address:
>   0x0c047fff8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c047fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]01 fa
>   0x0c047fff8960: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
>   0x0c047fff8970: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
>   0x0c047fff8980: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
>   0x0c047fff8990: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
>   0x0c047fff89a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==39802==ABORTING

Thanks,

-- 
-- Joshua Rogers <https://internot.info/>
_______________________________________________ Bug-mailutils mailing list [email protected] https://lists.gnu.org/mailman/listinfo/bug-mailutils
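The report above gives the shape of the bug but not the source of mail.c:531: a 1-byte READ one byte to the left of a 1-byte heap region that readline's xmalloc returned. A 1-byte allocation is exactly what an empty input line becomes (just the NUL terminator), and the usual way to read one byte before it is to index buf[strlen(buf) - 1] on an empty string. The C below is an illustration added to this page, not code from mailutils or from the reporter: fake_readline, unsafe_ends_with_backslash, safe_ends_with_backslash and the sample inputs are invented for the example, and the unsafe function is an assumption about the pattern behind the trace, not a quotation of what mail.c does.

```c
/* Constructed illustration of the off-by-one heap read that an ASan
 * report of this shape points at. Example code for this page, not
 * mailutils' mail.c; the unsafe pattern is an assumption, not the real
 * source of mail.c:531. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for readline(): returns a malloc'd copy of the typed line
 * with the newline stripped. An empty line yields a 1-byte region holding
 * only the NUL terminator, matching "1-byte region" in the report. */
static char *fake_readline(const char *typed)
{
    size_t n = strcspn(typed, "\n");
    char *buf = malloc(n + 1);
    if (!buf)
        abort();
    memcpy(buf, typed, n);
    buf[n] = '\0';
    return buf;
}

/* Unsafe: for an empty string strlen() is 0, so the index wraps to
 * (size_t)-1 and the access is buf[-1], a 1-byte read one byte to the
 * left of the allocation. ASan reports it as a heap-buffer-overflow in
 * the heap left redzone (the "fa" byte the report marks with [ ]). */
static int unsafe_ends_with_backslash(const char *buf)
{
    return buf[strlen(buf) - 1] == '\\';
}

/* Hardened: check the length before indexing from the end. */
static int safe_ends_with_backslash(const char *buf)
{
    size_t len = strlen(buf);
    return len > 0 && buf[len - 1] == '\\';
}

int main(void)
{
    /* Constructed inputs; the last one is the bare Enter from the report. */
    const char *inputs[] = { "quit\n", "headers \\\n", "\n" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *line = fake_readline(inputs[i]);
        printf("line=\"%s\" safe=%d\n", line, safe_ends_with_backslash(line));
        /* On the empty line this is the out-of-bounds read ASan flags. */
        printf("line=\"%s\" unsafe=%d\n", line, unsafe_ends_with_backslash(line));
        free(line);
    }
    return 0;
}
```

Build with `gcc -g -fsanitize=address` and run it: the third iteration produces a report with the same shape as the one above (READ of size 1, located 1 byte to the left of a 1-byte region allocated by malloc). The fix is the length guard in safe_ends_with_backslash; the same guard belongs in front of any buf[len - 1] on input that may be empty.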
