Public bug reported: stack-buffer-overflow on matio-1.5.28/src/io.c:66:5 strdup_vprintf when we run matio-1.5.28/tools/matdump poc.
root@6:/fuzz# ./matio/matio/tools/matdump crashes/crash-105
=================================================================
==89595==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe8f9a91c8 at pc 0x5aa6adae6777 bp 0x7ffe8f9a9190 sp 0x7ffe8f9a8960
READ of size 24 at 0x7ffe8f9a91c8 thread T0
    #0 0x5aa6adae6776 in __asan_memcpy (/fuzz/matio/matio/tools/matdump+0x285776) (BuildId: e34e800b971642544d5a9d04df857d55d0b848d8)
    #1 0x5aa6adb2c1fd in strdup_vprintf /fuzz/matio/matio/src/io.c:66:5
    #2 0x5aa6adb2ae49 in mat_log /fuzz/matio/matio/src/io.c:183:14
    #3 0x5aa6adb2ad6f in Mat_Message /fuzz/matio/matio/src/io.c:312:5
    #4 0x5aa6adb231e0 in print_default /fuzz/matio/matio/tools/matdump.c:758:17
    #5 0x5aa6adb22e8f in main /fuzz/matio/matio/tools/matdump.c:947:17
    #6 0x713e4d2a5d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x713e4d2a5e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x5aa6ada64604 in _start (/fuzz/matio/matio/tools/matdump+0x203604) (BuildId: e34e800b971642544d5a9d04df857d55d0b848d8)

Address 0x7ffe8f9a91c8 is located in stack of thread T0 at offset 40 in frame
    #0 0x5aa6adb2c0ef in strdup_vprintf /fuzz/matio/matio/src/io.c:61

  This frame has 2 object(s):
    [32, 40) 'ap.addr' <== Memory access at offset 40 overflows this variable
    [64, 88) 'ap2' (line 62) <== Memory access at offset 40 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/fuzz/matio/matio/tools/matdump+0x285776) (BuildId: e34e800b971642544d5a9d04df857d55d0b848d8) in __asan_memcpy
Shadow bytes around the buggy address:
  0x100051f2d1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051f2d1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051f2d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051f2d210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051f2d220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100051f2d230: 00 00 00 00 f1 f1 f1 f1 00[f2]f2 f2 00 00 00 f3
  0x100051f2d240: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051f2d250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051f2d260: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3
  0x100051f2d270: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051f2d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==89595==ABORTING

** Affects: ubuntu
     Importance: Undecided
         Status: New

** Attachment added: "crash-105"
   https://bugs.launchpad.net/bugs/2095083/+attachment/5852068/+files/crash-105

https://bugs.launchpad.net/bugs/2095083
Title:
  stack-buffer-overflow on matio-1.5.28/src/io.c:66:5 strdup_vprintf