#6 Stack-based buffer overflow in the fileio_openin() function

[Frederic Cambus]

Hi,

While fuzzing Brandy with American Fuzzy Lop, I found a stack-based buffer overflow in the fileio_openin() function, in src/fileio.c L478.

Attaching a reproducer, issue can be reproduced by running:

brandy test01

=================================================================
==20536==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe88bbc270 at pc 0x7f3207452d82 bp 0x7ffe88bbc120 sp 0x7ffe88bbb8c8
WRITE of size 478 at 0x7ffe88bbc270 thread T0
    #0 0x7f3207452d81 in __interceptor_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ad81)
    #1 0x560fdf3ffe19 in fileio_openin src/fileio.c:478
    #2 0x560fdf3fbb48 in fn_openin src/functions.c:1048
    #3 0x560fdf3ffba3 in exec_function src/functions.c:1777
    #4 0x560fdf41aa8e in expression src/evaluate.c:3495
    #5 0x560fdf406d83 in do_arrayref src/evaluate.c:670
    #6 0x560fdf408714 in do_xvar src/evaluate.c:845
    #7 0x560fdf41ac1e in expression src/evaluate.c:3499
    #8 0x560fdf430dd5 in exec_assignment src/assign.c:897
    #9 0x560fdf3c6b35 in exec_statements src/statement.c:397
    #10 0x560fdf3c6ead in run_program src/statement.c:436
    #11 0x560fdf428e9e in run_interpreter src/brandy.c:326
    #12 0x560fdf427f6c in main src/brandy.c:71
    #13 0x7f3206c6ab96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x560fdf3b3799 in _start (/home/fcambus/brandy-rep/tbrandy+0x1d799)

Address 0x7ffe88bbc270 is located in stack of thread T0 at offset 288 in frame
    #0 0x560fdf3ffcd4 in fileio_openin src/fileio.c:472

  This frame has 1 object(s):
    [32, 288) 'filename' <== Memory access at offset 288 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ad81) in __interceptor_memmove
Shadow bytes around the buggy address:
  0x10005116f7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005116f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005116f810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005116f820: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
  0x10005116f830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10005116f840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3
  0x10005116f850: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10005116f860: f1 f1 00 00 f2 f2 f3 f3 f3 f3 00 00 00 00 00 00
  0x10005116f870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005116f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10005116f890: f1 f1 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20536==ABORTING

[Frederic Cambus]

This issue has been assigned CVE-2019-14663.

[Michael McConnell]

Fixed downstream on the Matrix Brandy fork.