Hi,
While fuzzing gnucobol with Honggfuzz, I found a stack-based buffer overflow in the cb_name() function, in cobc/tree.c.
Attaching a reproducer; the issue can be reproduced by running:
cobc test05.cob
I have been able to reproduce this issue on both GnuCOBOL 2.2 and with the latest SVN trunk version.
=================================================================
==30185==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc6f8a6040 at pc 0x0000004432fe bp 0x7ffc6f8a5230 sp 0x7ffc6f8a49b8
WRITE of size 8194 at 0x7ffc6f8a6040 thread T0
attempt to reference unallocated memory (signal SIGSEGV)
cobc: aborting compile of issue05.cob at line 50 (PROGRAM-ID: tutorial)
cobc: Please report this!
==10264== Memcheck, a memory error detector
==10264== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==10264== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==10264== Command: cobc issue05.cob
==10264==
issue05.cob:51: error: continuation character expected
issue05.cob:224: error: invalid indicator 'f' at column 7
issue05.cob:248: warning: line not terminated by a newline
issue05.cob:45: error: PROCEDURE DIVISION header missing
issue05.cob: in section 'set-keydefinitions':
issue05.cob:50: error: invalid literal: 'vove length of ex-keydef to key2len...'
issue05.cob:50: error: literal length exceeds 8191 characters
*** stack smashing detected ***: <unknown> terminated
==10264==
==10264== Process terminating with default action of signal 6 (SIGABRT)
==10264== at 0x491BED7: raise (raise.c:51)
==10264== by 0x48FD534: abort (abort.c:79)
==10264== by 0x4964725: __libc_message (libc_fatal.c:181)
==10264== by 0x4A07260: __fortify_fail_abort (fortify_fail.c:33)
==10264== by 0x4A07221: __stack_chk_fail (stack_chk_fail.c:29)
==10264== by 0x174B55: cb_name (tree.c:1170)
==10264== by 0x6C617620326C6F61: ???
==10264== by 0x37200A2E33206574: ???
==10264== by 0x662D2D6463662037: ???
==10264== by 0x64692D74616D726E: ???
==10264== by 0x65756C6176203477: ???
==10264== by 0x203837200A2E341F: ???
==10264==
==10264== HEAP SUMMARY:
==10264== in use at exit: 538,364 bytes in 4,182 blocks
==10264== total heap usage: 6,646 allocs, 2,464 frees, 973,995 bytes allocated
==10264==
==10264== LEAK SUMMARY:
==10264== definitely lost: 0 bytes in 0 blocks
==10264== indirectly lost: 0 bytes in 0 blocks
==10264== possibly lost: 0 bytes in 0 blocks
==10264== still reachable: 538,364 bytes in 4,182 blocks
==10264== suppressed: 0 bytes in 0 blocks
==10264== Rerun with --leak-check=full to see details of leaked memory
==10264==
==10264== For counts of detected and suppressed errors, rerun with: -v
==10264== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
This issue has been assigned CVE-2019-16395.
Thank you for reporting this! Fuzzing cobc is very helpful.
Fixed in [r3346].
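As an added illustration of the bug class in this report (a formatting routine writing an oversized literal into a fixed-size stack buffer, which the stack protector caught as "stack smashing detected"), here is a small, self-contained C example. It is not GnuCOBOL's code and not the change made in r3346: the buffer size, the function names and the quoting format are assumptions chosen for the example. It shows the defensive shape such a routine should have: the write is bounded by the buffer size and the caller is told when the input did not fit, so an overlong literal is reported instead of overrunning the frame.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed scratch buffer used by the hypothetical formatter.
   Chosen to match the 8191-character literal limit that cobc reports,
   plus one byte for the terminator. An assumption for this example, not a
   GnuCOBOL constant. */
#define NAME_BUF_SIZE 8192

/* Hypothetical name formatter: renders a literal as 'text' into a
   caller-supplied buffer of outsz bytes. Returns true when the whole name
   fit and false when the output had to be truncated. The unsafe shape of
   such a routine is an unbounded sprintf() into a fixed stack array, which
   is exactly what an oversized literal overruns; here snprintf() confines
   the write to the buffer and its return value is checked. */
bool format_literal_name(const char *literal, char *out, size_t outsz)
{
    if (outsz == 0) {
        return false;
    }
    int needed = snprintf(out, outsz, "'%s'", literal);
    if (needed < 0) {
        out[0] = '\0';
        return false;
    }
    /* snprintf reports the length it wanted to produce; a value >= outsz
       means the result was cut short, with the terminator still in place. */
    return (size_t)needed < outsz;
}

/* Wrapper mirroring a cb_name()-style API that keeps its scratch space on
   the stack. Returns the length of the name produced and sets *truncated
   when the literal exceeded the scratch buffer. */
size_t name_into_stack_buffer(const char *literal, bool *truncated)
{
    char buf[NAME_BUF_SIZE];
    bool fit = format_literal_name(literal, buf, sizeof buf);
    *truncated = !fit;
    return strlen(buf);
}

/* Self-check with a constructed input one byte larger than the scratch
   buffer, the kind of input the fuzzer produced. Returns true when the
   bounded formatter confined the write to NAME_BUF_SIZE - 1 characters
   and flagged the truncation. */
bool oversized_literal_is_confined(void)
{
    static char big[NAME_BUF_SIZE + 1];   /* constructed sample literal */
    memset(big, 'A', NAME_BUF_SIZE);
    big[NAME_BUF_SIZE] = '\0';

    bool truncated;
    size_t n = name_into_stack_buffer(big, &truncated);
    return truncated && n == NAME_BUF_SIZE - 1;
}

/* Self-check with an ordinary identifier: no truncation, quotes included
   in the produced length ('WS-COUNTER' is 12 bytes). */
bool short_literal_fits(void)
{
    bool truncated;
    size_t n = name_into_stack_buffer("WS-COUNTER", &truncated);
    return !truncated && n == 12;
}

int main(void)
{
    printf("oversized literal confined: %s\n",
           oversized_literal_is_confined() ? "yes" : "no");
    printf("short literal fits: %s\n",
           short_literal_fits() ? "yes" : "no");
    return 0;
}
```

The point of returning a truncation flag rather than silently cutting the name is that the caller can turn an overlong literal into a diagnostic (as cobc does with its "literal length exceeds 8191 characters" error) instead of passing a half-formed name downstream; a stack protector or AddressSanitizer only catches the overrun after it has happened, whereas the bounded write prevents it.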