Version
gnuplot 5.2.rc1
PoC (also in the attachment)
unset size
set ttics ""
$ gnuplot poc
set ttics ""
Segmentation fault (core dumped)
GDB backtrace
#0 print_line_with_error (t_num=t_num@entry=0x8485960) at util.c:1056
#1 0x083d1138 in int_error (t_num=0x8485960, str=0x83fed0a "increment must be positive") at util.c:1137
#2 0x082a8d60 in load_tic_series (this_axis=0x8477160 <THETA_AXIS>) at set.c:6150
#3 load_tics (this_axis=<optimized out>) at set.c:6009
#4 set_tic_prop (this_axis=0x8477160 <THETA_AXIS>) at set.c:5697
#5 0x082b4716 in set_command () at set.c:562
#6 0x0807c8f0 in command () at command.c:633
#7 do_line () at command.c:423
#8 0x081c90dc in load_file (fp=0x84880b0, name=0x8487fb0 "poc", calltype=0x4) at misc.c:410
#9 0x0804cf36 in main (argc=0x1, argv=0xbffff138) at plot.c:653
#10 0xb7daa637 in __libc_start_main (main=0x804b170 <main>, argc=0x2, argv=0xbffff134,
init=0x83f2320 <__libc_csu_init>, fini=0x83f2380 <__libc_csu_fini>,
rtld_fini=0xb7fea780 <_dl_fini>, stack_end=0xbffff12c) at ../csu/libc-start.c:291
#11 0x0804d44d in _start ()
Crash in Win x64/x32 as well.
(2418.1658): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\gnuplot22\bin\wgnuplot.exe
eax=0d96c180 ebx=abbf8a70 ecx=00000100 edx=00000000 esi=0d96ac00 edi=00000000
eip=00479e32 esp=0083f9e0 ebp=00000020 iopl=0 ov up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010a82
wgnuplot+0x79e32:
00479e32 8b441820 mov eax,dword ptr [eax+ebx+20h] ds:002b:b9564c10=????????
0:000> k
# ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0083fa08 0047a685 wgnuplot+0x79e32
01 0083fa0c 77b01ba7 wgnuplot+0x7a685
02 0083fb78 004b0f3a ntdll!RtlpFreeHeap+0xd87
03 00000000 00000000 wgnuplot+0xb0f3a
Diff:
Thank you. The trace was helpful, and points to an uninitialized variable in load_tic_series().
This doesn't seem to cause a fault on my test system, or fuzz-testing would probably have caught it earlier.
Compiling with -Wuninitialized does flag this one, but it's lost in a sea of false positives.
For -rc2 I will fix this instance and a few others where I'm not 100% sure that the compiler warning is a false positive. Patch attached if you want to confirm the fix.
Fix confirmed.
Nice work, bro.
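The defect pattern behind this crash, as an added C example that is not gnuplot's code: the wild t_num=0x8485960 in frame #1 suggests the uninitialized variable was a token index handed to the error reporter, which then used it to index the token table. The example pairs a model of that flow with a fixed version that initialises the index before any branch plus a bounds-checked reporter; the token table, the names report_error / load_tic_series_buggy / load_tic_series_fixed and the return codes are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed token table standing in for gnuplot's parsed command line. */
#define NUM_TOKENS 3
static const char *tokens[NUM_TOKENS] = { "set", "ttics", "\"\"" };

/* Return codes used in place of gnuplot's longjmp-based int_error(). */
enum { ERR_OK = 0, ERR_AT_TOKEN = 1, ERR_BAD_TOKEN_INDEX = 2 };

/* Hypothetical hardened stand-in for print_line_with_error(): validates the
 * token number before using it as an array index, so a wild value reaching
 * the error path is reported instead of dereferenced. */
static int report_error(int t_num, const char *msg, char *out, size_t outlen)
{
    if (t_num < 0 || t_num >= NUM_TOKENS) {
        snprintf(out, outlen, "%s (token index %d out of range)", msg, t_num);
        return ERR_BAD_TOKEN_INDEX;
    }
    snprintf(out, outlen, "%s at token '%s'", msg, tokens[t_num]);
    return ERR_AT_TOKEN;
}

/* Model of the defect (an assumption, not gnuplot's code): the token index used
 * on the error path is assigned only when a tic series is parsed. The stale
 * stack content is passed in explicitly so the run is deterministic, not UB. */
static int load_tic_series_buggy(int stale_stack_value, int have_series,
                                 double incr, char *out, size_t outlen)
{
    int tic_token = stale_stack_value;  /* stands in for "uninitialized" */
    if (have_series)
        tic_token = 2;                  /* the only assignment on the original path */
    if (incr <= 0.0)
        return report_error(tic_token, "increment must be positive", out, outlen);
    return ERR_OK;
}

/* Fixed model: the index is initialised from the caller's current token
 * before any branch, so every path hands the reporter a valid value. */
static int load_tic_series_fixed(int c_token, int have_series,
                                 double incr, char *out, size_t outlen)
{
    int tic_token = c_token;
    if (have_series)
        tic_token = 2;
    if (incr <= 0.0)
        return report_error(tic_token, "increment must be positive", out, outlen);
    return ERR_OK;
}
```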