Hello.
I found a heap-buffer-overflow bug in gnuplot. The AddressSanitizer report and gdb backtrace below show the overflowing write happening in xstrftime (src/time.c), reached through f_strftime/f_time while evaluating a strftime() call from a loaded script.
Please confirm.
Thanks.
=================================================================
==27149==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb1f02512 at pc 0x080b76be bp 0xbfbb5178 sp 0xbfbb4d50
WRITE of size 101 at 0xb1f02512 thread T0
#0 0x80b76bd in vsprintf (/home/karas/gnuplot-gnuplot-main/src/gnuplot+0x80b76bd)
#1 0x80b778b in __interceptor_sprintf (/home/karas/gnuplot-gnuplot-main/src/gnuplot+0x80b778b)
#2 0x8584db1 in xstrftime /home/karas/gnuplot-gnuplot-main/src/time.c:589:4
#3 0x858329b in gstrftime /home/karas/gnuplot-gnuplot-main/src/time.c:387:12
#4 0x82da68f in f_strftime /home/karas/gnuplot-gnuplot-main/src/internal.c:1646:14
#5 0x82db039 in f_time /home/karas/gnuplot-gnuplot-main/src/internal.c:1750:6
#6 0x81e1630 in execute_at /home/karas/gnuplot-gnuplot-main/src/eval.c:675:2
#7 0x81e1630 in evaluate_at /home/karas/gnuplot-gnuplot-main/src/eval.c:698
#8 0x8333c46 in const_express /home/karas/gnuplot-gnuplot-main/src/parse.c:169:5
#9 0x8333ea3 in const_string_express /home/karas/gnuplot-gnuplot-main/src/parse.c:153:5
#10 0x85a6cc3 in try_to_get_string /home/karas/gnuplot-gnuplot-main/src/util.c:367:5
#11 0x8432af2 in load_tic_user /home/karas/gnuplot-gnuplot-main/src/set.c:6160:13
#12 0x8432af2 in load_tics /home/karas/gnuplot-gnuplot-main/src/set.c:6122
#13 0x8432af2 in set_tic_prop /home/karas/gnuplot-gnuplot-main/src/set.c:5812
#14 0x83e9fe6 in set_command /home/karas/gnuplot-gnuplot-main/src/set.c:572:6
#15 0x818618a in command /home/karas/gnuplot-gnuplot-main/src/command.c:631:2
#16 0x818618a in do_line /home/karas/gnuplot-gnuplot-main/src/command.c:420
#17 0x82fedb4 in load_file /home/karas/gnuplot-gnuplot-main/src/misc.c:405:10
#18 0x83469c2 in main /home/karas/gnuplot-gnuplot-main/src/plot.c:652:3
#19 0xb606d636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
#20 0x806f21d in _start (/home/karas/gnuplot-gnuplot-main/src/gnuplot+0x806f21d)
0xb1f02512 is located 0 bytes to the right of 98-byte region [0xb1f024b0,0xb1f02512)
allocated by thread T0 here:
#0 0x8113554 in __interceptor_malloc (/home/karas/gnuplot-gnuplot-main/src/gnuplot+0x8113554)
#1 0x81458b2 in gp_alloc /home/karas/gnuplot-gnuplot-main/src/alloc.c:70:6
#2 0x82db039 in f_time /home/karas/gnuplot-gnuplot-main/src/internal.c:1750:6
#3 0x81e1630 in execute_at /home/karas/gnuplot-gnuplot-main/src/eval.c:675:2
#4 0x81e1630 in evaluate_at /home/karas/gnuplot-gnuplot-main/src/eval.c:698
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/karas/gnuplot-gnuplot-main/src/gnuplot+0x80b76bd) in vsprintf
Shadow bytes around the buggy address:
0x363e0450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x363e0460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x363e0470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x363e0480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x363e0490: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
=>0x363e04a0: 00 00[02]fa fa fa fa fa fa fa fa fa 00 00 00 00
0x363e04b0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
0x363e04c0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x363e04d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x363e04e0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
0x363e04f0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27149==ABORTING
(gdb) bt full
#0 __memset_sse2_rep () at ../sysdeps/i386/i686/multiarch/memset-sse2-rep.S:325
No locals.
#1 0x0812ae69 in memset (__len=4294967294, __ch=0, __dest=0x81e51ac) at /usr/include/i386-linux-gnu/bits/string3.h:90
No locals.
#2 xstrftime (str=str@entry=0x81e51ac "", bsz=4294967294, fmt=0x81715bf "%m/%d/%y", tm=0xbfffebd0, usec=0, fulltime=246.74323201179504) at time.c:405
l = 0
incr = 0
s = 0x81e51ac ""
sign_printed = false
#3 0x0812b231 in xstrftime (str=str@entry=0x81e5148 '0' <repeats 94 times>, "420995", bsz=bsz@entry=98, fmt=0x81e5140 " ", fmt@entry=0x81e5138 "%100tH%D ", tm=0xbfffebd0, usec=0.74323201179504395,
fulltime=246.74323201179504) at time.c:565
w = <optimized out>
z = 0
p = 0
l = <optimized out>
incr = <optimized out>
s = 0x81e51ac ""
sign_printed = true
#4 0x0812c650 in gstrftime (s=0x81e5148 '0' <repeats 94 times>, "420995", bsz=98, fmt=0x81e5138 "%100tH%D ", l_clock=1515582246.743232) at time.c:387
tm = {tm_sec = 6, tm_min = 4, tm_hour = 11, tm_mday = 10, tm_mon = 0, tm_year = 2018, tm_wday = 3, tm_yday = 9, tm_isdst = 135577293, tm_gmtoff = 136204600,
tm_zone = 0x9 <error: Cannot access memory at address 0x9>}
usec = <optimized out>
#5 0x0809762f in f_strftime (arg=0x81e2f50) at internal.c:1646
fmt = {type = STRING, v = {int_val = 136204584, cmplx_val = {real = 6.7294005760498316e-316, imag = 0}, string_val = 0x81e5128 "%100tH%D", data_array = 0x81e5128, value_array = 0x81e5128}}
val = {type = CMPLX, v = {int_val = -911240931, cmplx_val = {real = 1515582246.743232, imag = 0}, string_val = 0xc9af911d <error: Cannot access memory at address 0xc9af911d>,
data_array = 0xc9af911d, value_array = 0xc9af911d}}
fmtstr = 0x81e5138 "%100tH%D "
buffer = 0x81e5148 '0' <repeats 94 times>, "420995"
fmtlen = <optimized out>
buflen = 98
length = <optimized out>
#6 0x080978d5 in f_time (arg=0x81e2f50) at internal.c:1750
val = {type = STRING, v = {int_val = 136204568, cmplx_val = {real = 6.7293997855447982e-316, imag = 0}, string_val = 0x81e5118 "%100tH%D", data_array = 0x81e5118, value_array = 0x81e5118}}
val2 = {type = CMPLX, v = {int_val = -911240931, cmplx_val = {real = 1515582246.743232, imag = 0}, string_val = 0xc9af911d <error: Cannot access memory at address 0xc9af911d>,
data_array = 0xc9af911d, value_array = 0xc9af911d}}
time_now = 1515582246.743232
tp = {tv_sec = 1515582246, tv_usec = 743232}
#7 0x0806c7f1 in execute_at (at_ptr=0x81e2f18) at eval.c:675
instruction_index = 2
operator = 120
count = 3
saved_jump_offset = 0
#8 0x0806c8ae in evaluate_at (at_ptr=0x81e2f18, val_ptr=0xbfffedb8) at eval.c:698
No locals.
#9 0x080a9555 in const_express (valptr=0xbfffedb8) at parse.c:169
tkn = 3
#10 0x080a9645 in const_string_express (valptr=0xbfffedb8) at parse.c:153
No locals.
#11 0x08130135 in try_to_get_string () at util.c:367
newstring = 0x0
a = {type = 0, v = {int_val = 136072352, cmplx_val = {real = 6.7228674472017436e-316, imag = 6.7228674472017436e-316}, string_val = 0x81c4ca0 <THETA_AXIS> "",
data_array = 0x81c4ca0 <THETA_AXIS>, value_array = 0x81c4ca0 <THETA_AXIS>}}
save_token = 3
#12 0x080d1b0b in load_tic_user (this_axis=0x81c4ca0 <THETA_AXIS>) at set.c:6160
ticlevel = 0
save_token = 3
ticlabel = <optimized out>
---Type <return> to continue, or q <return> to quit---
ticposition = <optimized out>
#13 load_tics (this_axis=0x81c4ca0 <THETA_AXIS>) at set.c:6122
No locals.
#14 set_tic_prop (this_axis=0x81c4ca0 <THETA_AXIS>) at set.c:5812
axisset = false
mirror_opt = false
match = 1
nocmd = "\001\000\000\000\245\210\025\b\275\340\035\b"
cmdptr = <optimized out>
sfxptr = 0x0
axis = THETA_index
#15 0x080d5526 in set_command () at set.c:572
save_token = 1
#16 0x0805f2ba in command () at command.c:631
No locals.
#17 do_line () at command.c:420
inlptr = <optimized out>
#18 0x0809ca2d in load_file (fp=0x81e3d30, name=0x81e2e08 "xstrftime", calltype=4) at misc.c:405
len = <optimized out>
start = <optimized out>
left = <optimized out>
more = 0
stop = <optimized out>
gpval_lineno = 0x81e26d0
#19 0x0804e47f in main (argc=1, argv=0xbffff068) at plot.c:652
i = <optimized out>
That one is a real bug. Thanks.
Fixed for 5.2 and 5.3.