Version:
gnuplot 5.2 patchlevel 5
Description:
Arbitrarily long font names are copied into a fixed-size global buffer when
initializing the pngcairo terminal.
Because the length of the font name is not checked, an attacker could use this
flaw to overwrite adjacent data and hijack control flow.
Steps to reproduce (payload is attached):
gnuplot <payload>
ASAN-Report:
-------- STDERR --------
=================================================================
==11541==ERROR: AddressSanitizer: global-buffer-overflow on address 0x557d5c558b88 at pc 0x7f506283679f bp 0x7ffd6d11c4b0 sp 0x7ffd6d11bc58
WRITE of size 89 at 0x557d5c558b88 thread T0
    #0 0x7f506283679e in __interceptor_strncpy /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cc:436
    #1 0x557d5c3b3373 in cairotrm_options ../term/cairo.trm:299
    #2 0x557d5c2d46df in set_terminal /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/set.c:4948
    #3 0x557d5c2a8d25 in set_command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/set.c:466
    #4 0x557d5c11c60d in command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:629
    #5 0x557d5c11b4fe in do_line /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:419
    #6 0x557d5c20cf22 in load_file /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/misc.c:447
    #7 0x557d5c23bde7 in main /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot.c:654
    #8 0x7f505fab3222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #9 0x557d5c0f00ed in _start (/home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/gnuplot+0xf20ed)

0x557d5c558b88 is located 0 bytes to the right of global variable 'cairopng_params' defined in '../term/cairo.trm:157:23' (0x557d5c558b00) of size 136
0x557d5c558b88 is located 56 bytes to the left of global variable 'cairo_epslatex_params' defined in '../term/cairo.trm:165:20' (0x557d5c558bc0) of size 160
SUMMARY: AddressSanitizer: global-buffer-overflow /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cc:436 in __interceptor_strncpy
Shadow bytes around the buggy address:
  0x0ab02b8a3120: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0ab02b8a3130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab02b8a3140: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ab02b8a3150: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0ab02b8a3160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ab02b8a3170: 00[f9]f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ab02b8a3180: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0ab02b8a3190: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ab02b8a31a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab02b8a31b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab02b8a31c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11541==ABORTING
-------- STDOUT --------
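The defect class behind the strncpy frame above, as an added C illustration that is not gnuplot's cairo.trm code: a copy whose bound comes from the attacker-controlled source length, beside a replacement that bounds the copy by the destination, refuses names that do not fit, and always NUL-terminates. The struct, the FONTNAME_MAX size and the function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a terminal option block: a fixed-size font name
 * field followed by other state. Illustrative only, not gnuplot's struct. */
#define FONTNAME_MAX 32

struct term_params {
    char fontname[FONTNAME_MAX];
    int  fontsize;   /* adjacent state that an overrun of fontname would clobber */
};

/* Bug pattern: the third argument of strncpy is derived from the SOURCE, so
 * every byte of an over-long name is written into the fixed-size destination
 * (and no terminating NUL is guaranteed either). Shown for contrast only. */
void set_fontname_unchecked(struct term_params *p, const char *name)
{
    strncpy(p->fontname, name, strlen(name));   /* wrong bound: dst size ignored */
}

/* Hardened form: check against the destination size before copying, reject
 * names that would not fit (leaving *p untouched) and keep the terminator.
 * Returns 0 on success, -1 when the name is too long. */
int set_fontname_checked(struct term_params *p, const char *name)
{
    size_t len = strlen(name);
    if (len >= sizeof p->fontname)
        return -1;                        /* caller reports an error instead */
    memcpy(p->fontname, name, len + 1);   /* len < sizeof, so the NUL fits */
    return 0;
}

int main(void)
{
    struct term_params p = { "Sans", 12 };
    char longname[200];                   /* constructed over-long font name */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("5-byte name:   %s\n", set_fontname_checked(&p, "Arial") == 0 ? "accepted" : "rejected");
    printf("199-byte name: %s (fontname still \"%s\", fontsize still %d)\n",
           set_fontname_checked(&p, longname) == 0 ? "accepted" : "rejected",
           p.fontname, p.fontsize);
    return 0;
}
```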
Credits:
Tim Blazytko
Cornelius Aschermann
Sergej Schumilo
Nils Bars
Diff:
Fixed in 5.2 (cairo.trm code in 5.3 has changed)
Same code pattern appears in metapost.trm and tgif.trm (fixed in 5.2 and 5.3)