Version:
gnuplot 5.2 patchlevel 5
Description:
Out-of-bounds read caused by a strlen call on a non-null-terminated string.
Steps to reproduce (payload is attached):
gnuplot <payload>
ASAN-Report:
-------- STDERR --------
=================================================================
==15138==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5645a3359080 at pc 0x7fc6fdf61681 bp 0x7ffce238f7f0 sp 0x7ffce238ef98
READ of size 33 at 0x5645a3359080 thread T0
#0 0x7fc6fdf61680 in __interceptor_strlen /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:301
#1 0x5645a31377bc in CGM_options ../term/cgm.trm:459
#2 0x5645a30d86df in set_terminal /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/set.c:4948
#3 0x5645a30acd25 in set_command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/set.c:466
#4 0x5645a2f2060d in command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:629
#5 0x5645a2f1f4fe in do_line /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:419
#6 0x5645a3010f22 in load_file /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/misc.c:447
#7 0x5645a303fde7 in main /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot.c:654
#8 0x7fc6fb193222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
#9 0x5645a2ef40ed in _start (/home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/gnuplot+0xf20ed)
0x5645a3359080 is located 0 bytes to the right of global variable 'cgm_font' defined in '../term/cgm.trm:269:13' (0x5645a3359060) of size 32
0x5645a3359080 is located 32 bytes to the left of global variable 'cgm_fontsize' defined in '../term/cgm.trm:270:21' (0x5645a33590a0) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:301 in __interceptor_strlen
Shadow bytes around the buggy address:
==15138==ABORTING
-------- STDOUT --------
Credits:
Tim Blazytko
Cornelius Aschermann
Sergej Schumilo
Nils Bars
Diff:
Fixed in 5.2 and 5.3.
The same code pattern exists in context.trm and emf.trm.
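As an added illustration that is not part of this ticket or of gnuplot's source: the report shows strlen reading 33 bytes from the 32-byte global cgm_font, the usual result of copying a name into a fixed-size buffer without guaranteeing a terminator. The hypothetical set_font_unsafe and set_font_safe functions below contrast that pattern with a bounded copy that always terminates, and is_terminated uses memchr so the check itself never reads past the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Size of the 'cgm_font' global named in the ASAN report (32 bytes). */
#define CGM_FONT_LEN 32

/* Hypothetical unsafe pattern (not gnuplot's actual code): strncpy writes
 * no terminator when the source fills the whole buffer, so a later
 * strlen(dst) runs off the end, which is the 33-byte read ASAN flagged. */
static void set_font_unsafe(char *dst, size_t size, const char *src)
{
    strncpy(dst, src, size);
}

/* Hardened form: always leaves a terminator, truncating long input.
 * Returns false when truncation happened so the caller can warn. */
static bool set_font_safe(char *dst, size_t size, const char *src)
{
    size_t n = strlen(src);
    bool fits = n < size;
    if (!fits)
        n = size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return fits;
}

/* Bounded check: memchr stops at 'size', unlike strlen, so asking
 * whether a buffer is terminated at all is itself memory-safe. */
static bool is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Constructed input: a font name exactly as long as the buffer (32 chars). */
static const char LONG_FONT[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef";

/* 1 if the unsafe copy left a terminator inside the buffer, 0 otherwise. */
int unsafe_copy_terminated(void)
{
    char font[CGM_FONT_LEN];
    set_font_unsafe(font, sizeof font, LONG_FONT);
    return is_terminated(font, sizeof font);
}

/* Length of the name after the safe copy: 31, truncated by one byte. */
size_t safe_copy_length(void)
{
    char font[CGM_FONT_LEN];
    set_font_safe(font, sizeof font, LONG_FONT);
    return is_terminated(font, sizeof font) ? strlen(font) : (size_t)-1;
}
```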