
#2093 Buffer overflow in plot range option

Milestone: None
Status: closed-fixed
Owner: nobody
Labels: None
Updated: 2019-01-02
Created: 2018-11-19
Creator: Nils Bars
Private: No

Version:
gnuplot 5.2 patchlevel 5

Description:
Using a long string as the right bound of the range option passed to the plot function causes
a heap overflow due to missing size checks.

As the length of the range value is unconstrained, an attacker might use this
flaw to overflow important data to hijack the control flow.

Steps to reproduce (payload is attached):

gnuplot <payload>

ASAN-Report:

-------- STDERR --------
"/tmp/tmpz6ejmz84/b66d324c5eec5516", line 2: warning: Cannot find or open file ""
=================================================================
==18181==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000620 at pc 0x7f52942961d3 bp 0x7fff4f14b9f0 sp 0x7fff4f14b180
WRITE of size 236 at 0x60e000000620 thread T0
    #0 0x7f52942961d2 in __interceptor_vsprintf /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1522
    #1 0x7f529429655f in __interceptor_sprintf /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1553
    #2 0x55ea8e962b7a in df_generate_ascii_array_entry /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/datafile.c:5626
    #3 0x55ea8e943b41 in df_gets /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/datafile.c:612
    #4 0x55ea8e94d9d2 in df_readascii /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/datafile.c:1823
    #5 0x55ea8e94a6cb in df_readline /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/datafile.c:1792
    #6 0x55ea8ea5ae09 in get_data /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot2d.c:654
    #7 0x55ea8ea72ef5 in eval_plots /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot2d.c:2783
    #8 0x55ea8ea52048 in plotrequest /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot2d.c:301
    #9 0x55ea8e935106 in plot_command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:1849
    #10 0x55ea8e93060d in command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:629
    #11 0x55ea8e92f4fe in do_line /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:419
    #12 0x55ea8ea20f22 in load_file /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/misc.c:447
    #13 0x55ea8ea4fde7 in main /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot.c:654
    #14 0x7f5291514222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #15 0x55ea8e9040ed in _start (/home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/gnuplot+0xf20ed)

0x60e000000620 is located 0 bytes to the right of 160-byte region [0x60e000000580,0x60e000000620)
allocated by thread T0 here:
    #0 0x7f5294339019 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:86
    #1 0x55ea8e9041eb in gp_alloc /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/alloc.c:74
    #2 0x55ea8e943a13 in df_init /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/datafile.c:592
    #3 0x55ea8ebee49d in reset_command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/unset.c:2010
    #4 0x55ea8ea4ff12 in init_session /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot.c:749
    #5 0x55ea8ea4f6ec in main /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot.c:514
    #6 0x7f5291514222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)

SUMMARY: AddressSanitizer: heap-buffer-overflow /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1522 in __interceptor_vsprintf
Shadow bytes around the buggy address:
==18181==ABORTING
-------- STDOUT --------

Credits:
Tim Blazytko
Cornelius Aschermann
Sergej Schumilo
Nils Bars

1 Attachments

Discussion

  • Nils Bars

    Nils Bars - 2018-11-19
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -82,3 +82,9 @@
     ==18181==ABORTING
     -------- STDOUT --------
     ~~~
    +
    +Credits:
    +Tim Blazytko
    +Cornelius Aschermann
    +Sergej Schumilo
    +Nils Bars
    
  • Ethan Merritt

    Ethan Merritt - 2018-11-20
    • status: open --> pending-fixed
     
  • Ethan Merritt

    Ethan Merritt - 2018-11-20

    fixed in 5.2 and 5.3

     
  • Ethan Merritt

    Ethan Merritt - 2019-01-02
    • Status: pending-fixed --> closed-fixed
     
