Version:
gnuplot 5.2 patchlevel 5
Description:
The postscript terminal does not check the length of the font name given to
"set terminal postscript ... font" before PS_options (term/post.trm:1197)
copies it with sprintf() into the fixed-size global PS_default_font
(51 bytes, declared at term/post.trm:438). A longer font name writes past
the end of that array into whatever the linker placed after it; in the
ASan build below the 54-byte write overruns the array by 3 bytes, landing
in the redzone that precedes SVG_emit_doctype.
As the length of the font name is unconstrained, an attacker who can get a
crafted script loaded into gnuplot might use this flaw to overwrite global
data that follows PS_default_font and possibly from there hijack the
control flow. What is reachable depends on the data layout of the
particular binary, and in a build without AddressSanitizer the overflow
can go unnoticed.
Steps to reproduce (payload is attached):
gnuplot <payload>
ASAN-Report:
-------- STDERR --------
se t"po 8lc!,r22222"po 'l=d,022222222\setlength{\parindent}{0bp}%%lc"!,�222>22>2?F=~'
^
"/tmp/tmpz6ejmz84/bcd775ea23d960c5", line 1: warning: Illegal characters in PostScript font name.
"/tmp/tmpz6ejmz84/bcd775ea23d960c5", line 1: warning: I will try to fix it but this may not work.
=================================================================
==17094==ERROR: AddressSanitizer: global-buffer-overflow on address 0x564323340a33 at pc 0x7f6fb59521d3 bp 0x7ffe8fb0d5e0 sp 0x7ffe8fb0cd70
WRITE of size 54 at 0x564323340a33 thread T0
    #0 0x7f6fb59521d2 in __interceptor_vsprintf /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1522
    #1 0x7f6fb595255f in __interceptor_sprintf /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1553
    #2 0x564323159b98 in PS_options ../term/post.trm:1197
    #3 0x5643230be6df in set_terminal /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/set.c:4948
    #4 0x564323092d25 in set_command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/set.c:466
    #5 0x564322f0660d in command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:629
    #6 0x564322f054fe in do_line /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:419
    #7 0x564322ff6f22 in load_file /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/misc.c:447
    #8 0x564323025de7 in main /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot.c:654
    #9 0x7f6fb2bd0222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #10 0x564322eda0ed in _start (/home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/gnuplot+0xf20ed)

0x564323340a33 is located 0 bytes to the right of global variable 'PS_default_font' defined in '../term/post.trm:438:13' (0x564323340a00) of size 51
0x564323340a33 is located 45 bytes to the left of global variable 'SVG_emit_doctype' defined in '../term/svg.trm:140:17' (0x564323340a60) of size 1
SUMMARY: AddressSanitizer: global-buffer-overflow /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1522 in __interceptor_vsprintf
Shadow bytes around the buggy address:
  0x0ac8e46600f0: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0ac8e4660100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac8e4660110: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ac8e4660120: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0ac8e4660130: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
=>0x0ac8e4660140: 00 00 00 00 00 00[03]f9 f9 f9 f9 f9 01 f9 f9 f9
  0x0ac8e4660150: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0ac8e4660160: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0ac8e4660170: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0ac8e4660180: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ac8e4660190: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17094==ABORTING
-------- STDOUT --------
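The bug class behind the report above, as an added illustration that is not gnuplot's code: a fixed-size global receives a caller-controlled font name, once through an unbounded sprintf() as in frame #2 of the trace, and once through a length check that refuses names that do not fit. The 51-byte buffer size is taken from the ASan report; the variable and function names, the "%s" format string and the surrounding logic are assumptions for the illustration.

```c
/*
 * Added illustration, not gnuplot's code: the sprintf-into-fixed-global
 * pattern behind the PS_options report, next to a bounds-checked version.
 * FONT_BUF_SIZE is the 51 bytes ASan reports for PS_default_font; the
 * names, the "%s" format and the control flow are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define FONT_BUF_SIZE 51

/* Stand-in for the global PS_default_font (assumed name and usage). */
static char default_font[FONT_BUF_SIZE] = "Helvetica";

/* Vulnerable shape: no bound, so strlen(name)+1 bytes are written
 * regardless of the array size. A 53-character name writes 54 bytes,
 * the exact WRITE size in the ASan report. Kept for comparison only;
 * never call it with an unchecked name. */
static void set_font_unbounded(const char *name)
{
    sprintf(default_font, "%s", name);
}

/* Pure check, no write: does the name fit, including the NUL? */
static int font_name_fits(const char *name)
{
    return strlen(name) + 1 <= sizeof default_font;
}

/* Hardened shape: refuse names that do not fit and leave the global
 * untouched; the copy itself is bounded as a second line of defence.
 * Returns 0 on success, -1 when the name is too long. */
static int set_font_checked(const char *name)
{
    if (!font_name_fits(name))
        return -1;
    snprintf(default_font, sizeof default_font, "%s", name);
    return 0;
}

static const char *current_font(void)
{
    return default_font;
}

/* Helper: build a constructed name of n 'A's (n < 64) and try to
 * install it through the checked path. Returns set_font_checked()'s
 * result, or -2 if n is too large for the local scratch buffer. */
static int try_font_of_length(size_t n)
{
    char name[64];
    if (n >= sizeof name)
        return -2;
    memset(name, 'A', n);
    name[n] = '\0';
    return set_font_checked(name);
}

int main(void)
{
    set_font_unbounded("Helvetica,14");          /* fits: 13 bytes */
    printf("unbounded, short name: %s\n", current_font());

    printf("50 chars: %d (fits, 51 bytes with NUL)\n", try_font_of_length(50));
    printf("53 chars: %d (rejected; unbounded would be the 54-byte write)\n",
           try_font_of_length(53));
    printf("after rejection the global still holds: %s\n", current_font());
    /* set_font_unbounded() with the 53-char name is the reported overflow. */
    return 0;
}
```

The check counts the terminating NUL, which is the byte that most often ends up one past the array in this pattern; rejecting before the copy, rather than truncating with snprintf() alone, keeps the global in a known state and lets the caller emit a "font name too long" error instead of silently using a cut-off name.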
Credits:
Tim Blazytko
Cornelius Aschermann
Sergej Schumilo
Nils Bars
Diff:
fixed in 5.2 and 5.3