[Gptfdisk-general] Malformed partition image causes stack buffer overflow
From: Hanno B. <ha...@hb...> - 2017-01-16 16:11:01
Hi,

The attached file causes a stack buffer overflow in gdisk. This can be seen by compiling gdisk with the memory safety feature AddressSanitizer:

    make CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"

There's a buffer overflow of 8 bytes in the function BasicMBRData::ReadLogicalParts.

This was found with the fuzzing tool american fuzzy lop.

Here's the full stack trace from AddressSanitizer:

    ==7508==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc8e455cd8 at pc 0x00000040fab8 bp 0x7ffc8e455a60 sp 0x7ffc8e455a58
    WRITE of size 8 at 0x7ffc8e455cd8 thread T0
        #0 0x40fab7 in BasicMBRData::ReadLogicalParts(unsigned long, int) /f/gdisk/gptfdisk-code/basicmbr.cc:264
        #1 0x40f3cf in BasicMBRData::ReadMBRData(DiskIO*, int) /f/gdisk/gptfdisk-code/basicmbr.cc:200
        #2 0x424538 in GPTData::PartitionScan() /f/gdisk/gptfdisk-code/gpt.cc:701
        #3 0x424e20 in GPTData::LoadPartitions(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /f/gdisk/gptfdisk-code/gpt.cc:766
        #4 0x43d7b0 in main /f/gdisk/gptfdisk-code/gdisk.cc:57
        #5 0x7f386c18878f in __libc_start_main (/lib64/libc.so.6+0x2078f)
        #6 0x403178 in _start (/f/gdisk/gptfdisk-code/gdisk+0x403178)

    Address 0x7ffc8e455cd8 is located in stack of thread T0 at offset 552 in frame
        #0 0x40f901 in BasicMBRData::ReadLogicalParts(unsigned long, int) /f/gdisk/gptfdisk-code/basicmbr.cc:247

      This frame has 2 object(s):
        [32, 544) 'ebr' <== Memory access at offset 552 overflows this variable
        [576, 1600) 'EbrLocations'
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /f/gdisk/gptfdisk-code/basicmbr.cc:264 in BasicMBRData::ReadLogicalParts(unsigned long, int)

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hb...
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
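The trace above shows the classic shape of this bug class: a fixed-size on-stack buffer (`ebr`, one 512-byte sector) and a fixed-size location table (`EbrLocations`) being filled while walking a partition chain that the input file controls. The following is an added, self-contained example written for this page; it is not gdisk's code and makes no claim about how `ReadLogicalParts` is implemented. It walks an MBR extended-partition / EBR chain over a constructed in-memory image using only the documented on-disk layout (16-byte partition entries at offset 446, `0x55 0xAA` signature at offset 510, logical-partition start relative to its own EBR, next-EBR link relative to the extended partition start). The table capacity `MAX_EBRS` is an assumption chosen to mirror a fixed-size table. Every write into the table and the output array is preceded by a bounds check, and chains that loop, exceed the capacity, or point outside the extended partition (or the image) are rejected instead of being followed, which is the property a fuzzer-found overflow like this one asks a parser to enforce.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical EBR chain walker (not gdisk's code). */
#define SECTOR_SIZE 512
#define MAX_EBRS 128          /* capacity of the on-stack location table (assumption) */
#define PART_TABLE_OFF 446    /* partition table offset inside an MBR/EBR sector */
#define SIG_OFF 510           /* 0x55 0xAA boot signature */

typedef struct { uint64_t start; uint64_t length; uint8_t type; } Logical;

/* In-memory "disk" image of nsectors * SECTOR_SIZE bytes. */
typedef struct { const uint8_t *data; size_t nsectors; } Disk;

static int read_sector(const Disk *d, uint64_t lba, uint8_t *out) {
    if (lba >= d->nsectors) return -1;            /* never read past the image */
    memcpy(out, d->data + lba * SECTOR_SIZE, SECTOR_SIZE);
    return 0;
}

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int is_extended(uint8_t type) { return type == 0x05 || type == 0x0f || type == 0x85; }

/* Walks the EBR chain that starts at ext_start. Returns the number of logical
 * partitions found, or -1 for a chain that is too long, loops, or escapes
 * the extended partition. Each array write is bounds-checked first. */
int read_logical_parts(const Disk *d, uint64_t ext_start, uint64_t ext_len, Logical *out, size_t cap) {
    uint8_t ebr[SECTOR_SIZE];
    uint64_t ebr_locations[MAX_EBRS];
    size_t n_ebr = 0, n_log = 0;
    uint64_t cur = ext_start;

    for (;;) {
        if (n_ebr >= MAX_EBRS) return -1;                              /* table full */
        if (cur < ext_start || cur - ext_start >= ext_len) return -1;  /* outside extended partition */
        for (size_t i = 0; i < n_ebr; i++)
            if (ebr_locations[i] == cur) return -1;                    /* chain loops back */
        if (read_sector(d, cur, ebr) != 0) return -1;
        if (ebr[SIG_OFF] != 0x55 || ebr[SIG_OFF + 1] != 0xAA) return -1;
        ebr_locations[n_ebr++] = cur;

        const uint8_t *e0 = ebr + PART_TABLE_OFF;   /* entry 0: the logical partition */
        const uint8_t *e1 = e0 + 16;                /* entry 1: link to the next EBR */
        if (e0[4] != 0) {
            if (n_log >= cap) return -1;
            out[n_log].type = e0[4];
            out[n_log].start = cur + le32(e0 + 8);  /* relative to this EBR */
            out[n_log].length = le32(e0 + 12);
            n_log++;
        }
        if (e1[4] == 0) return (int)n_log;          /* end of chain */
        cur = ext_start + le32(e1 + 8);             /* relative to the extended partition */
    }
}

/* Reads the MBR, finds the first extended entry and walks its chain. */
int parse_image(const uint8_t *img, size_t nsectors, Logical *out, size_t cap) {
    Disk d = { img, nsectors };
    uint8_t mbr[SECTOR_SIZE];
    if (read_sector(&d, 0, mbr) != 0) return -1;
    if (mbr[SIG_OFF] != 0x55 || mbr[SIG_OFF + 1] != 0xAA) return -1;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + PART_TABLE_OFF + 16 * i;
        if (is_extended(e[4]))
            return read_logical_parts(&d, le32(e + 8), le32(e + 12), out, cap);
    }
    return 0;                                       /* no extended partition */
}

/* --- constructed sample images (CHS fields left zero) --- */
static void put_entry(uint8_t *sec, int idx, uint8_t type, uint32_t start, uint32_t len) {
    uint8_t *e = sec + PART_TABLE_OFF + 16 * idx;
    e[4] = type;
    for (int i = 0; i < 4; i++) { e[8 + i] = (uint8_t)(start >> (8 * i)); e[12 + i] = (uint8_t)(len >> (8 * i)); }
}
static void sign(uint8_t *sec) { sec[SIG_OFF] = 0x55; sec[SIG_OFF + 1] = 0xAA; }

#define IMG_SECTORS 8
/* MBR -> extended partition at LBA 2 (6 sectors) -> EBR@2 -> EBR@4.
 * If has_link is set, EBR@4 links onward to ext_start + link (malformed cases). */
static void build_image(uint8_t *img, int has_link, uint32_t link) {
    memset(img, 0, IMG_SECTORS * SECTOR_SIZE);
    uint8_t *mbr = img, *ebr1 = img + 2 * SECTOR_SIZE, *ebr2 = img + 4 * SECTOR_SIZE;
    put_entry(mbr, 0, 0x05, 2, 6); sign(mbr);
    put_entry(ebr1, 0, 0x83, 1, 1);               /* logical at LBA 3 */
    put_entry(ebr1, 1, 0x05, 2, 2);               /* next EBR at LBA 2 + 2 = 4 */
    sign(ebr1);
    put_entry(ebr2, 0, 0x83, 1, 1);               /* logical at LBA 5 */
    if (has_link) put_entry(ebr2, 1, 0x05, link, 1);
    sign(ebr2);
}

int demo_well_formed(void)  { uint8_t img[IMG_SECTORS * SECTOR_SIZE]; Logical l[4]; build_image(img, 0, 0);   return parse_image(img, IMG_SECTORS, l, 4); }
int demo_loop(void)         { uint8_t img[IMG_SECTORS * SECTOR_SIZE]; Logical l[4]; build_image(img, 1, 0);   return parse_image(img, IMG_SECTORS, l, 4); }  /* links back to EBR@2 */
int demo_out_of_range(void) { uint8_t img[IMG_SECTORS * SECTOR_SIZE]; Logical l[4]; build_image(img, 1, 100); return parse_image(img, IMG_SECTORS, l, 4); }  /* link leaves the extended partition */

int main(void) {
    printf("well-formed: %d logicals, loop: %d, out-of-range: %d\n",
           demo_well_formed(), demo_loop(), demo_out_of_range());
    return 0;
}
```

Compiling this with the same `-fsanitize=address` flags quoted in the report is a cheap regression check for any parser of this kind: with the three guards in place the sanitizer stays silent on the looping and out-of-range images, and removing the `n_ebr >= MAX_EBRS` check while feeding a 129-EBR chain is exactly the condition a fuzzer will find on its own.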