
#28 fig2dev: buffer underwrite in get_line() in version 3.2.7a

Status: closed
Owner: nobody
Labels: None
Updated: 2019-10-30
Created: 2018-08-22
Creator: Ace Team
Private: No

Hello Team,

This ticket is regarding #882022. According to the email thread, the issue looks to be fixed in 3.2.7.

But as per our research, the vulnerability is not fixed yet in the latest version of fig2dev 3.2.7a as we are still able to reproduce it.

In the get_line() function, when the value of the 'len' variable is less than 2, it then attempts to write prior to the buffer. We have observed that this vulnerability has been fixed in the function read_objects() by adding a check if (len > 1 && buf[len-2] == '\r').
We believe that applying the same condition may fix the issue in get_line() as well.

Debugging:

Breakpoint 1 at 0x812ad: file read.c, line 1470.
The program is not being run.
Starting program: /home/ethan/Desktop/fig2dev-3.2.7a_debian/fig2dev/fig2dev -L tikz ~/Desktop/overflow_218
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, get_line (fp=0x616000000080) at read.c:1470
1470                if (buf[len-2] == '\r')
len = 1
1465                if (save_comment() < 0)
1466                    return -1;
1467            } else if (*buf != '\n') {      /* Skip empty lines */
1468                len = strlen(buf);
1469                buf[len-1] = '\0';      /* strip trailing newline */
1470                if (buf[len-2] == '\r')
1471                    buf[len-2] = '\0';  /* strip trailing CRs */
1472                return 1;
1473            }
1474        }
Continuing.
[Inferior 1 (process 5867) exited with code 01]

Please do confirm if you are able to reproduce the issue with this - Reproducer
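
As an added illustration, not fig2dev's own code, the line-end stripping from read.c lines 1469-1471 with the len > 1 guard the report proposes, run over a constructed input whose last line is a lone '0' without a trailing newline, the case that makes len == 1. next_line() is a hypothetical stand-in for fgets() over an in-memory string; SAMPLE_INPUT is constructed.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed input: the last line is a lone '0' with no newline, so strlen(buf) == 1. */
static const char SAMPLE_INPUT[] = "#FIG 3.2\r\n1200 2\n0";

/* Hypothetical stand-in for fgets() over an in-memory string: copies one line,
 * including its '\n' or the unterminated tail at EOF, into buf and advances *cursor. */
static bool next_line(const char **cursor, char *buf, size_t size) {
    const char *p = *cursor;
    size_t n = 0;
    if (*p == '\0')
        return false;
    while (*p != '\0' && n < size - 1) {
        buf[n++] = *p;
        if (*p++ == '\n')
            break;
    }
    buf[n] = '\0';
    *cursor = p;
    return true;
}

/* Line-end stripping as in get_line() (read.c:1469-1471) plus the `len > 1` guard
 * from read_objects(). Without it, len == 1 makes buf[len-2] address buf[-1]: a
 * read before the buffer, and a write before it if that byte happens to be '\r'. */
size_t strip_line_end(char *buf) {
    size_t len = strlen(buf);
    if (len == 0)
        return 0;
    buf[len - 1] = '\0';                 /* strip last char (the newline), unconditionally as in the original */
    if (len > 1 && buf[len - 2] == '\r') /* buf[len-2] exists only when len > 1 */
        buf[len - 2] = '\0';             /* strip trailing CR */
    return strlen(buf);
}

/* Walks the input like get_line() does and returns how many non-empty lines
 * would have made the unguarded check index before the buffer. */
int count_underflowing_lines(const char *input) {
    char buf[64];
    int underflows = 0;
    while (next_line(&input, buf, sizeof buf)) {
        if (*buf == '\n')                /* get_line() skips empty lines */
            continue;
        if (strlen(buf) < 2)             /* len - 2 would point before buf here */
            underflows++;
        strip_line_end(buf);
    }
    return underflows;
}
```

Building fig2dev itself with CFLAGS="-fsanitize=address", as the discussion below notes, is what turns the silent out-of-bounds access into a reported crash.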

Discussion

  • tkl

    tkl - 2018-08-22

    With the provided input file, fig2dev terminates with exit code 1, no seg fault.

    I believe the only way to set len to a value smaller than 2, i.e., 1, is by reading in a single character in the last line, before EOF. The provided file ends with \n 0, hence this vulnerability could be triggered. The fix, as suggested, should be applied. It is strange that I cannot reproduce the issue.

  • tkl

    tkl - 2018-08-25

    As per the discussion in ticket #28, the issue can be reproduced with CFLAGS="-fsanitize=address" enabled. This issue is fixed in commit e0c4b02.

  • tkl

    tkl - 2018-08-25
    • status: open --> pending
  • tkl

    tkl - 2019-10-30
  • tkl

    tkl - 2019-10-30

    Fixed with release 3.2.7b.

  • tkl

    tkl - 2019-10-30
    • status: pending --> closed