When opening a crafted file, the program can trigger an out-of-bounds read.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7fc06d0 --> 0x7ffff761c14c --> 0x2000200020002
RBX: 0x611720 (" this is a comment(\220\216\363rbose=true")
RCX: 0x1d
RDX: 0x23 ('#')
RSI: 0x3
RDI: 0x60ce80 --> 0x0
RBP: 0x60ce80 --> 0x0
RSP: 0x7fffffffdce0 --> 0x0
RIP: 0x4054b7 (<qend+71>: movsx rbp,BYTE PTR [rbx+r13*1])
R8 : 0x1
R9 : 0x3
R10: 0x7fffffffdaa0 --> 0x0
R11: 0x7ffff7a41110 (<__ctype_b_loc>: mov rax,QWORD PTR [rip+0x391ce9] # 0x7ffff7dd2e00)
R12: 0x20 (' ')
R13: 0x20 (' ')
R14: 0x611700 --> 0x60d6a0 --> 0x60d460 --> 0xfbad2498
R15: 0x60d6a0 --> 0x60d460 --> 0xfbad2498
EFLAGS: 0x203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x4054a9 <qend+57>: jbe 0x405535 <qend+197>
0x4054af <qend+63>: mov r13d,r12d
0x4054b2 <qend+66>: call 0x4012f0 <__ctype_b_loc@plt>
=> 0x4054b7 <qend+71>: movsx rbp,BYTE PTR [rbx+r13*1]
0x4054bc <qend+76>: mov rsi,QWORD PTR [rax]
0x4054bf <qend+79>: jmp 0x4054ce <qend+94>
0x4054c1 <qend+81>: nop DWORD PTR [rax+0x0]
0x4054c8 <qend+88>: cmp r13d,0x1
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdce0 --> 0x0
0008| 0x7fffffffdce8 --> 0x47 ('G')
0016| 0x7fffffffdcf0 --> 0x60ce80 --> 0x0
0024| 0x7fffffffdcf8 --> 0x60d712 --> 0x72657672657300 ('')
0032| 0x7fffffffdd00 --> 0x60d711 --> 0x726576726573000a ('\n')
0040| 0x7fffffffdd08 --> 0x405fef (<cfg_yylex+447>: add rsp,0x38)
0048| 0x7fffffffdd10 --> 0x4010
0056| 0x7fffffffdd18 --> 0x60d460 --> 0xfbad2498
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x00000000004054b7 in trim_whitespace (len=0x20, str=0x611720 " this is a comment(\220\216\363rbose=true") at lexer.l:397
397 if ((str[len] == 0 || isspace(str[len])) && isspace(str[len - 1]))
gdb-peda$ bt
#0 0x00000000004054b7 in trim_whitespace (len=0x20, str=0x611720 " this is a comment(\220\216\363rbose=true") at lexer.l:397
#1 qend (cfg=cfg@entry=0x60ce80, ret=0x8, trim=0x1) at lexer.l:420
#2 0x0000000000405fef in cfg_yylex (cfg=cfg@entry=0x60ce80) at lexer.l:125
#3 0x0000000000403990 in cfg_parse_internal (cfg=cfg@entry=0x60ce80, level=level@entry=0x0, force_state=force_state@entry=0xffffffff, force_opt=force_opt@entry=0x0) at confuse.c:1060
#4 0x00000000004041b9 in cfg_parse_fp (cfg=0x60ce80, fp=<optimized out>) at confuse.c:1442
#5 0x0000000000404286 in cfg_parse (cfg=cfg@entry=0x60ce80, filename=<optimized out>) at confuse.c:1535
#6 0x00000000004014ce in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe318) at simple.c:46
#7 0x00007ffff7a32f45 in __libc_start_main (main=0x4013b0 <main>, argc=0x2, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at libc-start.c:287
#8 0x0000000000401607 in _start ()
gdb-peda$ x/4xg $rbx-0x10
0x611710: 0x0000000000000000 0x0000000000000031
0x611720: 0x7369207369687420 0x656d6d6f63206120
gdb-peda$ p/x $r13
$3 = 0x20
gdb-peda$
As you can see, $rbx points to a 0x30-size malloc chunk (whose usable size for the user is 0x20), and $r13 is 0x20, so the instruction
0x4054b7 <qend+71>: movsx rbp,BYTE PTR [rbx+r13*1]
could access **1 byte outside** the valid memory.
The PoC file:
https://gitee.com/hac425/blog_data/blob/master/fuzz_pocs/libconfuse_poc
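As an added illustration, not libconfuse's code or its fix, here is a hypothetical trim routine (the names trim_whitespace_safe and check_trim are mine) that confines itself to bytes [0, len) and so never performs the str[len] read at lexer.l:397; the sample inputs are constructed, modelled on the comment string in the dump.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened trim (not libconfuse's code). It only touches
 * bytes [0, len): it never evaluates str[len], the read that runs past
 * the 0x20-byte allocation in the dump above, and it never evaluates
 * str[len - 1] when len == 0. The (unsigned char) cast stops bytes such
 * as \220 \216 \363 from being sign-extended (cf. movsx) into negative
 * values before they reach isspace(). Returns the trimmed length; the
 * buffer is not NUL-terminated, since writing buf[len] would be just as
 * out of bounds as reading it. */
size_t trim_whitespace_safe(char *buf, size_t len)
{
    size_t start = 0;
    /* Trailing whitespace: inspect buf[len - 1] only while len > 0. */
    while (len > 0 && isspace((unsigned char)buf[len - 1]))
        len--;
    /* Leading whitespace, then shift the remainder to the front. */
    while (start < len && isspace((unsigned char)buf[start]))
        start++;
    if (start > 0)
        memmove(buf, buf + start, len - start);
    return len - start;
}

/* Test helper: copies exactly `len` bytes (no terminator) into a heap
 * buffer of exactly `len` bytes, mirroring the tight allocation in the
 * report, trims it, and returns 1 if the result equals `expect`. Under
 * ASan, any access to buf[len] would be flagged. */
int check_trim(const char *src, size_t len, const char *expect)
{
    char *buf = malloc(len ? len : 1);
    if (buf == NULL)
        return 0;
    memcpy(buf, src, len);
    size_t n = trim_whitespace_safe(buf, len);
    int ok = (n == strlen(expect)) && (memcmp(buf, expect, n) == 0);
    free(buf);
    return ok;
}

int main(void)
{
    printf("%d\n", check_trim("  this is a comment  ", 21, "this is a comment"));
    printf("%d\n", check_trim("ab\220 ", 4, "ab\220"));
    return 0;
}
```

Building with -fsanitize=address and running the same inputs through a trim that evaluates str[len] shows the difference: the hardened version stays silent, the str[len] read is reported as a heap-buffer-overflow.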