Bugzilla – Full Text Bug Listing
| Summary: | AUDIT-1: hcode: Hangul text conversion utility | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Wolfgang Frisch <wolfgang.frisch> |
| Component: | Audits | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Minor | | |
| Priority: | P4 - Low | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| See Also: | https://bugzilla.suse.com/show_bug.cgi?id=1223534 | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | POC for hcode's putSDN function | | |

Description
Wolfgang Frisch
2023-10-10 15:35:18 UTC
Fuzzed with afl++, using a corpus of EUC-KR encoded samples and multiple text conversion modes: no crashes. This audit is mostly finished, just needs documentation.

Done:
- manual review
- static analysis
- fuzzing

Created attachment 874541
POC for hcode's putSDN function

1. Compile with -fsanitize=address
2. ./hcode -kd hcode_putSDN_poc output

=================================================================
==4721==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f35ab508420 at pc 0x000000407ba0 bp 0x7ffdf1513680 sp 0x7ffdf1513678
WRITE of size 1 at 0x7f35ab508420 thread T0
#0 0x407b9f in putSDN /home/wfrisch/audit/hcode/hcode2.1-mailpatch3/mail.c:282
#1 0x4029ef in main /home/wfrisch/audit/hcode/hcode2.1-mailpatch3/hcode.c:114
#2 0x7f35ad42a1ef in __libc_start_call_main (/lib64/libc.so.6+0x2a1ef) (BuildId: 96b8eb5a4407af753cc31c18e7c116279f2eab1f)
#3 0x7f35ad42a2b8 in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a2b8) (BuildId: 96b8eb5a4407af753cc31c18e7c116279f2eab1f)
#4 0x4022d4 in _start ../sysdeps/x86_64/start.S:115
Address 0x7f35ab508420 is located in stack of thread T0 at offset 1056 in frame
#0 0x4074fa in putSDN /home/wfrisch/audit/hcode/hcode2.1-mailpatch3/mail.c:238
This frame has 3 object(s):
[32, 1056) 'ibuf' (line 240) <== Memory access at offset 1056 overflows this variable
[1184, 2208) 'obuf' (line 240)
[2336, 3360) 'tbuf' (line 240)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/wfrisch/audit/hcode/hcode2.1-mailpatch3/mail.c:282 in putSDN
==4721==ABORTING

- wrote a brief report
- submitted fix to openSUSE
- requested CVE from Mitre

Resolved.
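The frame description in the trace above places the write at offset 1056, which is exactly the end of the 1024-byte `ibuf`, so this is a one-byte write just past the buffer rather than a wild write. As an added example (not part of this bug report and not hcode's code), the following Python triage helper parses an ASan stack-buffer-overflow report of this shape, pulls out the faulting frame and the overflowed object, and classifies the access; the embedded report is an excerpt constructed from the trace quoted in this bug.

```python
import re

# Constructed excerpt of the ASan report quoted in this bug (shadow-byte dump omitted).
ASAN_REPORT = """\
==4721==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f35ab508420 at pc 0x000000407ba0 bp 0x7ffdf1513680 sp 0x7ffdf1513678
WRITE of size 1 at 0x7f35ab508420 thread T0
    #0 0x407b9f in putSDN /home/wfrisch/audit/hcode/hcode2.1-mailpatch3/mail.c:282
    #1 0x4029ef in main /home/wfrisch/audit/hcode/hcode2.1-mailpatch3/hcode.c:114
Address 0x7f35ab508420 is located in stack of thread T0 at offset 1056 in frame
    #0 0x4074fa in putSDN /home/wfrisch/audit/hcode/hcode2.1-mailpatch3/mail.c:238
  This frame has 3 object(s):
    [32, 1056) 'ibuf' (line 240) <== Memory access at offset 1056 overflows this variable
    [1184, 2208) 'obuf' (line 240)
    [2336, 3360) 'tbuf' (line 240)
"""


def triage_stack_overflow(report: str) -> dict:
    """Extract the access, the faulting frame and the overflowed stack object from an
    ASan stack-buffer-overflow report. bytes_past_end is 0 when the access starts at the
    first byte beyond the object, i.e. the classic off-by-one."""
    kind = re.search(r"AddressSanitizer: (stack-buffer-overflow)", report)
    access = re.search(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", report, re.M)
    # First '#0' line is the top of the access stack; the frame description's '#0' comes later.
    frame0 = re.search(r"^\s*#0 0x[0-9a-f]+ in (\w+) (\S+):(\d+)", report, re.M)
    offset = re.search(r"at offset (\d+) in frame", report)
    obj = re.search(r"\[(\d+), (\d+)\) '(\w+)' \(line (\d+)\) <== Memory access", report)
    if not all((kind, access, frame0, offset, obj)):
        raise ValueError("not a recognised ASan stack-buffer-overflow report")
    lo, hi = int(obj.group(1)), int(obj.group(2))
    return {
        "bug": kind.group(1),
        "access": access.group(1),
        "access_size": int(access.group(2)),
        "function": frame0.group(1),
        "file": frame0.group(2),
        "line": int(frame0.group(3)),
        "variable": obj.group(3),
        "variable_line": int(obj.group(4)),
        "variable_size": hi - lo,
        "bytes_past_end": int(offset.group(1)) - hi,
    }


def is_off_by_one(info: dict) -> bool:
    # A one-byte access starting exactly at the end of the object: typical of a missing
    # "room for the terminator/last byte" check in a fixed-size buffer loop.
    return info["bytes_past_end"] == 0 and info["access_size"] == 1


if __name__ == "__main__":
    info = triage_stack_overflow(ASAN_REPORT)
    print(f"{info['function']} ({info['file']}:{info['line']}): {info['access']} of "
          f"{info['access_size']} byte(s) {info['bytes_past_end']} past '{info['variable']}' "
          f"[{info['variable_size']} bytes]; off-by-one: {is_off_by_one(info)}")
```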