
hexdump-parse: handle truncated format pattern #2133


Merged
merged 1 commit into from
Mar 28, 2023

Conversation

rpigott
Contributor

@rpigott rpigott commented Mar 23, 2023

If the fmt being parsed by block_size is exactly '%', *++fmt is the terminator and strchr will return a valid pointer to the terminator of spec rather than NULL; the while condition will pass, and subsequent strchr calls will read past the end of fmt until a spec character is found again.

ASAN aborts with the following error on the first buffer overread:

AddressSanitizer: heap-buffer-overflow on address 0x602000000212 at pc 0x55bf1c4b2d78 bp 0x7ffe33c8cff0 sp 0x7ffe33c8cfe0
READ of size 1 at 0x602000000212 thread T0
    #0 0x55bf1c4b2d77 in block_size ../text-utils/hexdump-parse.c:207
    #1 0x55bf1c4ad36f in main ../text-utils/hexdump.c:214
    #2 0x7f15f063c78f  (/usr/lib/libc.so.6+0x2378f)
    #3 0x7f15f063c849 in __libc_start_main (/usr/lib/libc.so.6+0x23849)
    #4 0x55bf1c4ac6c4 in _start (../build/hexdump+0x86c4)

@rpigott
Contributor Author

rpigott commented Mar 24, 2023

Noticed that next_number also increments fmt, so we need to move the null check below that too.

@karelzak karelzak merged commit 9fadd8e into util-linux:master Mar 28, 2023
@rpigott rpigott deleted the badfmt branch April 14, 2023 07:31