
heap-buffer-overflow in mdp #165

Open
Frank-Z7 opened this issue Nov 9, 2023 · 4 comments

Comments


Frank-Z7 commented Nov 9, 2023

heap-buffer-overflow in mdp

Hi. I found a heap-buffer-overflow bug in mdp.

Please confirm.

Thanks for your time!

Version

mdp 1.0.15
Copyright (C) 2018 Michael Goehler
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Michael Goehler and others, see <https://github.com/visit1985/mdp/blob/master/AUTHORS>.

ASAN Log

./mdp -e -i -x poc1mdp

=================================================================
==3175382==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000006040 at pc 0x0000004cc70e bp 0x7fffffffe1e0 sp 0x7fffffffe1d8
READ of size 4 at 0x607000006040 thread T0
	#0 0x4cc70d  (/afltest/mdp/mdp+0x4cc70d)
	#1 0x4ccba1  (/afltest/mdp/mdp+0x4ccba1)
	#2 0x4c696c  (/afltest/mdp/mdp+0x4c696c)
	#3 0x7ffff7be9082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
	#4 0x41d65d  (/afltest/mdp/mdp+0x41d65d)

0x607000006040 is located 0 bytes to the right of 80-byte region [0x607000005ff0,0x607000006040)
allocated by thread T0 here:
	#0 0x4960b9 in realloc (/afltest/mdp/mdp+0x4960b9)
	#1 0x4c5cc1  (/afltest/mdp/mdp+0x4c5cc1)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/afltest/mdp/mdp+0x4cc70d)
Shadow bytes around the buggy address:
  0x0c0e7fff8bb0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fff8bc0: fd fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff8bd0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c0e7fff8be0: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0e7fff8bf0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa 00 00
=>0x0c0e7fff8c00: 00 00 00 00 00 00 00 00[fa]fa fa fa fd fd fd fd
  0x0c0e7fff8c10: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff8c20: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fff8c30: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
  0x0c0e7fff8c40: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c0e7fff8c50: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable:           00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone:       fa
Freed heap region:       fd
Stack left redzone:      f1
Stack mid redzone:       f2
Stack right redzone:     f3
Stack after return:      f5
Stack use after scope:   f8
Global redzone:          f9
Global init order:       f6
Poisoned by user:        f7
Container overflow:      fc
Array cookie:            ac
Intra object redzone:    bb
ASan internal:           fe
Left alloca redzone:     ca
Right alloca redzone:    cb
Shadow gap:              cc
==3175382==ABORTING

Reproduction

Steps to reproduce:
1. Download the poc1mdp file.
2. Compile the source code with ASan.
   (My approach is to install AFLplusplus and add the following two lines to the Makefile:
   CC=afl-clang-fast
   CXX=afl-clang-fast++

   then:
   AFL_USE_ASAN=1 make
   )
3. Execute the following command:
   ./mdp -e -i -x poc1mdp

PoC

poc1mdp: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc1mdp

Impact

This vulnerability is capable of causing crashes, or possible DoS.

Reference

https://github.com/visit1985/mdp

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09
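What the ASan log in this report actually tells a maintainer is worth pulling out explicitly before trying to confirm the bug: a 4-byte READ landing exactly at the end of an 80-byte realloc'd region, with an unsymbolized stack. The script below is an added triage example for this thread, not code from mdp or from the reporter. It parses the standard AddressSanitizer report format (the sample is the log quoted above, minus the shadow-byte dump, embedded as constructed input), computes where the access lies relative to the allocation, and flags the classic end-of-array signature as a heuristic only; it says nothing about mdp's source, which the issue does not show. Anything it prints about "likely off-by-one" is a hint for the person reading the code, not a diagnosis.

```python
"""Triage helper for an AddressSanitizer heap report (added example, not mdp code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the ASan report quoted in the issue, without the shadow dump.
SAMPLE_REPORT = """\
==3175382==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000006040 at pc 0x0000004cc70e bp 0x7fffffffe1e0 sp 0x7fffffffe1d8
READ of size 4 at 0x607000006040 thread T0
    #0 0x4cc70d  (/afltest/mdp/mdp+0x4cc70d)
    #1 0x4ccba1  (/afltest/mdp/mdp+0x4ccba1)
    #2 0x4c696c  (/afltest/mdp/mdp+0x4c696c)
    #3 0x7ffff7be9082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #4 0x41d65d  (/afltest/mdp/mdp+0x41d65d)

0x607000006040 is located 0 bytes to the right of 80-byte region [0x607000005ff0,0x607000006040)
allocated by thread T0 here:
    #0 0x4960b9 in realloc (/afltest/mdp/mdp+0x4960b9)
    #1 0x4c5cc1  (/afltest/mdp/mdp+0x4c5cc1)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/afltest/mdp/mdp+0x4cc70d)
"""

ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<bug>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<kind>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
# Handles "to the right of", "to the left of" and "inside of" (use-after-free) phrasings.
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes (?:to the (?P<side>left|right) of|inside of) "
    r"(?P<rsize>\d+)-byte region \[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)")
# Frame lines look like "#0 0x4cc70d  (module+off)" or "#3 0x... in func (module+off)".
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) (?P<pc>0x[0-9a-f]+)\s*(?:in (?P<func>\S+) )?\((?P<mod>[^)]+)\)")


@dataclass
class AsanFinding:
    bug: str
    access: str                 # READ or WRITE
    size: int                   # bytes touched by the faulting instruction
    address: int
    region_start: int
    region_end: int             # exclusive bound, as ASan prints it
    crash_frames: list = field(default_factory=list)
    alloc_frames: list = field(default_factory=list)

    @property
    def region_size(self) -> int:
        return self.region_end - self.region_start

    @property
    def offset_from_end(self) -> int:
        # 0 = the first byte past the allocation; negative = inside it
        return self.address - self.region_end


def parse_asan_report(text: str) -> AsanFinding:
    m_err, m_reg = ERROR_RE.search(text), REGION_RE.search(text)
    if not (m_err and m_reg):
        raise ValueError("not a recognisable ASan heap report")
    finding = AsanFinding(bug=m_err["bug"], access="", size=0,
                          address=int(m_err["addr"], 16),
                          region_start=int(m_reg["start"], 16),
                          region_end=int(m_reg["end"], 16))
    current = None  # which stack trace the frame lines currently belong to
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            finding.access, finding.size = m["kind"], int(m["size"])
            current = finding.crash_frames
            continue
        if line.startswith("allocated by"):
            current = finding.alloc_frames
            continue
        if not line.strip():
            current = None          # a blank line ends a stack trace
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append({"pc": int(m["pc"], 16), "func": m["func"], "module": m["mod"]})
    if not finding.access:
        raise ValueError("no READ/WRITE line found")
    return finding


def off_by_one_hint(f: AsanFinding) -> Optional[tuple]:
    """Heuristic: access exactly at the end of the region, with the access size
    dividing the region evenly, is the signature of reading element n of an
    n-element array (an `i <= n` bound or a lookup at n). Returns (index, count)."""
    if f.offset_from_end == 0 and f.size and f.region_size % f.size == 0:
        n = f.region_size // f.size
        return n, n
    return None


def is_symbolized(f: AsanFinding) -> bool:
    """False when crash frames carry only module+offset, i.e. the binary lacks -g
    or llvm-symbolizer was not found (ASAN_SYMBOLIZER_PATH)."""
    return all(fr["func"] for fr in f.crash_frames)


def triage_summary(f: AsanFinding) -> str:
    lines = [f"{f.bug}: {f.access} of {f.size} bytes at 0x{f.address:x}",
             f"allocation: {f.region_size}-byte region [0x{f.region_start:x},0x{f.region_end:x}), "
             f"access is {f.offset_from_end} byte(s) past its end"]
    hint = off_by_one_hint(f)
    if hint:
        lines.append(f"likely off-by-one: element {hint[0]} of a {hint[1]}-element array "
                     f"of {f.size}-byte items")
    if f.alloc_frames:
        lines.append(f"allocated via {f.alloc_frames[0]['func'] or f.alloc_frames[0]['module']}")
    if not is_symbolized(f):
        lines.append("frames are unsymbolized; rebuild with -g and symbolize to get file:line")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_summary(parse_asan_report(SAMPLE_REPORT)))
```

Run it on any saved ASan log instead of the embedded sample to get the same summary; for a report like the one above it points at a 4-byte read of what would be element 20 of a 20-element array of 4-byte items, allocated through realloc, and reminds you that the frames need symbolizing before the crash site can be mapped to a source line.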
visit1985 (Owner) commented:

Hey @Frank-Z7, thanks for reporting this. Shouldn't this cause a crash? I can't produce one when I follow your steps without afl on

macOS Monterey 12.7.1
Apple clang version 14.0.0 (clang-1400.0.29.202)
Arch Linux
gcc version 12.2.1 20230201 (GCC)


Frank-Z7 commented Dec 2, 2023

Hey @Frank-Z7, thanks for reporting this. Shouldn't this cause a crash? I can't produce one when I follow your steps without afl on

macOS Monterey 12.7.1
Apple clang version 14.0.0 (clang-1400.0.29.202)
Arch Linux
gcc version 12.2.1 20230201 (GCC)

Hi @visit1985 ,

Thank you for your attention. The vulnerability is not related to the use of afl, which comes with the ASAN (AddressSanitizer) tool to check for memory errors.

AddressSanitizer (https://github.com/google/sanitizers) is Google's well-known memory testing tool; it prints out a report showing the memory problem, and it has been integrated into the GCC and LLVM compilers, etc.

To make it easier for you to reproduce the problem, I changed the Makefile in the mdp folder and the mdp/src folder. I used the gcc compiler and added the -fsanitize=address flag to enable ASAN. The modified compressed package is as follows. You can directly run the "./mdp -e -i -x poc1" command to rectify the problem.


Frank-Z7 commented Dec 2, 2023

mdp2.tar.gz


Frank-Z7 commented Dec 2, 2023

I made the following changes to the Makefile: I used the gcc compiler and added the -fsanitize=address flag to enable ASAN to conveniently reveal the heap-buffer-overflow problem.
Thanks for your time.

