Uninitialized memory read
jvoisin opened this issue · 2 comments
jvoisin commented
==25139==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000016a1 at pc 0x000000514532 bp 0x7fff49f849d0 sp 0x7fff49f849c8
READ of size 1 at 0x6030000016a1 thread T0
#0 0x514531 in h5_state_tag_open /home/jvoisin/Dev/libinjection/src/libinjection_html5.c:183:10
#1 0x52e2ab in libinjection_is_xss /home/jvoisin/Dev/libinjection/src/libinjection_xss.c:419:12
#2 0x52f6db in libinjection_xss /home/jvoisin/Dev/libinjection/src/libinjection_xss.c:514:9
#3 0x510ad1 in LLVMFuzzerTestOneInput /home/jvoisin/Dev/libinjection/src/./xss_fuzz.c:10:2
#4 0x4fabc2 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/jvoisin/Dev/Fuzzer/./FuzzerLoop.cpp:536:13
#5 0x4fadb4 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jvoisin/Dev/Fuzzer/./FuzzerLoop.cpp:487:3
#6 0x4fbeaf in fuzzer::Fuzzer::MutateAndTestOne() /home/jvoisin/Dev/Fuzzer/./FuzzerLoop.cpp:724:30
#7 0x4fc0b7 in fuzzer::Fuzzer::Loop() /home/jvoisin/Dev/Fuzzer/./FuzzerLoop.cpp:757:5
#8 0x4f4018 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jvoisin/Dev/Fuzzer/./FuzzerDriver.cpp:531:3
#9 0x4f1b50 in main /home/jvoisin/Dev/Fuzzer/./FuzzerMain.cpp:20:10
#10 0x7fcab26f682f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
#11 0x41bc88 in _start (/home/jvoisin/Dev/libinjection/src/libinjection_fuzzer+0x41bc88)
0x6030000016a1 is located 0 bytes to the right of 17-byte region [0x603000001690,0x6030000016a1)
allocated by thread T0 here:
#0 0x4eeb8b in operator new[](unsigned long) (/home/jvoisin/Dev/libinjection/src/libinjection_fuzzer+0x4eeb8b)
#1 0x4fab0a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/jvoisin/Dev/Fuzzer/./FuzzerLoop.cpp:526:23
#2 0x4fadb4 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jvoisin/Dev/Fuzzer/./FuzzerLoop.cpp:487:3
#3 0x4fbeaf in fuzzer::Fuzzer::MutateAndTestOne() /home/jvoisin/Dev/Fuzzer/./FuzzerLoop.cpp:724:30
#4 0x4fc0b7 in fuzzer::Fuzzer::Loop() /home/jvoisin/Dev/Fuzzer/./FuzzerLoop.cpp:757:5
#5 0x4f4018 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jvoisin/Dev/Fuzzer/./FuzzerDriver.cpp:531:3
#6 0x4f1b50 in main /home/jvoisin/Dev/Fuzzer/./FuzzerMain.cpp:20:10
#7 0x7fcab26f682f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jvoisin/Dev/libinjection/src/libinjection_html5.c:183:10 in h5_state_tag_open
Shadow bytes around the buggy address:
0x0c067fff8280: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
0x0c067fff8290: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
0x0c067fff82a0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c067fff82b0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
0x0c067fff82c0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
=>0x0c067fff82d0: fa fa 00 00[01]fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff82f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8300: fa fa fd fd fd fd fa fa fa fa fa fa fa fa fa fa
0x0c067fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25139==ABORTING
MS: 3 ChangeBinInt-ChangeBinInt-CrossOver-; base unit: 19584bef734a8a8658a3bce54010e749d082247f
0x1,0x0,0x0,0x0,0x0,0x4e,0xbc,0x83,0x1,0x0,0x0,0x0,0xc1,0xc1,0xc1,0xbc,0x3c,
\x01\x00\x00\x00\x00N\xbc\x83\x01\x00\x00\x00\xc1\xc1\xc1\xbc<
artifact_prefix='./'; Test unit written to ./crash-a5df96ffac113271f921591a7454a828cebc622b
Base64: AQAAAABOvIMBAAAAwcHBvDw=
zsh: exit 1 ./libinjection_fuzzer
jvoisin@mim 15:20 ~/Dev/libinjection/src
tl;dr: if the string ends with a <, libinjection will read the (non-initialized) data behind it.
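The defect class behind the report above, as an added illustration (this is not libinjection's h5_state_tag_open and the names tag_open_unchecked, tag_open_checked, last_tag_open_state and the h5_state_t enum are my own): a tag-open state that peeks at the byte after '<' without checking it against the buffer length reads one byte past the allocation when '<' is the final byte, which is exactly what ASan flagged. The checked form returns a distinct end-of-input state instead. The crash unit is the 17-byte sequence from the fuzzer output; the second input is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of an HTML5-style "tag open" state, the state entered after a '<'.
 * Added illustration only, not libinjection's own tokenizer. */
typedef enum {
    H5_DATA,          /* '<' followed by something else: '<' is plain text */
    H5_END_TAG_OPEN,  /* "</" */
    H5_MARKUP_DECL,   /* "<!" */
    H5_TAG_NAME,      /* '<' followed by an ASCII letter */
    H5_BOGUS_COMMENT, /* "<?" */
    H5_EOF            /* '<' is the final byte: there is nothing to look at */
} h5_state_t;

static h5_state_t classify(unsigned char c)
{
    if (c == '/') return H5_END_TAG_OPEN;
    if (c == '!') return H5_MARKUP_DECL;
    if (c == '?') return H5_BOGUS_COMMENT;
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) return H5_TAG_NAME;
    return H5_DATA;
}

/* Unchecked form, the pattern behind the ASan report: after the '<' at
 * buf[pos] it reads buf[pos + 1] without comparing that index to len.
 * When '<' is the last byte this is a 1-byte read past the allocation.
 * Kept only for comparison; it is never called on such input here. */
static h5_state_t tag_open_unchecked(const char *buf, size_t len, size_t pos)
{
    (void)len;                               /* length ignored: the bug */
    return classify((unsigned char)buf[pos + 1]);
}

/* Hardened form: bounds-check before every look-ahead.
 * Caller guarantees pos < len and buf[pos] == '<'. */
static h5_state_t tag_open_checked(const char *buf, size_t len, size_t pos)
{
    if (pos + 1 >= len)                      /* '<' is the final byte */
        return H5_EOF;
    return classify((unsigned char)buf[pos + 1]);
}

/* Scan a length-delimited, possibly non-NUL-terminated buffer and return the
 * state produced by its last '<', or -1 if it contains none. Only the checked
 * function is used, so a trailing '<' yields H5_EOF instead of an over-read. */
int last_tag_open_state(const char *buf, size_t len)
{
    int state = -1;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '<')
            state = (int)tag_open_checked(buf, len, i);
    }
    return state;
}

int main(void)
{
    /* The 17-byte crashing unit from the fuzzer output; its final byte is 0x3c ('<'). */
    static const unsigned char crash[] = {
        0x1,0x0,0x0,0x0,0x0,0x4e,0xbc,0x83,0x1,0x0,0x0,0x0,0xc1,0xc1,0xc1,0xbc,0x3c
    };
    /* Constructed well-formed input for comparison. */
    static const char html[] = "<p>hi</p>";

    printf("crash unit: state %d (H5_EOF is %d)\n",
           last_tag_open_state((const char *)crash, sizeof crash), (int)H5_EOF);
    printf("\"%s\": checked %d, unchecked %d (they agree when '<' is not final)\n",
           html, (int)tag_open_checked(html, strlen(html), 0),
           (int)tag_open_unchecked(html, strlen(html), 0));
    return 0;
}
```

The same guard belongs in every tokenizer state that looks ahead, and the length must be threaded through rather than inferred from a NUL terminator, because fuzzer units (and length-delimited API inputs in general) carry no terminator; the shadow-byte line in the report, with 17 addressable bytes followed directly by a redzone, is what that missing check looks like at run time.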
zimmerle commented
Seems to be a 1-byte buffer over-read. Further info (+ demo) here: https://gist.github.com/zimmerle/5832f71985179132e057f7aced58a5e7
Does not seem to be harmful.
Sending a pull request with the fix in a few minutes....
client9 commented
This was merged and should be fixed.