libwab: heap-based out-of-bounds read in write_ldif
xinali opened this issue · 0 comments
xinali commented
Tested on Ubuntu 16.04 x64, compiled with clang-6.0.
gdb info (the faulting load `mov edi, dword ptr [r9 + rbp]` reads `mrec->oplist[i]` at 0x6470d0 + 0x16f30 = 0x65e000, which is exactly the end of the `[heap]` mapping shown below, so the loop index `i` — bounded only by `mrec->head.opcount` — appears to run past the end of the `oplist` allocation; the fix should validate `opcount` against the actual size of `oplist` before the loop):
Program received signal SIGSEGV, Segmentation fault.
0x000000000041295d in write_ldif (dest=0x7ffff7dd2620 <_IO_2_1_stdout_>, mrec=mrec@entry=0x7fffffffe0f0) at /home/libwab/libwab.c:598
598 if( ((mrec->oplist[i] >> 16) & 0xffff) == PR_DISPLAY_NAME)
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x5bcc
RCX 0x7ffffe24
RDX 0x7ffff7dd3780 (_IO_stdfile_1_lock) ◂— 0x0
RDI 0x0
RSI 0x1db
R8 0x0
R9 0x6470d0 ◂— 0x30080040800b1102
R10 0x1db
R11 0xa456794f
R12 0x7fffffffe0f0 ◂— 0x11d275138dcbcb9c
R13 0x7ffff7dd2620 (_IO_2_1_stdout_) ◂— 0xfbad2a84
R14 0x0
R15 0x1
RBP 0x16f30
RSP 0x7fffffffe080 —▸ 0x645e8c ◂— 0xfbad248800000000
RIP 0x41295d (write_ldif+2813) ◂— mov edi, dword ptr [r9 + rbp]
─────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────
► 0x41295d <write_ldif+2813> mov edi, dword ptr [r9 + rbp]
0x412961 <write_ldif+2817> shr edi, 0x10
0x412964 <write_ldif+2820> cmp edi, 0x3001
0x41296a <write_ldif+2826> je write_ldif+2621 <0x41289d>
↓
0x41289d <write_ldif+2621> nop dword ptr [rax]
0x4128a0 <write_ldif+2624> lea rsp, [rsp - 0x98]
0x4128a8 <write_ldif+2632> mov qword ptr [rsp], rdx
0x4128ac <write_ldif+2636> mov qword ptr [rsp + 8], rcx
0x4128b1 <write_ldif+2641> mov qword ptr [rsp + 0x10], rax
0x4128b6 <write_ldif+2646> mov rcx, 0x4a5b
0x4128bd <write_ldif+2653> call __afl_maybe_log <0x416958>
──────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────
In file: /home/libwab/libwab.c
593
594 for( i=0; i<mrec->head.opcount; i++ ) {
595 //VBUF_STATIC( base64buf, 10 );
596 char *ldid;
597
► 598 if( ((mrec->oplist[i] >> 16) & 0xffff) == PR_DISPLAY_NAME)
599 continue;
600
601 if( NULL == (ldid = ldid_get_str( (mrec->oplist[i] >> 16) & 0xffff ) ) ) {
602 DEBUG(DB_VERBOSE2, fprintf(stderr, "Couldn't find ldid for 0x%x\n", (mrec->oplist[i] >> 16) & 0xffff); );
603 continue;
──────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe080 —▸ 0x645e8c ◂— 0xfbad248800000000
01:0008│ 0x7fffffffe088 ◂— 0x0
02:0010│ 0x7fffffffe090 —▸ 0x645e90 ◂— 0xfbad2488
03:0018│ 0x7fffffffe098 —▸ 0x645e2c ◂— 0x84d000000002
04:0020│ 0x7fffffffe0a0 ◂— 0x8c4
05:0028│ 0x7fffffffe0a8 —▸ 0x415da9 (output_records+1449) ◂— mov rdi, qword ptr [rip + 0x226450]
06:0030│ 0x7fffffffe0b0 —▸ 0x645e90 ◂— 0xfbad2488
07:0038│ 0x7fffffffe0b8 —▸ 0x645e2c ◂— 0x84d000000002
────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
► f 0 41295d write_ldif+2813
f 1 415da9 output_records+1449
f 2 403346 main+982
f 3 7ffff7a2d830 __libc_start_main+240
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Program received signal SIGSEGV (fault address 0x65e000)
pwndbg> p mrec->oplist[i]
Cannot access memory at address 0x65e000
pwndbg> info proc mappings
process 27224
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x400000 0x43c000 0x3c000 0x0 /home/libwab/build/wabread
0x63b000 0x63c000 0x1000 0x3b000 /home/libwab/build/wabread
0x63c000 0x63d000 0x1000 0x3c000 /home/libwab/build/wabread
0x63d000 0x65e000 0x21000 0x0 [heap]
0x7ffff7809000 0x7ffff780c000 0x3000 0x0 /usr/lib/x86_64-linux-gnu/gconv/UTF-16.so
0x7ffff780c000 0x7ffff7a0b000 0x1ff000 0x3000 /usr/lib/x86_64-linux-gnu/gconv/UTF-16.so
0x7ffff7a0b000 0x7ffff7a0c000 0x1000 0x2000 /usr/lib/x86_64-linux-gnu/gconv/UTF-16.so
0x7ffff7a0c000 0x7ffff7a0d000 0x1000 0x3000 /usr/lib/x86_64-linux-gnu/gconv/UTF-16.so
0x7ffff7a0d000 0x7ffff7bcd000 0x1c0000 0x0 /lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff7bcd000 0x7ffff7dcd000 0x200000 0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff7dcd000 0x7ffff7dd1000 0x4000 0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff7dd1000 0x7ffff7dd3000 0x2000 0x1c4000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff7dd3000 0x7ffff7dd7000 0x4000 0x0
0x7ffff7dd7000 0x7ffff7dfd000 0x26000 0x0 /lib/x86_64-linux-gnu/ld-2.23.so
0x7ffff7fef000 0x7ffff7ff2000 0x3000 0x0
0x7ffff7ff4000 0x7ffff7ffb000 0x7000 0x0 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
0x7ffff7ffb000 0x7ffff7ffc000 0x1000 0x0 [vdso]
0x7ffff7ffc000 0x7ffff7ffd000 0x1000 0x25000 /lib/x86_64-linux-gnu/ld-2.23.so
0x7ffff7ffd000 0x7ffff7ffe000 0x1000 0x26000 /lib/x86_64-linux-gnu/ld-2.23.so
0x7ffff7ffe000 0x7ffff7fff000 0x1000 0x0
0x7ffffffea000 0x7ffffffff000 0x15000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]