
tpad team mailing list archive

[Bug 1775314] [NEW] heap-buffer-overflow when opening a file


*** This bug is a security vulnerability ***

Private security bug reported:

heap-buffer-overflow
heap-buffer-overflow on address 0x606000147d20 at pc 0x55b111ded56e bp 0x7f3ee1ffe8c0 sp 0x7f3ee1ffe068
READ of size 65 at 0x606000147d20 thread T1

    #0 0x55b111ded56d in __interceptor_strlen.part.24 (/home/andy/ram/b/usr/bin/tpad+0x4656d)
    #1 0x55b111ecc534 in data_to_hex tpad_hash.c:228
    #2 0x55b111ecba8b in str2sha512 tpad_hash.c:75
    #3 0x55b111ecb971 in curFile2sha512 tpad_hash.c:43
    #4 0x55b111ebe456 in tpad_control_store_hash_of_current_file_set tpad_control.c:34
    #5 0x55b111ec3a58 in show_file tpad_show_file.c:47
    #6 0x55b111ebba1d in tpad_main tpad_main.c:79
    #7 0x55b111ebb957 in ntpad main.c:95
    #8 0x7f3eef31d6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #9 0x7f3eee68488e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x606000147d20 is located 0 bytes to the right of 64-byte region [0x606000147ce0,0x606000147d20)
allocated by thread T1 here:
    #0 0x55b111e7ac18 in calloc (/home/andy/ram/b/usr/bin/tpad+0xd3c18)
    #1 0x55b111ecba41 in str2sha512 tpad_hash.c:69
    #2 0x55b111ecb971 in curFile2sha512 tpad_hash.c:43
    #3 0x55b111ebe456 in tpad_control_store_hash_of_current_file_set tpad_control.c:34
    #4 0x55b111ec3a58 in show_file tpad_show_file.c:47
    #5 0x55b111ebba1d in tpad_main tpad_main.c:79
    #6 0x55b111ebb957 in ntpad main.c:95
    #7 0x7f3eef31d6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T1 created by T0 here:
    #0 0x55b111dd3c2f in __interceptor_pthread_create (/home/andy/ram/b/usr/bin/tpad+0x2cc2f)
    #1 0x55b111ebb794 in main main.c:65
    #2 0x7f3eee584b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

  0x0c0c80020f50: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c80020f60: 00 00 00 00 00 00 02 fa fa fa fa fa 00 00 00 00
  0x0c0c80020f70: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c80020f80: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c80020f90: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
=>0x0c0c80020fa0: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80020fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80020fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80020fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80020fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80020ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
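Reading the trace: the faulting read is 65 bytes long, at address 0 bytes past the end of a 64-byte region that str2sha512 obtained from calloc, and the reader is strlen called from data_to_hex. 64 bytes is the length of a raw SHA-512 digest, which is binary data with no NUL terminator, so a strlen-based hex encoder scans all 64 bytes and then one more into the redzone; it would equally stop early if the digest happened to contain a 0x00 byte. That reading of the trace is an inference from the numbers above, since tpad's own source is not on this page. The C example below is added here for illustration and is not tpad's code: it shows a hex encoder that takes the digest length explicitly, plus a bounded helper that reports how many bytes a strlen-based encoder would have seen for a given buffer. The sample digest is constructed, not a real SHA-512 value, and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define SHA512_DIGEST_LEN 64   /* raw SHA-512 output: 64 bytes, never NUL-terminated */

/* Hex-encode exactly `len` bytes of `data` into `out`.
 * `out` must have room for 2*len + 1 bytes (two hex digits per byte plus a NUL).
 * Returns the number of hex characters written (2*len), or -1 if `out` is too
 * small or a pointer is NULL. The length is passed explicitly: the encoder
 * never calls strlen() on binary data. (Hypothetical name, not tpad's API.) */
int data_to_hex_len(const unsigned char *data, size_t len, char *out, size_t out_size)
{
    static const char digits[] = "0123456789abcdef";
    if (data == NULL || out == NULL)
        return -1;
    if (out_size < 2 * len + 1)
        return -1;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[data[i] >> 4];
        out[2 * i + 1] = digits[data[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return (int)(2 * len);
}

/* How many bytes a strlen()-based encoder would see for a binary buffer of
 * known length: the count up to the first zero byte, or `len` if there is
 * none. Uses memchr bounded by `len`, so this check itself stays in bounds.
 * A digest with no zero byte is the case the report above points at: strlen()
 * has no terminator to stop on and reads past the allocation. */
size_t strlen_view_of_binary(const unsigned char *data, size_t len)
{
    const unsigned char *nul = memchr(data, 0, len);
    return nul ? (size_t)(nul - data) : len;
}

/* Constructed sample digest (NOT a real SHA-512 value): bytes 0x10..0x4f,
 * none of them zero; with_zero != 0 plants a zero byte at index 5. */
void fill_sample_digest(unsigned char digest[SHA512_DIGEST_LEN], int with_zero)
{
    for (int i = 0; i < SHA512_DIGEST_LEN; i++)
        digest[i] = (unsigned char)(0x10 + i);
    if (with_zero)
        digest[5] = 0x00;   /* a strlen()-based encoder would stop after 5 bytes */
}

int main(void)
{
    unsigned char digest[SHA512_DIGEST_LEN];
    char hex[2 * SHA512_DIGEST_LEN + 1];

    fill_sample_digest(digest, 0);
    printf("strlen would see %zu of %d bytes\n",
           strlen_view_of_binary(digest, sizeof digest), SHA512_DIGEST_LEN);
    if (data_to_hex_len(digest, sizeof digest, hex, sizeof hex) == 2 * SHA512_DIGEST_LEN)
        printf("%s\n", hex);

    fill_sample_digest(digest, 1);
    printf("with an embedded zero, strlen would see %zu bytes\n",
           strlen_view_of_binary(digest, sizeof digest));
    return 0;
}
```

The fix pattern is the same whatever hash is used: every function that touches a digest receives (pointer, length) and sizes its output from that length, and the output buffer is checked before writing. Building with `-fsanitize=address` and running the file-open path, as the reporter did here, is the regression check that the strlen read is gone.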

** Affects: tpad-project
     Importance: Critical
     Assignee: GNAServicesInc (gnaservicesinc)
         Status: Triaged


** Tags: security

** Changed in: tpad-project
       Status: Confirmed => Triaged

-- 
You received this bug notification because you are a member of tpad
Developers, which is subscribed to tpad.
https://bugs.launchpad.net/bugs/1775314

Title:
  heap-buffer-overflow when opening a file

Status in tpad:
  Triaged
