Message #00307
[Bug 1775314] [NEW] heap-buffer-overflow when opening a file
*** This bug is a security vulnerability ***
Private security bug reported:
heap-buffer-overflow
heap-buffer-overflow on address 0x606000147d20 at pc 0x55b111ded56e bp 0x7f3ee1ffe8c0 sp 0x7f3ee1ffe068
READ of size 65 at 0x606000147d20 thread T1
#0 0x55b111ded56d in __interceptor_strlen.part.24 (/home/andy/ram/b/usr/bin/tpad+0x4656d)
#1 0x55b111ecc534 in data_to_hex tpad_hash.c:228
#2 0x55b111ecba8b in str2sha512 tpad_hash.c:75
#3 0x55b111ecb971 in curFile2sha512 tpad_hash.c:43
#4 0x55b111ebe456 in tpad_control_store_hash_of_current_file_set tpad_control.c:34
#5 0x55b111ec3a58 in show_file tpad_show_file.c:47
#6 0x55b111ebba1d in tpad_main tpad_main.c:79
#7 0x55b111ebb957 in ntpad main.c:95
#8 0x7f3eef31d6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#9 0x7f3eee68488e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
0x606000147d20 is located 0 bytes to the right of 64-byte region [0x606000147ce0,0x606000147d20)
allocated by thread T1 here:
#0 0x55b111e7ac18 in calloc (/home/andy/ram/b/usr/bin/tpad+0xd3c18)
#1 0x55b111ecba41 in str2sha512 tpad_hash.c:69
#2 0x55b111ecb971 in curFile2sha512 tpad_hash.c:43
#3 0x55b111ebe456 in tpad_control_store_hash_of_current_file_set tpad_control.c:34
#4 0x55b111ec3a58 in show_file tpad_show_file.c:47
#5 0x55b111ebba1d in tpad_main tpad_main.c:79
#6 0x55b111ebb957 in ntpad main.c:95
#7 0x7f3eef31d6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
Thread T1 created by T0 here:
#0 0x55b111dd3c2f in __interceptor_pthread_create (/home/andy/ram/b/usr/bin/tpad+0x2cc2f)
#1 0x55b111ebb794 in main main.c:65
#2 0x7f3eee584b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
0x0c0c80020f50: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c80020f60: 00 00 00 00 00 00 02 fa fa fa fa fa 00 00 00 00
0x0c0c80020f70: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c80020f80: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0c80020f90: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
=>0x0c0c80020fa0: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c0c80020fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c80020fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c80020fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c80020fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c80020ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
** Affects: tpad-project
Importance: Critical
Assignee: GNAServicesInc (gnaservicesinc)
Status: Triaged
** Tags: security
** Changed in: tpad-project
Status: Confirmed => Triaged
--
You received this bug notification because you are a member of tpad Developers, which is subscribed to tpad.
https://bugs.launchpad.net/bugs/1775314
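The trace shows strlen() (frame #0, called from data_to_hex at tpad_hash.c:228) being run over a 64-byte calloc'd region from str2sha512 at tpad_hash.c:69, and 64 bytes is exactly the size of a raw SHA-512 digest, so the READ of size 65 is the terminator scan stepping one byte past the allocation. The block below is an added example, not tpad's code (tpad's data_to_hex source is not on this page): it shows the length-aware encoder a fix would use, and a bounded check of how a strlen-based encoder would misjudge such a buffer; data_to_hex_n, strlen_view_of_digest and DIGEST_LEN are names assumed here.

```c
/* Added example (not tpad's own code): a length-aware hex encoder for raw
 * digests, contrasted with the strlen() pattern the ASan trace points at.
 * data_to_hex_n and DIGEST_LEN are names assumed here, not tpad identifiers. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 64 /* SHA-512 output size in bytes */

/* Encodes exactly `len` bytes of `data` as lowercase hex into `out`.
 * It never scans for a terminator: a binary digest is not a C string.
 * Returns 2*len (hex chars written) or 0 if `out` cannot hold 2*len+1. */
size_t data_to_hex_n(const unsigned char *data, size_t len,
                     char *out, size_t outsz)
{
    static const char digits[] = "0123456789abcdef";
    if (outsz < 2 * len + 1)
        return 0;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[data[i] >> 4];
        out[2 * i + 1] = digits[data[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return 2 * len;
}

/* Length that strlen()-style code would see for a digest: it stops at the
 * first zero byte (silent truncation) and, if there is none in the buffer,
 * reads past the end (the 65-byte READ in the report). Computed safely with
 * memchr bounded to `len`; a result equal to `len` means strlen would overrun. */
size_t strlen_view_of_digest(const unsigned char *data, size_t len)
{
    const unsigned char *z = memchr(data, 0, len);
    return z ? (size_t)(z - data) : len;
}

int main(void)
{
    /* Constructed sample: fake 64-byte digest with a zero byte at index 10. */
    unsigned char digest[DIGEST_LEN];
    for (size_t i = 0; i < DIGEST_LEN; i++)
        digest[i] = (unsigned char)(0x11 + i);
    digest[10] = 0x00;
    char hex[2 * DIGEST_LEN + 1];
    size_t n = data_to_hex_n(digest, DIGEST_LEN, hex, sizeof hex);
    printf("hex (%zu chars): %s\n", n, hex);
    printf("strlen() would have stopped after %zu bytes\n",
           strlen_view_of_digest(digest, DIGEST_LEN));
    return 0;
}
```

Even when a digest happens to contain no zero byte, the strlen pattern reads out of bounds; when it does contain one, the hex output is silently shortened, which is the other reason to pass the length explicitly.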