heap-buffer-overflow in parse_string_node

zhunki commented 7 years ago

==4536== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5e0074e at pc 0x806616b bp 0xbfabe008 sp 0xbfabdffc
WRITE of size 1 at 0xb5e0074e thread T0
    #0 0x806616a in parse_string_node /home/b/asan/libplist/src/bplist.c:298
    #1 0x806616a in parse_bin_node /home/b/asan/libplist/src/bplist.c:668
    #2 0x806616a in parse_bin_node_at_index /home/b/asan/libplist/src/bplist.c:755
    #3 0x80632a0 in parse_dict_node /home/b/asan/libplist/src/bplist.c:461
    #4 0x80632a0 in parse_bin_node /home/b/asan/libplist/src/bplist.c:697
    #5 0x80632a0 in parse_bin_node_at_index /home/b/asan/libplist/src/bplist.c:755
    #6 0x8068b30 in plist_from_bin /home/b/asan/libplist/src/bplist.c:844
    #7 0x804a175 in main /home/b/asan/libplist/tools/plistutil.c:150
    #8 0xb5f9ba82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #9 0x804aef5 in _start (/home/b/asan/libplist/tools/plistutil+0x804aef5)
0xb5e0074e is located 2 bytes to the left of 1-byte region [0xb5e00750,0xb5e00751)
allocated by thread T0 here:
    #0 0xb6163854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
    #1 0x8063b7c in parse_string_node /home/b/asan/libplist/src/bplist.c:292
    #2 0x8063b7c in parse_bin_node /home/b/asan/libplist/src/bplist.c:668
    #3 0x8063b7c in parse_bin_node_at_index /home/b/asan/libplist/src/bplist.c:755
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/b/asan/libplist/src/bplist.c:298 parse_string_node
Shadow bytes around the buggy address:
  0x36bc0090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36bc00e0: fa fa fa fa fa fa fa fa fa[fa]01 fa fa fa 00 04
  0x36bc00f0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x36bc0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe

poc.txt

nikias commented 7 years ago

Can you please re-run with lastet code? AFAIK this was fixed with commit 32ee5213fe64f1e10ec76c1ee861ee6f233120dd.

carnil commented 7 years ago

This is CVE-2017-6439

libimobiledevice / libplist

heap-buffer-overflow in parse_string_node #95