search

libretro / RetroArch

Cross-platform, sophisticated frontend for the libretro API. Licensed GPLv3.
http://www.libretro.com
GNU General Public License v3.0
10.38k stars 1.84k forks source link

Heap overflow with corrupted config files #7517

Open ghost opened 6 years ago

ghost commented 6 years ago

I accidentally left out a closing quote in a config file variable and then this happened:

$ ./retroarch
=================================================================
==21927==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000029181 at pc 0x7fab014b3d41 bp 0x7ffe4d2983c0 sp 0x7ffe4d297b68
READ of size 20 at 0x607000029181 thread T0
    #0 0x7fab014b3d40 in __interceptor_strchr /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:618
    #1 0x55fdabe1df24 in strip_comment libretro-common/file/config_file.c:159
    #2 0x55fdabe1f87e in parse_line libretro-common/file/config_file.c:338
    #3 0x55fdabe208e8 in config_file_new_internal libretro-common/file/config_file.c:460
    #4 0x55fdabe221a1 in config_file_new libretro-common/file/config_file.c:616
    #5 0x55fdabdbaf0d in open_default_config_file /home/bp/RetroArch/configuration.c:2272
    #6 0x55fdabdbc542 in config_load_file /home/bp/RetroArch/configuration.c:2620
    #7 0x55fdabdc4127 in parse_config_file /home/bp/RetroArch/configuration.c:3707
    #8 0x55fdabdc55eb in config_load /home/bp/RetroArch/configuration.c:3941
    #9 0x55fdabb993ac in retroarch_parse_input_and_config /home/bp/RetroArch/retroarch.c:793
    #10 0x55fdabb9ba38 in retroarch_main_init /home/bp/RetroArch/retroarch.c:1330
    #11 0x55fdabbd6da1 in content_load tasks/task_content.c:281
    #12 0x55fdabbdc671 in task_load_content tasks/task_content.c:889
    #13 0x55fdabbe29a5 in task_load_content_callback tasks/task_content.c:1570
    #14 0x55fdabbe2d37 in task_push_load_content_from_cli tasks/task_content.c:1638
    #15 0x55fdabb8fa31 in rarch_main frontend/frontend.c:125
    #16 0x55fdabf47fdc in main ui/drivers/qt/ui_qt_application.cpp:182
    #17 0x7faafb9de222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #18 0x55fdabb7facd in _start (/home/bp/RetroArch/retroarch+0x1880acd)

0x607000029181 is located 0 bytes to the right of 65-byte region [0x607000029140,0x607000029181)
allocated by thread T0 here:
    #0 0x7fab014fb491 in __interceptor_realloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:105
    #1 0x55fdabc0b2b7 in filestream_getline libretro-common/streams/file_stream.c:596
    #2 0x55fdabe20859 in config_file_new_internal libretro-common/file/config_file.c:452
    #3 0x55fdabe221a1 in config_file_new libretro-common/file/config_file.c:616
    #4 0x55fdabdbaf0d in open_default_config_file /home/bp/RetroArch/configuration.c:2272
    #5 0x55fdabdbc542 in config_load_file /home/bp/RetroArch/configuration.c:2620
    #6 0x55fdabdc4127 in parse_config_file /home/bp/RetroArch/configuration.c:3707
    #7 0x55fdabdc55eb in config_load /home/bp/RetroArch/configuration.c:3941
    #8 0x55fdabb993ac in retroarch_parse_input_and_config /home/bp/RetroArch/retroarch.c:793
    #9 0x55fdabb9ba38 in retroarch_main_init /home/bp/RetroArch/retroarch.c:1330
    #10 0x55fdabbd6da1 in content_load tasks/task_content.c:281
    #11 0x55fdabbdc671 in task_load_content tasks/task_content.c:889
    #12 0x55fdabbe29a5 in task_load_content_callback tasks/task_content.c:1570
    #13 0x55fdabbe2d37 in task_push_load_content_from_cli tasks/task_content.c:1638
    #14 0x55fdabb8fa31 in rarch_main frontend/frontend.c:125
    #15 0x55fdabf47fdc in main ui/drivers/qt/ui_qt_application.cpp:182
    #16 0x7faafb9de222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)

SUMMARY: AddressSanitizer: heap-buffer-overflow /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:618 in __interceptor_strchr
Shadow bytes around the buggy address:
  0x0c0e7fffd1e0: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0e7fffd1f0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
  0x0c0e7fffd200: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0e7fffd210: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fffd220: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0e7fffd230:[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffd240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffd250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffd260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffd270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffd280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21927==ABORTING

We should probably find a way to simply ignore corrupt lines or something, instead of outright crashing.

orbea commented 5 years ago

I can reproduce this here too.

$ ./retroarch
=================================================================
==30451==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000731 at pc 0x7f528900486c bp 0x7ffcbe8f9c20 sp 0x7ffcbe8f93d0
READ of size 2 at 0x604000000731 thread T0
    #0 0x7f528900486b  (/usr/lib64/libasan.so.5+0xa486b)
    #1 0x56ff5c in strip_comment libretro-common/file/config_file.c:162
    #2 0x570d03 in parse_line libretro-common/file/config_file.c:341
    #3 0x5715cf in config_file_new_internal libretro-common/file/config_file.c:463
    #4 0x572133 in config_file_new libretro-common/file/config_file.c:618
    #5 0x539ec1 in open_default_config_file /home/orbea/gittings/forks/RetroArch/configuration.c:2347
    #6 0x53b025 in config_load_file /home/orbea/gittings/forks/RetroArch/configuration.c:2694
    #7 0x53f8e1 in parse_config_file /home/orbea/gittings/forks/RetroArch/configuration.c:3789
    #8 0x5407ec in config_load /home/orbea/gittings/forks/RetroArch/configuration.c:4021
    #9 0x41f3ea in retroarch_parse_input_and_config /home/orbea/gittings/forks/RetroArch/retroarch.c:811
    #10 0x420e3d in retroarch_main_init /home/orbea/gittings/forks/RetroArch/retroarch.c:1362
    #11 0x448e7b in content_load tasks/task_content.c:281
    #12 0x44bdf7 in task_load_content tasks/task_content.c:883
    #13 0x450140 in task_load_content_callback tasks/task_content.c:1559
    #14 0x4504c6 in task_push_load_content_from_cli tasks/task_content.c:1627
    #15 0x41a56f in rarch_main frontend/frontend.c:125
    #16 0x41a733 in main frontend/frontend.c:169
    #17 0x7f5285652c66 in __libc_start_main (/lib64/libc.so.6+0x22c66)
    #18 0x40fd59 in _start (/media/gittings/forks/RetroArch/retroarch+0x40fd59)

0x604000000731 is located 0 bytes to the right of 33-byte region [0x604000000710,0x604000000731)
allocated by thread T0 here:
    #0 0x7f5289049320 in __interceptor_realloc (/usr/lib64/libasan.so.5+0xe9320)
    #1 0x466db7 in filestream_getline libretro-common/streams/file_stream.c:594
    #2 0x571558 in config_file_new_internal libretro-common/file/config_file.c:455
    #3 0x572133 in config_file_new libretro-common/file/config_file.c:618
    #4 0x539ec1 in open_default_config_file /home/orbea/gittings/forks/RetroArch/configuration.c:2347
    #5 0x53b025 in config_load_file /home/orbea/gittings/forks/RetroArch/configuration.c:2694
    #6 0x53f8e1 in parse_config_file /home/orbea/gittings/forks/RetroArch/configuration.c:3789
    #7 0x5407ec in config_load /home/orbea/gittings/forks/RetroArch/configuration.c:4021
    #8 0x41f3ea in retroarch_parse_input_and_config /home/orbea/gittings/forks/RetroArch/retroarch.c:811
    #9 0x420e3d in retroarch_main_init /home/orbea/gittings/forks/RetroArch/retroarch.c:1362
    #10 0x448e7b in content_load tasks/task_content.c:281
    #11 0x44bdf7 in task_load_content tasks/task_content.c:883
    #12 0x450140 in task_load_content_callback tasks/task_content.c:1559
    #13 0x4504c6 in task_push_load_content_from_cli tasks/task_content.c:1627
    #14 0x41a56f in rarch_main frontend/frontend.c:125
    #15 0x41a733 in main frontend/frontend.c:169
    #16 0x7f5285652c66 in __libc_start_main (/lib64/libc.so.6+0x22c66)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib64/libasan.so.5+0xa486b) 
Shadow bytes around the buggy address:
  0x0c087fff8090: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff80a0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff80b0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c087fff80c0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
  0x0c087fff80d0: fa fa 00 00 00 00 00 04 fa fa 00 00 00 00 00 04
=>0x0c087fff80e0: fa fa 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
  0x0c087fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30451==ABORTING