Closed cuanduo closed 5 years ago
root@ubuntu:/home/tim/fuzz/codedoc# ./codedoc poc2 poc2.zip
asan output
=================================================================
==29166==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffffffddc40 at pc 0x7ffff6e94d82 bp 0x7ffffffd9b70 sp 0x7ffffffd9318
WRITE of size 1 at 0x7ffffffddc40 thread T0
    #0 0x7ffff6e94d81 in __interceptor_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ad81)
    #1 0x555555567c6e in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40
    #2 0x555555567c6e in codedoc_strlcpy /home/tim/codedoc-addr/codedoc.c:144
    #3 0x555555567e8c in add_variable /home/tim/codedoc-addr/codedoc.c:860
    #4 0x55555556d103 in scan_file /home/tim/codedoc-addr/codedoc.c:3591
    #5 0x555555566b56 in main /home/tim/codedoc-addr/codedoc.c:488
    #6 0x7ffff660eb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #7 0x5555555675e9 in _start (/home/tim/fuzz/codedoc/codedoc-addr+0x135e9)

Address 0x7ffffffddc40 is located in stack of thread T0 at offset 16480 in frame
    #0 0x555555567cb0 in add_variable /home/tim/codedoc-addr/codedoc.c:810

  This frame has 2 object(s):
    [32, 36) 'whitespace'
    [96, 16480) 'buffer' <== Memory access at offset 16480 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ad81) in __interceptor_memmove
Shadow bytes around the buggy address:
  0x10007fff3b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff3b80: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 00 00 00 00
  0x10007fff3b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3ba0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2
  0x10007fff3bb0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29166==ABORTING
gdb output
*** stack smashing detected ***: <unknown> terminated

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffffffd9bd0 --> 0x0
RCX: 0x7ffff75e6e97 (<__GI_raise+199>: mov rcx,QWORD PTR [rsp+0x108])
RDX: 0x0
RSI: 0x7ffffffd9930 --> 0x0
RDI: 0x2
RBP: 0x7ffffffd9d60 --> 0x7ffff775e97e ("<unknown>")
RSP: 0x7ffffffd9930 --> 0x0
RIP: 0x7ffff75e6e97 (<__GI_raise+199>: mov rcx,QWORD PTR [rsp+0x108])
R8 : 0x0
R9 : 0x7ffffffd9930 --> 0x0
R10: 0x8
R11: 0x246
R12: 0x7ffffffd9bd0 --> 0x0
R13: 0x1000
R14: 0x0
R15: 0x30 ('0')
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff75e6e8b <__GI_raise+187>: mov edi,0x2
   0x7ffff75e6e90 <__GI_raise+192>: mov eax,0xe
   0x7ffff75e6e95 <__GI_raise+197>: syscall
=> 0x7ffff75e6e97 <__GI_raise+199>: mov rcx,QWORD PTR [rsp+0x108]
   0x7ffff75e6e9f <__GI_raise+207>: xor rcx,QWORD PTR fs:0x28
   0x7ffff75e6ea8 <__GI_raise+216>: mov eax,r8d
   0x7ffff75e6eab <__GI_raise+219>: jne 0x7ffff75e6ecc <__GI_raise+252>
   0x7ffff75e6ead <__GI_raise+221>: add rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7ffffffd9930 --> 0x0
0008| 0x7ffffffd9938 --> 0x0
0016| 0x7ffffffd9940 --> 0x0
0024| 0x7ffffffd9948 --> 0x0
0032| 0x7ffffffd9950 --> 0x0
0040| 0x7ffffffd9958 --> 0x0
0048| 0x7ffffffd9960 --> 0x0
0056| 0x7ffffffd9968 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff75e8801 in __GI_abort () at abort.c:79
#2  0x00007ffff7631897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff775e988 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff76dccd1 in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=0x0, msg=msg@entry=0x7ffff775e966 "stack smashing detected") at fortify_fail.c:33
#4  0x00007ffff76dcc92 in __stack_chk_fail () at stack_chk_fail.c:29
#5  0x0000555555558602 in add_variable (parent=<optimized out>, name=<optimized out>, type=<optimized out>) at codedoc.c:930
#6  0x000055555555b95e in scan_file (file=<optimized out>, tree=<optimized out>) at codedoc.c:3591
#7  0x00005555555577d6 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe098) at codedoc.c:488
#8  0x00007ffff75c9b97 in __libc_start_main (main=0x555555557239 <main>, argc=0x2, argv=0x7fffffffe098, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe088) at ../csu/libc-start.c:310
#9  0x0000555555557dfa in _start ()
gdb-peda$
[master 19532db] Fix a buffer overflow issue with fuzzer-generated code (Issue #5)