Discussion:
[bug-mailutils] Buffer overflow (likely off-by-one vuln) in 'mail'.
Joshua Rogers
2014-12-02 08:49:01 UTC
Hi,

`mail' is vulnerable to a heap-based buffer overflow, according to
AddressSanitizer, using the testcase https://internot.info/docs/mail-test

In 'mail' (compiled with AddressSanitizer), if you press enter after it
has been opened, it will malloc off by one.
=================================================================
==39802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004aef at pc 0x438498 bp 0x7fffc4d5b840 sp 0x7fffc4d5b838
READ of size 1 at 0x602000004aef thread T0
    #0 0x438497 in mail_mainloop /root/srcs/mailutils-2.2+dfsg1/mail/mail.c:531
    #1 0x40c66f in main /root/srcs/mailutils-2.2+dfsg1/mail/mail.c:512
    #2 0x7fecc9cca76c in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #3 0x40ef04 (/usr/bin/mail+0x40ef04)

0x602000004aef is located 1 bytes to the left of 1-byte region [0x602000004af0,0x602000004af1)
    #0 0x7feccbd1978f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5778f)
    #1 0x7fecca2b1618 in xmalloc (/lib/x86_64-linux-gnu/libreadline.so.6+0x2c618)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/srcs/mailutils-2.2+dfsg1/mail/mail.c:531 mail_mainloop
==39802==ABORTING
Thanks,
--
Joshua Rogers <https://internot.info/>
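An added illustration of the bug class in this report, not mailutils' own code (the page does not show what mail.c:531 does): an empty line from a readline-style call is a 1-byte heap block holding only the terminator, and any end-of-line check that indexes `len - 1` without first testing `len > 0` reads the byte just left of that block, which is the shape the sanitizer flagged. The continuation-backslash check and `fake_readline` below are hypothetical stand-ins, not libreadline or `mail_mainloop`.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for readline(), not libreadline: an empty line comes
   back as a 1-byte heap block holding only the terminator. */
static char *fake_readline(const char *typed)
{
    char *buf = malloc(strlen(typed) + 1);
    return buf ? strcpy(buf, typed) : NULL;
}

/* Naive end-of-line check. With len == 0 this evaluates line[-1]: a 1-byte
   read just left of the heap block, the shape of the report above. Kept only
   for comparison; never call it on an empty line. */
static int ends_with_backslash_naive(const char *line)
{
    int len = (int)strlen(line);
    return line[len - 1] == '\\';
}

/* Hardened check: test the length before indexing from the end. */
static int ends_with_backslash_safe(const char *line)
{
    size_t len = strlen(line);
    return len > 0 && line[len - 1] == '\\';
}

/* Drops a trailing continuation backslash in place; returns 1 if it did. */
static int strip_continuation(char *line)
{
    size_t len = strlen(line);
    if (len == 0 || line[len - 1] != '\\')
        return 0;
    line[len - 1] = '\0';
    return 1;
}

/* Runs the crash trigger (an empty line) and a continued line through the
   hardened path. Returns 1 if both behave as expected, 0 otherwise. */
static int run_demo(void)
{
    char *empty = fake_readline(""), *cont = fake_readline("print \\");
    int ok = empty && cont
          && ends_with_backslash_safe(empty) == 0 && strip_continuation(empty) == 0
          && strip_continuation(cont) == 1 && strcmp(cont, "print ") == 0;
    free(empty);
    free(cont);
    return ok;
}
```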
Sergey Poznyakoff
2014-12-03 11:35:32 UTC
Hi Joshua,

Thanks for reporting. I installed the following patch.

Regards,
Sergey
