You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Stack based buffer overflow is observed in read_write.c and gattlib.c while fuzzing GATTLIB (releases - master, v0.3-rc1, dev, various-fixes) using CLANG with AFL FUZZER
Vulnerable code from read_write.c -
connection = gattlib_connect(NULL, argv[1], GATTLIB_CONNECTION_OPTIONS_LEGACY_DEFAULT);
if (connection == NULL) {
fprintf(stderr, "Fail to connect to the bluetooth device.\n");
return 1;
}
// Transform string from 'DA:94:40:95:E0:87' to 'dev_DA_94_40_95_E0_87'
strncpy(device_address_str, mac_address, sizeof(device_address_str));
for (int i = 0; i < strlen(device_address_str); i++) {
if (device_address_str[i] == ':') {
device_address_str[i] = '_';
}
}
=================================================================
==72493==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc83cd4d95 at pc 0x00000042efb9 bp 0x7ffc83cd4d50 sp 0x7ffc83cd4510
READ of size 22 at 0x7ffc83cd4d95 thread T0
-0 0x42efb8 in strlen (/home/zero/newfuz/gattlib/build/examples/read_write/read_write+0x42efb8)
-1 0x7fb3c462c532 in get_device_path_from_mac /home/zero/newfuz/gattlib/dbus/gattlib.c:114:22
-2 0x7fb3c462c532 in gattlib_connect /home/zero/newfuz/gattlib/dbus/gattlib.c:150:2
-3 0x4c471b in main /home/zero/newfuz/gattlib/examples/read_write/read_write.c:71:15
-4 0x7fb3c394e0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
-5 0x41c38d in _start (/home/zero/newfuz/gattlib/build/examples/read_write/read_write+0x41c38d)
Address 0x7ffc83cd4d95 is located in stack of thread T0 at offset 53 in frame
-0 0x7fb3c462c2bf in gattlib_connect /home/zero/newfuz/gattlib/dbus/gattlib.c:136
This frame has 3 object(s):
[32, 53) 'device_address_str.i' (line 103) <== Memory access at offset 53 overflows this variable
[96, 104) 'error' (line 140)
[128, 228) 'object_path' (line 141)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/zero/newfuz/gattlib/build/examples/read_write/read_write+0x42efb8) in strlen
Shadow bytes around the buggy address:
0x100010792960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100010792970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100010792980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100010792990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000107929a0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x1000107929b0: 00 00[05]f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00
0x1000107929c0: 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3 f3 f3
0x1000107929d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000107929e0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x1000107929f0: 00 f2 f2 f2 f8 f2 f2 f2 f8 f8 f8 f8 f8 f2 f2 f2
0x100010792a00: f2 f2 f8 f8 f8 f8 f8 f3 f3 f3 f3 f3 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==72493==ABORTING
Request team to implement proper patch and validate
The text was updated successfully, but these errors were encountered:
Hi Team,
Stack based buffer overflow is observed in read_write.c and gattlib.c while fuzzing GATTLIB (releases - master, v0.3-rc1, dev, various-fixes) using CLANG with AFL FUZZER
Vulnerable code from read_write.c -
Vulnerable code from gattlib.c -
get_device_path_from_mac(adapter_name, dst, object_path, sizeof(object_path));
// Transform string from 'DA:94:40:95:E0:87' to 'dev_DA_94_40_95_E0_87'
strncpy(device_address_str, mac_address, sizeof(device_address_str));
for (int i = 0; i < strlen(device_address_str); i++) {
if (device_address_str[i] == ':') {
device_address_str[i] = '_';
}
}
Steps to Reproduce -
cd
mkdir build && cd build
cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -fsanitize=leak -g" -DCMAKE_C_FLAGS="-fsanitize=address -fsanitize=leak -g"
make
./examples/read_write/read_write 11111111111111111111111111111111111 read 00002a29-0000-1000-8000-00805f9b34fb
ASAN output -
=================================================================
==72493==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc83cd4d95 at pc 0x00000042efb9 bp 0x7ffc83cd4d50 sp 0x7ffc83cd4510
READ of size 22 at 0x7ffc83cd4d95 thread T0
-0 0x42efb8 in strlen (/home/zero/newfuz/gattlib/build/examples/read_write/read_write+0x42efb8)
-1 0x7fb3c462c532 in get_device_path_from_mac /home/zero/newfuz/gattlib/dbus/gattlib.c:114:22
-2 0x7fb3c462c532 in gattlib_connect /home/zero/newfuz/gattlib/dbus/gattlib.c:150:2
-3 0x4c471b in main /home/zero/newfuz/gattlib/examples/read_write/read_write.c:71:15
-4 0x7fb3c394e0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
-5 0x41c38d in _start (/home/zero/newfuz/gattlib/build/examples/read_write/read_write+0x41c38d)
Address 0x7ffc83cd4d95 is located in stack of thread T0 at offset 53 in frame
-0 0x7fb3c462c2bf in gattlib_connect /home/zero/newfuz/gattlib/dbus/gattlib.c:136
This frame has 3 object(s):
[32, 53) 'device_address_str.i' (line 103) <== Memory access at offset 53 overflows this variable
[96, 104) 'error' (line 140)
[128, 228) 'object_path' (line 141)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/zero/newfuz/gattlib/build/examples/read_write/read_write+0x42efb8) in strlen
Shadow bytes around the buggy address:
0x100010792960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100010792970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100010792980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100010792990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000107929a0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x1000107929b0: 00 00[05]f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00
0x1000107929c0: 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3 f3 f3
0x1000107929d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000107929e0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x1000107929f0: 00 f2 f2 f2 f8 f2 f2 f2 f8 f8 f8 f8 f8 f2 f2 f2
0x100010792a00: f2 f2 f8 f8 f8 f8 f8 f3 f3 f3 f3 f3 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==72493==ABORTING
Request team to implement proper patch and validate
The text was updated successfully, but these errors were encountered: