Bug#964358: libedit2: readline() SIGSEGV
federicjohnson at tutanota.com
Sun Jul 5 23:44:17 BST 2020
Package: libedit2
Version: 3.1-20181209-1
Hello.
Found a bug in libedit package which causes readline() to segfault after writing a large amount of data.
It crashes somewhere in function e_wgets() called from e_gets() from readline().
Looks like a buffer overflow, but appears to be crashing after trying to dereference a null pointer.
I don't think this would represent a security issue even if it is exploitable in some way, but I report it just in case.
Bug appears to be fixed in newer versions of the lib, solved by building from source and installing the sid release of package
"libedit2_3.1-20191231-1_amd64.deb".
Proof of concept:
readline.c:
----------------------------------------
/* gcc readline.c -o readline -ledit */
#include <stdio.h>
#include <stdlib.h>
#include <editline/readline.h>

int main(int argc, char **argv)
{
    /* The crash occurs inside this call once enough input has been written
     * to the terminal; readline() returns a malloc'ed buffer on success. */
    char *line = readline("Give me a line: ");
    free(line);
    return 0;
}
----------------------------------------
poc.py:
----------------------------------------
#!/usr/bin/env python3
import os
import pty
import signal


def read(fd):
    """Master-side read callback for pty.spawn(): once the child prints the
    prompt, feed it 1000 bytes of 'A' (no trailing newline)."""
    data = os.read(fd, 1024)
    if data.decode(errors='replace').find('Give me a line') != -1:
        os.write(fd, b"A" * 1000)
    return data


# pty.spawn() returns the child's wait status (Python 3.4+).
status = pty.spawn([os.getcwd() + '/readline'], read)
if os.WIFSIGNALED(status) and os.WTERMSIG(status) == signal.SIGSEGV:
    print("\nGot SIGSEGV")
----------------------------------------
Output:
----------------------------------------
gcc readline.c -o readline -ledit && python3 poc.py
Give me a line: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAA
Got SIGSEGV
-----------------------------------------