Bug#993567: libedit-dev heap buffer overflow in readline.c:791

Chris Liu again.liu at gmail.com
Fri Sep 3 08:52:24 BST 2021


Package: libedit-dev
Version: 3.1-20191231
Tags: security
Severity: important

I was fuzzing the libedit-dev package downloaded via apt-get with AFL, and
ASAN caught a heap buffer overflow from one of the inputs while I was using
fileman as my fuzzing harness. The same can be confirmed on bullseye and
bookworm. The input file readline_791 is attached to this email.

The way I compiled it was:
--
sudo apt-get build-dep -y libedit-dev
sudo apt-get source -y libedit-dev
cd libedit-3.1-20191231/
CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" dpkg-buildpackage -uc -us
cd examples/.libs/
export LD_LIBRARY_PATH=../../src/.libs/
cat /root/readline_791 | ./fileman
--

Sample output from ASAN is as follows.
--
==50116==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6030000015b8 at pc 0x7f15ddd471d5 bp 0x7ffee6778450 sp 0x7ffee6778448
READ of size 1 at 0x6030000015b8 thread T0
    #0 0x7f15ddd471d4 in _history_expand_command
/root/libedit-dev/libedit-3.1-20191231/src/readline.c:791
    #1 0x7f15ddd47e87 in history_expand
/root/libedit-dev/libedit-3.1-20191231/src/readline.c:1025
    #2 0x556e5ce6b579 in main
/root/libedit-dev/libedit-3.1-20191231/examples/fileman.c:124
    #3 0x7f15ddb35d09 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x26d09)
    #4 0x556e5ce6b319 in _start
(/root/libedit-dev/libedit-3.1-20191231/examples/.libs/fileman+0x3319)

0x6030000015b8 is located 0 bytes to the right of 24-byte region
[0x6030000015a0,0x6030000015b8)
allocated by thread T0 here:
    #0 0x7f15dde24037 in __interceptor_calloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x7f15ddd4743b in history_expand
/root/libedit-dev/libedit-3.1-20191231/src/readline.c:942
    #2 0x556e5ce6b579 in main
/root/libedit-dev/libedit-3.1-20191231/examples/fileman.c:124
    #3 0x7f15ddb35d09 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x26d09)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/root/libedit-dev/libedit-3.1-20191231/src/readline.c:791 in
_history_expand_command
Shadow bytes around the buggy address:
  0x0c067fff8260: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8270: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8280: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8290: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff82a0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
=>0x0c067fff82b0: 05 fa fa fa 00 00 00[fa]fa fa 00 00 00 00 fa fa
  0x0c067fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
--

ASAN sample from bullseye:
--
==57122==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6030000015b8 at pc 0x7fe0cbeea290 bp 0x7ffc36b806d0 sp 0x7ffc36b806c8
READ of size 1 at 0x6030000015b8 thread T0
    #0 0x7fe0cbeea28f in _history_expand_command
/root/libedit-20191231-3.1/src/readline.c:787
    #1 0x7fe0cbeeaf42 in history_expand
/root/libedit-20191231-3.1/src/readline.c:1021
    #2 0x564dcf1f4579 in main
/root/libedit-20191231-3.1/examples/fileman.c:124
    #3 0x7fe0cbcd8d09 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x26d09)
    #4 0x564dcf1f4319 in _start
(/root/libedit-20191231-3.1/examples/.libs/fileman+0x3319)

0x6030000015b8 is located 0 bytes to the right of 24-byte region
[0x6030000015a0,0x6030000015b8)
allocated by thread T0 here:
    #0 0x7fe0cbfcf037 in __interceptor_calloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x7fe0cbeea4f6 in history_expand
/root/libedit-20191231-3.1/src/readline.c:938
    #2 0x564dcf1f4579 in main
/root/libedit-20191231-3.1/examples/fileman.c:124
    #3 0x7fe0cbcd8d09 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x26d09)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/root/libedit-20191231-3.1/src/readline.c:787 in _history_expand_command
Shadow bytes around the buggy address:
  0x0c067fff8260: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8270: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8280: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8290: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff82a0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
=>0x0c067fff82b0: 05 fa fa fa 00 00 00[fa]fa fa 00 00 00 00 fa fa
  0x0c067fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
--

ASAN from bookworm:
--
==57156==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6030000015b8 at pc 0x7f7d06fee35e bp 0x7fff50ed0810 sp 0x7fff50ed0808
READ of size 1 at 0x6030000015b8 thread T0
    #0 0x7f7d06fee35d in _history_expand_command
/root/libedit-20210714-3.1/src/readline.c:787
    #1 0x7f7d06fef010 in history_expand
/root/libedit-20210714-3.1/src/readline.c:1021
    #2 0x55f98c9f1579 in main
/root/libedit-20210714-3.1/examples/fileman.c:124
    #3 0x7f7d06ddcd09 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x26d09)
    #4 0x55f98c9f1319 in _start
(/root/libedit-20210714-3.1/examples/.libs/fileman+0x3319)

0x6030000015b8 is located 0 bytes to the right of 24-byte region
[0x6030000015a0,0x6030000015b8)
allocated by thread T0 here:
    #0 0x7f7d070d3037 in __interceptor_calloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x7f7d06fee5c4 in history_expand
/root/libedit-20210714-3.1/src/readline.c:938
    #2 0x55f98c9f1579 in main
/root/libedit-20210714-3.1/examples/fileman.c:124
    #3 0x7f7d06ddcd09 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x26d09)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/root/libedit-20210714-3.1/src/readline.c:787 in _history_expand_command
Shadow bytes around the buggy address:
  0x0c067fff8260: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8270: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8280: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8290: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff82a0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
=>0x0c067fff82b0: 05 fa fa fa 00 00 00[fa]fa fa 00 00 00 00 fa fa
  0x0c067fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
--

Debian, kernel version and libc version:
--
root@debian:/# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:  Debian GNU/Linux 11 (bullseye)
Release:  11
Codename: bullseye

root@debian:/# uname -a
Linux debian 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64
GNU/Linux

root@debian:/# /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Debian GLIBC 2.31-13) stable release version 2.31.
--
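The three reports above all describe the same shape of defect: a READ of size 1 landing 0 bytes to the right of a 24-byte calloc'd region, i.e. a scan that steps exactly one byte past an exactly-sized heap buffer. The C program below is an added illustration of that bug class for readers of this report; it is constructed for this page, is not libedit's code, and makes no claim about what readline.c:791 actually does. The '!' event-designator scan, the function names and the sample input "!fileman" are all assumptions. It puts a scan that depends on a NUL terminator next to a length-bounded scan, then builds an unterminated buffer sized to the text length alone (the way an allocation computed from strlen() without the +1 would be) and runs the bounded form on it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed illustration of a one-byte heap over-read at the end of an
 * exactly-sized buffer. NOT libedit's code; the designator scan, the
 * function names and the sample input are assumptions for this example.
 */

/* Unchecked scan: length of the designator that follows a '!' (up to ':' or
 * NUL). It relies on a terminator being present. On a buffer sized to the
 * text length only, the loop reads buf[len], one byte past the allocation,
 * which is exactly the "READ of size 1 ... 0 bytes to the right" ASAN shows. */
static size_t designator_len_unchecked(const char *buf, size_t offs)
{
    size_t i = offs;
    while (buf[i] != ':' && buf[i] != '\0')
        i++;
    return i - offs;
}

/* Hardened scan: the caller's known buffer length bounds every index, so an
 * unterminated buffer yields the remaining bytes and an out-of-range offset
 * yields 0; no index ever reaches buf[len]. */
static size_t designator_len_bounded(const char *buf, size_t len, size_t offs)
{
    size_t i;
    for (i = offs; i < len; i++)
        if (buf[i] == ':' || buf[i] == '\0')
            break;
    return i - offs;   /* i == offs when offs >= len, so this is never negative */
}

/* Builds an exactly-sized, unterminated heap copy of the constructed input
 * (len bytes, not len + 1) and runs the bounded scan on it. The buffer is
 * deliberately never handed to the unchecked scan. */
static size_t scan_unterminated_copy(const char *text)
{
    size_t len = strlen(text);
    size_t offs = (len > 0 && text[0] == '!') ? 1 : 0;  /* skip the leading '!' */
    char *buf = calloc(len, 1);          /* no room for a terminator */
    if (buf == NULL)
        return 0;
    memcpy(buf, text, len);
    size_t n = designator_len_bounded(buf, len, offs);
    free(buf);
    return n;
}

int main(void)
{
    static const char sample[] = "!fileman";   /* constructed 8-byte input */

    printf("bounded scan on unterminated copy:  %zu\n", scan_unterminated_copy(sample));
    /* The unchecked scan is only safe on a NUL-terminated string: */
    printf("unchecked scan on terminated string: %zu\n", designator_len_unchecked(sample, 1));
    /* Calling designator_len_unchecked on the unterminated copy instead is what
     * produces a report like the ones in this bug; build with
     * "-fsanitize=address -g" to have ASAN flag the read. */
    return 0;
}
```

Both scans agree on terminated input; they differ only when the buffer has no terminator, which is the case an exactly-sized calloc creates. The fix pattern is the one in the bounded form: carry the length the caller already knows and compare against it before every read, rather than trusting that a terminator exists.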
-------------- next part --------------
A non-text attachment was scrubbed...
Name: readline_791
Type: application/octet-stream
Size: 1151 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-llvm-team/attachments/20210903/3ceb5957/attachment.obj>