openeuler-baseservice / mcpp Goto Github PK

CVE-2019-14274
漏洞背景:https://sourceforge.net/p/mcpp/bugs/13/
Patch URL:https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/mcpp/2.7.2-5/mcpp_2.7.2-5.debian.tar.xz
解压后:./debian/patches/05-gniibe-fix-13.patch

Heap-based Buffer Overflow was found in the do_msg() function in support.c.This bug was recorded in sourceforge.net( https://sourceforge.net/p/mcpp/bugs/13/ ). And it got assigned CVE-2019-14274.
When I used the test file provided by sourceforge.net, I got the same output information.

/usr/local/bin/mcpp /root/test-do_msg01

=================================================================
==46768==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000001b8 at pc 0x00000042971d bp 0x7fff00209020 sp 0x7fff00209000
WRITE of size 1 at 0x6020000001b8 thread T0
#0 0x42971c in do_msg /root/packages/github/mcpp/src/support.c:2516
#1 0x42fb80 in cerror /root/packages/github/mcpp/src/support.c:2635
#2 0x42fb80 in scan_quote /root/packages/github/mcpp/src/support.c:867
#3 0x43099c in parse_line /root/packages/github/mcpp/src/support.c:1760
#4 0x42da13 in get_ch /root/packages/github/mcpp/src/support.c:1580
#5 0x402c6f in mcpp_main /root/packages/github/mcpp/src/main.c:628
#6 0x402c6f in main /root/packages/github/mcpp/src/main.c:423
#7 0x7f2262986b66 in __libc_start_main (/lib64/libc.so.6+0x25b66)
#8 0x4042b9 in _start (/usr/local/bin/mcpp+0x4042b9)

0x6020000001b8 is located 0 bytes to the right of 8-byte region [0x6020000001b0,0x6020000001b8)
allocated by thread T0 here:
#0 0x7f2262c74115 in malloc (/lib64/libasan.so.4+0x152115)
#1 0x428674 in do_msg /root/packages/github/mcpp/src/support.c:2461

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/packages/github/mcpp/src/support.c:2516 in do_msg
Shadow bytes around the buggy address:
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 06 fa fa 00 07 fa fa fd fa fa fa fd fa
0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8020: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff8030: fa fa fd fa fa fa 00[fa]fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==46768==ABORTING