Description
Details
Malcrafted format files can cause a Heap Buffer Overflow in the hexdump tool when passed to the -f or --format-file parameters. When reading the format file in function addfile() in hexdump-parse.c, a memory corruption problem is introduced depending on the input. Subsequent crashes or memory problems occur later at function block_size() when the application is figuring out the block size before displaying the hex values.
Known affected versions
hexdump from util-linux 2.39.3 to 2.40-rc1-126-7ca98
ASAN Output
==139809==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000000f0 at pc 0x55640a472ab9 bp 0x7ffcb4f25220 sp 0x7ffcb4f25218
READ of size 4 at 0x6030000000f0 thread T0
    #0 0x55640a472ab8 in print /home/andres/misc/framework/repos/util-linux/text-utils/hexdump-display.c:200:4
    #1 0x55640a474da5 in display /home/andres/misc/framework/repos/util-linux/text-utils/hexdump-display.c:280:8
    #2 0x55640a474da5 in main /home/andres/misc/framework/repos/util-linux/text-utils/hexdump.c:229:2
    #3 0x7f1e1008c6c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7f1e1008c784 in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0x55640a395560 in _start (/home/andres/misc/framework/repos/util-linux/hexdump+0x5d560) (BuildId: 66e36720a99b4a41)
0x6030000000f0 is located 0 bytes after 32-byte region [0x6030000000d0,0x6030000000f0)
allocated by thread T0 here:
    #0 0x55640a4303ac in calloc (/home/andres/misc/framework/repos/util-linux/hexdump+0xf83ac) (BuildId: 66e36720a99b4a41)
    #1 0x55640a474416 in xcalloc /home/andres/misc/framework/repos/util-linux/./include/xalloc.h:67:14
    #2 0x55640a474416 in get /home/andres/misc/framework/repos/util-linux/text-utils/hexdump-display.c:336:10
    #3 0x55640a474416 in display /home/andres/misc/framework/repos/util-linux/text-utils/hexdump-display.c:252:15
    #4 0x55640a474416 in main /home/andres/misc/framework/repos/util-linux/text-utils/hexdump.c:229:2
PoC
hexdump -f crash-5.txt any-other-target-input-file
See attached file crash-5.txt
Credits
These findings come from a research effort on software quality and security based on a Human Error-Driven Framework for software defect prediction.
--
Carlos Andres Ramirez
Researcher
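
An added example, not part of the original report and not util-linux code: a small Python parser that extracts the triage fields (bug type, access, overrun geometry, faulting frame, owning allocation site) from an AddressSanitizer heap report such as the one quoted above. The function name `triage`, the `ALLOCATORS` wrapper list and the bucket-key format are assumptions of this example; the sample input is an abridged copy of the report's own lines.

```python
import re

# Abridged copy of the ASAN report quoted in the issue above (some frames trimmed).
REPORT = """\
==139809==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000000f0 at pc 0x55640a472ab9 bp 0x7ffcb4f25220 sp 0x7ffcb4f25218
READ of size 4 at 0x6030000000f0 thread T0
    #0 0x55640a472ab8 in print /home/andres/misc/framework/repos/util-linux/text-utils/hexdump-display.c:200:4
    #1 0x55640a474da5 in display /home/andres/misc/framework/repos/util-linux/text-utils/hexdump-display.c:280:8
0x6030000000f0 is located 0 bytes after 32-byte region [0x6030000000d0,0x6030000000f0)
allocated by thread T0 here:
    #0 0x55640a4303ac in calloc (/home/andres/misc/framework/repos/util-linux/hexdump+0xf83ac) (BuildId: 66e36720a99b4a41)
    #1 0x55640a474416 in xcalloc /home/andres/misc/framework/repos/util-linux/./include/xalloc.h:67:14
    #2 0x55640a474416 in get /home/andres/misc/framework/repos/util-linux/text-utils/hexdump-display.c:336:10
"""

# Symbolized frame: "#N 0xADDR in func path:line[:col]"; unsymbolized frames are skipped.
FRAME = re.compile(r"#\d+\s+0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$")
# Assumed list of allocator wrappers to skip when naming the owning call site.
ALLOCATORS = {"malloc", "calloc", "realloc", "xmalloc", "xcalloc", "xrealloc"}

def triage(report):
    """Return the fields used to deduplicate and route an ASAN heap report."""
    out = {"access_frames": [], "alloc_frames": []}
    section = "access_frames"
    for line in map(str.strip, report.splitlines()):
        if m := re.search(r"AddressSanitizer: (\S+) on address", line):
            out["bug_type"] = m.group(1)
        elif m := re.match(r"(READ|WRITE) of size (\d+)", line):
            out["access"], out["access_size"] = m.group(1), int(m.group(2))
        elif m := re.search(r"located (\d+) bytes (\w+) (\d+)-byte region", line):
            out["offset"], out["side"] = int(m.group(1)), m.group(2)
            out["region_size"] = int(m.group(3))
        elif line.startswith("allocated by thread"):
            section = "alloc_frames"  # later frames belong to the allocation stack
        elif m := FRAME.search(line):
            func, path, lineno = m.groups()
            out[section].append((func, path.rsplit("/", 1)[-1], int(lineno)))
    # The first non-allocator frame in the allocation stack owns the buffer.
    out["alloc_site"] = next(
        (f for f in out["alloc_frames"] if f[0] not in ALLOCATORS), None)
    out["fault_site"] = out["access_frames"][0] if out["access_frames"] else None
    # Bucket key for grouping crashes with the same fault and owner functions.
    fault = out["fault_site"][0] if out["fault_site"] else "?"
    owner = out["alloc_site"][0] if out["alloc_site"] else "?"
    out["bucket"] = f'{out.get("bug_type")}:{out.get("access")}:{fault}:{owner}'
    return out
```
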