
Null Pointer Dereference in function DumpOneStream() at src/DumpStream.cpp:2858 #20

Description

@zhuvensi

DumpTS

Describe:

A Null Pointer Dereference was discovered in DumpTS v0.1.0-nightly. The issue is triggered in function DumpOneStream() at src/DumpStream.cpp:2858. Attackers may exploit this vulnerability to execute and cause a DoS attack.

Reproduce:

Tested in Ubuntu 22.04
Compile the program with AddressSanitizer as follows.
First, add the command in the makefile as shown here:
[image]

Then:
gdb --args ./DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000008,sig:11,src:000034+000066,time:416966,execs:118645,op:splice,rep:3 --showinfo --removebox='unkn'
(gdb) set logging on
(gdb) set logging file out.txt
(gdb) set logging redirect on
(gdb) break main
(gdb) run
(gdb) step
(gdb) print argc
(gdb) print argv
(gdb) continue
(gdb) info signals
(gdb) backtrace

GDB Reports:

(gdb) run
Starting program: /home/DumpTS/build/linux/DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000008,sig:11,src:000034+000066,time:416966,execs:118645,op:splice,rep:3 --showinfo --removebox=unkn
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[13818-1] current PSI section failed do check-sum.
[13818-1] current PSI section failed do check-sum.
The PSI section data seems not to be enough.

Program received signal SIGSEGV, Segmentation fault.
0x00007f132bc67d4d in ftell () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) continue 
Continuing.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==707503==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f132bc67d4d bp 0x7ffcd94f18b0 sp 0x7ffcd94f13d0 T0)
==707503==The signal is caused by a READ memory access.
==707503==Hint: address points to the zero page.
[Detaching after fork from child process 709561]
    #0 0x7f132bc67d4d in _IO_ftell (/lib/x86_64-linux-gnu/libc.so.6+0x7fd4d) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #1 0x55753fbff503  (/home/DumpTS/build/linux/DumpTS+0xe82503) (BuildId: b640c03d1d58bdf7)
    #2 0x55753fc36276  (/home/DumpTS/build/linux/DumpTS+0xeb9276) (BuildId: b640c03d1d58bdf7)
    #3 0x7f132bc11d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #4 0x7f132bc11e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #5 0x55753f0fd324  (/home/DumpTS/build/linux/DumpTS+0x380324) (BuildId: b640c03d1d58bdf7)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x7fd4d) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348) in _IO_ftell
==707503==ABORTING
[Inferior 1 (process 707503) exited with code 01]

And this is the command at the bug address:
[image]

PoC

PoC file is here

Fuzzer
Fuzzer is AFL.
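The backtrace above shows a SIGSEGV inside ftell() at address 0, which is the signature of stdio being handed a NULL FILE* (typically an unchecked fopen() failure). The following is an added illustration of that failure mode and the guard that prevents it; it is hypothetical example code, not DumpTS's DumpOneStream(), and the function names and the test path are constructed for this example.

```c
#include <stdio.h>
#include <errno.h>

/* Constructed example, not DumpTS source: the report's crash is ftell()
 * dereferencing the zero page, i.e. ftell(NULL). fopen() returns NULL on
 * failure, and every stdio call on that pointer reads through NULL. */

/* Unchecked pattern: trusts whatever stream it is handed.
 * With fp == NULL this is undefined behaviour and crashes as reported. */
long stream_length_unchecked(FILE *fp)
{
    fseek(fp, 0, SEEK_END);
    return ftell(fp);
}

/* Hardened pattern: validate the stream and report -1 on any error instead
 * of touching a NULL FILE*. fseek/ftell results are checked too, so a
 * non-seekable stream (a pipe, say) yields an error rather than junk. */
long stream_length_checked(FILE *fp)
{
    if (fp == NULL) {
        errno = EINVAL;
        return -1;
    }
    long cur = ftell(fp);
    if (cur < 0)
        return -1;
    if (fseek(fp, 0, SEEK_END) != 0)
        return -1;
    long end = ftell(fp);
    fseek(fp, cur, SEEK_SET);   /* restore the caller's position */
    return end;
}

/* Opens a path and returns its length, or -1 on any error. A missing or
 * unreadable input path is the usual way a NULL FILE* reaches ftell(). */
long file_length(const char *path)
{
    FILE *fp = fopen(path, "rb");
    long len = stream_length_checked(fp);   /* safe even when fp == NULL */
    if (fp)
        fclose(fp);
    return len;
}

/* Writes 10 constructed bytes to a temporary stream and measures it. */
long demo_tmpfile_length(void)
{
    FILE *t = tmpfile();
    if (t == NULL || fputs("0123456789", t) < 0 || fflush(t) != 0)
        return -1;
    long len = stream_length_checked(t);
    fclose(t);
    return len;
}
```

The checked variant is what a fix at the reported site would look like: fail the stream before any stdio call touches it, and propagate the error to the caller.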
