oss-sec mailing list archives

Stack out of bounds read access in uudecode / sharutils


From: Hanno Böck <hanno () hboeck de>
Date: Wed, 3 Jun 2015 01:00:28 +0200

https://blog.fuzzing-project.org/13-Stack-out-of-bounds-read-access-in-uudecode-sharutils.html

uudecode is a tool to decode uuencoded data. It is shipped with the
package sharutils.

An invalid input file can cause an out of bounds stack read access in
the function expand_tilde(). This issue has been reported to the
developers on 2015-03-04. It has been fixed in sharutils 4.15.2
(2015-05-30).

To see this bug one needs to use a tool like valgrind or address
sanitizer that detects out of bounds memory reads. The bug was found
with american fuzzy lop.

Sample file
https://crashes.fuzzing-project.org/uudecode-oob-read-stack-expand_tilde.uu

Address sanitizer output:

==8209==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff8a4a8690 at pc 0x40738d bp 0x7fff8a4a44a0 sp 0x7fff8a4a4490
READ of size 1 at 0x7fff8a4a8690 thread T0
#0 0x40738c in expand_tilde /mnt/ram/sharutils-4.14/src/uudecode.c:252
#1 0x40738c in decode /mnt/ram/sharutils-4.14/src/uudecode.c:437
#2 0x403660 in main /mnt/ram/sharutils-4.14/src/uudecode.c:530
#3 0x7f13d97fff9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
#4 0x403c81 (/mnt/ram/sharutils-4.14/src/uudecode+0x403c81)

Address 0x7fff8a4a8690 is located in stack of thread T0 at offset 16800 in frame
#0 0x403da7 in decode /mnt/ram/sharutils-4.14/src/uudecode.c:362

This frame has 7 object(s):
[32, 36) 'mode'
[96, 104) 'outlen'
[160, 168) 'ctx'
[224, 368) 'attr'
[416, 16800) 'buf' <== Memory access at offset 16800 overflows this variable
[16832, 33216) 'buf_in'
[33248, 49632) 'buf'

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
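
The bug class behind this report, as an added, constructed example (not the
sharutils uudecode.c code and not the author's): a tilde expansion that walks a
fixed stack buffer looking for '/' and runs past the end when the file name has
no slash and no terminating NUL, next to a length-bounded version. NAME_BUF,
lookup_home() and the sample names are all invented for the example; a real
decoder would use getpwnam() and a buffer the size seen in the ASan frame.

```c
/* Constructed example, not sharutils code: tilde expansion on a fixed buffer. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 32   /* stand-in for the 16 KiB stack buffer in the ASan frame */

/* Returns the length of the user part of "~user/rest", or (size_t)-1 if name
 * does not start with '~'. *rest points at the text after the slash.
 * Vulnerable pattern: no length bound and no NUL check, so a name that fills
 * the buffer without a '/' sends the loop past the end of the buffer.
 * Only ever called on well-formed input here; it shows the shape of the bug. */
static size_t user_len_unbounded(const char *name, const char **rest)
{
    if (name[0] != '~')
        return (size_t)-1;
    const char *p = name + 1;
    while (*p != '/')          /* out-of-bounds read when no '/' is present */
        p++;
    *rest = p + 1;
    return (size_t)(p - (name + 1));
}

/* Hardened: the caller passes the number of valid bytes, memchr stays inside
 * them, and a missing '/' is a legitimate "~user" with an empty remainder. */
static size_t user_len_bounded(const char *name, size_t len, const char **rest)
{
    if (len == 0 || name[0] != '~')
        return (size_t)-1;
    const char *slash = memchr(name + 1, '/', len - 1);
    if (slash == NULL) {
        *rest = name + len;    /* empty remainder, pointer is one past the end */
        return len - 1;
    }
    *rest = slash + 1;
    return (size_t)(slash - (name + 1));
}

/* Constructed stand-in for getpwnam(): exactly one account is known. */
static const char *lookup_home(const char *user, size_t ulen)
{
    static const char known_user[] = "alice";
    if (ulen == sizeof known_user - 1 && memcmp(user, known_user, ulen) == 0)
        return "/home/alice";
    return NULL;
}

/* Expand "~user/rest" (len valid bytes, NUL not required) into out as
 * "<home>/rest". Returns false for an unknown user, a non-tilde name, or
 * an output that would not fit. */
static bool expand_tilde_bounded(const char *name, size_t len,
                                 char *out, size_t outlen)
{
    const char *rest;
    size_t ulen = user_len_bounded(name, len, &rest);
    if (ulen == (size_t)-1)
        return false;
    const char *home = lookup_home(name + 1, ulen);
    if (home == NULL)
        return false;
    size_t restlen = (size_t)(name + len - rest);
    int n = snprintf(out, outlen, "%s%s%.*s", home,
                     restlen ? "/" : "", (int)restlen, rest);
    return n >= 0 && (size_t)n < outlen;
}

/* Constructed trigger: a name that exactly fills the buffer, has no '/', and
 * carries no terminating NUL, the shape of input that sends the unbounded walk
 * off the end of the stack. Returns what the bounded parser reports (31). */
static size_t demo_unterminated_name(void)
{
    char buf[NAME_BUF];
    buf[0] = '~';
    memset(buf + 1, 'a', NAME_BUF - 1);    /* no '/' and no NUL anywhere */
    const char *rest;
    return user_len_bounded(buf, sizeof buf, &rest);
}

int main(void)
{
    char out[64];
    const char *rest;
    size_t n = user_len_unbounded("~alice/doc.txt", &rest);   /* well-formed */
    printf("unbounded: user length %zu, rest \"%s\"\n", n, rest);
    if (expand_tilde_bounded("~alice/doc.txt", 14, out, sizeof out))
        printf("bounded:   %s\n", out);
    printf("unterminated name: user length %zu, no over-read\n",
           demo_unterminated_name());
    return 0;
}
```

The bounded variant treats "no slash" as data rather than as an impossible
state, which is the whole fix: the begin line of a uuencoded file is attacker
input, so any scan over it needs the buffer length, not just a sentinel.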
