oss-sec mailing list archives

Re: TR : CVE request for dash 0.5.7-3 x86-64 local buffer overflow


From: Jann Horn <jann () thejh net>
Date: Thu, 9 Jul 2015 12:25:49 +0200

On Mon, Jul 06, 2015 at 12:58:07PM +0000, jean-marie.bourbon () armaturetech com wrote:
> ==9241== Stack overflow in thread 1: can't grow stack to 0x7fe801ef8
> ==9241==
> ==9241== Process terminating with default action of signal 11 (SIGSEGV): dumping core
> [...]
> It appears that the binary has only the No-eXecute protection (and ASLR) with an interesting buffer overflow...
> that's why I'd like to know how to make my small contribution on this subject.

That looks like a stack overflow to me, not a buffer overflow on the stack. (So in
x86 terms, the problem isn't that a pointer to the right of a buffer on a stack is
used, the problem is that the stack pointer was decremented past the *left* end of
the stack. To the left end of the stack of the main thread is a really big area of
unallocated memory, so you get a segfault.)

Are you sure this is a buffer overflow?
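The distinction Jann draws (stack pointer pushed below the lowest mapped stack page versus a write past a buffer's upper end) can be checked mechanically when triaging a crash. The following is an added example, not code from the thread or from the dash project: it reads the Valgrind "can't grow stack to 0x..." line quoted above and compares that address with the `[stack]` mapping from `/proc/<pid>/maps`. The maps excerpt is constructed so its numbers line up with the quoted Valgrind address; the 8 MiB default for `ulimit -s` is an assumption.

```python
"""Crash triage: stack exhaustion or something else?

Added example for the oss-sec thread above; not the project's own code.
"""
import re

# Constructed input: the Valgrind lines quoted in the thread.
VALGRIND_LOG = """==9241== Stack overflow in thread 1: can't grow stack to 0x7fe801ef8
==9241==
==9241== Process terminating with default action of signal 11 (SIGSEGV): dumping core
"""

# Constructed /proc/<pid>/maps excerpt (illustrative addresses): an 8 MiB
# main-thread stack whose lowest mapped page sits just above the address
# Valgrind could not grow the stack to.
MAPS_EXCERPT = """7fe802000-7ff002000 rw-p 00000000 00:00 0                          [stack]
"""

DEFAULT_STACK_LIMIT = 8 * 1024 * 1024  # assumed `ulimit -s` of 8192 KiB

GROW_RE = re.compile(r"can't grow stack to 0x([0-9a-fA-F]+)")
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+.*\[stack\]\s*$", re.M)


def parse_growth_failure(log: str):
    """Return the address Valgrind tried to extend the stack to, or None."""
    m = GROW_RE.search(log)
    return int(m.group(1), 16) if m else None


def parse_stack_mapping(maps_text: str):
    """Return (low, high) of the [stack] mapping, or None if it is absent."""
    m = MAPS_RE.search(maps_text)
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def triage(log: str, maps_text: str, stack_limit: int = DEFAULT_STACK_LIMIT) -> dict:
    """Classify the crash from the Valgrind log and the stack mapping.

    'stack-exhaustion' means the stack pointer was decremented past the low end
    of the stack region (deep recursion or an oversized frame), which is a
    different defect from a write past the upper end of a stack buffer.
    """
    target = parse_growth_failure(log)
    mapping = parse_stack_mapping(maps_text)
    if target is None or mapping is None:
        return {"kind": "unknown",
                "reason": "no growth-failure line or no [stack] mapping"}
    low, high = mapping
    stack_size = high - low
    if target < low:
        shortfall = low - target
        return {
            "kind": "stack-exhaustion",
            "shortfall": shortfall,                 # bytes below the lowest mapped page
            "stack_size": stack_size,
            "at_rlimit": stack_size + shortfall > stack_limit - 1,
        }
    # A growth-failure address inside or above the mapping is inconsistent with
    # the message; flag it rather than guess.
    return {"kind": "inconsistent", "target": target, "low": low, "high": high}


if __name__ == "__main__":
    print(triage(VALGRIND_LOG, MAPS_EXCERPT))
```

When `kind` is `stack-exhaustion` and `at_rlimit` is true, the useful next step is to look at the recursion depth or frame size in the backtrace (`valgrind` with `--max-stackframe` or plain `gdb bt`), not at buffer bounds; the fix for such a bug is a depth limit or an iterative rewrite, and a larger `ulimit -s` only moves the crash.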
