Heap buffer overflow


hosein askari

Jul 19, 2021, 2:33:05 AM
to memcached
To whom it may concern,

I really appreciate your cooperation for your dedicated time to my report.
The PoC is attached to this email.

# ./memcached --auth-file=input/a.txt  -u root -m 1024 -p 11211

=================================================================
==1061115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000009e at pc 0x7fae5a305f9d bp 0x7ffee16f4fd0 sp 0x7ffee16f4778
WRITE of size 15 at 0x60200000009e thread T0
    #0 0x7fae5a305f9c  (/lib/x86_64-linux-gnu/libasan.so.5+0x53f9c)
    #1 0x55bca5ccaf23 in fgets /usr/include/x86_64-linux-gnu/bits/stdio2.h:265
    #2 0x55bca5ccaf23 in authfile_load /home/constantine/test/memcached/authfile.c:50
    #3 0x55bca5c3ffb5 in main /home/constantine/test/memcached/memcached.c:5639
    #4 0x7fae597010b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #5 0x55bca5c45d9d in _start (/home/constantine/test/memcached/memcached+0x26d9d)

0x60200000009e is located 0 bytes to the right of 14-byte region [0x602000000090,0x60200000009e)
allocated by thread T0 here:
    #0 0x7fae5a3bfdc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
    #1 0x55bca5ccaedd in authfile_load /home/constantine/test/memcached/authfile.c:44

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x53f9c) 
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 04 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8010: fa fa 00[06]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1061115==ABORTING

I am looking forward to hearing from you at your earliest convenience.

Sincerely,
Mohammad Hosein Askari
a.txt
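Editor's added example (not memcached's code and not part of the report above): the sanitizer output shows fgets, called from authfile_load, storing 15 bytes at the end of a 14-byte heap region that calloc had just handed out, i.e. the count passed to the copy exceeded the space that was actually left in the buffer. The constructed program below shows the bug class in general terms and the bounded form a reviewer would ask for: a loader that appends lines of an in-memory "auth file" (hypothetical sample data, not memcached's format) to a heap buffer of fixed capacity, never passes fgets a size larger than the remaining capacity, and reports a too-small buffer instead of writing past it. The helper names, the sample text and the capacities are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample file content for the demo (hypothetical, two lines). */
static const char SAMPLE_AUTHFILE[] = "alice:secret1\nbob:pw2\n";

/* Bytes an UNCHECKED fgets(buf + used, n, fp) may store beyond a `cap`-byte
 * allocation: fgets writes up to n bytes (n - 1 characters plus the NUL).
 * Sizing the buffer to the payload length and handing fgets that same length
 * is the classic off-by-one: the final NUL lands one byte past the region. */
static size_t overrun_if_unchecked(size_t cap, size_t used, size_t n)
{
    return (used + n > cap) ? used + n - cap : 0;
}

/* Bounded loader: appends every line of `fp` into buf[0..cap) and refuses to
 * call fgets with more room than is really left. Returns 0 on success and -1
 * when the input (plus its terminating NUL) does not fit; on return *used is
 * the number of bytes stored, NUL excluded. Never writes outside buf. */
static int load_lines_bounded(FILE *fp, char *buf, size_t cap, size_t *used)
{
    *used = 0;
    if (cap == 0) return -1;
    buf[0] = '\0';
    for (;;) {
        size_t left = cap - *used;        /* free bytes, NUL slot included */
        if (left < 2) {
            /* No room for one character plus NUL: success only if at EOF. */
            return fgetc(fp) == EOF ? 0 : -1;
        }
        if (fgets(buf + *used, (int)left, fp) == NULL)
            return ferror(fp) ? -1 : 0;   /* clean EOF: everything fitted */
        size_t n = strlen(buf + *used);
        *used += n;
        /* fgets filled the remaining space without reaching '\n': it stopped
         * at our bound, so the file is larger than the buffer unless that
         * was simply the last, newline-less line. */
        if (n == left - 1 && buf[*used - 1] != '\n') {
            int c = fgetc(fp);
            if (c == EOF) return 0;
            ungetc(c, fp);
            return -1;
        }
    }
}

/* Runs the bounded loader over the constructed sample with a buffer of `cap`
 * bytes; `out` must have at least `cap` bytes. */
static int demo_load(size_t cap, char *out, size_t *used)
{
    FILE *fp = fmemopen((void *)SAMPLE_AUTHFILE, strlen(SAMPLE_AUTHFILE), "r");
    if (fp == NULL) return -1;
    int rc = load_lines_bounded(fp, out, cap, used);
    fclose(fp);
    return rc;
}

int main(void)
{
    size_t len = strlen(SAMPLE_AUTHFILE);   /* 22: what stat() would report */
    char buf[64];
    size_t used;

    /* Buffer sized to the file length, as a naive loader would do. */
    printf("unchecked fgets into %zu-byte buffer could overrun by %zu byte(s)\n",
           len, overrun_if_unchecked(len, 14, len - 14 + 1));
    printf("bounded load, cap=%zu: rc=%d\n", len, demo_load(len, buf, &used));
    /* One extra byte for the NUL makes the whole file fit. */
    printf("bounded load, cap=%zu: rc=%d, used=%zu\n",
           len + 1, demo_load(len + 1, buf, &used), used);
    return 0;
}
```

The point of the bounded version is not the arithmetic itself but where the check lives: the size argument to fgets is derived from the remaining capacity at the call site, and a buffer that is exactly the file's length is treated as "too small" rather than as "fits with the NUL hanging off the end", which is precisely the condition AddressSanitizer flagged in the report.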