Invia #630903: vim xxd vim-9.1.0000 and related xxd versions (latest master branch) Buffer Overflowinformazioni

Titolovim xxd vim-9.1.0000 and related xxd versions (latest master branch) Buffer Overflow
Descrizione# XXD Fortify Buffer Overflow Vulnerability ## Vulnerability Summary During fuzzing of the xxd (hex dump) utility, a critical buffer overflow vulnerability was discovered in the binary and EBCDIC mode processing logic. The vulnerability is detected by GCC's fortify source protection mechanism and occurs when xxd processes input files with binary output (`-b`) and EBCDIC encoding (`-E`) flags, leading to buffer overflow conditions that trigger abort signals due to stack protection mechanisms. ## Technical Details - **Vulnerability Type**: Buffer Overflow (Fortify Detection) - **Affected Function**: `__GI___chk_fail` - **Source File**: `chk_fail.c` - **Line Number**: 28 - **Signal**: SIGABRT (6) ## Vulnerability Mechanism and Root Cause This buffer overflow vulnerability occurs in xxd's binary and EBCDIC processing routines when specific input data triggers buffer boundary violations. The root cause lies in insufficient boundary checking during binary-to-EBCDIC conversion operations. The vulnerability is triggered when: 1. xxd processes input with `-b` (binary output) and `-E` (EBCDIC encoding) flags 2. The binary formatter converts input data to binary representation (0s and 1s) 3. The EBCDIC converter attempts to apply character encoding conversion to the binary output 4. During the conversion process, buffer size calculations become inconsistent 5. The EBCDIC conversion routine writes beyond allocated buffer boundaries 6. GCC's fortify source protection detects the buffer overflow attempt 7. The fortify mechanism calls `__GI___fortify_fail` with "buffer overflow detected" message 8. This triggers `__GI___chk_fail` which calls abort() to terminate the program 9. The program exits with SIGABRT (signal 6) instead of continuing with corrupted memory The buffer overflow is caught by compiler-level protection mechanisms before it can cause memory corruption, but represents a genuine security vulnerability that could be exploited in unprotected builds. ## AddressSanitizer Report ``` *** buffer overflow detected ***: terminated Aborted (core dumped) ``` ## GDB Debug Output ``` === PROGRAM_EXECUTION_START === [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Program received signal SIGABRT, Aborted. __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737351522176) at ./nptl/pthread_kill.c:44 === PROGRAM_EXECUTION_END === === PRIMARY_CRASH_DETECTION === Program status from 'info program': Using the running image of child Thread 0x7ffff7d81780 (LWP 843178). Program stopped at 0x7ffff7e1a9fc. It stopped with signal SIGABRT, Aborted. === SIGNAL_CRASH_DETECTED === Program terminated by signal - this is a genuine crash === FRAME_ANALYSIS === Valid frame found - program stopped at signal === BACKTRACE_ANALYSIS === #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737351522176) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140737351522176) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140737351522176, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007ffff7dc6476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007ffff7dac7f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ffff7e0d677 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f5f92e "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:156 #6 0x00007ffff7eba59a in __GI___fortify_fail (msg=msg@entry=0x7ffff7f5f8d4 "buffer overflow detected") at ./debug/fortify_fail.c:26 #7 0x00007ffff7eb8f16 in __GI___chk_fail () at ./debug/chk_fail.c:28 #8 0x000055555555fdce in ?? () #9 0x00007ffff7dadd90 in __libc_start_call_main (main=main@entry=0x55555555d0b0, argc=argc@entry=8, argv=argv@entry=0x7fffffffe418) at ../sysdeps/nptl/libc_start_call_main.h:58 #10 0x00007ffff7dade40 in __libc_start_main_impl (main=0x55555555d0b0, argc=8, argv=0x7fffffffe418, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe408) at ../csu/libc-start.c:392 #11 0x00005555555593b5 in ?? () === FINAL_STATUS_DETERMINATION === CONCLUSION: Program crashed due to signal This is a genuine crash requiring investigation *** buffer overflow detected ***: terminated 44 ./nptl/pthread_kill.c: No such file or directory. ``` ## Proof of Concept The vulnerability can be triggered by executing xxd with binary and EBCDIC mode flags on input data that causes buffer overflow during character encoding conversion. **POC Download**: [POC_xxd_buffer_overflow_fortify](https://drive.google.com/file/d/1JLnqrdcGsjUhbYzIEweXIGZyETjHlKtX/view?usp=sharing) ## Reproduction Steps 1. Compile xxd with fortify source protection enabled (default in most distributions) 2. Execute: `./xxd -b -E -c 128 -g 256 POC_xxd_buffer_overflow_fortify` 3. The program will abort with "buffer overflow detected" message ## Affected Versions vim-9.1.0000 and related xxd versions (latest master branch) **Credit** - Xudong Cao (UCAS) - Meng Xu (UW)
Fonte⚠️ https://github.com/vim/vim/issues/17944
Utente
 nipc-cxd (UID 88335)
Sottomissione08/08/2025 20:09 (11 mesi fa)
Moderazione23/08/2025 17:29 (15 days later)
StatoAccettato
Voce VulDB321223 [vim fino a 9.1.1615 xxd src/xxd/xxd.c main buffer overflow]
Punti20

Might our Artificial Intelligence support you?

Check our Alexa App!