| Title | floooh sokol e0832c9 Heap-based Buffer Overflow |
|---|
| Description | ### Description
We discovered a critical Heap Buffer Overflow (Write) in sokol_gfx.
The crash occurs within _sg_pipeline_common_init at line 8148. The ASAN report indicates a WRITE of size 1 to an invalid memory address. The address is located 1040 bytes before a valid heap allocation, which strongly suggests that the initialization logic is using a large negative index or an incorrect pointer offset calculation to write data significantly outside the bounds of the target structure.
Vendor confirmed and fixed this vulnerability in commit 33e2271.
### Environment
- OS: Linux x86_64
- Compiler: Clang with -fsanitize=address
- Tools: AddressSanitizer
### Vulnerability Details
- Target: sokol (sokol_gfx.h)
- Crash Type: Heap-buffer-overflow (Write)
- Location: sokol_gfx.h:8148 (in _sg_pipeline_common_init)
- Function: _sg_pipeline_common_init
- Root Cause Analysis: The stack trace is sg_make_pipeline -> _sg_init_pipeline -> _sg_pipeline_common_init.
The crash happens at line 8148 during the initialization phase. The ASAN report shows: 0x5320000003f0 is located 1040 bytes before ... region allocated ... in main
This indicates that the code is attempting to write to base_pointer - offset. This "write underflow" is particularly dangerous because it can corrupt heap metadata or adjacent data structures. The fact that the write lands in the "Heap left redzone" confirms the negative-offset access.
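The write-underflow pattern described above, as an added illustration constructed for this page (not sokol's code; the actual logic at sokol_gfx.h:8148 is not shown here): a signed slot index taken from a caller-supplied pipeline description selects a 1-byte flag, so a negative index stores before the allocation, and the hardened variant rejects out-of-range indices before writing anything. MAX_BINDSLOTS, MAX_ATTRS, the struct names and the sample input are assumptions.

```c
#include <stdbool.h>
#include <string.h>
#define MAX_BINDSLOTS 8   /* hypothetical number of vertex-buffer slots */
#define MAX_ATTRS     4   /* hypothetical number of vertex attributes */

/* Caller-supplied description; slot_index is untrusted (fuzzed) input. */
typedef struct { int slot_index; bool present; } attr_desc_t;
typedef struct { attr_desc_t attrs[MAX_ATTRS]; } pipeline_desc_t;
/* Internal state filled during init; each flag is a 1-byte bool, so an
   index of -1040 would store exactly 1040 bytes before the array. */
typedef struct { bool slot_active[MAX_BINDSLOTS]; } pipeline_common_t;

/* Unchecked form of the pattern the ASAN report describes: the signed index
   is used directly, so a negative value becomes base_pointer - offset. */
void common_init_unchecked(pipeline_common_t* cmn, const pipeline_desc_t* desc) {
    memset(cmn, 0, sizeof(*cmn));
    for (int i = 0; i < MAX_ATTRS; i++) {
        if (!desc->attrs[i].present) break;
        cmn->slot_active[desc->attrs[i].slot_index] = true; /* WRITE of size 1, unbounded */
    }
}

/* Hardened form: range-check the untrusted index before any write and fail
   the whole init instead of relying on a debug-only assertion. */
bool common_init_checked(pipeline_common_t* cmn, const pipeline_desc_t* desc) {
    memset(cmn, 0, sizeof(*cmn));
    for (int i = 0; i < MAX_ATTRS; i++) {
        if (!desc->attrs[i].present) break;
        int idx = desc->attrs[i].slot_index;
        if (idx < 0 || idx >= MAX_BINDSLOTS) return false; /* reject, nothing written */
        cmn->slot_active[idx] = true;
    }
    return true;
}

/* Builds a description from n slot indices, runs the checked init and returns
   the number of active slots, or -1 if the description was rejected. */
int active_slots_after_init(const int* indices, int n) {
    pipeline_desc_t desc;
    memset(&desc, 0, sizeof(desc));
    for (int i = 0; i < n && i < MAX_ATTRS; i++) {
        desc.attrs[i].slot_index = indices[i];
        desc.attrs[i].present = true;
    }
    pipeline_common_t cmn;
    if (!common_init_checked(&cmn, &desc)) return -1;
    int count = 0;
    for (int s = 0; s < MAX_BINDSLOTS; s++) count += cmn.slot_active[s];
    return count;
}
```

Only the checked variant is meant to be called; the unchecked one is kept to show the exact store that ASAN flags.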
### Reproduce
1. Compile the sokol test [harness](https://github.com/oneafter/1212/blob/main/harness.c) with AddressSanitizer enabled (-fsanitize=address -g).
2. Run the fuzzer harness with the attached [repro](https://github.com/oneafter/1212/blob/main/hbf1) input:
```
./harness repro
```
ASAN report:
```
==20859==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5320000003f0 at pc 0x5644db731332 bp 0x7ffc86af94b0 sp 0x7ffc86af94a8
WRITE of size 1 at 0x5320000003f0 thread T0
#0 0x5644db731331 in _sg_pipeline_common_init /src/sokol/./sokol_gfx.h:8148:72
#1 0x5644db731331 in _sg_init_pipeline /src/sokol/./sokol_gfx.h:24284:13
#2 0x5644db723d7b in sg_make_pipeline /src/sokol/./sokol_gfx.h:25151:9
#3 0x5644db739497 in fuzz_input /src/sokol/harness_gfx_traditional.c:129:31
#4 0x5644db73d4b5 in main /src/sokol/harness_gfx_traditional.c:206:9
#5 0x7f90b7d491c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7f90b7d4928a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x5644db627a64 in _start (/src/sokol/harness_gfx_traditional_fuzzer+0x8ba64) (BuildId: 756621c3a83311878fe2c1bf2919da032f4ab964)
0x5320000003f0 is located 1040 bytes before 94944-byte region [0x532000000800,0x532000017ae0)
allocated by thread T0 here:
#0 0x5644db6c7893 in malloc (/src/sokol/harness_gfx_traditional_fuzzer+0x12b893) (BuildId: 756621c3a83311878fe2c1bf2919da032f4ab964)
#1 0x5644db70e1a3 in _sg_malloc /src/sokol/./sokol_gfx.h:7329:15
#2 0x5644db70e1a3 in _sg_malloc_clear /src/sokol/./sokol_gfx.h:7338:17
#3 0x5644db73d4b5 in main /src/sokol/harness_gfx_traditional.c:206:9
#4 0x7f90b7d4928a in __libc_start_main csu/../csu/libc-start.c:360:3
#5 0x5644db627a64 in _start (/src/sokol/harness_gfx_traditional_fuzzer+0x8ba64) (BuildId: 756621c3a83311878fe2c1bf2919da032f4ab964)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/sokol/./sokol_gfx.h:8148:72 in _sg_pipeline_common_init
Shadow bytes around the buggy address:
0x532000000100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x532000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x532000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x532000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x532000000300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x532000000380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
0x532000000400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x532000000480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x532000000500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x532000000580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x532000000600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20859==ABORTING
``` |
|---|
| Source | ⚠️ Exploit: https://github.com/floooh/sokol/issues/1406 | Fix: https://github.com/floooh/sokol/commit/33e2271c431bf21de001e972f72da17a984da932 |
|---|
| User | Oneafter (UID 92781) |
|---|
| Submitted | 2025-12-17 03:34 AM (4 months ago) |
|---|
| Moderation | 2025-12-19 10:09 AM (2 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 337594 [floooh sokol up to 33e2271c431bf21de001e972f72da17a984da932 sokol_gfx.h _sg_pipeline_common_init memory corruption] |
|---|
| Points | 20 |
|---|