
Buffer overflow from input anywhere in machine, hangs machine.

Open justinmarma opened this issue 8 years ago • 11 comments

Below is a linked image of the POC, system is hanged

justinmarma avatar Jan 17 '17 00:01 justinmarma

That is because the get_opt function uses str_t as the type of the string provided, which has a maximum buffer of 200. @Fortunate-MAN will fix this as soon as I add the memory manager and get it to char*.

Note for @Fortunate-MAN :

I know in some places I do `for(int i=0; i<200; i++) str_t_instance[i]=0;` to clear out the buffer; don't forget to change those to fix this problem after I get the memory manager working.

amanuel2 avatar Jan 17 '17 03:01 amanuel2

@justinmarma Can you give the exact ways how to reproduce this problem on another computer? I would need information like which OS you are running, are you running the latest build or v0.0.1, what commands are you doing before you run the OS or does it happen if you just start the OS?

Also, as per the image you have given, it looks like you are running an old version, so please get the Nightly Build from bintray or compile from source and run it.

double-fault avatar Jan 17 '17 11:01 double-fault

@Fortunate-MAN v0.0.1 or v0.0.2? I released the second version yesterday.

amanuel2 avatar Jan 17 '17 12:01 amanuel2

@Fortunate-MAN The bug exists in v0.0.2 too. I'm running the OS in VirtualBox and I showed above that it happens when input exceeds the buffer length.

The buffer length is 200 and the BOF happens around 56 extra bytes relative to the end of the buffer.

This can be reproduced by creating a script or program to produce 200 chars and add the variable length to it, then pasting it into the console if you use VBox.

justinmarma avatar Jan 17 '17 20:01 justinmarma
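The two comments above describe the same defect from both sides: a str_t with a fixed 200-char buffer that is filled by an unbounded copy, and a repro input of 200 chars plus some variable extra. The following C program is an added example written for this thread, not BoneOS code: it models str_t as a 200-byte inline array (an assumption based on the comments), shows the unbounded copy pattern next to a bounded copy that truncates and reports how many bytes were dropped, and builds the "200 + extra" test line described in the repro. All function names (`str_t_set_unbounded`, `str_t_set_bounded`, `make_repro_line`, `would_overflow`) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity of BoneOS's str_t; the thread says the buffer holds 200 chars. */
#define STR_T_CAP 200

/* Hypothetical model of str_t: one fixed inline buffer and no length tracking. */
typedef struct {
    char data[STR_T_CAP];
} str_t;

/* Clearing loop in the shape the thread describes: zero the whole capacity. */
static void str_t_clear(str_t *s) {
    for (int i = 0; i < STR_T_CAP; i++) s->data[i] = 0;
}

/* VULNERABLE pattern: copy until NUL with no bound on the destination.
 * A line of 200 or more chars runs the write past data[] into whatever
 * follows it in memory; on a kernel with no memory protection that is
 * exactly the kind of corruption that hangs the machine. Only ever call
 * this on input known to fit. */
static void str_t_set_unbounded(str_t *s, const char *line) {
    size_t i = 0;
    while (line[i] != '\0') { s->data[i] = line[i]; i++; }
    s->data[i] = '\0';   /* with i == STR_T_CAP this alone is one byte past the end */
}

/* FIXED pattern: keep at most STR_T_CAP-1 bytes, always NUL-terminate,
 * and return the number of input bytes that were dropped so the caller
 * can reject or warn about an over-long line instead of silently eating it. */
static size_t str_t_set_bounded(str_t *s, const char *line) {
    size_t n = strlen(line);
    size_t keep = n < STR_T_CAP ? n : STR_T_CAP - 1;
    memcpy(s->data, line, keep);
    s->data[keep] = '\0';
    return n - keep;
}

/* Would a line of `len` chars (excluding the terminator) overflow the unbounded copy? */
static int would_overflow(size_t len) {
    return len + 1 > STR_T_CAP;   /* len bytes plus the NUL must fit */
}

/* Build the repro input from the thread: 200 chars plus `extra` more, all 'A'.
 * Constructed test data, not captured from a real BoneOS session. */
static void make_repro_line(char *out, size_t out_cap, size_t extra) {
    size_t n = STR_T_CAP + extra;
    if (n >= out_cap) n = out_cap - 1;
    memset(out, 'A', n);
    out[n] = '\0';
}

/* Helpers that run the bounded path on a repro line and report the result. */
static size_t repro_dropped(size_t extra) {
    char line[512];
    str_t s;
    str_t_clear(&s);
    make_repro_line(line, sizeof line, extra);
    return str_t_set_bounded(&s, line);
}

static size_t repro_stored_len(size_t extra) {
    char line[512];
    str_t s;
    str_t_clear(&s);
    make_repro_line(line, sizeof line, extra);
    str_t_set_bounded(&s, line);
    return strlen(s.data);
}

int main(void) {
    char line[512];
    str_t s;
    str_t_clear(&s);

    /* The "56 extra bytes" case from the thread: a 256-char line. */
    make_repro_line(line, sizeof line, 56);
    printf("input length %zu, unbounded copy would overflow: %s\n",
           strlen(line), would_overflow(strlen(line)) ? "yes" : "no");

    size_t dropped = str_t_set_bounded(&s, line);
    printf("bounded copy kept %zu chars, dropped %zu\n", strlen(s.data), dropped);

    /* The unbounded copy is only safe for lines that fit. */
    str_t_set_unbounded(&s, "help");
    printf("short line stored: %s\n", s.data);
    return 0;
}
```

Note that the thread's clearing loop itself is fine; the problem is that nothing between the keyboard handler and the str_t checks the line length before the copy. A bounded copy is the minimal fix and works regardless of whether str_t later becomes a heap-allocated char*, since a heap buffer with no length check overflows just as readily.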

@justinmarma no repro on this one either. I'm running QEMU on Ubuntu 14.04 and nothing much happened even after I entered way more than 200 chars. @amanuel2 can you repro this issue?


double-fault avatar Jan 18 '17 12:01 double-fault

Same here, I can't reproduce this, but when you press enter the big crash happens.

amanuel2 avatar Jan 18 '17 18:01 amanuel2

@amanuel2 @Fortunate-MAN The larger the input the more memory gets corrupted, the "big crash" is the buffer overflow and subsequent crash, so you are in fact reproducing the error, you're just not getting the same error I got because of the insane amount of chars you entered.

justinmarma avatar Jan 19 '17 00:01 justinmarma

Fresh Crash screenshot :) :) :) :)

justinmarma avatar Jan 19 '17 00:01 justinmarma

@justinmarma so you're saying that the crash happens after you press enter like @amanuel2 said?

double-fault avatar Jan 19 '17 14:01 double-fault

@justinmarma please reply.

double-fault avatar Jan 21 '17 10:01 double-fault

@Fortunate-MAN Yes, the BOF can only happen if a large amount of data is written into a buffer smaller than the input, which doesn't happen until one presses "enter" and it's written to the buffer. I think the BOF is in str_t but I may be wrong.

justinmarma avatar Jan 22 '17 23:01 justinmarma