help-gsasl

Re: gsasl buffer overrun


From: Joshua Rogers <Internot Bug Report>
Subject: Re: gsasl buffer overrun
Date: Sun, 04 Jan 2015 10:58:20 +1100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0

Hi,

The way I built it was using afl-gcc(http://lcamtuf.coredump.cx/afl/),
with asan enabled:

export AFL_HARDEN=1 ; export AFL_USE_ASAN=1
CC=afl-gcc ./configure ; make

Thanks,

On 04/01/15 07:02, Simon Josefsson wrote:
> Thanks for the report.  Is there any way I can reproduce this?  How did
> you build and test GSASL with AddressSanitizer?
>
> /Simon
>
> "Joshua Rogers <Internot Bug Report>" <address@hidden> writes:
>
>> Hi,
>>
>> I'm trying to compile gsasl with AddressSanitizer, but during the
>> 'check-TESTS' sequence in `make', a buffer overrun is found.
>>
>> Here's the output:
>>
>>> =================================================================
>>> ==22281==ERROR: AddressSanitizer: global-buffer-overflow on address
>>> 0x000000415980 at pc 0x40f709 bp 0x7fffbca6af00 sp 0x7fffbca6aef8
>>> READ of size 9 at 0x000000415980 thread T0
>>>     #0 0x40f708 in digest_md5_getsubopt
>>> /root/srcs/libgsasl7/gsasl-1.6.1/lib/digest-md5/getsubopt.c:73
>>>     #1 0x407eb5 in parse_challenge
>>> /root/srcs/libgsasl7/gsasl-1.6.1/lib/digest-md5/parser.c:125
>>>     #2 0x407eb5 in digest_md5_parse_challenge
>>> /root/srcs/libgsasl7/gsasl-1.6.1/lib/digest-md5/parser.c:582
>>>     #3 0x401efe in main
>>> /root/srcs/libgsasl7/gsasl-1.6.1/lib/digest-md5/test-parser.c:48
>>>     #4 0x2ae5c2c4276c in __libc_start_main
>>> (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
>>>     #5 0x402ad0
>>> (/root/srcs/libgsasl7/gsasl-1.6.1/lib/digest-md5/test-parser+0x402ad0)
>>>
>>> 0x000000415986 is located 0 bytes to the right of global variable
>>> '*.LC17' from 'parser.c' (0x415980) of size 6
>>>   '*.LC17' is ascii string 'realm'
>>> SUMMARY: AddressSanitizer: global-buffer-overflow
>>> /root/srcs/libgsasl7/gsasl-1.6.1/lib/digest-md5/getsubopt.c:73
>>> digest_md5_getsubopt
>>> Shadow bytes around the buggy address:
>>>   0x00008007aae0: 05 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
>>>   0x00008007aaf0: 00 02 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
>>>   0x00008007ab00: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
>>>   0x00008007ab10: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
>>>   0x00008007ab20: 00 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
>>> =>0x00008007ab30:[06]f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
>>>   0x00008007ab40: 07 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
>>>   0x00008007ab50: 04 f9 f9 f9 f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9
>>>   0x00008007ab60: 00 01 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
>>>   0x00008007ab70: 00 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
>>>   0x00008007ab80: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
>>> Shadow byte legend (one shadow byte represents 8 application bytes):
>>>   Addressable:           00
>>>   Partially addressable: 01 02 03 04 05 06 07
>>>   Heap left redzone:       fa
>>>   Heap right redzone:      fb
>>>   Freed heap region:       fd
>>>   Stack left redzone:      f1
>>>   Stack mid redzone:       f2
>>>   Stack right redzone:     f3
>>>   Stack partial redzone:   f4
>>>   Stack after return:      f5
>>>   Stack use after scope:   f8
>>>   Global redzone:          f9
>>>   Global init order:       f6
>>>   Poisoned by user:        f7
>>>   Contiguous container OOB:fc
>>>   ASan internal:           fe
>>> ==22281==ABORTING
>>
>>
>> Thanks,

-- 
-- Joshua Rogers <https://internot.info/>

Attachment: signature.asc
Description: OpenPGP digital signature
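The ASan report quoted above records a 9-byte READ against the 6-byte global string 'realm' inside a getsubopt-style keyword scanner, which is what you see when a keyword table is compared against an input token using the token's length rather than the keyword's own length. The following is an added illustration written for this thread, not gsasl's getsubopt.c or any of its code: a small DIGEST-MD5-like directive scanner that compares lengths before calling memcmp, so neither the keyword literal nor the input buffer is ever read past its end. The keyword table, the function names and the challenge strings are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed keyword table, modelled on DIGEST-MD5 challenge directives.
 * NULL terminates the table, as with getsubopt(3). */
static const char *const kDirectives[] = { "realm", "nonce", "qop", "charset", NULL };

/* Return the index of the keyword equal to tok[0..toklen), or -1.
 * The length check comes first, so memcmp is bounded by the keyword's own
 * length and can never run past a short literal such as "realm", whatever
 * the length of the caller-supplied token. */
int match_directive(const char *tok, size_t toklen, const char *const *keywords)
{
    for (size_t i = 0; keywords[i] != NULL; i++) {
        size_t klen = strlen(keywords[i]);
        if (klen == toklen && memcmp(tok, keywords[i], klen) == 0)
            return (int)i;
    }
    return -1;
}

/* Consume one "key=value" directive from *optionp, advancing past the
 * following comma (the buffer is modified in place, like getsubopt(3)).
 * Returns the keyword index with *valuep set to the NUL-terminated value,
 * -1 with *valuep set to the value when the key is unknown, and -1 with
 * *valuep == NULL once the input is exhausted. */
int next_directive(char **optionp, const char *const *keywords, char **valuep)
{
    char *p = *optionp;
    if (*p == '\0') {
        *valuep = NULL;
        return -1;
    }
    char *end = strchr(p, ',');
    if (end != NULL)
        *end++ = '\0';
    else
        end = p + strlen(p);
    char *eq = strchr(p, '=');
    size_t keylen = eq != NULL ? (size_t)(eq - p) : strlen(p);
    *valuep = eq != NULL ? eq + 1 : p + keylen;   /* empty value if no '=' */
    *optionp = end;
    return match_directive(p, keylen, keywords);
}

/* Count the directives in a challenge whose key is in kDirectives.
 * Copies the input so the caller's string is left untouched; returns -1
 * if the challenge does not fit the local buffer. */
int count_known_directives(const char *challenge)
{
    char buf[256];
    if (strlen(challenge) >= sizeof buf)
        return -1;
    strcpy(buf, challenge);
    char *p = buf, *value;
    int known = 0, idx;
    while ((idx = next_directive(&p, kDirectives, &value)), value != NULL) {
        if (idx >= 0)
            known++;
    }
    return known;
}

int main(void)
{
    /* Constructed challenge; the nonce is not a real server value. */
    char buf[] = "realm=example.org,nonce=abc123,qop=auth,bogus=1";
    char *p = buf, *value;
    int idx;
    while ((idx = next_directive(&p, kDirectives, &value)), value != NULL)
        printf("%s -> %s\n", idx >= 0 ? kDirectives[idx] : "(unknown)", value);
    return 0;
}
```

The point of the matcher is the order of the two tests in match_directive: once the lengths are known to be equal, memcmp reads exactly strlen(keyword) bytes from both sides, which is why a token such as "realmXYZ" is rejected without touching memory past the literal. Building with AFL_USE_ASAN=1 as described above is a cheap way to confirm that a scanner of this shape stays inside its buffers on fuzzed challenges.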

