I found a heap overflow in cflow
From: address@hidden
Subject: I found a heap overflow in cflow
Date: Mon, 8 Aug 2022 14:10:23 +0800
Dear Developers,
I have found a heap overflow in cflow commit 461aec2a575c11d5ce14ab44e1068e1f5c94db88.
The command and its output are:
yang@ubuntu:~/MyProject/remote_fuzz_suite/output/cflow/0/Slave1/crashes$ ../../../../../target_bin/cflow ./crash1
./crash1:24: missing `;' after struct declaration near `/'
../../../../../target_bin/cflow:./crash1:26: HAVE_PTHREAD_ATFORK redefined
../../../../../target_bin/cflow:./crash1:3: this is the place of previous definition
./crash1:42: missing `;' after struct declaration near `{'
../../../../../target_bin/cflow:./crash1:50: HAVE_PTHREAD_ATFORK redefined
../../../../../target_bin/cflow:./crash1:26: this is the place of previous definition
./crash1:67: missing `;' after struct declaration near `!'
../../../../../target_bin/cflow:./crash1:83: i redefined
../../../../../target_bin/cflow:./crash1:83: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:83: i redefined
../../../../../target_bin/cflow:./crash1:83: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:85: mt redefined
../../../../../target_bin/cflow:./crash1:70: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:88: MT_N redefined
../../../../../target_bin/cflow:./crash1:83: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:88: i redefined
../../../../../target_bin/cflow:./crash1:83: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:89: y redefined
../../../../../target_bin/cflow:./crash1:84: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:90: state redefined
../../../../../target_bin/cflow:./crash1:85: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:90: mt redefined
../../../../../target_bin/cflow:./crash1:85: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:463: guess_category_value/3 redefined
../../../../../target_bin/cflow:./crash1:458: this is the place of previous definition
=================================================================
==2628166==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000001d80 at pc 0x0000004c156a bp 0x7ffc45ca8570 sp 0x7ffc45ca7d20
READ of size 24 at 0x61d000001d80 thread T0
#0 0x4c1569 in __asan_memcpy /home/yang/build/llvm_tools/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
#1 0x50fdb1 in nexttoken /home/yang/MyProject/remote_fuzz_suite/target_src/cflow/build/src/../../src/parser.c:302:12
#2 0x511eef in parse_function_declaration /home/yang/MyProject/remote_fuzz_suite/target_src/cflow/build/src/../../src/parser.c:692:9
#3 0x511bc1 in yyparse /home/yang/MyProject/remote_fuzz_suite/target_src/cflow/build/src/../../src/parser.c
#4 0x50922f in main /home/yang/MyProject/remote_fuzz_suite/target_src/cflow/build/src/../../src/main.c:855:7
#5 0x7f8556366082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#6 0x41d4dd in _start (/home/yang/MyProject/remote_fuzz_suite/target_bin/cflow+0x41d4dd)
0x61d000001d80 is located 0 bytes to the right of 2304-byte region [0x61d000001480,0x61d000001d80)
allocated by thread T0 here:
#0 0x4c2978 in realloc /home/yang/build/llvm_tools/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
#1 0x552178 in xrealloc /home/yang/MyProject/remote_fuzz_suite/target_src/cflow/build/gnu/../../gnu/xmalloc.c:74:13
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/yang/build/llvm_tools/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c3a7fff8360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff8380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fff83b0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff8400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2628166==ABORTING
I have attached the crash sample to this letter.
Thanks
Yi Yang
Attachment: crash1 (binary data)