bug-cflow

I found a heap overflow in cflow


From: address@hidden
Subject: I found a heap overflow in cflow
Date: Mon, 8 Aug 2022 14:10:23 +0800

Dear Developers,
    I have found a heap overflow in cflow at commit 461aec2a575c11d5ce14ab44e1068e1f5c94db88.
    The command and its output are:
    yang@ubuntu:~/MyProject/remote_fuzz_suite/output/cflow/0/Slave1/crashes$ ../../../../../target_bin/cflow ./crash1 
./crash1:24: missing `;' after struct declaration near `/'
../../../../../target_bin/cflow:./crash1:26: HAVE_PTHREAD_ATFORK redefined
../../../../../target_bin/cflow:./crash1:3: this is the place of previous definition
./crash1:42: missing `;' after struct declaration near `{'
../../../../../target_bin/cflow:./crash1:50: HAVE_PTHREAD_ATFORK redefined
../../../../../target_bin/cflow:./crash1:26: this is the place of previous definition
./crash1:67: missing `;' after struct declaration near `!'
../../../../../target_bin/cflow:./crash1:83: i redefined
../../../../../target_bin/cflow:./crash1:83: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:83: i redefined
../../../../../target_bin/cflow:./crash1:83: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:85: mt redefined
../../../../../target_bin/cflow:./crash1:70: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:88: MT_N redefined
../../../../../target_bin/cflow:./crash1:83: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:88: i redefined
../../../../../target_bin/cflow:./crash1:83: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:89: y redefined
../../../../../target_bin/cflow:./crash1:84: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:90: state redefined
../../../../../target_bin/cflow:./crash1:85: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:90: mt redefined
../../../../../target_bin/cflow:./crash1:85: this is the place of previous definition
../../../../../target_bin/cflow:./crash1:463: guess_category_value/3 redefined
../../../../../target_bin/cflow:./crash1:458: this is the place of previous definition
=================================================================
==2628166==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000001d80 at pc 0x0000004c156a bp 0x7ffc45ca8570 sp 0x7ffc45ca7d20
READ of size 24 at 0x61d000001d80 thread T0
    #0 0x4c1569 in __asan_memcpy /home/yang/build/llvm_tools/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x50fdb1 in nexttoken /home/yang/MyProject/remote_fuzz_suite/target_src/cflow/build/src/../../src/parser.c:302:12
    #2 0x511eef in parse_function_declaration /home/yang/MyProject/remote_fuzz_suite/target_src/cflow/build/src/../../src/parser.c:692:9
    #3 0x511bc1 in yyparse /home/yang/MyProject/remote_fuzz_suite/target_src/cflow/build/src/../../src/parser.c
    #4 0x50922f in main /home/yang/MyProject/remote_fuzz_suite/target_src/cflow/build/src/../../src/main.c:855:7
    #5 0x7f8556366082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41d4dd in _start (/home/yang/MyProject/remote_fuzz_suite/target_bin/cflow+0x41d4dd)

0x61d000001d80 is located 0 bytes to the right of 2304-byte region [0x61d000001480,0x61d000001d80)
allocated by thread T0 here:
    #0 0x4c2978 in realloc /home/yang/build/llvm_tools/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
    #1 0x552178 in xrealloc /home/yang/MyProject/remote_fuzz_suite/target_src/cflow/build/gnu/../../gnu/xmalloc.c:74:13

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/yang/build/llvm_tools/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c3a7fff8360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff8380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fff83b0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fff8400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2628166==ABORTING

    I have attached the crash sample to this letter.

    Thanks

    Yi Yang


firefoxxp@hotmail.com

Attachment: crash1
Description: Binary data
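Reading the report above the way a crash-triage script would, as an added example that is not from the reporter or the cflow project: it parses the AddressSanitizer lines quoted in this mail, checks that the region bounds agree with the stated 2304-byte size, computes how many bytes of the 24-byte memcpy read fall past the allocation, and names the first non-sanitizer frame on the access stack (nexttoken) and on the allocation stack (xrealloc). The embedded report excerpt is constructed from the mail, with paths shortened.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted in the bug report above
# (paths shortened with "..." for readability).
ASAN_REPORT = """\
==2628166==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000001d80 at pc 0x0000004c156a bp 0x7ffc45ca8570 sp 0x7ffc45ca7d20
READ of size 24 at 0x61d000001d80 thread T0
    #0 0x4c1569 in __asan_memcpy .../compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x50fdb1 in nexttoken .../cflow/build/src/../../src/parser.c:302:12
    #2 0x511eef in parse_function_declaration .../cflow/build/src/../../src/parser.c:692:9
0x61d000001d80 is located 0 bytes to the right of 2304-byte region [0x61d000001480,0x61d000001d80)
allocated by thread T0 here:
    #0 0x4c2978 in realloc .../compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
    #1 0x552178 in xrealloc .../cflow/build/gnu/../../gnu/xmalloc.c:74:13
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
                       r"(?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^[ \t]+#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)

def first_target_frame(frames):
    """Skip sanitizer-runtime frames; the first remaining one is in the program under test."""
    for f in frames:
        if not (f["func"].startswith("__asan") or "compiler-rt/lib/asan" in f["loc"]):
            return f["func"], f["loc"]
    return None, None

def triage(report):
    err, acc, reg = ERROR_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (err and acc and reg):
        raise ValueError("not a recognised ASan heap-buffer-overflow report")
    lo, hi = int(reg["lo"], 16), int(reg["hi"], 16)
    if hi - lo != int(reg["rsize"]):
        raise ValueError("region bounds disagree with stated region size")
    addr, size = int(acc["addr"], 16), int(acc["size"])
    # Bytes of the access [addr, addr+size) that fall outside the allocation [lo, hi).
    oob = max(0, lo - addr) + max(0, addr + size - hi)
    frames = list(FRAME_RE.finditer(report))
    # Frames before the "located ..." line belong to the faulting access, those after to the allocation.
    access_site = first_target_frame([f for f in frames if f.start() < reg.start()])
    alloc_site = first_target_frame([f for f in frames if f.start() > reg.start()])
    return {
        "kind": err["kind"], "op": acc["op"], "access_size": size,
        "region_size": hi - lo, "oob_bytes": oob, "side": reg["side"],
        "access_site": access_site, "alloc_site": alloc_site,
    }
```

`triage(ASAN_REPORT)` reports a 24-byte READ starting exactly at the end of the 2304-byte xrealloc'd region, so all 24 bytes of the memcpy in nexttoken (parser.c:302) are out of bounds.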

