[Bug-cpio] Multiple heap overflows found with ASAN
From: Jacek Wielemborek
Subject: [Bug-cpio] Multiple heap overflows found with ASAN
Date: Sat, 5 Sep 2015 19:06:04 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
Hi,
I built CPIO 2.11+dfsg (with Debian patches) and fuzzed it using
afl-fuzz with address sanitizer turned on. Here's an example crash I got
with base64-encoded archive "EAEBcceSlAFxx5KSkpIAQJKSx5IBcccAAJKSAECSkgA=":
address@hidden:~/fuzz/cpio# /root/pkg/cpio-2.11+dfsg/obj/src/cpio -idmv < o/crashes/id\:000000\,sig\:06\,src\:000011\,op\:int16\,pos\:23\,val\:+0
/root/pkg/cpio-2.11+dfsg/obj/src/cpio: warning: skipped 3 bytes of junk
/root/pkg/cpio-2.11+dfsg/obj/src/cpio: warning: archive header has reverse byte-order
=================================================================
==20289==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000efd1 at pc 0x7f80edb61988 bp 0x7fff7dc9cbd0 sp 0x7fff7dc9c380
READ of size 1 at 0x60200000efd1 thread T0
#0 0x7f80edb61987 in strchr
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x6e987)
#1 0x417e48 in path_contains_symlink ../../src/copyin.c:718
#2 0x417e48 in process_copy_in ../../src/copyin.c:1522
#3 0x404a6b in main ../../src/main.c:746
#4 0x7f80ed76bb44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#5 0x40661a (/root/pkg/cpio-2.11+dfsg/obj/src/cpio+0x40661a)
0x60200000efd1 is located 0 bytes to the right of 1-byte region
[0x60200000efd0,0x60200000efd1)
allocated by thread T0 here:
#0 0x7f80edb8737a in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9437a)
#1 0x4b0c84 in xmalloc ../../gnu/xmalloc.c:47
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 strchr
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa 05 fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==20289==ABORTING
I attach other crashes. Please let me know if there's anybody who can
fix it here, otherwise I'll be trying to file bug reports for Debian.
Cheers,
d33tah
Attachment: cpio-2.11+dfsg-afl-fuzz-asan.tar.gz (application/gzip)
Attachment: signature.asc (OpenPGP digital signature)
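The ASan report above says everything a maintainer needs about the bug class: a READ of size 1 by strchr() landing "0 bytes to the right of 1-byte region" allocated through xmalloc, i.e. a heap string that was never NUL-terminated, so strchr() keeps scanning past its end (the shadow byte [01] marks a granule with only one addressable byte, fa the redzone around it). The following C program is an added illustration of that bug class and of two defensive alternatives; it is not cpio's code and makes no claim about how copyin.c actually builds the name. xmalloc_demo is a hypothetical stand-in for gnulib's xmalloc, the name bytes are constructed sample input, and the unsafe pattern is compiled only with -DDEMO_UNSAFE so that ASan can show a report of the same shape.

```c
/* Added illustration of the bug class behind the ASan report above
 * (not cpio's code): strchr() walks a heap buffer until it finds a NUL,
 * so a buffer that was never terminated is read past its end.
 * Build with:  gcc -fsanitize=address -g -DDEMO_UNSAFE demo.c   (shows a report)
 *              gcc demo.c                                      (safe functions only)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for gnulib's xmalloc: abort on allocation failure. */
static void *xmalloc_demo(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) {
        perror("malloc");
        abort();
    }
    return p;
}

/* Defensive variant one: the caller passes the length it actually read and
 * the search is bounded by memchr() instead of relying on a NUL terminator.
 * Returns 1 if a '/' is present within the first len bytes, else 0. */
int path_has_slash_bounded(const char *buf, size_t len)
{
    return memchr(buf, '/', len) != NULL;
}

/* Defensive variant two: turn untrusted bytes (e.g. a name field read from an
 * archive) into a real C string by allocating len + 1 and terminating it.
 * Embedded NULs are rejected, since they would silently truncate the name.
 * Returns a heap string the caller frees, or NULL if bytes contained a NUL. */
char *make_cstring(const char *bytes, size_t len)
{
    if (memchr(bytes, '\0', len) != NULL)
        return NULL;
    char *s = xmalloc_demo(len + 1);
    memcpy(s, bytes, len);
    s[len] = '\0';
    return s;
}

#ifdef DEMO_UNSAFE
/* The pattern ASan flagged: a 1-byte region that is not NUL-terminated is
 * handed to strchr(), which reads 1 byte past the region ("0 bytes to the
 * right of 1-byte region"). Compiled only on request because it is undefined
 * behaviour. */
static int unsafe_search(void)
{
    char *p = xmalloc_demo(1);          /* 1-byte region, as in the report */
    p[0] = 'x';                         /* no terminator */
    int found = strchr(p, '/') != NULL; /* heap-buffer-overflow READ of size 1 */
    free(p);
    return found;
}
#endif

int main(void)
{
    /* Constructed sample: a name field as it might arrive from an archive,
     * without a terminating NUL. */
    const char name_bytes[] = { 'a', 'b', '/', 'c' };
    size_t len = sizeof name_bytes;

    printf("bounded search: %d\n", path_has_slash_bounded(name_bytes, len));

    char *name = make_cstring(name_bytes, len);
    printf("terminated copy: %s -> strchr safe: %d\n",
           name, strchr(name, '/') != NULL);
    free(name);

#ifdef DEMO_UNSAFE
    printf("unsafe: %d\n", unsafe_search());
#endif
    return 0;
}
```

Either defensive variant removes the dependence on a terminator the parser may not have written: the bounded search never reads beyond the length the caller vouches for, and the terminated copy makes every later str* call on the name well-defined. Rejecting embedded NULs in make_cstring is deliberate, because a name that silently shortens at a NUL is exactly the kind of mismatch between "bytes read" and "string seen" that path checks such as a symlink test can be tricked by.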