bug-cpio

[Bug-cpio] Multiple heap overflows found with ASAN


From: Jacek Wielemborek
Subject: [Bug-cpio] Multiple heap overflows found with ASAN
Date: Sat, 5 Sep 2015 19:06:04 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0

Hi,

I built CPIO 2.11+dfsg (with Debian patches) and fuzzed it using
afl-fuzz with address sanitizer turned on. Here's an example crash I got
with base64-encoded archive "EAEBcceSlAFxx5KSkpIAQJKSx5IBcccAAJKSAECSkgA=":

address@hidden:~/fuzz/cpio# /root/pkg/cpio-2.11+dfsg/obj/src/cpio
-idmv  <
o/crashes/id\:000000\,sig\:06\,src\:000011\,op\:int16\,pos\:23\,val\:+0
/root/pkg/cpio-2.11+dfsg/obj/src/cpio: warning: skipped 3 bytes of junk
/root/pkg/cpio-2.11+dfsg/obj/src/cpio: warning: archive header has
reverse byte-order
=================================================================
==20289==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000efd1 at pc 0x7f80edb61988 bp 0x7fff7dc9cbd0 sp 0x7fff7dc9c380
READ of size 1 at 0x60200000efd1 thread T0
    #0 0x7f80edb61987 in strchr
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x6e987)
    #1 0x417e48 in path_contains_symlink ../../src/copyin.c:718
    #2 0x417e48 in process_copy_in ../../src/copyin.c:1522
    #3 0x404a6b in main ../../src/main.c:746
    #4 0x7f80ed76bb44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #5 0x40661a  (/root/pkg/cpio-2.11+dfsg/obj/src/cpio+0x40661a)

0x60200000efd1 is located 0 bytes to the right of 1-byte region
[0x60200000efd0,0x60200000efd1)
allocated by thread T0 here:
    #0 0x7f80edb8737a in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9437a)
    #1 0x4b0c84 in xmalloc ../../gnu/xmalloc.c:47

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 strchr
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa 05 fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==20289==ABORTING

I attach other crashes. Please let me know if there's anybody who can
fix it here, otherwise I'll be trying to file bug reports for Debian.

Cheers,
d33tah

Attachment: cpio-2.11+dfsg-afl-fuzz-asan.tar.gz
Description: application/gzip

Attachment: signature.asc
Description: OpenPGP digital signature
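The trace above faults inside strchr called from path_contains_symlink on a name held in a 1-byte heap region. The following is an added example, not code from cpio or from the Debian patch: the first function is an assumed reconstruction of the faulting loop's shape (a search restarted at slash + 1 each round), the second is the bounded form a practitioner would want, and the sample names are constructed.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Assumed shape of the faulting loop (reconstructed from the stack trace,
 * not quoted from cpio).  With an empty name in a 1-byte heap buffer,
 * slash + 1 already points one past the allocation, and strchr reads
 * there: the 1-byte READ "0 bytes to the right of 1-byte region".
 * Precondition, not enforced: name is NUL-terminated and non-empty. */
size_t count_dir_prefixes_unsafe(const char *name)
{
    size_t count = 0;
    const char *slash = name, *next;
    while ((next = strchr(slash + 1, '/')) != NULL) {
        slash = next;          /* prefix name[0..slash) would be lstat()ed */
        count++;
    }
    return count;
}

/* Hardened form: the caller passes the length it took from the archive
 * header and every search is bounded by memchr, so a zero-length name, a
 * missing NUL terminator or a bare "/" cannot cause an over-read.  Empty
 * components (leading "/", "//") are skipped: there is nothing to stat for
 * them.  Returns how many prefixes a symlink check would have to examine. */
size_t count_dir_prefixes(const char *name, size_t len)
{
    size_t count = 0, pos = 0;
    while (pos < len) {
        const char *slash = memchr(name + pos, '/', len - pos);
        if (slash == NULL)
            break;
        size_t idx = (size_t)(slash - name);
        if (idx > pos)         /* a non-empty component ends here */
            count++;
        pos = idx + 1;
    }
    return count;
}

int main(void)
{
    /* Constructed sample names; the empty one is the case in the report. */
    const char *samples[] = { "", "/", "a/b/c", "/a/b", "a//b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %zu prefixes\n", samples[i],
               count_dir_prefixes(samples[i], strlen(samples[i])));
    return 0;
}
```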

