Bug #3610

closed

defrag: asan issue

Added by Jeff Lucovsky over 4 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

=================================================================
==11==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000036bd2 at pc 0x00000053484a bp 0x7ffcf3181ff0 sp 0x7ffcf31817b8
READ of size 4294942892 at 0x61e000036bd2 thread T0 (Suricata-Main)
SCARINESS: 26 (multi-byte-read-heap-buffer-overflow)
    #0 0x534849 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x803c16 in DefragInsertFrag /src/suricata/src/defrag.c:855:5
    #2 0x802226 in Defrag /src/suricata/src/defrag.c:1061:18
    #3 0x7d8a20 in DecodeIPV6 /src/suricata/src/decode-ipv6.c:655:22
    #4 0x7e52dd in DecodeRaw /src/suricata/src/decode-raw.c:70:9
    #5 0xeaa0a0 in DecodePcapFile /src/suricata/src/source-pcap-file.c:412:9
    #6 0x568197 in LLVMFuzzerTestOneInput /src/suricata/src/tests/fuzz/fuzz_sigpcap.c:155:25
    #7 0x46d871 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #8 0x46cf95 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #9 0x46f337 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #10 0x4700c5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:830:5
    #11 0x45e148 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6
    #12 0x487f72 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #13 0x7fa3e0dc082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x431808 in _start (/out/fuzz_sigpcap+0x431808)

0x61e000036bd2 is located 0 bytes to the right of 2898-byte region [0x61e000036080,0x61e000036bd2)
allocated by thread T0 (Suricata-Main) here:
    #0 0x53540d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x446677 in operator new(unsigned long) (/out/fuzz_sigpcap+0x446677)
    #2 0x46e70e in operator= /work/llvm-stage2/projects/compiler-rt/lib/fuzzer/libcxx_fuzzer_x86_64/include/c++/v1/vector:1404:9
    #3 0x46e70e in fuzzer::InputCorpus::AddToCorpus(std::__Fuzzer::vector<unsigned char, fuzzer::fuzzer_allocator<unsigned char> > const&, unsigned long, bool, bool, std::__Fuzzer::vector<unsigned int, fuzzer::fuzzer_allocator<unsigned int> > const&, fuzzer::DataFlowTrace const&, fuzzer::InputInfo const*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerCorpus.h:97:10
    #4 0x46d287 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:489:25
    #5 0x46f337 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #6 0x4700c5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:830:5
    #7 0x45e148 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6
    #8 0x487f72 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #9 0x7fa3e0dc082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c3c7fffed20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fffed30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fffed40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fffed50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fffed60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fffed70: 00 00 00 00 00 00 00 00 00 00[02]fa fa fa fa fa
  0x0c3c7fffed80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fffed90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fffeda0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fffedb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fffedc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==11==ABORTING

Related issues: 1 (0 open, 1 closed)

Copied from Suricata - Bug #3496: defrag: asan issue (Closed, Victor Julien)
#1

Updated by Jeff Lucovsky over 4 years ago

  • Copied from Bug #3496: defrag: asan issue added
#2

Updated by Victor Julien over 4 years ago

  • Status changed from Assigned to In Review
  • Assignee changed from Jeff Lucovsky to Victor Julien
  • Priority changed from High to Normal
#4

Updated by Victor Julien almost 3 years ago

  • Private changed from Yes to No