Actions
Bug #3611
closeddefrag: asan issue
Affected Versions:
Effort:
Difficulty:
Label:
Description
================================================================= ==11==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000036bd2 at pc 0x00000053484a bp 0x7ffcf3181ff0 sp 0x7ffcf31817b8 READ of size 4294942892 at 0x61e000036bd2 thread T0 (Suricata-Main) SCARINESS: 26 (multi-byte-read-heap-buffer-overflow) #0 0x534849 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 #1 0x803c16 in DefragInsertFrag /src/suricata/src/defrag.c:855:5 #2 0x802226 in Defrag /src/suricata/src/defrag.c:1061:18 #3 0x7d8a20 in DecodeIPV6 /src/suricata/src/decode-ipv6.c:655:22 #4 0x7e52dd in DecodeRaw /src/suricata/src/decode-raw.c:70:9 #5 0xeaa0a0 in DecodePcapFile /src/suricata/src/source-pcap-file.c:412:9 #6 0x568197 in LLVMFuzzerTestOneInput /src/suricata/src/tests/fuzz/fuzz_sigpcap.c:155:25 #7 0x46d871 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15 #8 0x46cf95 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3 #9 0x46f337 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19 #10 0x4700c5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:830:5 #11 0x45e148 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6 #12 0x487f72 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10 #13 0x7fa3e0dc082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #14 0x431808 in _start (/out/fuzz_sigpcap+0x431808) 0x61e000036bd2 is located 0 bytes to the right of 2898-byte region [0x61e000036080,0x61e000036bd2) allocated by thread T0 (Suricata-Main) here: #0 0x53540d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x446677 in operator new(unsigned long) (/out/fuzz_sigpcap+0x446677) #2 0x46e70e in operator= /work/llvm-stage2/projects/compiler-rt/lib/fuzzer/libcxx_fuzzer_x86_64/include/c++/v1/vector:1404:9 #3 0x46e70e in fuzzer::InputCorpus::AddToCorpus(std::__Fuzzer::vector<unsigned char, fuzzer::fuzzer_allocator<unsigned char> > const&, unsigned long, bool, bool, std::__Fuzzer::vector<unsigned int, fuzzer::fuzzer_allocator<unsigned int> > const&, fuzzer::DataFlowTrace const&, fuzzer::InputInfo const*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerCorpus.h:97:10 #4 0x46d287 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:489:25 #5 0x46f337 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19 #6 0x4700c5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:830:5 #7 0x45e148 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6 #8 0x487f72 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10 #9 0x7fa3e0dc082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy Shadow bytes around the buggy address: 0x0c3c7fffed20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3c7fffed30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3c7fffed40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3c7fffed50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3c7fffed60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c3c7fffed70: 00 00 00 00 00 00 00 00 00 00[02]fa fa fa fa fa 0x0c3c7fffed80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3c7fffed90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3c7fffeda0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3c7fffedb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3c7fffedc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==11==ABORTING
Updated by Jeff Lucovsky over 4 years ago
- Copied from Bug #3496: defrag: asan issue added
Updated by Shivani Bhardwaj over 4 years ago
- Priority changed from High to Immediate
Updated by Victor Julien over 4 years ago
- Assignee changed from Shivani Bhardwaj to Victor Julien
Updated by Victor Julien over 4 years ago
- Priority changed from Immediate to High
Updated by Victor Julien over 4 years ago
- Status changed from Assigned to In Review
Updated by Victor Julien over 4 years ago
- Status changed from In Review to Closed
- Priority changed from High to Normal
Actions