From: dan.cermak at posteo dot net
Subject: [Bug default/30067] New: Heap buffer overflow found by libfuzzer in pkl_tab_lex
Date: Wed, 01 Feb 2023 16:36:28 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=30067
Bug ID: 30067
Summary: Heap buffer overflow found by libfuzzer in pkl_tab_lex
Product: poke
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: default
Assignee: unassigned at sourceware dot org
Reporter: dan.cermak at posteo dot net
CC: poke-devel at gnu dot org
Target Milestone: ---
Created attachment 14648
--> https://sourceware.org/bugzilla/attachment.cgi?id=14648&action=edit
crashing file
The attached file was created by libfuzzer using the code in the branch
defolos/fuzzer. It caused the following heap-buffer-overflow (detected with
ASAN):
❯ ./a.out crash-3bfd324b5e6a6852dc5fb17de49c4a740a8ff280
=================================================================
==1467405==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000010808 at pc 0x000000914639 bp 0x7ffe53828350 sp 0x7ffe53828348
WRITE of size 4 at 0x631000010808 thread T0
    #0 0x914638 in pkl_tab_lex /home/dan/packages/git.savannah.nongnu.org/git/poke/libpoke/pkl-lex.c:1696:25
    #1 0x8a8cea in pkl_tab_parse /home/dan/packages/git.savannah.nongnu.org/git/poke/libpoke/pkl-tab.c:5344:16
    #2 0x7cbdc4 in pkl_parse_buffer /home/dan/packages/git.savannah.nongnu.org/git/poke/libpoke/pkl-parser.c:171:9
    #3 0x51d383 in parse_buffer /home/dan/packages/git.savannah.nongnu.org/git/poke/libpoke/pkl.c:993:3
    #4 0x5179b9 in LLVMFuzzerTestOneInput /home/dan/packages/git.savannah.nongnu.org/git/poke/fuzz/fuzz_compiler.c:20:3
    #5 0x517c88 in main /home/dan/packages/git.savannah.nongnu.org/git/poke/fuzz/fuzz_compiler.c:50:10
    #6 0x7f84a3a4a50f in __libc_start_call_main /usr/src/debug/glibc-2.36-9.fc37.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f84a3a4a5c8 in __libc_start_main@GLIBC_2.2.5 /usr/src/debug/glibc-2.36-9.fc37.x86_64/csu/../csu/libc-start.c:381:3
    #8 0x41f324 in _start (/home/dan/packages/git.savannah.nongnu.org/git/poke/fuzz/a.out+0x41f324) (BuildId: ca808a8f58fb7570eb8c66ef066ce159c90fd7f5)

0x631000010808 is located 0 bytes to the right of 65544-byte region [0x631000000800,0x631000010808)
allocated by thread T0 here:
    #0 0x4d40b7 in malloc (/home/dan/packages/git.savannah.nongnu.org/git/poke/fuzz/a.out+0x4d40b7) (BuildId: ca808a8f58fb7570eb8c66ef066ce159c90fd7f5)
    #1 0x8d6b69 in pkl_tab_alloc /home/dan/packages/git.savannah.nongnu.org/git/poke/libpoke/pkl-lex.c:3933:9
    #2 0x8d6b69 in pkl_tab_lex /home/dan/packages/git.savannah.nongnu.org/git/poke/libpoke/pkl-lex.c:1617:50
    #3 0x8a8cea in pkl_tab_parse /home/dan/packages/git.savannah.nongnu.org/git/poke/libpoke/pkl-tab.c:5344:16
    #4 0x7cbdc4 in pkl_parse_buffer /home/dan/packages/git.savannah.nongnu.org/git/poke/libpoke/pkl-parser.c:171:9
    #5 0x51d383 in parse_buffer /home/dan/packages/git.savannah.nongnu.org/git/poke/libpoke/pkl.c:993:3
    #6 0x5179b9 in LLVMFuzzerTestOneInput /home/dan/packages/git.savannah.nongnu.org/git/poke/fuzz/fuzz_compiler.c:20:3
    #7 0x517c88 in main /home/dan/packages/git.savannah.nongnu.org/git/poke/fuzz/fuzz_compiler.c:50:10
    #8 0x7f84a3a4a50f in __libc_start_call_main /usr/src/debug/glibc-2.36-9.fc37.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dan/packages/git.savannah.nongnu.org/git/poke/libpoke/pkl-lex.c:1696:25 in pkl_tab_lex
Shadow bytes around the buggy address:
0x0c627fffa0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffa100: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1467405==ABORTING
When you load the file with poke 3.0 itself, you get a failure instead:
❯ poke -L crash-3bfd324b5e6a6852dc5fb17de49c4a740a8ff280
4:9: internal compiler error: input buffer overflow, can't enlarge buffer
because scanner uses REJECT
Important information has been dumped in /tmp/pokeIzFLf7.
Please attach it to a bug report and send it to poke-devel@gnu.org.
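An added example, not part of the bug report and not code from poke or flex. It models why the same input produces two different outcomes above. The reading it is built on is an inference from the trace, not something the report states: the 65544-byte region equals (16384 + 2) * 4, which is the size of the per-token state buffer a flex scanner allocates when the grammar uses REJECT (YY_BUF_SIZE + 2 entries of a 4-byte yy_state_type), the 4-byte write "0 bytes to the right" of it is the per-character state push of the matching loop, and the fuzz harness reaches pkl_parse_buffer, which hands the scanner the whole input as one buffer, while poke -L reads the file through flex's fixed-size refill path, which refuses to grow the window and aborts with the "can't enlarge buffer" message instead. The names BUF_SIZE, STATE_BUF_ENTRIES, walk_token, demo_memory_token and demo_file_token are mine; the two-state DFA is a toy standing in for the real lexer.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flex defaults from the generated skeleton: the input window is YY_BUF_SIZE
 * bytes, and a scanner using REJECT records one DFA state per consumed byte
 * in yy_state_buf, which holds YY_BUF_SIZE + 2 entries (assumption: that is
 * the region pkl_tab_alloc hands out in the report). */
#define BUF_SIZE          16384
#define STATE_BUF_ENTRIES (BUF_SIZE + 2)
typedef int32_t state_t;          /* yy_state_type is an int: 4 bytes */

enum { SCAN_ERR_CANT_ENLARGE = -1, SCAN_ERR_STATE_OVERFLOW = -2 };

/* (16384 + 2) * 4 == 65544, the region size in the ASan report. */
size_t state_buf_bytes(void) { return STATE_BUF_ENTRIES * sizeof(state_t); }

static int is_ident_char(unsigned char c) { return isalnum(c) || c == '_'; }

/* Toy model of a REJECT scanner's matching loop for one identifier token:
 * record the start state, then one state per consumed byte.  With
 * hardened == 0 the push is unchecked; once the token is longer than
 * STATE_BUF_ENTRIES - 1 bytes that push is a 4-byte heap write landing just
 * past the allocation.  Returns the token length or a SCAN_ERR_ code. */
static int walk_token(const unsigned char *buf, size_t avail,
                      state_t *state_buf, int hardened)
{
    state_t *p = state_buf, *end = state_buf + STATE_BUF_ENTRIES;
    state_t cur = 1;                  /* start state */
    size_t i = 0;

    *p++ = cur;
    while (i < avail && is_ident_char(buf[i])) {
        cur = 2;                      /* toy DFA: identifier bytes stay in state 2 */
        if (hardened && p >= end)
            return SCAN_ERR_STATE_OVERFLOW;   /* the bound check the loop lacks */
        *p++ = cur;                   /* out-of-bounds write when !hardened */
        i++;
    }
    return (int)i;
}

/* Constructed input: n identifier bytes followed by a terminating space. */
static unsigned char *make_long_identifier(size_t n)
{
    unsigned char *s = malloc(n + 2);
    memset(s, 'a', n);
    s[n] = ' ';
    s[n + 1] = '\0';
    return s;
}

/* In-memory parse (assumed to be the pkl_parse_buffer path): the whole input
 * is one buffer, so nothing limits the token before the state buffer is full. */
int demo_memory_token(size_t n, int hardened)
{
    unsigned char *src = make_long_identifier(n);
    state_t *sb = malloc(state_buf_bytes());
    int r = walk_token(src, n + 1, sb, hardened);
    free(sb);
    free(src);
    return r;
}

/* File input (poke -L path): the scanner sees at most BUF_SIZE bytes at a
 * time.  If the token fills the window without ending, a REJECT scanner
 * cannot grow the buffer and flex aborts with "input buffer overflow, can't
 * enlarge buffer because scanner uses REJECT" before any state overflow. */
int demo_file_token(size_t n)
{
    unsigned char *src = make_long_identifier(n);
    size_t window = (n + 1 < BUF_SIZE) ? n + 1 : BUF_SIZE;
    state_t *sb = malloc(state_buf_bytes());
    int r = walk_token(src, window, sb, 1);
    if (r >= 0 && (size_t)r == window)
        r = SCAN_ERR_CANT_ENLARGE;
    free(sb);
    free(src);
    return r;
}

int main(void)
{
    size_t n = BUF_SIZE + 10;   /* longer than any token the file path allows */
    printf("state buffer: %zu bytes\n", state_buf_bytes());
    printf("file path, %zu-byte token: %d\n", n, demo_file_token(n));
    printf("memory path (hardened), %zu-byte token: %d\n", n, demo_memory_token(n, 1));
    /* demo_memory_token(n, 0) performs the out-of-bounds write; build with
     * -fsanitize=address to see a heap-buffer-overflow of the reported shape. */
    return 0;
}
```

The useful triage check this gives you: a token of STATE_BUF_ENTRIES - 1 bytes is the longest one the state buffer can hold, so a reproducer candidate for the in-memory path is any single lexeme longer than that, while the same input through the file reader should stop at the flex fatal error. If the real crash file behaves the same way under both paths, this inference is wrong and the region must belong to something other than the state buffer.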