Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] heap-buffer-overflow on address 0x60d0000000c6 at pc 0x0000005b82c0 bp 0x7ffdb73f1bf0 sp 0x7ffdb73f1be8 READ of size 4 #423

Closed
zlowram opened this issue Apr 22, 2020 · 1 comment
Closed

[BUG] heap-buffer-overflow on address 0x60d0000000c6 at pc 0x0000005b82c0 bp 0x7ffdb73f1bf0 sp 0x7ffdb73f1be8 READ of size 4 #423

zlowram opened this issue Apr 22, 2020 · 1 comment
Labels
bug

Comments

@zlowram
Copy link
Contributor

zlowram commented Apr 22, 2020

Hi!

I've been running a fuzzer on PcapPlusPlus and found some bugs that I'm currently reporting.

Below you can find the AddressSanitizer stacktrace as well as the sample that triggers the bug. With this information you should be able to reproduce it.

If you'd like to reproduce the AddressSanitizer stacktrace, I've sent a PR that does an initial integration of the fuzzers within the project structure and build chain.

INFO: Seed: 1708740405
INFO: Loaded 1 modules   (68 inline 8-bit counters): 68 [0x784f60, 0x784fa4), 
INFO: Loaded 1 PC tables (68 PCs): 68 [0x7221d0,0x722610), 
Tests/Fuzzers/Bin/fuzz_target: Running 1 inputs 1 time(s) each.
Running: ../fuzzers/bugs/crash-8534c61cdf5987482365d7877ade12eef5aaf8b7
=================================================================
==370482==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d0000000c6 at pc 0x0000005b82c0 bp 0x7ffdb73f1bf0 sp 0x7ffdb73f1be8
READ of size 4 at 0x60d0000000c6 thread T0
    #0 0x5b82bf in pcpp::IPv4Layer::getSrcIpAddress() const /home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/../../Dist/header/IPv4Layer.h:463:77
    #1 0x5b794a in LLVMFuzzerTestOneInput /home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/fuzz_target.cc:58:77
    #2 0x4bf768 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/Bin/fuzz_target+0x4bf768)
    #3 0x4a4885 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/Bin/fuzz_target+0x4a4885)
    #4 0x4ad7c9 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/Bin/fuzz_target+0x4ad7c9)
    #5 0x466996 in main (/home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/Bin/fuzz_target+0x466996)
    #6 0x7f5db306d1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
    #7 0x49d87d in _start (/home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/Bin/fuzz_target+0x49d87d)

0x60d0000000c6 is located 4 bytes to the right of 130-byte region [0x60d000000040,0x60d0000000c2)
allocated by thread T0 here:
    #0 0x5b4707 in operator new[](unsigned long) (/home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/Bin/fuzz_target+0x5b4707)
    #1 0x5bb5da in pcpp::PcapFileReaderDevice::getNextPacket(pcpp::RawPacket&) /home/z/self/src/research/pcapplusplus/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:173:52
LLVMSymbolizer: error reading file: No such file or directory
    #2 0x7ffdb73f1d00  ([stack]+0x1dd00)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/../../Dist/header/IPv4Layer.h:463:77 in pcpp::IPv4Layer::getSrcIpAddress() const
Shadow bytes around the buggy address:
  0x0c1a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1a7fff8010: 00 00 00 00 00 00 00 00[02]fa fa fa fa fa fa fa
  0x0c1a7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==370482==ABORTING

Sample: crash-8534c61cdf5987482365d7877ade12eef5aaf8b7.zip
seladb added a commit that referenced this issue Apr 25, 2020
@seladb
Bugfixes #423 #425
4fa39e1
@seladb seladb added the bug label Apr 25, 2020
@seladb
Copy link
Owner

seladb commented Apr 25, 2020

Fixed

@seladb seladb closed this as completed Apr 25, 2020
@zlowram zlowram mentioned this issue Apr 25, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zlowram @seladb