You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[BUG] heap-buffer-overflow on address 0x6070000106e9 at pc 0x0000005b841d bp 0x7ffe9ba09790 sp 0x7ffe9ba09788 READ of size 4 at 0x6070000106e9 thread T0
#425
Closed
zlowram opened this issue
Apr 22, 2020
· 1 comment
I've been running a fuzzer on PcapPlusPlus and found some bugs that I'm currently reporting.
Below you can find the AddressSanitizer stacktrace as well as the sample that triggers the bug. With this information you should be able to reproduce it.
If you'd like to reproduce the AddressSanitizer stacktrace, I've sent a PR that does an initial integration of the fuzzers within the project structure and build chain.
INFO: Seed: 882780696
INFO: Loaded 1 modules (68 inline 8-bit counters): 68 [0x784f60, 0x784fa4),
INFO: Loaded 1 PC tables (68 PCs): 68 [0x7221d0,0x722610),
Tests/Fuzzers/Bin/fuzz_target: Running 1 inputs 1 time(s) each.
Running: ../fuzzers/bugs/crash-eec28dafde1f1ac2299674a75a914ae16d4046fa
=================================================================
==371984==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000106e9 at pc 0x0000005b841d bp 0x7ffe9ba09790 sp 0x7ffe9ba09788
READ of size 4 at 0x6070000106e9 thread T0
#0 0x5b841c in pcpp::IPv4Layer::getDstIpAddress() const /home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/../../Dist/header/IPv4Layer.h:475:77
#1 0x5b798d in LLVMFuzzerTestOneInput /home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/fuzz_target.cc:59:78
#2 0x4bf768 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/Bin/fuzz_target+0x4bf768)
#3 0x4a4885 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/Bin/fuzz_target+0x4a4885)
#4 0x4ad7c9 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/Bin/fuzz_target+0x4ad7c9)
#5 0x466996 in main (/home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/Bin/fuzz_target+0x466996)
#6 0x7f4963a4b1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
#7 0x49d87d in _start (/home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/Bin/fuzz_target+0x49d87d)
0x6070000106e9 is located 2 bytes to the right of 71-byte region [0x6070000106a0,0x6070000106e7)
allocated by thread T0 here:
#0 0x5b4707 in operator new[](unsigned long) (/home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/Bin/fuzz_target+0x5b4707)
#1 0x5bb5da in pcpp::PcapFileReaderDevice::getNextPacket(pcpp::RawPacket&) /home/z/self/src/research/pcapplusplus/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:173:52
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/z/self/src/research/pcapplusplus/PcapPlusPlus/Tests/Fuzzers/../../Dist/header/IPv4Layer.h:475:77 in pcpp::IPv4Layer::getDstIpAddress() const
Shadow bytes around the buggy address:
0x0c0e7fffa080: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
0x0c0e7fffa090: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0e7fffa0a0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
0x0c0e7fffa0b0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0e7fffa0c0: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 07
=>0x0c0e7fffa0d0: fa fa fa fa 00 00 00 00 00 00 00 00 07[fa]fa fa
0x0c0e7fffa0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffa0f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffa100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==371984==ABORTING
Hi!
I've been running a fuzzer on PcapPlusPlus and found some bugs that I'm currently reporting.
Below you can find the AddressSanitizer stacktrace as well as the sample that triggers the bug. With this information you should be able to reproduce it.
If you'd like to reproduce the AddressSanitizer stacktrace, I've sent a PR that does an initial integration of the fuzzers within the project structure and build chain.
Sample: crash-eec28dafde1f1ac2299674a75a914ae16d4046fa.zip
The text was updated successfully, but these errors were encountered: