Heap Buffer Overflow at MemcmpInterceptorCommon function in config_load config.c:97:23
I triggered a heap-buffer-overflow bug reported by AddressSanitizer at the MemcmpInterceptorCommon function during a bcmp call. The issue arises from a read of 9 bytes at address 0x6130000001ac, which is immediately beyond the allocated memory region [0x613000000040, 0x6130000001ac) (364 bytes). The memory was allocated in the config_load function at line 97 of config.c. The overflow occurs in the config_parse function at line 76 of config.c, which is called from main at line 215 of main.c. This suggests that the bcmp operation is reading beyond the bounds of the allocated buffer, likely due to improper length validation or mismanagement of input data. To resolve this, review and ensure the input data length is properly checked and managed before calling bcmp or performing memory comparison operations in config_parse.
ASan report:
=================================================================
==3137514==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6130000001ac at pc 0x000000432469 bp 0x7ffecaf94490 sp 0x7ffecaf93c38
READ of size 9 at 0x6130000001ac thread T0
#0 0x432468 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/root/protocolFuzz/dns/tinydns/tinydns+0x432468)
#1 0x4329ba in bcmp (/root/protocolFuzz/dns/tinydns/tinydns+0x4329ba)
#2 0x4c4e61 in config_parse /root/protocolFuzz/dns/tinydns/config.c:76:7
#3 0x4c6a2a in main /root/protocolFuzz/dns/tinydns/main.c:215:2
#4 0x7f3352f0d082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x41b3fd in _start (/root/protocolFuzz/dns/tinydns/tinydns+0x41b3fd)
0x6130000001ac is located 0 bytes to the right of 364-byte region [0x613000000040,0x6130000001ac)
allocated by thread T0 here:
#0 0x493b3d in malloc (/root/protocolFuzz/dns/tinydns/tinydns+0x493b3d)
#1 0x4c50d2 in config_load /root/protocolFuzz/dns/tinydns/config.c:97:23
SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/protocolFuzz/dns/tinydns/tinydns+0x432468) in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
0x0c267fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c267fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff8030: 00 00 00 00 00[04]fa fa fa fa fa fa fa fa fa fa
0x0c267fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3137514==ABORTING
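The report's own diagnosis is that the comparison at config.c:76 reads past the block malloc'd in config_load because the remaining length is not checked first. The following is an added example, not tinydns's code (the page does not show config_parse), of a hypothetical keyword matcher that refuses to call memcmp when fewer bytes remain than the keyword needs; it is exercised on a constructed 364-byte, non NUL-terminated buffer whose last line is a truncated keyword, the shape of input that makes an unchecked fixed-length compare run off the end.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Length-aware keyword match: returns 1 only if `kw` fits entirely inside
 * the `len` bytes at `buf` starting at `off` and matches there. */
int match_keyword(const char *buf, size_t len, size_t off, const char *kw)
{
    size_t kwlen = strlen(kw);
    if (off > len || len - off < kwlen)   /* too few bytes left: never compare */
        return 0;
    return memcmp(buf + off, kw, kwlen) == 0;
}

/* Hypothetical parser core (not tinydns's): counts lines starting with `kw`.
 * A vulnerable variant would do memcmp(buf + off, kw, strlen(kw)) without
 * the remaining-length check above. */
int count_directives(const char *buf, size_t len, const char *kw)
{
    int n = 0;
    size_t off = 0;
    while (off < len) {
        if (match_keyword(buf, len, off, kw))
            n++;
        const char *nl = memchr(buf + off, '\n', len - off); /* next line */
        if (!nl)
            break;
        off = (size_t)(nl - buf) + 1;
    }
    return n;
}

/* Constructed sample: exact-size 364-byte heap block (the size in the ASan
 * report), no terminator, final line is a 4-byte prefix of "listen". */
int demo(void)
{
    const char *head = "listen 0.0.0.0\nlisten ::\n";
    size_t n = 364;
    char *cfg = malloc(n);
    if (!cfg)
        return -1;
    memset(cfg, '#', n);              /* filler comment bytes */
    memcpy(cfg, head, strlen(head));
    memcpy(cfg + n - 5, "\nlist", 5); /* truncated keyword at the very end */
    int c = count_directives(cfg, n, "listen");
    free(cfg);
    return c;                         /* 2: the truncated tail is skipped safely */
}

int main(void) { printf("%d directives\n", demo()); return 0; }
```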