Stability testing with ASan (AddressSanitizer): Parse hits a heap-buffer-overflow.

Symptom

Fuzz-testing with the string `[[[[[[[[[[[[[[[[[[[[[[ "" ]`, with the binary linked against the ASan library and built with the `-fsanitize=address -fsanitize-recover=address` options, reports a heap buffer overflow.
```
==166314==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffffba003fc0 at pc 0xffffbcf5a84c bp 0xffffe8dd4e70 sp 0xffffe8dd4648
READ of size 16 at 0xffffba003fc0 thread T0
    #0 0xffffbcf5a848 in __interceptor_memcpy (/usr/lib64/libasan.so.8+0x4a848)
    #1 0xaaaaaaf95fb0 (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x5fb0)
    #2 0xaaaaaafa0f7c (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x10f7c)
    #3 0xaaaaaaf9277c (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x277c)
    #4 0xffffbca7763c (/usr/lib64/libc.so.6+0x2763c)
    #5 0xffffbca77724 in __libc_start_main (/usr/lib64/libc.so.6+0x27724)
    #6 0xaaaaaaf928ac (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x28ac)

0xffffba003fc0 is located 0 bytes to the right of 256-byte region [0xffffba003ec0,0xffffba003fc0)
allocated by thread T0 here:
    #0 0xffffbcfc4784 (/usr/lib64/libasan.so.8+0xb4784)
    #1 0xaaaaaaf934f8 (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x34f8)
    #2 0xaaaaaafa0f7c (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x10f7c)
    #3 0xaaaaaaf9277c (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x277c)
    #4 0xffffbca7763c (/usr/lib64/libc.so.6+0x2763c)
    #5 0xffffbca77724 in __libc_start_main (/usr/lib64/libc.so.6+0x27724)
    #6 0xaaaaaaf928ac (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x28ac)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib64/libasan.so.8+0x4a848) in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x200ff74007a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff74007b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff74007c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff74007d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x200ff74007e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x200ff74007f0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x200ff7400800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff7400810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff7400820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff7400830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff7400840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==166314==ABORTING
```
Fuzz test case:
```cpp
#include <iostream>
#include <string>

#include "sonic/sonic.h"  // sonic_json::Document

// Repeatedly parses the crashing input so that ASan can catch the overflow.
// `count` is unused in this harness; the iteration count is hard-coded below.
void testfor_parse_char(char *caseName, int count)
{
    std::cout << "start ---- " << caseName << std::endl;
    for (int i = 0; i < 30000000; i++) {
        // 22 unclosed '[' followed by an empty string and a single ']'
        std::string data = "[[[[[[[[[[[[[[[[[[[[[[ \"\" ]";
        sonic_json::Document doc;
        doc.Parse(data.c_str());
    }
    std::cout << "---------- End execute " << caseName << " end ----------" << std::endl;
}
```
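The report above shows a 16-byte `memcpy` read starting exactly at the end of a 256-byte heap region, which is the access pattern a vector-width parser produces when it loads fixed-size blocks from an input buffer that has no padding after its last byte. The following is an added illustration of that bug class and its usual mitigation (over-allocate and zero-fill the input so every block load stays inside the allocation); it is not sonic-cpp code, it does not claim to be the root cause of this report, and the names `kChunk`, `padded_capacity`, `PaddedInput` and `scan_blocks` are hypothetical. The block emulates a 16-byte SIMD load with `memcpy` into a local array so the read pattern is explicit, and scans for the structural characters in the fuzz input (`[`, `]`, `"`), reporting nesting depth and whether the brackets balance.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Width of the emulated vector load: 16 bytes, the READ size in the ASan
// report. Hypothetical constant for this illustration.
constexpr std::size_t kChunk = 16;

// Bytes a buffer must hold so that a reader loading whole kChunk blocks from
// offset 0 until it has covered `len` bytes, plus one look-ahead block after
// the last token, never touches memory outside the allocation.
std::size_t padded_capacity(std::size_t len) {
  const std::size_t rounded = (len + kChunk - 1) / kChunk * kChunk;
  return rounded + kChunk;
}

// Input copied into an over-allocated, zero-filled buffer. Bytes at or after
// `len` are not document content; they only make trailing block loads legal.
struct PaddedInput {
  std::vector<char> buf;
  std::size_t len;

  explicit PaddedInput(const std::string& s)
      : buf(padded_capacity(s.size()), '\0'), len(s.size()) {
    std::memcpy(buf.data(), s.data(), s.size());
  }
};

struct ScanResult {
  std::size_t opens = 0;         // '[' seen
  std::size_t closes = 0;        // ']' seen
  std::size_t quotes = 0;        // '"' seen
  int max_depth = 0;             // deepest '[' nesting reached
  bool balanced = false;         // nesting depth is 0 at end of input
  std::size_t bytes_loaded = 0;  // bytes touched by block loads
};

// Scans one kChunk block at a time, as a SIMD parser would, but every load
// is checked against the allocation size before it happens.
ScanResult scan_blocks(const PaddedInput& in) {
  ScanResult r;
  int depth = 0;
  for (std::size_t off = 0; off < in.len; off += kChunk) {
    // With padded_capacity() this can never fail; an unpadded buffer would
    // fail here on the last block instead of reading out of bounds.
    if (off + kChunk > in.buf.size()) {
      return r;
    }
    char block[kChunk];
    std::memcpy(block, in.buf.data() + off, kChunk);
    r.bytes_loaded += kChunk;
    // Only bytes below `len` are document content; padding is skipped.
    const std::size_t valid = std::min(kChunk, in.len - off);
    for (std::size_t i = 0; i < valid; ++i) {
      switch (block[i]) {
        case '[':
          ++r.opens;
          ++depth;
          r.max_depth = std::max(r.max_depth, depth);
          break;
        case ']':
          ++r.closes;
          --depth;
          break;
        case '"':
          ++r.quotes;
          break;
        default:
          break;
      }
    }
  }
  r.balanced = (depth == 0);
  return r;
}

int main() {
  // The fuzz input from the report above.
  const std::string json = "[[[[[[[[[[[[[[[[[[[[[[ \"\" ]";
  PaddedInput in(json);
  ScanResult r = scan_blocks(in);
  std::cout << "len=" << in.len << " capacity=" << in.buf.size()
            << " opens=" << r.opens << " closes=" << r.closes
            << " max_depth=" << r.max_depth
            << " balanced=" << (r.balanced ? "yes" : "no")
            << " bytes_loaded=" << r.bytes_loaded << '\n';
  return 0;
}
```

The `off + kChunk > in.buf.size()` check is what a sanitizer enforces at run time for you; having it in the code path means the last block of an unpadded buffer fails loudly in a release build too, instead of silently reading the redzone that ASan marks `fa` in the shadow map.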