heap-buffer-overflow
[root@fedora kamby]# make
clang -fsanitize=address,undefined -c -fpic -o kamby.o kamby.c
clang -fsanitize=address,undefined -shared -o libkamby.so kamby.o
rm kamby.o
clang -fsanitize=address,undefined -o kamby main.c kamby.c
[root@fedora kamby]# make test
clang -fsanitize=address,undefined -c -fpic -o kamby.o kamby.c
clang -fsanitize=address,undefined -shared -o libkamby.so kamby.o
rm kamby.o
clang -fsanitize=address,undefined -o tests tests.c -L`pwd` -lkamby
TESTING...
- Initialization
=================================================================
==997==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000013 at pc 0x000000447f5a bp 0x7fffc64a3e90 sp 0x7fffc64a3650
WRITE of size 4 at 0x602000000013 thread T0
#0 0x447f59 in __interceptor_strcpy.part.0 asan_interceptors.cpp.o
#1 0x7f25902fae83 in ka_idf (/root/kamby/libkamby.so+0xde83) (BuildId: 57fe31e0ce1eb6ef4c07b16b7a75f7c740f59fec)
#2 0x7f259030c052 in ka_init (/root/kamby/libkamby.so+0x1f052) (BuildId: 57fe31e0ce1eb6ef4c07b16b7a75f7c740f59fec)
#3 0x51275b in test_init (/root/kamby/tests+0x51275b) (BuildId: 4487b6b2fc988d4eb27ee1a3afc04555cf122ae5)
#4 0x517724 in main (/root/kamby/tests+0x517724) (BuildId: 4487b6b2fc988d4eb27ee1a3afc04555cf122ae5)
#5 0x7f259002da4f in __libc_start_call_main (/lib64/libc.so.6+0x23a4f) (BuildId: 705c3497077980e84480c5ea1f24241b72863722)
#6 0x7f259002db08 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x23b08) (BuildId: 705c3497077980e84480c5ea1f24241b72863722)
#7 0x41d3c4 in _start (/root/kamby/tests+0x41d3c4) (BuildId: 4487b6b2fc988d4eb27ee1a3afc04555cf122ae5)
0x602000000013 is located 0 bytes to the right of 3-byte region [0x602000000010,0x602000000013)
allocated by thread T0 here:
#0 0x4cfa97 in __interceptor_malloc (/root/kamby/tests+0x4cfa97) (BuildId: 4487b6b2fc988d4eb27ee1a3afc04555cf122ae5)
#1 0x7f25902fac12 in ka_idf (/root/kamby/libkamby.so+0xdc12) (BuildId: 57fe31e0ce1eb6ef4c07b16b7a75f7c740f59fec)
#2 0x7f259030c052 in ka_init (/root/kamby/libkamby.so+0x1f052) (BuildId: 57fe31e0ce1eb6ef4c07b16b7a75f7c740f59fec)
#3 0x51275b in test_init (/root/kamby/tests+0x51275b) (BuildId: 4487b6b2fc988d4eb27ee1a3afc04555cf122ae5)
#4 0x517724 in main (/root/kamby/tests+0x517724) (BuildId: 4487b6b2fc988d4eb27ee1a3afc04555cf122ae5)
#5 0x7f259002da4f in __libc_start_call_main (/lib64/libc.so.6+0x23a4f) (BuildId: 705c3497077980e84480c5ea1f24241b72863722)
SUMMARY: AddressSanitizer: heap-buffer-overflow asan_interceptors.cpp.o in __interceptor_strcpy.part.0
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa[03]fa fa fa 03 fa fa fa fa fa fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==997==ABORTING
make: *** [Makefile:33: test] Error 1
#
The expected compiler is GCC, and you are using clang. I have not tested with clang, and the Makefile is not expected to work with it. Please try gcc instead of clang and let me know whether it works.
You do not understand the issue: the overflow is reported by AddressSanitizer, not by the compiler, and it reproduces with gcc as well (with gcc the Initialization test passes, but the sanitizer then reports a one-byte out-of-bounds read in ka_parser during the Parser test). Here is the gcc test run:
# make test
gcc -fsanitize=address,undefined -c -fpic -o kamby.o kamby.c
gcc -fsanitize=address,undefined -shared -o libkamby.so kamby.o
rm kamby.o
gcc -fsanitize=address,undefined -o tests tests.c -L`pwd` -lkamby
TESTING...
- Initialization
- Parser
=================================================================
==1061==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000972 at pc 0x7f208560bce3 bp 0x7ffd3218f4f0 sp 0x7ffd3218f4e8
READ of size 1 at 0x602000000972 thread T0
#0 0x7f208560bce2 in ka_parser.localalias (/root/kamby/libkamby.so+0x20ce2)
#1 0x7f20856086df in ka_parser.localalias (/root/kamby/libkamby.so+0x1d6df)
#2 0x40148e in test_parser (/root/kamby/tests+0x40148e)
#3 0x403ecd in main (/root/kamby/tests+0x403ecd)
#4 0x7f2084448a4f in __libc_start_call_main (/lib64/libc.so.6+0x23a4f)
#5 0x7f2084448b08 in __libc_start_main_alias_1 (/lib64/libc.so.6+0x23b08)
#6 0x401244 in _start (/root/kamby/tests+0x401244)
0x602000000972 is located 1 bytes to the right of 1-byte region [0x602000000970,0x602000000971)
allocated by thread T0 here:
#0 0x7f2084eba077 in calloc (/lib64/libasan.so.8+0xba077)
#1 0x7f208560b112 in ka_parser.localalias (/root/kamby/libkamby.so+0x20112)
#2 0x7f20856086df in ka_parser.localalias (/root/kamby/libkamby.so+0x1d6df)
#3 0x40148e in test_parser (/root/kamby/tests+0x40148e)
#4 0x403ecd in main (/root/kamby/tests+0x403ecd)
#5 0x7f2084448a4f in __libc_start_call_main (/lib64/libc.so.6+0x23a4f)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/kamby/libkamby.so+0x20ce2) in ka_parser.localalias
Shadow bytes around the buggy address:
0x0c047fff80d0: fa fa 02 fa fa fa fd fa fa fa 03 fa fa fa 03 fa
0x0c047fff80e0: fa fa fd fa fa fa 02 fa fa fa 02 fa fa fa fd fa
0x0c047fff80f0: fa fa 03 fa fa fa 03 fa fa fa fd fa fa fa 03 fa
0x0c047fff8100: fa fa 03 fa fa fa fd fa fa fa 03 fa fa fa 03 fa
0x0c047fff8110: fa fa fd fa fa fa 05 fa fa fa 05 fa fa fa fd fa
=>0x0c047fff8120: fa fa 06 fa fa fa 06 fa fa fa fd fa fa fa[01]fa
0x0c047fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1061==ABORTING
make: *** [Makefile:33: test] Error 1