phoenix Heap buffer overflow in `string_match` benchmark when `malloc` is used.

Heap buffer overflow in `string_match` benchmark when `malloc` is used.

Open dimstav23 opened this issue 10 months ago • 0 comments

Heap buffer overflow in `string_match` benchmark when `malloc` is used.

How to reproduce:

Compile the benchmarks with a patch that enables the `NO_MMAP` flag and `AddressSanitizer` (`ASan`):

$ git clone https://github.com/kozyraki/phoenix.git

$ cd phoenix/phoenix-2.0/

$ echo 'diff --git a/phoenix-2.0/tests/string_match/Makefile b/phoenix-2.0/tests/string_match/Makefile
index be7d94b..310b965 100644
--- a/phoenix-2.0/tests/string_match/Makefile
+++ b/phoenix-2.0/tests/string_match/Makefile
@@ -46,16 +46,16 @@ default: all
 all: $(PROGS)
 
 string_match: $(STR_MATCH_OBJS) $(LIB_DEP)
-    $(CC) $(CFLAGS) -o $@ $(STR_MATCH_OBJS) $(LIBS)
+    $(CC) $(CFLAGS) -o $@ $(STR_MATCH_OBJS) $(LIBS) -fsanitize=address
 
 string_match-seq: $(STR_MATCH_SEQ_OBJS)
-    $(CC) $(CFLAGS) -o $@ $(STR_MATCH_SEQ_OBJS) $(LIBS)
+    $(CC) $(CFLAGS) -o $@ $(STR_MATCH_SEQ_OBJS) $(LIBS) -fsanitize=address
 
 string_match-pthread: $(STR_MATCH_PTHREAD_OBJS)
-    $(CC) $(CFLAGS) -o $@ $(STR_MATCH_PTHREAD_OBJS) $(LIBS)
+    $(CC) $(CFLAGS) -o $@ $(STR_MATCH_PTHREAD_OBJS) $(LIBS) -fsanitize=address
 
 %.o: %.c
-    $(CC) $(CFLAGS) -c $< -o $@ -I$(HOME)/$(INC_DIR)
+    $(CC) $(CFLAGS) -c $< -o $@ -I$(HOME)/$(INC_DIR) -DNO_MMAP=1 -fsanitize=address
 
 clean:
     rm -f $(PROGS) $(STR_MATCH_OBJS) $(STR_MATCH_SEQ_OBJS) $(STR_MATCH_PTHREAD_OBJS)' > sm_overflow.patch

$ git apply sm_overflow.patch

$ make

Retrieve the inputs for the `string_match` benchmark:

$ cd tests/string_match

$ wget http://csl.stanford.edu/~christos/data/string_match.tar.gz

$ tar -xvf string_match.tar.gz

Run the `string_match`benchmark and observe the output of `ASan`:

$ ./string_match string_match_datafiles/key_file_50MB.txt

How to fix:

To fix the issue, you need to add 1 byte in the malloc call (to match the one used by the default mmap). Then, the execution with ASan no longer reports the heap buffer overflow. A sample patch is attached to this issue. sm_overflow_fix_patch.txt

Tested on:

OS: Ubuntu 22.04.4 LTS Kernel: 6.2.0-39-generic gcc: 11.4.0

Apr 12 '24 09:04 dimstav23

phoenix phoenix copied to clipboard

Heap buffer overflow in `string_match` benchmark when `malloc` is used.

Heap buffer overflow in string_match benchmark when malloc is used.

How to reproduce:

Compile the benchmarks with a patch that enables the NO_MMAP flag and AddressSanitizer (ASan):

Retrieve the inputs for the string_match benchmark:

Run the string_matchbenchmark and observe the output of ASan:

How to fix:

Tested on:

phoenix
phoenix copied to clipboard

Heap buffer overflow in `string_match` benchmark when `malloc` is used.

Compile the benchmarks with a patch that enables the `NO_MMAP` flag and `AddressSanitizer` (`ASan`):

Retrieve the inputs for the `string_match` benchmark:

Run the `string_match`benchmark and observe the output of `ASan`: