
global-buffer-overflow in BamReader_p.cpp:462:23, BamTools::Internal::BamReaderPrivate::LoadNextAlignment(BamTools::BamAlignment&)

Open schsiung opened this issue 2 years ago • 0 comments

Expected behavior and actual behavior.

global-buffer-overflow_POC_bamtools-2.5.2.tar.gz

Expected to run without a global-buffer-overflow.

Steps to reproduce the problem.

  1. bin/bamtools convert -format json -in out/default/crashes/id:000000,sig:06,src:000000,time:639,execs:197,op:havoc,rep:2 -out myData1.json
[AFL++ 4547ba12d0d6] /data/openeuler/bamtools/bamtools-2.5.2/build/obj # bin/bamtools convert -format json -in out/default/crashes/id:000000,sig:06,src:000000,time:639,execs:197,op:havoc,rep:2 -out myData1.json
=================================================================
==4107560==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55d46664a18b at pc 0x55d4664d39e8 bp 0x7fff2d7c78b0 sp 0x7fff2d7c78a8
READ of size 1 at 0x55d46664a18b thread T0
    #0 0x55d4664d39e7 in BamTools::Internal::BamReaderPrivate::LoadNextAlignment(BamTools::BamAlignment&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:462:23
    #1 0x55d4664d1d2c in BamTools::Internal::BamReaderPrivate::GetNextAlignmentCore(BamTools::BamAlignment&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:171:14
    #2 0x55d4664ba390 in BamTools::Internal::BamMultiReaderPrivate::SaveNextAlignment(BamTools::BamReader*, BamTools::BamAlignment*) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamMultiReader_p.cpp:745:17
    #3 0x55d4664ba390 in BamTools::Internal::BamMultiReaderPrivate::PopNextCachedAlignment(BamTools::BamAlignment&, bool) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamMultiReader_p.cpp:682:5
    #4 0x55d46638e85a in BamTools::ConvertTool::ConvertToolPrivate::Run() /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:305:31
    #5 0x55d4663a3388 in BamTools::ConvertTool::Run(int, char**) /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:1050:17
    #6 0x55d46638b9f6 in main /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools.cpp:207:34
    #7 0x7f2c4eaf2d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #8 0x7f2c4eaf2e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #9 0x55d4662c9434 in _start (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0xdf434) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396)

0x55d46664a18b is located 21 bytes to the left of global variable '<string literal>' defined in '/data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:523:49' (0x55d46664a1a0) of size 27
  '<string literal>' is ascii string 'could not locate index: 
        '
0x55d46664a18b is located 1 bytes to the right of global variable '<string literal>' defined in '/data/openeuler/bamtools/bamtools-2.5.2/src/api/BamConstants.h:49:38' (0x55d46664a180) of size 10
  '<string literal>' is ascii string 'MIDNSHP=X'
SUMMARY: AddressSanitizer: global-buffer-overflow /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:462:23 in BamTools::Internal::BamReaderPrivate::LoadNextAlignment(BamTools::BamAlignment&)
Shadow bytes around the buggy address:
  0x0abb0ccc13e0: 00 00 01 f9 f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9
  0x0abb0ccc13f0: 00 00 00 00 00 01 f9 f9 f9 f9 f9 f9 00 00 00 03
  0x0abb0ccc1400: f9 f9 f9 f9 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9
  0x0abb0ccc1410: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 04 f9 f9
  0x0abb0ccc1420: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 03 f9 f9 f9
=>0x0abb0ccc1430: 00[02]f9 f9 00 00 00 03 f9 f9 f9 f9 00 00 07 f9
  0x0abb0ccc1440: f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9 03 f9 f9 f9
  0x0abb0ccc1450: 00 00 f9 f9 00 00 00 01 f9 f9 f9 f9 00 00 05 f9
  0x0abb0ccc1460: f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9 00 00 02 f9
  0x0abb0ccc1470: f9 f9 f9 f9 00 00 f9 f9 00 00 00 00 01 f9 f9 f9
  0x0abb0ccc1480: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 03 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4107560==ABORTING
  2. GDB info: gdb bin/bamtools
 Reading symbols from bin/bamtools...
(gdb) run convert -format json -in out/default/crashes/id:000000,sig:06,src:000000,time:639,execs:197,op:havoc,rep:2 -out myData1.json
Starting program: /data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools convert -format json -in out/default/crashes/id:000000,sig:06,src:000000,time:639,execs:197,op:havoc,rep:2 -out myData1.json
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
=================================================================
==39361==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5555559b418b at pc 0x55555583d9e8 bp 0x7fffffffd130 sp 0x7fffffffd128
READ of size 1 at 0x5555559b418b thread T0
[Detaching after fork from child process 39370]
    #0 0x55555583d9e7 in BamTools::Internal::BamReaderPrivate::LoadNextAlignment(BamTools::BamAlignment&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:462:23
    #1 0x55555583bd2c in BamTools::Internal::BamReaderPrivate::GetNextAlignmentCore(BamTools::BamAlignment&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:171:14
    #2 0x555555824390 in BamTools::Internal::BamMultiReaderPrivate::SaveNextAlignment(BamTools::BamReader*, BamTools::BamAlignment*) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamMultiReader_p.cpp:745:17
    #3 0x555555824390 in BamTools::Internal::BamMultiReaderPrivate::PopNextCachedAlignment(BamTools::BamAlignment&, bool) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamMultiReader_p.cpp:682:5
    #4 0x5555556f885a in BamTools::ConvertTool::ConvertToolPrivate::Run() /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:305:31
    #5 0x55555570d388 in BamTools::ConvertTool::Run(int, char**) /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:1050:17
    #6 0x5555556f59f6 in main /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools.cpp:207:34
    #7 0x7ffff7a67d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #8 0x7ffff7a67e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #9 0x555555633434 in _start (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0xdf434) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396)

0x5555559b418b is located 21 bytes to the left of global variable '<string literal>' defined in '/data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:523:49' (0x5555559b41a0) of size 27
  '<string literal>' is ascii string 'could not locate index: 
        '
0x5555559b418b is located 1 bytes to the right of global variable '<string literal>' defined in '/data/openeuler/bamtools/bamtools-2.5.2/src/api/BamConstants.h:49:38' (0x5555559b4180) of size 10
  '<string literal>' is ascii string 'MIDNSHP=X'
SUMMARY: AddressSanitizer: global-buffer-overflow /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:462:23 in BamTools::Internal::BamReaderPrivate::LoadNextAlignment(BamTools::BamAlignment&)
Shadow bytes around the buggy address:
  0x0aab2ab2e7e0: 00 00 01 f9 f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9
  0x0aab2ab2e7f0: 00 00 00 00 00 01 f9 f9 f9 f9 f9 f9 00 00 00 03
  0x0aab2ab2e800: f9 f9 f9 f9 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9
  0x0aab2ab2e810: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 04 f9 f9
  0x0aab2ab2e820: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 03 f9 f9 f9
=>0x0aab2ab2e830: 00[02]f9 f9 00 00 00 03 f9 f9 f9 f9 00 00 07 f9
  0x0aab2ab2e840: f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9 03 f9 f9 f9
  0x0aab2ab2e850: 00 00 f9 f9 00 00 00 01 f9 f9 f9 f9 00 00 05 f9
  0x0aab2ab2e860: f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9 00 00 02 f9
  0x0aab2ab2e870: f9 f9 f9 f9 00 00 f9 f9 00 00 00 00 01 f9 f9 f9
  0x0aab2ab2e880: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 03 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==39361==ABORTING
[Inferior 1 (process 39361) exited with code 01]
(gdb) bt
No stack.

Operating system

[AFL++ 4547ba12d0d6] /data/openeuler/bamtools/bamtools-2.5.2/build/obj # uname -a
Linux 4547ba12d0d6 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
[AFL++ 4547ba12d0d6] /data/openeuler/bamtools/bamtools-2.5.2/build/obj # 

version

bamtools-2.5.2

From: [email protected]

schsiung, Jan 04 '24 06:01
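Reading the sanitizer output above: the one-byte READ lands exactly one byte past the 10-byte literal 'MIDNSHP=X' (BamConstants.h:49, nine CIGAR operation characters plus the terminating NUL), and the faulting frame is the CIGAR decode in LoadNextAlignment (BamReader_p.cpp:462). In the BAM encoding each CIGAR element is a uint32 whose low 4 bits hold the operation code, so a value taken straight from the file can be 0..15 while the table only has valid entries 0..8; index 9 hits the NUL and index 10 is the byte ASan flags. The block below is an added illustration of that decode pattern with its bounds-checked counterpart; it is not bamtools code, and the names Constants::BAM_CIGAR_LOOKUP, BAM_CIGAR_MASK, decodeOpUnchecked, decodeOpChecked, decodeCigar and packCigar are assumptions made for this example.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Constructed example, not the bamtools implementation. In BAM, one CIGAR
// element is a uint32: operation length in the upper 28 bits, operation
// code in the low 4 bits.
namespace Constants {
constexpr int BAM_CIGAR_SHIFT = 4;
constexpr uint32_t BAM_CIGAR_MASK = (1u << BAM_CIGAR_SHIFT) - 1;  // 0xF: codes 0..15
// Nine valid operation characters plus the NUL terminator: 10 bytes, the
// same literal named in the ASan report.
constexpr char BAM_CIGAR_LOOKUP[] = "MIDNSHP=X";
constexpr uint32_t BAM_CIGAR_OPS = sizeof(BAM_CIGAR_LOOKUP) - 1;  // 9 valid codes
}  // namespace Constants

struct CigarOp {
    char Type;
    uint32_t Length;
};

// Unchecked decode (the pattern the report implies): the masked code can be
// 0..15, but the table has 9 characters, so codes 10..15 read past the
// literal (code 9 returns the NUL). Only safe on input already validated.
char decodeOpUnchecked(uint32_t cigarData) {
    return Constants::BAM_CIGAR_LOOKUP[cigarData & Constants::BAM_CIGAR_MASK];
}

// Checked decode: any code outside the table is reported as a parse error
// instead of being used as an index.
bool decodeOpChecked(uint32_t cigarData, CigarOp& out) {
    const uint32_t code = cigarData & Constants::BAM_CIGAR_MASK;
    if (code >= Constants::BAM_CIGAR_OPS) return false;
    out.Type = Constants::BAM_CIGAR_LOOKUP[code];
    out.Length = cigarData >> Constants::BAM_CIGAR_SHIFT;
    return true;
}

// Decode a whole CIGAR array. On the first invalid code the record is
// rejected outright (ops left empty) rather than partially parsed.
bool decodeCigar(const std::vector<uint32_t>& raw, std::vector<CigarOp>& ops) {
    ops.clear();
    for (uint32_t cigarData : raw) {
        CigarOp op;
        if (!decodeOpChecked(cigarData, op)) {
            ops.clear();
            return false;
        }
        ops.push_back(op);
    }
    return true;
}

// Render decoded operations in SAM text form, e.g. "10M2I5M".
std::string cigarToString(const std::vector<CigarOp>& ops) {
    std::string s;
    for (const CigarOp& op : ops) s += std::to_string(op.Length) + op.Type;
    return s;
}

// Pack one element the way a BAM writer would; used to build test input.
uint32_t packCigar(uint32_t length, uint32_t code) {
    return (length << Constants::BAM_CIGAR_SHIFT) | (code & Constants::BAM_CIGAR_MASK);
}
```

Rejecting the record (rather than clamping or substituting a placeholder character) keeps a malformed file from being silently converted, and makes the failure visible to callers such as the convert tool; under a fuzzer this turns the ASan abort into an ordinary error path.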