
heap-buffer-overflow in bam/BamReader_p.cpp:507:30, BamReaderPrivate::LoadReferenceData()

Open schsiung opened this issue 2 years ago • 0 comments

Expected behavior and actual behavior.

global-buffer-overflow_POC_bamtools-2.5.2.tar.gz

Expected: runs without a heap-buffer-overflow.

Steps to reproduce the problem.

  1. bin/bamtools convert -format json -in /data/openeuler/bamtools/bamtools-2.5.2/build/obj/out/default/crashes/id:000004,sig:06,src:000000+000010,time:6133,execs:603,op:splice,rep:7 -out myData1.json
 [AFL++ 4547ba12d0d6] /data/openeuler/bamtools # /data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools convert -format json -in /data/openeuler/bamtools/bamtools-2.5.2/build/obj/out/default/crashes/id:000004,sig:06,src:000000+000010,time:6133,execs:603,op:splice,rep:7 -out myData1.json
=================================================================
==1725245==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000034 at pc 0x5572ec655576 bp 0x7ffe0d913230 sp 0x7ffe0d9129f8
READ of size 5 at 0x602000000034 thread T0
    #0 0x5572ec655575 in __interceptor_strlen (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0xf5575) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396)
    #1 0x5572ec84bfaa in std::char_traits<char>::length(char const*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/char_traits.h:399:9
    #2 0x5572ec84bfaa in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/basic_string.h:536:36
    #3 0x5572ec84bfaa in BamTools::Internal::BamReaderPrivate::LoadReferenceData() /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:507:30
    #4 0x5572ec8444d4 in BamTools::Internal::BamReaderPrivate::Open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:543:9
    #5 0x5572ec829246 in BamTools::Internal::BamMultiReaderPrivate::Open(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamMultiReader_p.cpp:548:43
    #6 0x5572ec703587 in BamTools::ConvertTool::ConvertToolPrivate::Run() /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:197:17
    #7 0x5572ec719388 in BamTools::ConvertTool::Run(int, char**) /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:1050:17
    #8 0x5572ec7019f6 in main /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools.cpp:207:34
    #9 0x7f670a3bcd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #10 0x7f670a3bce3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #11 0x5572ec63f434 in _start (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0xdf434) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396)

0x602000000034 is located 0 bytes to the right of 4-byte region [0x602000000030,0x602000000034)
allocated by thread T0 here:
    #0 0x5572ec6fd15d in operator new[](unsigned long) (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0x19d15d) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396)
    #1 0x5572ec84bd81 in BamTools::RaiiBuffer::RaiiBuffer(unsigned long) /data/openeuler/bamtools/bamtools-2.5.2/src/api/BamAux.h:381:18
    #2 0x5572ec84bd81 in BamTools::Internal::BamReaderPrivate::LoadReferenceData() /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:495:20
    #3 0x5572ec8444d4 in BamTools::Internal::BamReaderPrivate::Open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:543:9
    #4 0x5572ec829246 in BamTools::Internal::BamMultiReaderPrivate::Open(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamMultiReader_p.cpp:548:43
    #5 0x5572ec703587 in BamTools::ConvertTool::ConvertToolPrivate::Run() /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:197:17
    #6 0x5572ec719388 in BamTools::ConvertTool::Run(int, char**) /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:1050:17
    #7 0x5572ec7019f6 in main /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools.cpp:207:34
    #8 0x7f670a3bcd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0xf5575) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396) in __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 fa fa fa[04]fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1725245==ABORTING
  2. GDB info
 gdb bin/bamtools
 Reading symbols from /data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools...
(gdb) Starting program: /data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools convert -format json -in /data/openeuler/bamtools/bamtools-2.5.2/build/obj/out/default/crashes/id:000004,sig:06,src:000000+000010,time:6133,execs:603,op:splice,rep:7 -out myData1.json
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
=================================================================
==1709286==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000034 at pc 0x555555649576 bp 0x7fffffffcb90 sp 0x7fffffffc358
READ of size 5 at 0x602000000034 thread T0
[Detaching after fork from child process 1709414]
    #0 0x555555649575 in __interceptor_strlen (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0xf5575) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396)
    #1 0x55555583ffaa in std::char_traits<char>::length(char const*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/char_traits.h:399:9
    #2 0x55555583ffaa in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/basic_string.h:536:36
    #3 0x55555583ffaa in BamTools::Internal::BamReaderPrivate::LoadReferenceData() /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:507:30
    #4 0x5555558384d4 in BamTools::Internal::BamReaderPrivate::Open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:543:9
    #5 0x55555581d246 in BamTools::Internal::BamMultiReaderPrivate::Open(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamMultiReader_p.cpp:548:43
    #6 0x5555556f7587 in BamTools::ConvertTool::ConvertToolPrivate::Run() /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:197:17
    #7 0x55555570d388 in BamTools::ConvertTool::Run(int, char**) /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:1050:17
    #8 0x5555556f59f6 in main /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools.cpp:207:34
    #9 0x7ffff7a67d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #10 0x7ffff7a67e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #11 0x555555633434 in _start (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0xdf434) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396)

0x602000000034 is located 0 bytes to the right of 4-byte region [0x602000000030,0x602000000034)
allocated by thread T0 here:
    #0 0x5555556f115d in operator new[](unsigned long) (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0x19d15d) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396)
    #1 0x55555583fd81 in BamTools::RaiiBuffer::RaiiBuffer(unsigned long) /data/openeuler/bamtools/bamtools-2.5.2/src/api/BamAux.h:381:18
    #2 0x55555583fd81 in BamTools::Internal::BamReaderPrivate::LoadReferenceData() /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:495:20
    #3 0x5555558384d4 in BamTools::Internal::BamReaderPrivate::Open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:543:9
    #4 0x55555581d246 in BamTools::Internal::BamMultiReaderPrivate::Open(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamMultiReader_p.cpp:548:43
    #5 0x5555556f7587 in BamTools::ConvertTool::ConvertToolPrivate::Run() /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:197:17
    #6 0x55555570d388 in BamTools::ConvertTool::Run(int, char**) /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:1050:17
    #7 0x5555556f59f6 in main /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools.cpp:207:34
    #8 0x7ffff7a67d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0xf5575) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396) in __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 fa fa fa[04]fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1709286==ABORTING
[Inferior 1 (process 1709286) exited with code 01]
(gdb) No stack.

Operating system

[AFL++ 4547ba12d0d6] /data/openeuler/bamtools/bamtools-2.5.2/build/obj # uname -a
Linux 4547ba12d0d6 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
[AFL++ 4547ba12d0d6] /data/openeuler/bamtools/bamtools-2.5.2/build/obj # 

version

bamtools-2.5.2

From: [email protected]

schsiung, Jan 04 '24 08:01
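Reading the two ASan reports above: the 4-byte region is allocated through RaiiBuffer(unsigned long) at BamReader_p.cpp:495, and the faulting frame is the std::string(const char*) constructor called from BamReader_p.cpp:507, which calls strlen() on that buffer and reads 5 bytes. That is consistent with a reference-dictionary entry whose l_name is 4 but whose name bytes contain no NUL terminator, so strlen() runs off the end of the allocation into the redzone. The BAM format defines l_name as the name length including its trailing NUL, and a reader that trusts that promise on attacker-supplied input is exactly what a fuzzer finds. The following is an added example, not bamtools code and not the fix the project applied: a bounds-checked parser for the reference-dictionary layout (int32 n_ref, then per entry int32 l_name, char name[l_name], int32 l_ref, all little-endian) that verifies the terminator is inside the l_name bytes before any byte is treated as a C string. The function and type names, and the sample byte buffers, are constructed for this example.

```cpp
// Added example, not bamtools code: bounds-checked parser for the BAM
// reference dictionary that follows the header text. Layout (little-endian):
//   int32 n_ref, then n_ref x { int32 l_name, char name[l_name], int32 l_ref }
// The SAM/BAM spec defines l_name as including the trailing NUL; this parser
// checks that the NUL is really there instead of trusting it.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

struct RefData {
    std::string name;
    int32_t     length;
};

// Read a little-endian int32 at `pos`; false if fewer than 4 bytes remain.
static bool readInt32(const std::vector<uint8_t>& buf, size_t pos, int32_t& out) {
    if (buf.size() < 4 || pos > buf.size() - 4) return false;
    uint32_t v = (uint32_t)buf[pos]
               | ((uint32_t)buf[pos + 1] << 8)
               | ((uint32_t)buf[pos + 2] << 16)
               | ((uint32_t)buf[pos + 3] << 24);
    std::memcpy(&out, &v, sizeof out);
    return true;
}

// Returns false and leaves `refs` empty on any malformed entry.
bool parseReferenceDictionary(const std::vector<uint8_t>& buf, std::vector<RefData>& refs) {
    refs.clear();
    size_t pos = 0;
    int32_t nRef = 0;
    if (!readInt32(buf, pos, nRef) || nRef < 0) return false;
    pos += 4;
    for (int32_t i = 0; i < nRef; ++i) {
        int32_t lName = 0;
        // l_name must leave room for at least the NUL terminator.
        if (!readInt32(buf, pos, lName) || lName < 1) { refs.clear(); return false; }
        pos += 4;
        // The name must fit in the bytes actually present.
        if ((size_t)lName > buf.size() - pos) { refs.clear(); return false; }
        const char* name = reinterpret_cast<const char*>(buf.data() + pos);
        // The check that prevents the crash class in the report above: never
        // hand `name` to std::string(const char*) until the terminator is known
        // to sit inside the l_name bytes. Without it strlen() scans past the
        // allocation when the file lies about termination.
        if (name[lName - 1] != '\0') { refs.clear(); return false; }
        std::string refName(name);   // safe: the NUL is within bounds
        pos += (size_t)lName;
        int32_t lRef = 0;
        if (!readInt32(buf, pos, lRef) || lRef < 0) { refs.clear(); return false; }
        pos += 4;
        refs.push_back(RefData{refName, lRef});
    }
    return true;
}

// ---- constructed sample inputs (not taken from any real BAM file) ----
static void putInt32(std::vector<uint8_t>& v, int32_t x) {
    uint32_t u = (uint32_t)x;
    for (int i = 0; i < 4; ++i) v.push_back((uint8_t)(u >> (8 * i)));
}

// `terminated == false` writes l_name = strlen(name) and omits the NUL,
// i.e. a file whose l_name lies about the terminator.
static void putEntry(std::vector<uint8_t>& v, const char* name, bool terminated, int32_t lRef) {
    size_t n = std::strlen(name);
    putInt32(v, (int32_t)(terminated ? n + 1 : n));
    v.insert(v.end(), name, name + n);
    if (terminated) v.push_back('\0');
    putInt32(v, lRef);
}

// Two well-formed entries.
std::vector<uint8_t> goodDictionary() {
    std::vector<uint8_t> v;
    putInt32(v, 2);
    putEntry(v, "chr1", true, 248956422);
    putEntry(v, "chrM", true, 16569);
    return v;
}

// l_name = 4 with no NUL among the four name bytes: the shape that matches
// the report (4-byte allocation, strlen read of size 5).
std::vector<uint8_t> unterminatedDictionary() {
    std::vector<uint8_t> v;
    putInt32(v, 1);
    putEntry(v, "chr1", false, 1000);
    return v;
}

// Second entry's l_name claims more bytes than the input holds.
std::vector<uint8_t> truncatedDictionary() {
    std::vector<uint8_t> v = goodDictionary();
    v.resize(v.size() - 6);
    return v;
}

int main() {
    std::vector<RefData> refs;
    bool ok = parseReferenceDictionary(goodDictionary(), refs) && refs.size() == 2
           && !parseReferenceDictionary(unterminatedDictionary(), refs)
           && !parseReferenceDictionary(truncatedDictionary(), refs);
    return ok ? 0 : 1;
}
```

The same rule applies to the other variable-length fields in a BAM header and in each alignment record (l_text, l_read_name, and the aux tags): a length prefix from the file is a claim to be checked against the bytes actually read, not a value to allocate and then scan with a C-string routine. Running the reader under AddressSanitizer with a small corpus of deliberately mis-terminated files, as the reporter did here with AFL++, is the cheapest way to find the places where that rule is not yet enforced.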