Heap Buffer Overflow at printf_common
I triggered a heap-buffer-overflow bug reported by AddressSanitizer at printf_common. The issue occurs because the program attempts to read 2 bytes at address 0x602000000031, which is immediately beyond the allocated 1-byte heap memory region ([0x602000000030, 0x602000000031)). This memory was allocated in the dns_request_parse function at line 49 of dns_protocol.c. The error propagates from the printf call in the dns_loop function at line 91 of server.c, eventually leading to program termination. The root cause is likely improper handling of a string or buffer, where the program reads beyond the allocated memory boundary. To resolve this, ensure all memory accesses and string operations are properly validated against the allocated size, especially in dns_request_parse and dns_loop.
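The fix the paragraph recommends, shown as an added example rather than the simple-dns project's own code: a hypothetical hardened label parser (parse_dns_name, not the project's dns_request_parse) that checks every length byte against the remaining packet, allocates one byte more than the name needs, and always writes the terminator, so a later printf("%s") stops inside the allocation. The packets are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical hardened name parser (added example, not simple-dns code).
 * The report's pattern: a name copied into a heap buffer sized exactly to
 * its bytes, then passed to printf("%s"), which reads past the end looking
 * for a '\0' that was never written. Here every label length is checked
 * against the remaining packet and the buffer always gets its terminator.
 * Returns packet bytes consumed, or -1 on a malformed name. */
long parse_dns_name(const uint8_t *pkt, size_t pkt_len, char **out)
{
    size_t pos = 0, out_len = 0, p = 0, o = 0;
    char *name;
    *out = NULL;
    for (;;) {                               /* pass 1: validate and size */
        if (pos >= pkt_len) return -1;       /* length byte missing */
        uint8_t lab = pkt[pos++];
        if (lab == 0) break;                 /* root label ends the name */
        if (lab > 63 || lab > pkt_len - pos) return -1; /* label overruns */
        out_len += lab + 1;                  /* label plus '.' or '\0' */
        pos += lab;
    }
    if (!(name = malloc(out_len ? out_len : 1))) return -1;
    while (pkt[p] != 0) {                    /* pass 2: copy (validated) */
        uint8_t lab = pkt[p++];
        if (o) name[o++] = '.';
        memcpy(name + o, pkt + p, lab);
        o += lab; p += lab;
    }
    name[o] = '\0';                          /* the byte the bug left out */
    *out = name;
    return (long)pos;
}

/* Constructed packets: "example.com", and one cut off inside a label. */
static const uint8_t PKT_OK[] = {7,'e','x','a','m','p','l','e',3,'c','o','m',0};
static const uint8_t PKT_CUT[] = {7,'e','x','a','m'};

/* Parses pkt and checks the name and consumed count; frees the buffer. */
int check_name(const uint8_t *pkt, size_t len, const char *exp, long want)
{
    char *name = NULL;
    long got = parse_dns_name(pkt, len, &name);
    int ok = got == want && (got < 0 || strcmp(name, exp) == 0);
    free(name);
    return ok;
}
```

Where a buffer is intentionally left unterminated, the other fix is to hand printf the length with "%.*s" instead of "%s", so it never has to hunt for a '\0'.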
ASan report:
=================================================================
==3132806==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000031 at pc 0x000000439c7b bp 0x7ffc2c2020c0 sp 0x7ffc2c201848
READ of size 2 at 0x602000000031 thread T0
#0 0x439c7a in printf_common(void*, char const*, __va_list_tag*) (/root/protocolFuzz/dns/simple-dns/src/simple-dns+0x439c7a)
#1 0x43afbe in printf (/root/protocolFuzz/dns/simple-dns/src/simple-dns+0x43afbe)
#2 0x4c389c in dns_loop /root/protocolFuzz/dns/simple-dns/src/server.c:91:3
#3 0x4c3b5b in main /root/protocolFuzz/dns/simple-dns/src/simple-dns.c:43:2
#4 0x7f4cc607f082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x41b3dd in _start (/root/protocolFuzz/dns/simple-dns/src/simple-dns+0x41b3dd)
0x602000000031 is located 0 bytes to the right of 1-byte region [0x602000000030,0x602000000031)
allocated by thread T0 here:
#0 0x493b1d in malloc (/root/protocolFuzz/dns/simple-dns/src/simple-dns+0x493b1d)
#1 0x4c41a3 in dns_request_parse /root/protocolFuzz/dns/simple-dns/src/dns_protocol.c:49:14
SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/protocolFuzz/dns/simple-dns/src/simple-dns+0x439c7a) in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 07 fa fa[01]fa fa fa fa fa fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3132806==ABORTING