New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
stack-buffer-over in libRaw #400
Comments
|
Could not reproduce the problem. Also, please specify exact LibRaw version used (commit ID or so) |
|
Sorry. ==============This is stack trace: (gdb) r Thread 1 "libraw_fuzzer" hit Breakpoint 1, LibRaw::parse_tiff_ifd(int) () at src/metadata/tiff.cpp:758 =================This is GDB info: (gdb) r Thread 1 "libraw_fuzzer" hit Breakpoint 2, LibRaw::identify() () at src/metadata/identify.cpp:410 Thread 1 "libraw_fuzzer" hit Breakpoint 3, LibRaw::identify() () at src/metadata/identify.cpp:477 Thread 1 "libraw_fuzzer" hit Breakpoint 4, LibRaw::identify() () at src/metadata/identify.cpp:503 Thread 1 "libraw_fuzzer" hit Breakpoint 5, LibRaw::parse_tiff(int) () at src/metadata/tiff.cpp:1495 Thread 1 "libraw_fuzzer" hit Breakpoint 8, LibRaw::parse_tiff_ifd(int) () at src/metadata/tiff.cpp:757 Thread 1 "libraw_fuzzer" hit Breakpoint 9, LibRaw::parse_tiff_ifd(int) () at src/metadata/tiff.cpp:758 Thread 1 "libraw_fuzzer" hit Breakpoint 10, LibRaw::parse_exif(int) () at src/metadata/exif_gps.cpp:73 ================================================================= Address 0x7ffffff3d39f is located in stack of thread T0 at offset 95 in frame This frame has 7 object(s): |
|
Sorry, your reply/gdb backtracr does not make things clear Initial report refers to mn_text variable. I do not see any possibility to access mn_text with negative offsets. Things are still not clear. |
|
Sorry, |
|
Hello,Friend~ |
|
Is there any chance to see what exact line of code underflows mn_text variable? |
|
Sorry,I am not very good at gdb tools. Running: projects/libraw/poc==175051==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeb21459ff at pc 0x00000058a035 bp 0x7ffeb2145920 sp 0x7ffeb2145918 Address 0x7ffeb21459ff is located in stack of thread T0 at offset 95 in frame This frame has 7 object(s): |
|
Thanks. I'm still unable to understand how this may result into buffer underflow. Also: could you please specify EXACT LibRaw version you're testing (commit ID or something like that) |
|
OK. This is my Dockerfile: FROM gcr.io/oss-fuzz-base/base-builder |
|
No I do not. Please assign it yourself if you need it. |
|
I do not know, please deal with it yourself. I'm still unable to reproduce the problem using POC file you provided and LibRaw/latest-github with gcc11 -fsanitize=address. |
|
thanks. |
|
This circus is too complex for me. So, I put it on hold unless someone reproduces the problem and explain it to us. |
|
thanks, I will try it later. |
this is built with afl
|
|
Much much clearer now, thanks. This patch should fix it: bc3aaf4 |
|
yeah! |
|
closed |
poc-libRaw.zip
Reproduce step :
compile libraw with Address sanitizer
run cmd : ./libraw_cr2_fuzzer poc
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3355647081
INFO: Loaded 1 modules (18101 inline 8-bit counters): 18101 [0xb3b730, 0xb3fde5),
INFO: Loaded 1 PC tables (18101 PCs): 18101 [0x815158,0x85bca8),
./libraw_cr2_fuzzer: Running 1 inputs 1 time(s) each.
Running: crash-5f77e83098892cb416521525ef399068c83941fe
==173755==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc443b133f at pc 0x0000005b1375 bp 0x7ffc443b1260 sp 0x7ffc443b1258
WRITE of size 1 at 0x7ffc443b133f thread T0
#0 0x5b1374 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x5b1374)
#1 0x6e29f0 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x6e29f0)
#2 0x6b0d68 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x6b0d68)
#3 0x6bf88c (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x6bf88c)
#4 0x663f0e (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x663f0e)
#5 0x598252 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x598252)
#6 0x59735a (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x59735a)
#7 0x4c916a (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x4c916a)
#8 0x5179e6 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x5179e6)
#9 0x4c9d9f (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x4c9d9f)
#10 0x4d7e93 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x4d7e93)
#11 0x4c9417 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x4c9417)
#12 0x7fc5fb3df0b2 (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#13 0x41e908 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x41e908)
Address 0x7ffc443b133f is located in stack of thread T0 at offset 95 in frame
#0 0x6e080f (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x6e080f)
This frame has 7 object(s):
[32, 36) 'tag' (line 64)
[48, 52) 'type' (line 64)
[64, 68) 'len' (line 64)
[80, 84) 'save' (line 64)
[96, 608) 'mn_text' (line 219) <== Memory access at offset 95 underflows this variable
[672, 1184) 'ccms' (line 221)
[1248, 1256) 'last' (line 253)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x5b1374)
Shadow bytes around the buggy address:
0x10000886e210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000886e220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000886e230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000886e240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000886e250: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x10000886e260: 04 f2 04 f2 04 f2 04[f2]00 00 00 00 00 00 00 00
0x10000886e270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000886e280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000886e290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000886e2a0: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2
0x10000886e2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==173755==ABORTING
The text was updated successfully, but these errors were encountered: