
ASAN: global buffer-overflow #278

Closed
p1ngfl0yd opened this issue Jan 30, 2019 · 2 comments

Comments

@p1ngfl0yd

Hi Team,

Summary

I have built the master branch using clang 6.0 with ASAN, and a global-buffer-overflow was observed in encodingstest.c

Vulnerable code from encodingstest.c

#ifndef VERY_VERBOSE

	static const char* progress="|/-\\";
	static int counter=0;

	if(++counter>sizeof(progress)) counter=0;
	fprintf(stderr,"%c\r",progress[counter]);
#else
	clientData* cd=(clientData*)client->clientData;
	rfbClientLog("Got update (encoding=%s): (%d,%d)-(%d,%d)\n",
			testEncodings[cd->encodingIndex].str,
			x,y,x+w,y+h);
#endif
}

ASAN

==19953==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000005260e5 at pc 0x00000050d80e bp 0x7ff96f7f8ea0 sp 0x7ff96f7f8e98
READ of size 1 at 0x0000005260e5 thread T3
31/01/2019 01:23:23 rfbProcessClientSecurityType: executing handler for type 1
31/01/2019 01:23:23 rfbProcessClientSecurityType: returning securityResult for client rfb version >= 3.8
31/01/2019 01:23:23 (client) VNC authentication succeeded
31/01/2019 01:23:23 Pixel format for client 127.0.0.1:
31/01/2019 01:23:23   32 bpp, depth 24, little endian
31/01/2019 01:23:23   true colour: max r 255 g 255 b 255, shift r 0 g 8 b 16
31/01/2019 01:23:23 (client) Desktop name "LibVNCServer"
31/01/2019 01:23:23 (client) Connected to VNC server, using protocol version 3.8
==19953==AddressSanitizer: while reporting a bug found another one. Ignoring.
31/01/2019 01:23:23 (client) VNC server default format:
31/01/2019 01:23:23 (client)   32 bits per pixel.
31/01/2019 01:23:23 Enabling KeyboardLedState protocol extension for client 127.0.0.1
31/01/2019 01:23:23 (client) 31/01/2019 01:23:23   Least significant byte first in each pixel.
Enabling SupportedMessages protocol extension for client 127.0.0.1
31/01/2019 01:23:23 (client) 31/01/2019 01:23:23   TRUE colour: max red 255 green 255 blue 255, shift red 0 green 8 blue 16
Enabling SupportedEncodings protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling ServerIdentity protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Using CoRRE encoding for client 127.0.0.1
31/01/2019 01:23:23 Using compression level 3 for client 127.0.0.1
31/01/2019 01:23:23 Using image quality level 7 for client 127.0.0.1
31/01/2019 01:23:23 Using JPEG subsampling 0, Q86 for client 127.0.0.1
31/01/2019 01:23:23 Enabling KeyboardLedState protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling LastRect protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling SupportedMessages protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling SupportedEncodings protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling ServerIdentity protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Using tight encoding for client 127.0.0.1
==19953==AddressSanitizer: while reporting a bug found another one. Ignoring.
31/01/2019 01:23:23 (client) 31/01/2019 01:23:23 Desktop name "LibVNCServer"
Pixel format for client 127.0.0.1:
31/01/2019 01:23:23 (client) Connected to VNC server, using protocol version 3.8
31/01/2019 01:23:23   32 bpp, depth 24, little endian
31/01/2019 01:23:23 (client) VNC server default format:
31/01/2019 01:23:23 (client)   32 bits per pixel.
31/01/2019 01:23:23   true colour: max r 255 g 255 b 255, shift r 0 g 8 b 16
31/01/2019 01:23:23 (client)   Least significant byte first in each pixel.
31/01/2019 01:23:23 Using compression level 3 for client 127.0.0.1
31/01/2019 01:23:23 (client)   TRUE colour: max red 255 green 255 blue 255, shift red 0 green 8 blue 16
31/01/2019 01:23:23 Enabling KeyboardLedState protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling SupportedMessages protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling SupportedEncodings protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling ServerIdentity protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Using zlib encoding for client 127.0.0.1
31/01/2019 01:23:23 Pixel format for client 127.0.0.1:
31/01/2019 01:23:23   32 bpp, depth 24, little endian
31/01/2019 01:23:23   true colour: max r 255 g 255 b 255, shift r 0 g 8 b 16
31/01/2019 01:23:23 Enabling KeyboardLedState protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling SupportedMessages protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling SupportedEncodings protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling ServerIdentity protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Using ZRLE encoding for client 127.0.0.1
31/01/2019 01:23:23 Pixel format for client 127.0.0.1:
31/01/2019 01:23:23   32 bpp, depth 24, little endian
31/01/2019 01:23:23   true colour: max r 255 g 255 b 255, shift r 0 g 8 b 16
31/01/2019 01:23:23 Enabling KeyboardLedState protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling SupportedMessages protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling SupportedEncodings protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling ServerIdentity protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Using hextile encoding for client 127.0.0.1
31/01/2019 01:23:23 rfbProcessClientNormalMessage: ignoring unsupported encoding type ultraZip
31/01/2019 01:23:23 Enabling KeyboardLedState protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling SupportedMessages protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling SupportedEncodings protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Enabling ServerIdentity protocol extension for client 127.0.0.1
31/01/2019 01:23:23 Using ultra encoding for client 127.0.0.1
31/01/2019 01:23:23 (client) client2server supported messages (bit flags)
31/01/2019 01:23:23 (client) 00: 00ff 0081 0000 0000 - 0000 0000 0000 0000
31/01/2019 01:23:23 (client) 08: 0000 0000 0000 0000 - 0000 0000 0000 0000
31/01/2019 01:23:23 (client) 10: 0000 0000 0000 0000 - 0000 0000 0000 0000
31/01/2019 01:23:23 (client) 18: 0000 0000 0000 0000 - 0000 0000 0000 0000
31/01/2019 01:23:23 (client) server2client supported messages (bit flags)
31/01/2019 01:23:23 (client) 00: 001f 0080 0000 0000 - 0000 0000 0000 0000
31/01/2019 01:23:23 (client) 08: 0000 0000 0000 0000 - 0000 0000 0000 0000
31/01/2019 01:23:23 (client) 10: 0000 0000 0000 0000 - 0000 0000 0000 0000
31/01/2019 01:23:23 (client) 18: 0000 0000 0000 0000 - 0000 0000 0000 0000
31/01/2019 01:23:23 (client) Connected to Server "unknown (LibVNCServer 0.9.12)"
    #0 0x50d80d in update /home/input0/Desktop/libvncserver/test/encodingstest.c:125:24
    #1 0x7ff977589e62 in HandleRFBServerMessage /home/input0/Desktop/libvncserver/libvncclient/rfbproto.c:2196:7
    #2 0x50e649 in clientLoop /home/input0/Desktop/libvncserver/test/encodingstest.c:170:8
    #3 0x4dfc82 in __asan::AsanThread::ThreadStart(unsigned long, __sanitizer::atomic_uintptr_t*) (/home/input0/Desktop/libvncserver/test/encodingstest+0x4dfc82)
    #4 0x7ff9756c76da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #5 0x7ff974dcc88e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x0000005260e5 is located 59 bytes to the left of global variable '<string literal>' defined in '/home/input0/Desktop/libvncserver/test/encodingstest.c:125:17' (0x526120) of size 4
' '<string literal>' is ascii string '%c
0x0000005260e5 is located 0 bytes to the right of global variable '<string literal>' defined in '/home/input0/Desktop/libvncserver/test/encodingstest.c:121:30' (0x5260e0) of size 5
  '<string literal>' is ascii string '|/-\'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/input0/Desktop/libvncserver/test/encodingstest.c:125:24 in update
Shadow bytes around the buggy address:
  0x00008009cbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008009cbd0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9
  0x00008009cbe0: f9 f9 f9 f9 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9
  0x00008009cbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008009cc00: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 06 f9
=>0x00008009cc10: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9[05]f9 f9 f9
  0x00008009cc20: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x00008009cc30: 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 00 04 f9 f9
  0x00008009cc40: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x00008009cc50: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x00008009cc60: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T3 created by T0 here:
    #0 0x4356c0 in pthread_create (/home/input0/Desktop/libvncserver/test/encodingstest+0x4356c0)
    #1 0x50c611 in startClient /home/input0/Desktop/libvncserver/test/encodingstest.c:200:2
    #2 0x50c611 in main /home/input0/Desktop/libvncserver/test/encodingstest.c:299
    #3 0x7ff974cccb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

==19953==ABORTING

Request team to kindly validate.

Thanks.
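The report above points at `sizeof(progress)` on a `const char*`: that expression yields the size of the pointer, not the length of the four-character string, so the spinner index is allowed to run past the 5-byte literal and ASAN flags the read at index 5 (0 bytes to the right of the `'|/-\'` literal). The following added example is not code from the LibVNCServer repository or from the reporter; it reproduces the index arithmetic of the reported pattern beside a hardened form so the difference can be checked without dereferencing anything out of bounds. The function names and the constructed step count are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example (not LibVNCServer code): the spinner string used in
 * encodingstest.c. sizeof(progress) is sizeof(const char *), i.e. 8 on
 * x86_64, whereas the string holds 4 characters plus a NUL terminator. */
static const char *progress = "|/-\\";

/* Mirrors the reported logic. counter may reach sizeof(pointer), so indices
 * 4..8 fall outside the 5-byte literal. The index is returned, never used
 * to read memory, so this stays safe to run. */
size_t reported_next_index(int *counter) {
    if (++*counter > (int)sizeof(progress)) *counter = 0;
    return (size_t)*counter;
}

/* Hardened form: derive the bound from the string length (or sizeof on a
 * char array minus the terminator) and wrap with modulo so the index is
 * always in 0..len-1. */
size_t safe_next_index(int *counter) {
    size_t len = strlen(progress);            /* 4 */
    *counter = (*counter + 1) % (int)len;
    return (size_t)*counter;
}

/* 1 if idx addresses a visible spinner character, 0 otherwise. */
int index_in_bounds(size_t idx) {
    return idx < strlen(progress);
}

/* Step a variant `steps` times from counter = 0 and count how many produced
 * indices lie outside the string. */
int count_out_of_bounds(size_t (*next)(int *), int steps) {
    int counter = 0, bad = 0;
    for (int i = 0; i < steps; i++) {
        if (!index_in_bounds(next(&counter))) bad++;
    }
    return bad;
}

int main(void) {
    printf("reported variant: %d out-of-bounds indices in 20 steps\n",
           count_out_of_bounds(reported_next_index, 20));
    printf("safe variant:     %d out-of-bounds indices in 20 steps\n",
           count_out_of_bounds(safe_next_index, 20));
    return 0;
}
```

Two things are worth noting in the reported pattern: `sizeof` only measures a string when applied to a `char[]` array rather than a pointer, and even with the correct length the `>` comparison lets `counter` equal the length, which indexes the NUL terminator. Computing the bound with `strlen` (or `sizeof(arr) - 1` on an array) and wrapping with modulo removes both problems, and building the test binary with `-fsanitize=address` as the reporter did is the quickest way to confirm the read stays in bounds.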

@bk138
Member

bk138 commented Feb 1, 2019

Thanks for reporting! Can you please provide exact build instructions?

@bk138
Member

bk138 commented Aug 1, 2019

Tentatively closing, please re-open if issue persists.

@bk138 bk138 closed this as completed Aug 1, 2019