A stack buffer overflow has been found. #24

Closed
fCorleone opened this issue Jul 12, 2018 · 2 comments

Comments

@fCorleone

A stack buffer overflow has been found in genann.c:299:

=================================================================
==12375==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd0e981ce0 at pc 0x0000004081b4 bp 0x7ffd0e981b50 sp 0x7ffd0e981b40
READ of size 8 at 0x7ffd0e981ce0 thread T0
    #0 0x4081b3 in genann_train /home/mfc_fuzz/genann/genann.c:299
    #1 0x40147c in main /home/mfc_fuzz/genann/example1.c:36
    #2 0x7f823226182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #3 0x4018a8 in _start (/home/mfc_fuzz/genann/example1+0x4018a8)

Address 0x7ffd0e981ce0 is located in stack of thread T0 at offset 160 in frame
    #0 0x40110f in main /home/mfc_fuzz/genann/example1.c:5

  This frame has 3 object(s):
    [64, 80) 'a'
    [128, 160) 'output' <== Memory access at offset 160 overflows this variable
    [192, 256) 'input'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/mfc_fuzz/genann/genann.c:299 genann_train
Shadow bytes around the buggy address:
  0x100021d28340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100021d28350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100021d28360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100021d28370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100021d28380: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 f1 f1
=>0x100021d28390: 00 00 f4 f4 f2 f2 f2 f2 00 00 00 00[f2]f2 f2 f2
  0x100021d283a0: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3
  0x100021d283b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100021d283c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100021d283d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100021d283e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==12375==ABORTING

The program I ran was example1, but I have made some changes in that file.
The example1 I wrote has been placed at: https://github.com/fCorleone/fuzz_programs/blob/master/genann/example1.c
The input file has been put here:
https://github.com/fCorleone/fuzz_programs/blob/master/genann/testcase

@fCorleone
Author

A SIGSEGV issue has been found too. The program is the same as the one above.
The test case has been put here: https://github.com/fCorleone/fuzz_programs/blob/master/genann/testcase2
Detailed information:

ASAN:SIGSEGV
=================================================================
==12505==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x000000404345 bp 0x7ffded8a22b0 sp 0x7ffded8a1ff0 T0)
    #0 0x404344 in genann_run /home/mfc_fuzz/genann/genann.c:213
    #1 0x40641a in genann_train /home/mfc_fuzz/genann/genann.c:280
    #2 0x40145e in main /home/mfc_fuzz/genann/example1.c:35
    #3 0x7fde1d4fd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #4 0x4018a8 in _start (/home/mfc_fuzz/genann/example1+0x4018a8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/mfc_fuzz/genann/genann.c:213 genann_run
==12505==ABORTING

@codeplea
Owner

You're giving it bad data. Of course it will crash.

For example, you're telling it to expect an array of four outputs, then you're giving it the last item in the array. So of course it's going to read past the end. What did you expect? Essentially any C function you give a bad pointer to will crash.
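The mismatch described in this thread (a network configured for four outputs, fed a pointer to the last element of a four-element `output` array, so the trainer reads three doubles past the end) is something the library cannot detect from a bare pointer; the caller has to know its own buffer extents. The following is an added example, not genann's code or the reporter's harness: `toy_train` is a hypothetical stand-in for a trainer that trusts the caller the way `genann_train` does, `struct dbuf` and `checked_train` are assumed caller-side helpers that carry the buffer length and refuse the call when the requested window would run off the end, and the sample array is constructed to mirror the 32-byte `output` frame object in the ASan report.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdbool.h>

/* Hypothetical stand-in for a genann-style trainer (NOT the library's code):
 * it trusts the caller and reads exactly n_outputs doubles from `desired`,
 * just as a real trainer reads ann->outputs values from desired_outputs. */
static double toy_train(const double *desired, int n_outputs) {
    double sum = 0.0;
    for (int i = 0; i < n_outputs; i++)
        sum += desired[i];   /* reads past the end if the caller lied about the size */
    return sum;
}

/* Caller-side view of a buffer that carries its own length, so the
 * mismatch can be rejected before any pointer reaches the library. */
struct dbuf {
    const double *data;
    size_t len;   /* number of doubles actually backing `data` */
};

/* Runs the trainer only when `desired` really holds n_outputs doubles
 * starting at `offset`. Returns false (and does not call) otherwise. */
static bool checked_train(struct dbuf desired, size_t offset, int n_outputs, double *result) {
    if (n_outputs < 0 || offset > desired.len ||
        (size_t)n_outputs > desired.len - offset) {
        return false;   /* window [offset, offset + n_outputs) is out of bounds */
    }
    *result = toy_train(desired.data + offset, n_outputs);
    return true;
}

/* Constructed sample: a 4-element array (32 bytes, like `output` in the
 * report) and a trainer that expects 4 outputs. offset 0 is the correct
 * call; offset 3 is the &output[3] mistake the maintainer describes. */
static bool accepts(size_t offset, int n_outputs) {
    double output[4] = {1.0, 2.0, 3.0, 4.0};
    struct dbuf buf = { output, 4 };
    double r;
    return checked_train(buf, offset, n_outputs, &r);
}

/* Sum over the whole constructed array via the checked path (1+2+3+4). */
static double full_sum(void) {
    double output[4] = {1.0, 2.0, 3.0, 4.0};
    struct dbuf buf = { output, 4 };
    double r = 0.0;
    checked_train(buf, 0, 4, &r);
    return r;
}

/* Counts how many of the two calls from the report's scenario get through. */
static int demo(void) {
    int accepted = 0;
    if (accepts(0, 4)) accepted++;   /* whole array: fine */
    if (accepts(3, 4)) accepted++;   /* last element as a 4-wide array: refused */
    return accepted;
}

int main(void) {
    printf("accepted calls: %d, checked sum: %.1f\n", demo(), full_sum());
    return 0;
}
```

Build the harness with `-fsanitize=address -g` while fuzzing or testing: with the unchecked call in place ASan reports exactly the stack-buffer-overflow shown above, and with the length check in place the bad call never reaches the trainer, so the report disappears for the right reason rather than by luck of stack layout.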
