negative-size-param in server_example_ca.c #127

Closed
HopefulWei opened this issue Feb 25, 2019 · 9 comments

Comments

@HopefulWei

Hi team,

There are negative-size-param errors in server_example_ca.c.
libIEC61850 versions 1.3.0, 1.3.1 and 1.3.2 have this problem.
Snip server_example_ca.c

==2158==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x45825b  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x45825b)
    #1 0x52cc98  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x52cc98)
    #2 0x52cdcc  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x52cdcc)
    #3 0x52ce1a  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x52ce1a)
    #4 0x5130d8  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x5130d8)
    #5 0x5139d4  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x5139d4)
    #6 0x4f2adc  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4f2adc)
    #7 0x7f97959016b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #8 0x7f9794d0c41c  (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x625000007907 is located 7 bytes inside of 8196-byte region [0x625000007900,0x625000009904)
allocated by thread T1 here:
    #0 0x4b9088  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4b9088)
    #1 0x4f2c9d  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4f2c9d)
    #2 0x513ad8  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x513ad8)
    #3 0x512722  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x512722)
    #4 0x51287d  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x51287d)
    #5 0x7f97959016b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T4 created by T1 here:
    #0 0x42b499  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x42b499)
    #1 0x4f2b28  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4f2b28)
    #2 0x513c7e  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x513c7e)
    #3 0x512722  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x512722)
    #4 0x51287d  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x51287d)
    #5 0x7f97959016b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T1 created by T0 here:
    #0 0x42b499  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x42b499)
    #1 0x4f2b61  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4f2b61)
    #2 0x512a7e  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x512a7e)
    #3 0x4f619d  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4f619d)
    #4 0x4f1470  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4f1470)
    #5 0x4ea90b  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4ea90b)
    #6 0x7f9794c2582f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
@mzillgith
Contributor

Hi,
Not sure what that means.
How can I reproduce this?

@HopefulWei
Author

Hi,
Not sure what that means.
How can I reproduce this?

You can reproduce it by continuously sending MMS packets to the server. In fact, it is fuzzing.

@mzillgith
Contributor

Can you create more expressive stack traces (with source line information)?

@HopefulWei
Author

OK, I will.
The problematic code is on lines 100 and 101.

while (running) {
    Thread_sleep(1000);

ASAN’s error is

root@90900a8541e8:/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array# ./server_example_ca
=================================================================
==2503==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x45825b  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x45825b)
    #1 0x52d064  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x52d064)
    #2 0x52d198  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x52d198)
    #3 0x52d1e6  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x52d1e6)
    #4 0x513441  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x513441)
    #5 0x513d3d  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x513d3d)
    #6 0x4f2b3a  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4f2b3a)
    #7 0x7ff39d3b16b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #8 0x7ff39c7bc41c  (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x625000007907 is located 7 bytes inside of 8196-byte region [0x625000007900,0x625000009904)
allocated by thread T1 here:
    #0 0x4b9088  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4b9088)
    #1 0x4f2cfb  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4f2cfb)
    #2 0x513e41  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x513e41)
    #3 0x512a8b  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x512a8b)
    #4 0x512be6  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x512be6)
    #5 0x7ff39d3b16b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T4 created by T1 here:
    #0 0x42b499  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x42b499)
    #1 0x4f2b86  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4f2b86)
    #2 0x513fe7  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x513fe7)
    #3 0x512a8b  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x512a8b)
    #4 0x512be6  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x512be6)
    #5 0x7ff39d3b16b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T1 created by T0 here:
    #0 0x42b499  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x42b499)
    #1 0x4f2bbf  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4f2bbf)
    #2 0x512de7  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x512de7)
    #3 0x4f61fb  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4f61fb)
    #4 0x4f14ce  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4f14ce)
    #5 0x4ea90b  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4ea90b)
    #6 0x7ff39c6d582f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: negative-size-param (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x45825b) 
==2503==ABORTING
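ASAN raises negative-size-param when a memory routine such as memcpy receives a length whose signed value is negative: the `-1` is converted to `size_t` at the call, which is what the `(size=-1)` in the report above means. The following is an added, constructed example (not libIEC61850 code, and not a claim about the root cause of this report) showing the typical shape of that bug in a length-prefixed message decoder and the check that prevents it; `decode_length`, `handle_tlv_unchecked` and `handle_tlv_checked` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not libIEC61850 code. Many TLV/BER decoders return a
 * signed length and use -1 for a malformed length field; a caller that passes
 * that -1 to memcpy converts it to size_t, which is what ASAN reports as
 * "negative-size-param: (size=-1)". */
/* Minimal short-form TLV [tag][len][value...]: returns the value length, or
 * -1 if the declared length does not fit in the remaining buffer. */
static int decode_length(const uint8_t *buf, size_t bufLen)
{
    if (bufLen < 2)
        return -1;
    int len = buf[1];
    return ((size_t) len > bufLen - 2) ? -1 : len;   /* truncated message */
}

/* Unchecked caller: the failure class the sanitizer flags. */
static int handle_tlv_unchecked(const uint8_t *buf, size_t bufLen, uint8_t *out)
{
    int len = decode_length(buf, bufLen);
    memcpy(out, buf + 2, (size_t) len);   /* len == -1 becomes SIZE_MAX */
    return len;
}

/* Hardened caller: reject the error code and enforce the output capacity
 * before copying. Returns bytes copied, or -1 on any invalid input. */
static int handle_tlv_checked(const uint8_t *buf, size_t bufLen,
                              uint8_t *out, size_t outCap)
{
    int len = decode_length(buf, bufLen);
    if (len < 0 || (size_t) len > outCap)
        return -1;
    memcpy(out, buf + 2, (size_t) len);
    return len;
}

int main(void)
{
    /* Constructed inputs: well-formed, and a length that exceeds the data. */
    const uint8_t good[] = {0x04, 0x03, 'a', 'b', 'c'};
    const uint8_t bad[]  = {0x04, 0x7f, 'a', 'b', 'c'};
    uint8_t out[16];
    printf("good: %d  bad: %d  good unchecked: %d\n",
           handle_tlv_checked(good, sizeof good, out, sizeof out),
           handle_tlv_checked(bad, sizeof bad, out, sizeof out),
           handle_tlv_unchecked(good, sizeof good, out));
    return 0;
}
```

Feeding `bad` to `handle_tlv_unchecked` under `-fsanitize=address` reproduces the same negative-size-param report; building with `-g` as well is what gives the maintainer the source line information requested above.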

@HopefulWei
Author

CVE-2016-4073 has the same problem.

@mzillgith
Contributor

while (running) { Thread_sleep(1000);

That does not make much sense. The problem has to be in another thread where the MMS messages are processed.

@HopefulWei
Author

The problem code I am targeting is indeed

while (running) { Thread_sleep(1000);

I don't know if you have any good code debugging methods.

@mzillgith
Contributor

I don't understand why you think there is a problem when calling
Thread_sleep(1000);
That would mean there is a problem in glibc.

@mzillgith
Contributor

duplicate (see #128)
