
negative-size-param in server_example_ca.c #127

Closed
HopefulWei opened this issue Feb 25, 2019 · 9 comments

@HopefulWei commented Feb 25, 2019

Hi team,

There is a negative-size-param error in server_example_ca.c.
libIEC61850 versions 1.3.0, 1.3.1 and 1.3.2 have this problem.
Snippet from server_example_ca.c:

==2158==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x45825b  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x45825b)
    #1 0x52cc98  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x52cc98)
    #2 0x52cdcc  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x52cdcc)
    #3 0x52ce1a  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x52ce1a)
    #4 0x5130d8  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x5130d8)
    #5 0x5139d4  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x5139d4)
    #6 0x4f2adc  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4f2adc)
    #7 0x7f97959016b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #8 0x7f9794d0c41c  (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x625000007907 is located 7 bytes inside of 8196-byte region [0x625000007900,0x625000009904)
allocated by thread T1 here:
    #0 0x4b9088  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4b9088)
    #1 0x4f2c9d  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4f2c9d)
    #2 0x513ad8  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x513ad8)
    #3 0x512722  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x512722)
    #4 0x51287d  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x51287d)
    #5 0x7f97959016b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T4 created by T1 here:
    #0 0x42b499  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x42b499)
    #1 0x4f2b28  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4f2b28)
    #2 0x513c7e  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x513c7e)
    #3 0x512722  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x512722)
    #4 0x51287d  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x51287d)
    #5 0x7f97959016b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T1 created by T0 here:
    #0 0x42b499  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x42b499)
    #1 0x4f2b61  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4f2b61)
    #2 0x512a7e  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x512a7e)
    #3 0x4f619d  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4f619d)
    #4 0x4f1470  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4f1470)
    #5 0x4ea90b  (/home/gw/share/libiec61850-1.3/examples/server_example_complex_array/server_example_ca+0x4ea90b)
    #6 0x7f9794c2582f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
@mzillgith (Contributor) commented Feb 26, 2019

Hi,
Not sure what that means.
How can I reproduce this?

@HopefulWei (Author) commented Feb 26, 2019

> Hi,
> Not sure what that means.
> How can I reproduce this?

You can reproduce it by continuously sending MMS packets to the server. In fact, it is fuzzing.

@mzillgith (Contributor) commented Feb 26, 2019

Can you create more expressive stack traces (with source line information)?

@HopefulWei (Author) commented Feb 26, 2019

OK, I will.
The problematic code is on lines 100 and 101.

```c
while (running) {
    Thread_sleep(1000);
```

ASAN's error is:

root@90900a8541e8:/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array# ./server_example_ca
=================================================================
==2503==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x45825b  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x45825b)
    #1 0x52d064  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x52d064)
    #2 0x52d198  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x52d198)
    #3 0x52d1e6  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x52d1e6)
    #4 0x513441  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x513441)
    #5 0x513d3d  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x513d3d)
    #6 0x4f2b3a  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4f2b3a)
    #7 0x7ff39d3b16b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #8 0x7ff39c7bc41c  (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x625000007907 is located 7 bytes inside of 8196-byte region [0x625000007900,0x625000009904)
allocated by thread T1 here:
    #0 0x4b9088  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4b9088)
    #1 0x4f2cfb  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4f2cfb)
    #2 0x513e41  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x513e41)
    #3 0x512a8b  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x512a8b)
    #4 0x512be6  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x512be6)
    #5 0x7ff39d3b16b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T4 created by T1 here:
    #0 0x42b499  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x42b499)
    #1 0x4f2b86  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4f2b86)
    #2 0x513fe7  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x513fe7)
    #3 0x512a8b  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x512a8b)
    #4 0x512be6  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x512be6)
    #5 0x7ff39d3b16b9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T1 created by T0 here:
    #0 0x42b499  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x42b499)
    #1 0x4f2bbf  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4f2bbf)
    #2 0x512de7  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x512de7)
    #3 0x4f61fb  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4f61fb)
    #4 0x4f14ce  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4f14ce)
    #5 0x4ea90b  (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x4ea90b)
    #6 0x7ff39c6d582f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: negative-size-param (/home/gw/share/libiec61850-1.3.2/examples/server_example_complex_array/server_example_ca+0x45825b) 
==2503==ABORTING
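What the sanitizer line `negative-size-param: (size=-1)` in the report above means, shown with an added example that is not part of this thread or of libiec61850. The record layout (a 2-byte big-endian length field in front of the payload), the function names and the sample packets are constructed for the demonstration: a length that is trusted without checking can come out as -1, `memcpy()` receives that as `SIZE_MAX`, and ASAN's interceptor reports it before the copy runs off the end of the heap region. The checked decoder rejects such records up front.

```c
/*
 * Added illustration of what AddressSanitizer means by "negative-size-param".
 * This is constructed example code, not libiec61850's MMS decoder: the record
 * layout (a 2-byte big-endian length field followed by the payload) is an
 * assumption made for the demonstration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 2   /* hypothetical header: just the 2-byte length field */

/* Unchecked decoder: trusts the declared length and subtracts the header.
 * A record declaring length 1 yields 1 - 2 = -1. */
int payload_len_unchecked(const uint8_t *pkt)
{
    int declared = (pkt[0] << 8) | pkt[1];
    return declared - HDR_LEN;
}

/* The same value once it reaches memcpy()'s size_t parameter: -1 becomes
 * SIZE_MAX. ASAN intercepts memcpy(), sees the sign bit set, and reports
 * "negative-size-param: (size=-1)" instead of letting the copy overrun the
 * heap region. */
size_t as_memcpy_size(int n)
{
    return (size_t)n;
}

/* Checked decoder: the declared length must at least cover its own header and
 * must not exceed the bytes actually received. Returns the payload length, or
 * -1 when the record is rejected. */
long payload_len_checked(const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < HDR_LEN)
        return -1;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared < HDR_LEN || declared > pktlen)
        return -1;
    return (long)(declared - HDR_LEN);
}

/* Copies the payload only after the length survived the checks above and fits
 * the destination. Returns the number of bytes copied, or -1. */
long copy_payload(uint8_t *dst, size_t dstlen, const uint8_t *pkt, size_t pktlen)
{
    long n = payload_len_checked(pkt, pktlen);
    if (n < 0 || (size_t)n > dstlen)
        return -1;
    memcpy(dst, pkt + HDR_LEN, (size_t)n);
    return n;
}

/* Constructed sample records. */
static const uint8_t good_pkt[]  = { 0x00, 0x05, 'a', 'b', 'c' }; /* declared 5, payload 3 */
static const uint8_t short_pkt[] = { 0x00, 0x01 };                 /* declared 1 < header */
static const uint8_t lying_pkt[] = { 0x10, 0x00, 'x' };            /* declared 4096 > 3 received */

/* Returns 1 when the checked copy of good_pkt yields "abc", 0 otherwise. */
int demo_copy_good(void)
{
    uint8_t dst[8] = { 0 };
    long n = copy_payload(dst, sizeof dst, good_pkt, sizeof good_pkt);
    return n == 3 && memcmp(dst, "abc", 3) == 0;
}

int main(void)
{
    printf("short_pkt: unchecked=%d (as size_t %zu), checked=%ld\n",
           payload_len_unchecked(short_pkt),
           as_memcpy_size(payload_len_unchecked(short_pkt)),
           payload_len_checked(short_pkt, sizeof short_pkt));
    printf("lying_pkt: unchecked=%d, checked=%ld\n",
           payload_len_unchecked(lying_pkt),
           payload_len_checked(lying_pkt, sizeof lying_pkt));
    printf("good_pkt copy ok: %d\n", demo_copy_good());
    return 0;
}
```

The report places the faulting address 7 bytes into an 8196-byte heap region, so the `memcpy()` call itself is only where the bad length is consumed; the value became -1 earlier, in the code that decodes the incoming message, which is why a symbolized trace of the worker thread (compile with `-g`, keep frame pointers) is what narrows this down, not the sleep loop in the main thread.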
@HopefulWei (Author) commented Feb 26, 2019

CVE-2016-4073 has the same problem.

@mzillgith (Contributor) commented Feb 26, 2019

> while (running) { Thread_sleep(1000);

That does not make much sense. The problem has to be in another thread where the MMS messages are processed.

@HopefulWei (Author) commented Feb 26, 2019

The problem code I am targeting is indeed

> while (running) { Thread_sleep(1000);

I don't know if you have any good code debugging methods.

@mzillgith (Contributor) commented Feb 26, 2019

I don't understand why you think there is a problem when calling
Thread_sleep(1000);
That would mean there is a problem in glibc.

@mzillgith (Contributor) commented Mar 1, 2019

duplicate (see #128)
