heap-buffer-overflow in nxt_sprintf.c:429 #174

Closed
xcainiao opened this issue Jun 3, 2019 · 3 comments

Comments

xcainiao commented Jun 3, 2019

Hello, I am shuoz of Alpha Lab of Topsec. I fuzzed njs and found a heap overflow bug.

fuzz@fuzz:~/Desktop/fuzzproject/njs/build$ ./njs  ./tmp.js
INFO: Seed: 2208882516
INFO: Loaded 1 modules (8780 guards): [0x8a15a0, 0x8a9ed0),
./njs: Running 1 inputs 1 time(s) each.
Running: crash-0c9fced77823aa506239627a5473e8c4bb55ec96
=================================================================
==16711==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000039b at pc 0x0000004dc4e2 bp 0x7ffc117a8770 sp 0x7ffc117a7f20
READ of size 217 at 0x61100000039b thread T0
    #0 0x4dc4e1 in __asan_memcpy (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4dc4e1)
    #1 0x521ce2 in nxt_vsprintf /home/fuzz/Desktop/fuzzproject/njs/nxt/nxt_sprintf.c:429:15
    #2 0x5ada7b in njs_parser_scope_error /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:2365:9
    #3 0x5ada7b in njs_parser_lexer_error /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:2395
    #4 0x58ab62 in njs_regexp_literal /home/fuzz/Desktop/fuzzproject/njs/njs/njs_regexp.c:364:5
    #5 0x5b55fc in njs_parser_terminal /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_terminal.c:106:17
    #6 0x5bcd95 in njs_parser_call_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:748:17
    #7 0x5bc19b in njs_parser_post_inc_dec_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:689:13
    #8 0x5bc19b in njs_parser_inc_dec_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:649
    #9 0x5bc19b in njs_parser_unary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:553
    #10 0x5bbb9b in njs_parser_exponential_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:476:13
    #11 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #12 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #13 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #14 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #15 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #16 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #17 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #18 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #19 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #20 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #21 0x5bafec in njs_parser_conditional_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:352:13
    #22 0x5bafec in njs_parser_assignment_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:228
    #23 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #24 0x5af3f1 in njs_parser_statement /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:413:21
    #25 0x5a9f04 in njs_parser_statement_chain /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:280:13
    #26 0x5b3af6 in njs_parser_block_statement /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:465:17
    #27 0x5ae2a2 in njs_parser_statement /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:365:16
    #28 0x5a9f04 in njs_parser_statement_chain /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:280:13
    #29 0x5a940a in njs_parser /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:131:17
    #30 0x527ae4 in njs_vm_compile /home/fuzz/Desktop/fuzzproject/njs/njs/njs.c:254:11
    #31 0x517338 in njs_process_script /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:780:11
    #32 0x516714 in njs_process_file /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:637:11
    #33 0x516714 in LLVMFuzzerTestOneInput /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:298
    #34 0x6046a4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerLoop.cpp:451:13
    #35 0x6048d1 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerLoop.cpp:408:3
    #36 0x5fab41 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerDriver.cpp:268:6
    #37 0x5fda01 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerDriver.cpp:585:9
    #38 0x5fa8c0 in main /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerMain.cpp:20:10
    #39 0x7f07973cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #40 0x41d769 in _start (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x41d769)

0x61100000039b is located 0 bytes to the right of 219-byte region [0x6110000002c0,0x61100000039b)
allocated by thread T0 here:
    #0 0x4ddaa0 in realloc (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4ddaa0)
    #1 0x516488 in njs_process_file /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:569:20
    #2 0x516488 in LLVMFuzzerTestOneInput /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:298
    #3 0x6046a4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerLoop.cpp:451:13
    #4 0x6048d1 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerLoop.cpp:408:3
    #5 0x5fab41 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerDriver.cpp:268:6
    #6 0x5fda01 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerDriver.cpp:585:9
    #7 0x5fa8c0 in main /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerMain.cpp:20:10
    #8 0x7f07973cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4dc4e1) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c227fff8020: 00 00 00 03 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8040: 00 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa
  0x0c227fff8050: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8070: 00 00 00[03]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8090: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c227fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16711==ABORTING

PoC file: https://github.com/xcainiao/poc/blob/master/tmp.js
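The sanitizer output above describes a memcpy issued from the error-message formatter whose source pointer sits exactly at the end of the 219-byte heap region holding the script and whose requested length (217) runs entirely past it. As an added illustration, not njs code and making no claim about how njs's own formatter or the eventual fix are written, the C below shows the check such a copy needs: clamp the requested token length to the bytes that actually remain in the input buffer. The function names, the sample script, and the 219/217 layout are constructed to mirror the report's numbers.

```c
/*
 * Added example, not njs code.  A bounded copy of a lexer token into an
 * error-message buffer: the missing check behind a report like the one
 * above is "does [src, src+len) still lie inside the script buffer?".
 * Names, sizes and the sample script are assumptions, not project code.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Copy at most `len` bytes of the token at `src` into `out`, never reading
 * outside [buf, buf + buf_size) and never writing past out[out_size - 1].
 * Returns the number of bytes copied; 0 means nothing in bounds remained
 * (including a token pointer at the end of the script, as in the report).
 */
static size_t copy_token_bounded(char *out, size_t out_size,
                                 const char *buf, size_t buf_size,
                                 const char *src, size_t len)
{
    size_t avail;

    if (out_size == 0) {
        return 0;
    }
    out[0] = '\0';

    /* The token pointer must point into the script or one past its end. */
    if (src < buf || src > buf + buf_size) {
        return 0;
    }

    /* Bytes between src and end of script, as a pointer difference so an
     * oversized len cannot wrap a src + len computation. */
    avail = (size_t)((buf + buf_size) - src);
    if (len > avail) {
        len = avail;
    }
    if (len > out_size - 1) {
        len = out_size - 1;
    }

    memcpy(out, src, len);
    out[len] = '\0';
    return len;
}

/* Shape of the report: 219-byte heap region, token pointer at its end,
 * requested length 217.  An unchecked memcpy reads 217 bytes of redzone
 * here; the bounded copy returns 0. */
static size_t demo_report_shape(void)
{
    const size_t size = 219;
    char *script = malloc(size);
    char out[256];
    size_t n;

    if (script == NULL) {
        return (size_t)-1;
    }
    memset(script, 'a', size);
    n = copy_token_bounded(out, sizeof(out), script, size, script + size, 217);
    free(script);
    return n;
}

/* Constructed script; the regexp literal starts at offset 8. */
static const char sample_script[] = "var r = /ab+c/;";
#define SAMPLE_LEN (sizeof(sample_script) - 1)   /* 15 bytes, NUL excluded */

/* Well-formed token: the 6 bytes of "/ab+c/" are copied verbatim. */
static size_t demo_in_bounds(void)
{
    char out[64];
    size_t n = copy_token_bounded(out, sizeof(out), sample_script, SAMPLE_LEN,
                                  sample_script + 8, 6);
    return (n == 6 && strcmp(out, "/ab+c/") == 0) ? n : 0;
}

/* Over-counted token (say, an unterminated literal whose length ran to a
 * bogus 100): clamped to the 7 bytes that remain, "/ab+c/;". */
static size_t demo_clamped(void)
{
    char out[64];
    size_t n = copy_token_bounded(out, sizeof(out), sample_script, SAMPLE_LEN,
                                  sample_script + 8, 100);
    return (n == 7 && strcmp(out, "/ab+c/;") == 0) ? n : 0;
}

int main(void)
{
    printf("report shape: %zu bytes copied\n", demo_report_shape());
    printf("in bounds:    %zu bytes copied\n", demo_in_bounds());
    printf("clamped:      %zu bytes copied\n", demo_clamped());
    return 0;
}
```

The clamp is deliberately computed from the script buffer's own end rather than from the token's recorded length, because in a report like this one the token length is the untrusted value: it was derived by the lexer from input the fuzzer controls.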

Dor1s commented Jun 3, 2019

This was also found as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15093 last week.

xeioex (Contributor) commented Jun 3, 2019

Permission denied.

Hi @Dor1s, can I get access to the ticket details?

Dor1s commented Jun 3, 2019

Yes! Please update the project.yaml file as per this comment: google/oss-fuzz#2481 (comment)

Or give me the contact emails and I can update it for you :)

After that, OSS-Fuzz will propagate the changes and the specified emails will get access to the bug tracker as well as ClusterFuzz interface.

xeioex self-assigned this Aug 23, 2019