
heap-buffer-overflow in nxt_sprintf.c:429 #174

Open
xcainiao opened this issue Jun 3, 2019 · 3 comments

Comments

@xcainiao

commented Jun 3, 2019

Hello, I am shuoz of Alpha Lab of Topsec. I fuzzed njs and found a heap-overflow bug.

./njs ./tmp.js

fuzz@fuzz:~/Desktop/fuzzproject/njs/build$ ./njs  ./tmp.js
INFO: Seed: 2208882516
INFO: Loaded 1 modules (8780 guards): [0x8a15a0, 0x8a9ed0),
./njs: Running 1 inputs 1 time(s) each.
Running: crash-0c9fced77823aa506239627a5473e8c4bb55ec96
=================================================================
==16711==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000039b at pc 0x0000004dc4e2 bp 0x7ffc117a8770 sp 0x7ffc117a7f20
READ of size 217 at 0x61100000039b thread T0
    #0 0x4dc4e1 in __asan_memcpy (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4dc4e1)
    #1 0x521ce2 in nxt_vsprintf /home/fuzz/Desktop/fuzzproject/njs/nxt/nxt_sprintf.c:429:15
    #2 0x5ada7b in njs_parser_scope_error /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:2365:9
    #3 0x5ada7b in njs_parser_lexer_error /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:2395
    #4 0x58ab62 in njs_regexp_literal /home/fuzz/Desktop/fuzzproject/njs/njs/njs_regexp.c:364:5
    #5 0x5b55fc in njs_parser_terminal /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_terminal.c:106:17
    #6 0x5bcd95 in njs_parser_call_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:748:17
    #7 0x5bc19b in njs_parser_post_inc_dec_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:689:13
    #8 0x5bc19b in njs_parser_inc_dec_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:649
    #9 0x5bc19b in njs_parser_unary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:553
    #10 0x5bbb9b in njs_parser_exponential_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:476:13
    #11 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #12 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #13 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #14 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #15 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #16 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #17 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #18 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #19 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #20 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #21 0x5bafec in njs_parser_conditional_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:352:13
    #22 0x5bafec in njs_parser_assignment_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:228
    #23 0x5bab67 in njs_parser_binary_expression /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser_expression.c:421:13
    #24 0x5af3f1 in njs_parser_statement /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:413:21
    #25 0x5a9f04 in njs_parser_statement_chain /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:280:13
    #26 0x5b3af6 in njs_parser_block_statement /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:465:17
    #27 0x5ae2a2 in njs_parser_statement /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:365:16
    #28 0x5a9f04 in njs_parser_statement_chain /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:280:13
    #29 0x5a940a in njs_parser /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:131:17
    #30 0x527ae4 in njs_vm_compile /home/fuzz/Desktop/fuzzproject/njs/njs/njs.c:254:11
    #31 0x517338 in njs_process_script /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:780:11
    #32 0x516714 in njs_process_file /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:637:11
    #33 0x516714 in LLVMFuzzerTestOneInput /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:298
    #34 0x6046a4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerLoop.cpp:451:13
    #35 0x6048d1 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerLoop.cpp:408:3
    #36 0x5fab41 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerDriver.cpp:268:6
    #37 0x5fda01 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerDriver.cpp:585:9
    #38 0x5fa8c0 in main /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerMain.cpp:20:10
    #39 0x7f07973cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #40 0x41d769 in _start (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x41d769)

0x61100000039b is located 0 bytes to the right of 219-byte region [0x6110000002c0,0x61100000039b)
allocated by thread T0 here:
    #0 0x4ddaa0 in realloc (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4ddaa0)
    #1 0x516488 in njs_process_file /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:569:20
    #2 0x516488 in LLVMFuzzerTestOneInput /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:298
    #3 0x6046a4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerLoop.cpp:451:13
    #4 0x6048d1 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerLoop.cpp:408:3
    #5 0x5fab41 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerDriver.cpp:268:6
    #6 0x5fda01 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerDriver.cpp:585:9
    #7 0x5fa8c0 in main /home/fuzz/Desktop/libfuzzer-workshop-master/libFuzzer/Fuzzer/./FuzzerMain.cpp:20:10
    #8 0x7f07973cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4dc4e1) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c227fff8020: 00 00 00 03 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8040: 00 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa
  0x0c227fff8050: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8070: 00 00 00[03]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8090: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c227fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16711==ABORTING

PoC file: https://github.com/xcainiao/poc/blob/master/tmp.js
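The report above contains everything needed for a first triage pass before opening the source: the access type and size, where the address sits relative to the allocation, and which project frames appear on the access and allocation stacks. The script below is an added example for this thread, not code from njs, from the reporter or from OSS-Fuzz; the regular expressions for ASan's report lines and the list of "runtime" frame names are this example's own assumptions, and SAMPLE_REPORT is a trimmed copy of the report pasted above.

```python
"""Triage helper for an AddressSanitizer heap-buffer-overflow report (added
example).  Extracts the access size, its position relative to the allocation
and the first project frame on the access and allocation stacks."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

KIND_RE = re.compile(r"AddressSanitizer: ([\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
    r"\[0x([0-9a-f]+),0x([0-9a-f]+)\)"
)
ALLOC_RE = re.compile(r"^allocated by thread", re.M)
SUMMARY_RE = re.compile(r"^SUMMARY:", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
LOC_RE = re.compile(r"([^/\s:]+:\d+)")  # "file.c:LINE" without directory or column

Frame = Tuple[str, str]  # (function, "file:line")


def is_runtime_frame(func: str) -> bool:
    """Frames from the sanitizer, allocator interceptors or the libFuzzer harness
    (assumed list; extend it for other harnesses)."""
    return (func.startswith(("__asan_", "__interceptor_", "fuzzer::", "LLVMFuzzer"))
            or func in ("malloc", "realloc", "calloc", "free", "main",
                        "__libc_start_main", "_start"))


def first_project_frame(trace: str) -> Optional[Frame]:
    """First frame of a stack trace that is not runtime or harness code."""
    for func, location in FRAME_RE.findall(trace):
        if is_runtime_frame(func):
            continue
        loc = LOC_RE.search(location)
        return func, (loc.group(1) if loc else location)
    return None


@dataclass
class Triage:
    kind: str                     # e.g. heap-buffer-overflow
    access: str                   # READ or WRITE
    size: int                     # bytes covered by the access
    region_size: int              # bytes in the allocation
    offset_from_region_end: int   # reported address minus region end; 0 = first byte past it
    max_bytes_out_of_bounds: int  # upper bound, see parse_asan_report()
    access_frame: Optional[Frame]
    alloc_frame: Optional[Frame]


def parse_asan_report(text: str) -> Triage:
    k, m, r = KIND_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    a, s = ALLOC_RE.search(text), SUMMARY_RE.search(text)
    if not (k and m and r and a and s):
        raise ValueError("report lacks one of the lines this parser expects")
    if r.group(2) != "right":
        raise ValueError("only an access past the end of the region is handled here")

    access, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    region_size = int(r.group(3))
    region_start, region_end = int(r.group(4), 16), int(r.group(5), 16)
    if region_end - region_start != region_size:
        raise ValueError("region bounds disagree with the stated region size")

    # Caveat for memcpy/memset-style reports: the ASan interceptor reports the
    # first *poisoned* byte as the address and the whole range as the size, so
    # the copy may have started inside the allocation.  The value below is an
    # upper bound on the bytes touched past the end; it is exact for a plain
    # instrumented load or store, whose address is the access start.
    out_of_bounds = max(0, addr + size - region_end)

    return Triage(
        kind=k.group(1), access=access, size=size, region_size=region_size,
        offset_from_region_end=addr - region_end,
        max_bytes_out_of_bounds=out_of_bounds,
        access_frame=first_project_frame(text[m.end():r.start()]),
        alloc_frame=first_project_frame(text[a.end():s.start()]),
    )


# Trimmed copy of the report in the issue (constructed sample input).
SAMPLE_REPORT = """\
==16711==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000039b at pc 0x0000004dc4e2 bp 0x7ffc117a8770 sp 0x7ffc117a7f20
READ of size 217 at 0x61100000039b thread T0
    #0 0x4dc4e1 in __asan_memcpy (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4dc4e1)
    #1 0x521ce2 in nxt_vsprintf /home/fuzz/Desktop/fuzzproject/njs/nxt/nxt_sprintf.c:429:15
    #2 0x5ada7b in njs_parser_scope_error /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:2365:9
    #3 0x5ada7b in njs_parser_lexer_error /home/fuzz/Desktop/fuzzproject/njs/njs/njs_parser.c:2395
    #4 0x58ab62 in njs_regexp_literal /home/fuzz/Desktop/fuzzproject/njs/njs/njs_regexp.c:364:5

0x61100000039b is located 0 bytes to the right of 219-byte region [0x6110000002c0,0x61100000039b)
allocated by thread T0 here:
    #0 0x4ddaa0 in realloc (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4ddaa0)
    #1 0x516488 in njs_process_file /home/fuzz/Desktop/fuzzproject/njs/njs/njs_shell.c:569:20

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/Desktop/fuzzproject/njs/build/njs+0x4dc4e1) in __asan_memcpy
"""

if __name__ == "__main__":
    t = parse_asan_report(SAMPLE_REPORT)
    print(f"{t.kind}: {t.access} of {t.size} bytes starting {t.offset_from_region_end} bytes past "
          f"a {t.region_size}-byte region; access in {t.access_frame}, allocated in {t.alloc_frame}")
```

Run against the report in this issue, the script reports that the first bad byte is exactly the end of the 219-byte region that njs_process_file obtained via realloc (njs_shell.c:569), and that the 217-byte memcpy was issued by nxt_vsprintf (nxt_sprintf.c:429) while njs_parser_lexer_error was formatting an error for a regexp literal. In other words the start pointer or length handed to the formatter reaches past the end of that allocation (presumably the script text, given the call site); where the copy actually began cannot be read off the report, because for memcpy ASan reports the first poisoned byte rather than the copy's start address.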

@xeioex xeioex added bug fuzzer labels Jun 3, 2019

@Dor1s

This comment has been minimized.


commented Jun 3, 2019

@xeioex

This comment has been minimized.

Contributor

commented Jun 3, 2019

Permission denied.

Hi @Dor1s, can I get access to the ticket details?

@Dor1s

This comment has been minimized.


commented Jun 3, 2019

Yes! Please update the project.yaml file as per this comment: google/oss-fuzz#2481 (comment)

Or give me the contact emails and I can update it for you :)

After that, OSS-Fuzz will propagate the changes and the specified emails will get access to the bug tracker as well as ClusterFuzz interface.

@xeioex xeioex added the libFuzzer label Jun 4, 2019
