-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
heap-buffer-overflow in libdap::XDRFileUnMarshaller::get_vector #40
Comments
On Feb 1, 2018, at 11:04 PM, gy741 ***@***.***> wrote:
Hello.
I found a heap-buffer-overflow bug in libdap4.
Please confirm.
Will this show up on CentOS 7? Other versions of Ubuntu? I don’t have easy access ubuntu 17.
James
… Thanks.
OS: Ubuntu 17.04 64bit
Version: commit 724b8ee <724b8ee>
PoC Download: libdap__XDRFileUnMarshaller__get_vector.zip <https://github.com/OPENDAP/libdap4/files/1688230/libdap__XDRFileUnMarshaller__get_vector.zip>
Steps to reproduce:
1.Download the .POC files.
2.Compile the source code with ASan.
3.Execute the following command
: ./getdap -k $POC
=================================================================
==15996==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e040 at pc 0x7faf8d2d50c3 bp 0x7fff519c0500 sp 0x7fff519bfca8
WRITE of size 2 at 0x60300000e040 thread T0
#0 0x7faf8d2d50c2 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x6a0c2)
#1 0x7faf8bcc3792 in xdr_array (/lib/x86_64-linux-gnu/libc.so.6+0x13a792)
#2 0x7faf8ca06ca4 in libdap::XDRFileUnMarshaller::get_vector(char**, unsigned int&, int, libdap::Vector&) /home/karas/libdap4/XDRFileUnMarshaller.cc:186
#3 0x7faf8c8c3896 in libdap::Vector::deserialize(libdap::UnMarshaller&, libdap::DDS*, bool) /home/karas/libdap4/Vector.cc:813
#4 0x7faf8cf985ca in libdap::Connect::process_data(libdap::DataDDS&, libdap::Response*) /home/karas/libdap4/Connect.cc:143
#5 0x7faf8cf9f1d4 in libdap::Connect::read_data_no_mime(libdap::DataDDS&, libdap::Response*) /home/karas/libdap4/Connect.cc:1071
#6 0x4061f2 in main /home/karas/libdap4/getdap.cc:276
#7 0x7faf8bba982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x40c278 in _start (/home/karas/libdap4/run/bin/getdap+0x40c278)
0x60300000e040 is located 0 bytes to the right of 32-byte region [0x60300000e020,0x60300000e040)
allocated by thread T0 here:
#0 0x7faf8d3046b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
#1 0x7faf8c8aabe7 in libdap::Vector::m_create_cardinal_data_buffer_for_type(unsigned int) /home/karas/libdap4/Vector.cc:202
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x0c067fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9c00: fa fa fa fa 00 00 00 00[fa]fa fd fd fd fd fa fa
0x0c067fff9c10: 00 00 00 07 fa fa 00 00 00 01 fa fa fd fd fd fd
0x0c067fff9c20: fa fa fd fd fd fd fa fa 00 00 00 07 fa fa 00 00
0x0c067fff9c30: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fff9c40: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
0x0c067fff9c50: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==15996==ABORTING
==========
[Acknowledgement]
This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing]
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub <#40>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AH8OKsvYnIA4HMVqZNSiL2-N7L2YFN6Qks5tQqVfgaJpZM4R2uJo>.
--
James Gallagher
jgallagher@opendap.org
|
Hello, CentOS 7 was able to reproduce the problem. Thanks.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello.
I found a heap-buffer-overflow bug in libdap4.
Please confirm.
Thanks.
OS: Ubuntu 17.04 64bit
Version: commit 724b8ee
PoC Download: libdap__XDRFileUnMarshaller__get_vector.zip
Steps to reproduce:
1.Download the .POC files.
2.Compile the source code with ASan.
3.Execute the following command
: ./getdap -k $POC
==========
[Acknowledgement]
This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing]
The text was updated successfully, but these errors were encountered: