ASan: invalid read in AddExporterStat ./bin/exporter.c:255 #174

Closed
fgeek opened this issue Aug 3, 2019 · 3 comments

@fgeek
commented Aug 3, 2019

Tested commit: 0b45172
Credits: Henri Salo
Tools: american fuzzy lop 2.53b, afl-utils
002-nfcapd.txt

/bin/nfdump -r 002-nfcapd.txt
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
AddressSanitizer:DEADLYSIGNAL
=================================================================
==22587==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fefd415a073 bp 0x000000000000 sp 0x7fff89126bc0 T0)
==22587==The signal is caused by a READ memory access.
==22587==Hint: address points to the zero page.
    #0 0x7fefd415a072 in AddExporterStat /home/hsalo/src/nfdump/bin/exporter.c:255
    #1 0x55e2c2b962eb in process_data /home/hsalo/src/nfdump/bin/nfdump.c:662
    #2 0x55e2c2b962eb in main /home/hsalo/src/nfdump/bin/nfdump.c:1213
    #3 0x7fefd3e8f09a in __libc_start_main ../csu/libc-start.c:308
    #4 0x55e2c2b9e499 in _start (/home/hsalo/builds/nfdump/0b45172134d354081d80212cb33e224a46c48298/bin/nfdump+0x1a499)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hsalo/src/nfdump/bin/exporter.c:255 in AddExporterStat
==22587==ABORTING
$ hexdump -C 002-nfcapd.txt
00000000  0c a5 01 00 00 30 30 30  30 30 30 30 30 30 30 30  |.....00000000000|
00000010  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
00000110  30 30 30 30 30 30 30 30  30 00 00 00 02 00 30 30  |000000000.....00|
00000120  02 00 0c 00 30 30 00 00  00 00 30 30 08 00 30 00  |....00....00..0.|
00000130  01 00 00 00 30 30 51 00  30 30 30 30 30 30 30 30  |....00Q.00000000|
00000140  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
00000150
@fgeek
commented Aug 3, 2019

Another crash in the same location might give more information when debugging.
003-nfcapd.txt (a5eb05072ef3d1ca12246a44cad006cbb15a1d94)

./bin/nfdump -r 003-nfcapd.txt
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
=================================================================
==9224==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000172 at pc 0x7f8bf55e1415 bp 0x7ffc5598b6d0 sp 0x7ffc5598b6c8
READ of size 2 at 0x602000000172 thread T0
    #0 0x7f8bf55e1414 in AddExporterStat /home/hsalo/src/nfdump/bin/exporter.c:255
    #1 0x560ef88832eb in process_data /home/hsalo/src/nfdump/bin/nfdump.c:662
    #2 0x560ef88832eb in main /home/hsalo/src/nfdump/bin/nfdump.c:1213
    #3 0x7f8bf531609a in __libc_start_main ../csu/libc-start.c:308
    #4 0x560ef888b499 in _start (/home/hsalo/builds/nfdump/0b45172134d354081d80212cb33e224a46c48298/bin/nfdump+0x1a499)

0x602000000172 is located 1 bytes to the right of 1-byte region [0x602000000170,0x602000000171)
allocated by thread T0 here:
    #0 0x7f8bf571d330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f8bf55e1287 in AddExporterStat /home/hsalo/src/nfdump/bin/exporter.c:232

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hsalo/src/nfdump/bin/exporter.c:255 in AddExporterStat
==9224==ABORTING
$ hexdump -C 003-nfcapd.txt
00000000  0c a5 01 00 00 30 30 30  30 30 30 30 30 30 30 30  |.....00000000000|
00000010  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
00000110  30 30 30 30 30 30 30 30  30 00 00 00 02 00 30 30  |000000000.....00|
00000120  08 00 00 00 30 30 30 30  30 30 30 30 30 30 30 30  |....000000000000|
00000130  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
00000150
@fgeek
commented Aug 3, 2019

Additionally, this seems to be an infinite loop when executed without AddressSanitizer.

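The heap report above shows a 2-byte read just past a 1-byte region allocated a few lines earlier in AddExporterStat (exporter.c:232 to :255), which is the pattern of a record size from the file being trusted; a size that never advances the read cursor would also explain the hang seen without AddressSanitizer. The C below is an added example, not nfdump's code or the fix in 859ea2c: it assumes a generic 2-byte type plus 2-byte size record header and a hypothetical exporter-stat layout, and shows the bounds checks a block walker applies before touching any field.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed generic layout (added example, not nfdump's definitions): every record
 * starts with a 2-byte type and a 2-byte total size, stored in host byte order. */
typedef struct { uint16_t type; uint16_t size; } rec_hdr_t;

/* Hypothetical exporter-stat record: the body fields the handler will read. */
typedef struct { rec_hdr_t hdr; uint32_t exporter_id; uint32_t flows; } exporter_stat_rec_t;
#define REC_EXPORTER_STAT 2

/* Walk the records of one block. Returns the number of records accepted, or -1 at
 * the first malformed record. Every check uses only the declared size and the
 * bytes remaining, so no body field is read until the record is known to hold it. */
int walk_block(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        rec_hdr_t h;
        if (len - off < sizeof h)          /* block ends inside a header */
            return -1;
        memcpy(&h, buf + off, sizeof h);   /* copy out: no unaligned dereference */
        if (h.size < sizeof h)             /* 0..3 never advances off: the hang */
            return -1;
        if (h.size > len - off)            /* record claims bytes past the block */
            return -1;
        if (h.type == REC_EXPORTER_STAT) {
            exporter_stat_rec_t r;
            if (h.size < sizeof r)         /* too short for the fields we read */
                return -1;                 /* (the 1-byte-region overflow case) */
            memcpy(&r, buf + off, sizeof r);
            (void)r.flows;                 /* fields are safe to use from here */
        }
        off += h.size;
        n++;
    }
    return n;
}

int main(void) {
    /* Constructed inputs; a little-endian host is assumed for the size fields. */
    static const uint8_t good[] = {2,0,12,0, 1,0,0,0, 5,0,0,0};     /* one valid stat record */
    static const uint8_t zero[] = {2,0,0,0, 0x30,0x30,0x30,0x30};   /* size 0: would spin */
    static const uint8_t tiny[] = {2,0,4,0, 0x30,0x30,0x30,0x30};   /* stat record of 4 bytes */
    printf("good=%d zero=%d tiny=%d\n", walk_block(good, sizeof good),
           walk_block(zero, sizeof zero), walk_block(tiny, sizeof tiny));
    return 0;
}
```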
phaag pushed a commit that referenced this issue Aug 5, 2019
@phaag
commented Aug 5, 2019

Fixed in 859ea2c.
Thanks for reporting.

@phaag phaag closed this Aug 5, 2019
