If we control src and n of memmove, a stack overflow may happen which leads to ROP or even code execution!
ASAN
sa_common_1293 ./sadf stack_oob
ASAN:DEADLYSIGNAL
=================================================================
==12760==ERROR: AddressSanitizer: SEGV on unknown address 0x100089c809c6 (pc 0x7f03a0cf6b85 bp 0x7fff4e445550 sp 0x7fff4e444cc0 T0)
==12760==The signal is caused by a READ memory access.
#0 0x7f03a0cf6b84 in __interceptor_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ab84)
#1 0x55d39dbc7e5e in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40
#2 0x55d39dbc7e5e in remap_struct /home/m4x/Projects/sysstat-12.1.1/sa_common.c:1293
#3 0x55d39dbc806f in read_record_hdr /home/m4x/Projects/sysstat-12.1.1/sa_common.c:1424
#4 0x55d39db93f7b in read_next_sample /home/m4x/Projects/sysstat-12.1.1/sadf.c:239
#5 0x55d39db958e5 in logic2_display_loop /home/m4x/Projects/sysstat-12.1.1/sadf.c:1173
#6 0x55d39db9625c in read_stats_from_file /home/m4x/Projects/sysstat-12.1.1/sadf.c:1432
#7 0x55d39db931f0 in main /home/m4x/Projects/sysstat-12.1.1/sadf.c:1799
#8 0x7f03a08acb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#9 0x55d39db93c59 in _start (/home/m4x/Projects/huawei/crash/analyses/sysstat-sadf/sa_common_1293/sadf+0x4c59)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ab84) in __interceptor_memmove
==12760==ABORTING
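A defender's illustration of the missing check, added here and not part of the issue or of sysstat's code: a record-remapping helper whose source offset and byte count come from an untrusted data file, as in the report above. The names remap_record_unchecked, remap_record_checked, remap_first_byte and RECORD_SIZE are hypothetical; the checked version validates both values against the real buffer length (including size_t wrap-around) before memmove() ever runs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record buffer size; sysstat's real struct sizes are not modelled. */
#define RECORD_SIZE 32

/* Unchecked version: mirrors the bug class in the report. A file-controlled
 * src_off and n reach memmove() directly, which checks nothing itself, so a
 * bad value reads or writes past `rec`. Kept only for comparison. */
void remap_record_unchecked(uint8_t *rec, size_t src_off, size_t n)
{
    memmove(rec, rec + src_off, n);
}

/* Checked version: returns false and leaves `rec` untouched when the
 * file-controlled values do not fit inside the rec_len-byte buffer.
 * Comparing n against (rec_len - src_off) instead of computing src_off + n
 * avoids the wrap-around that a huge src_off or n would otherwise cause. */
static bool remap_record_checked(uint8_t *rec, size_t rec_len,
                                 size_t src_off, size_t n)
{
    if (rec == NULL)
        return false;
    if (src_off > rec_len || n > rec_len - src_off)
        return false;                 /* out of bounds or would overflow */
    memmove(rec, rec + src_off, n);   /* now provably inside [rec, rec+rec_len) */
    return true;
}

/* Self-test helper: fills a constructed record with 0..RECORD_SIZE-1, tries
 * the checked remap and returns the first byte afterwards, or -1 when the
 * file-controlled values were rejected. */
static int remap_first_byte(size_t src_off, size_t n)
{
    uint8_t rec[RECORD_SIZE];
    for (size_t i = 0; i < RECORD_SIZE; i++)
        rec[i] = (uint8_t)i;
    if (!remap_record_checked(rec, sizeof rec, src_off, n))
        return -1;
    return rec[0];
}
```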
bash-c changed the title from "[bug report]: out of bound read in sadf whilch may lead to code execution" to "[bug report]: out of bound read in sadf which may lead to code execution" on Nov 21, 2018.
Information:
memmove() doesn't check the args and sadf crashes when the args are invalid. The debug info is given above.
poc here