Information:
- version:
analyses ./sadf -V
sysstat 版本 12.1.1
(C) Sebastien Godard (sysstat <at> orange.fr)
- related code (sa_common.c:1293):
1290 │ /* Remap [unsigned] long fields */
1291 │ d = gtypes_nr[0] - ftypes_nr[0];
1292 │ if (d) {
1293 │ memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1294 │ ((char *) ps) + ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1295 │ MINIMUM(f_size - ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1296 │ g_size - gtypes_nr[0] * ULL_ALIGNMENT_WIDTH));
1297 │ if (d > 0) {
1298 │ memset(((char *) ps) + ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1299 │ 0, d * ULL_ALIGNMENT_WIDTH);
1300 │ }
1301 │ }
- Description:
memmove() does not check its arguments, and sadf crashes when those arguments are invalid. The following is my debug info:
pwndbg>
memmove (__len=8, __src=0x8000ffffcf00, __dest=0x7fffffffd700) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40
40 return __builtin___memmove_chk (__dest, __src, __len, __bos0 (__dest));
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────────────────────────────
RAX 0x800
RBX 0x5555557aba88 (file_hdr+40) ◂— 0xffffffff02
RCX 0x10
RDX 0x8
RDI 0x7fffffffd700 ◂— 0x3
RSI 0x8000ffffcf00
R8 0x18
R9 0xfffff810
R10 0x8
R11 0x1
R12 0x5555557a5b50 (rec_types_nr) ◂— 0x2
R13 0x18
R14 0x7fffffffd6f0 ◂— 0x3030303030303030 ('00000000')
R15 0x100
RBP 0x10
RSP 0x7fffffffd630 ◂— 0x0
RIP 0x55555558cd8a (remap_struct+346) ◂— call 0x555555557e70
──────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────
0x55555558cd7c <remap_struct+332> sub edx, edi
0x55555558cd7e <remap_struct+334> sub eax, r9d
0x55555558cd81 <remap_struct+337> cmp edx, eax
0x55555558cd83 <remap_struct+339> cmova rdx, rax
0x55555558cd87 <remap_struct+343> add rdi, r14
► 0x55555558cd8a <remap_struct+346> call memmove@plt <0x555555557e70>
dest: 0x7fffffffd700 ◂— 0x3
src: 0x8000ffffcf00
n: 0x8
0x55555558cd8f <remap_struct+351> test r15d, r15d
0x55555558cd92 <remap_struct+354> jle remap_struct+386 <0x55555558cdb2>
0x55555558cd94 <remap_struct+356> mov eax, dword ptr [rbx]
0x55555558cd96 <remap_struct+358> lea edx, [r15*8]
0x55555558cd9e <remap_struct+366> xor esi, esi
──────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────────────────────────────
35 }
36
37 __fortify_function void *
38 __NTH (memmove (void *__dest, const void *__src, size_t __len))
39 {
► 40 return __builtin___memmove_chk (__dest, __src, __len, __bos0 (__dest));
41 }
42
43 #ifdef __USE_GNU
44 __fortify_function void *
45 __NTH (mempcpy (void *__restrict __dest, const void *__restrict __src,
──────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd630 ◂— 0x0
01:0008│ 0x7fffffffd638 —▸ 0x5555557aba60 (file_hdr) ◂— 0x3030303030303030 ('00000000')
02:0010│ 0x7fffffffd640 —▸ 0x7fffffffd6f0 ◂— 0x3030303030303030 ('00000000')
03:0018│ 0x7fffffffd648 —▸ 0x5555557abc80 (record_hdr) ◂— 0x0
04:0020│ 0x7fffffffd650 ◂— 0x0
... ↓
06:0030│ 0x7fffffffd660 —▸ 0x7fffffffda40 ◂— 0x20 /* ' ' */
07:0038│ 0x7fffffffd668 —▸ 0x55555558cfa0 (read_record_hdr+96) ◂— movdqu xmm0, xmmword ptr [rbp]
If we control the src and n arguments of memmove, a stack overflow may happen, which could lead to ROP or even code execution!
- ASAN
sa_common_1293 ./sadf stack_oob
ASAN:DEADLYSIGNAL
=================================================================
==12760==ERROR: AddressSanitizer: SEGV on unknown address 0x100089c809c6 (pc 0x7f03a0cf6b85 bp 0x7fff4e445550 sp 0x7fff4e444cc0 T0)
==12760==The signal is caused by a READ memory access.
#0 0x7f03a0cf6b84 in __interceptor_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ab84)
#1 0x55d39dbc7e5e in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40
#2 0x55d39dbc7e5e in remap_struct /home/m4x/Projects/sysstat-12.1.1/sa_common.c:1293
#3 0x55d39dbc806f in read_record_hdr /home/m4x/Projects/sysstat-12.1.1/sa_common.c:1424
#4 0x55d39db93f7b in read_next_sample /home/m4x/Projects/sysstat-12.1.1/sadf.c:239
#5 0x55d39db958e5 in logic2_display_loop /home/m4x/Projects/sysstat-12.1.1/sadf.c:1173
#6 0x55d39db9625c in read_stats_from_file /home/m4x/Projects/sysstat-12.1.1/sadf.c:1432
#7 0x55d39db931f0 in main /home/m4x/Projects/sysstat-12.1.1/sadf.c:1799
#8 0x7f03a08acb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#9 0x55d39db93c59 in _start (/home/m4x/Projects/huawei/crash/analyses/sysstat-sadf/sa_common_1293/sadf+0x4c59)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ab84) in __interceptor_memmove
==12760==ABORTING