buffer overflow in tnt_strptime #8502

Closed
ligurio opened this issue Mar 27, 2023 · 0 comments
Labels: bug (Something isn't working)

ligurio commented Mar 27, 2023

Bug description

  • OS: Linux
  • OS Version: 22.04
  • Architecture: amd64

10f7109

Steps to reproduce

  • git checkout ligurio/gh-8490-fix-datetime_strptime
  • CC=clang-17 CXX=clang++-17 cmake -S . -B build -DENABLE_ASAN=ON -DENABLE_FUZZER=ON -DCMAKE_BUILD_TYPE=Debug
  • cmake --build build --parallel -t datetime_strptime_fuzzer
  • ./build/test/fuzz/datetime_strptime_fuzzer

Actual behavior

no buffer overflow

Expected behavior

buffer overflow

Log:

=================================================================
==663346==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55780588dab5 at pc 0x5578057d7b32 bp 0x7fff41198070 sp 0x7fff41198068
READ of size 1 at 0x55780588dab5 thread T0
    #0 0x5578057d7b31 in tnt_strptime /home/sergeyb/sources/MRG/tarantool/src/lib/tzcode/strptime.c:124:9
    #1 0x5578056d94c0 in datetime_strptime /home/sergeyb/sources/MRG/tarantool/src/lib/core/datetime.c:171:14
    #2 0x5578056d5d30 in LLVMFuzzerTestOneInput /home/sergeyb/sources/MRG/tarantool/test/fuzz/datetime_strptime_fuzzer.cc:19:2
    #3 0x5578055e6560 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/sergeyb/sources/MRG/tarantool/build/test/fuzz/datetime_strptime_fuzzer+0xc1560) (BuildId: 2ea24fd6980c3b2f0911af6b0657c732147fbd2a)
    #4 0x5578055e5cd5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/sergeyb/sources/MRG/tarantool/build/test/fuzz/datetime_strptime_fuzzer+0xc0cd5) (BuildId: 2ea24fd6980c3b2f0911af6b0657c732147fbd2a)
    #5 0x5578055e74b5 in fuzzer::Fuzzer::MutateAndTestOne() (/home/sergeyb/sources/MRG/tarantool/build/test/fuzz/datetime_strptime_fuzzer+0xc24b5) (BuildId: 2ea24fd6980c3b2f0911af6b0657c732147fbd2a)
    #6 0x5578055e80c5 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/sergeyb/sources/MRG/tarantool/build/test/fuzz/datetime_strptime_fuzzer+0xc30c5) (BuildId: 2ea24fd6980c3b2f0911af6b0657c732147fbd2a)
    #7 0x5578055d6260 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/sergeyb/sources/MRG/tarantool/build/test/fuzz/datetime_strptime_fuzzer+0xb1260) (BuildId: 2ea24fd6980c3b2f0911af6b0657c732147fbd2a)
    #8 0x5578055ff332 in main (/home/sergeyb/sources/MRG/tarantool/build/test/fuzz/datetime_strptime_fuzzer+0xda332) (BuildId: 2ea24fd6980c3b2f0911af6b0657c732147fbd2a)
    #9 0x7f5b7b629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7f5b7b629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #11 0x5578055cb6b4 in _start (/home/sergeyb/sources/MRG/tarantool/build/test/fuzz/datetime_strptime_fuzzer+0xa66b4) (BuildId: 2ea24fd6980c3b2f0911af6b0657c732147fbd2a)

0x55780588dab5 is located 0 bytes after global variable '.str.1' defined in '/home/sergeyb/sources/MRG/tarantool/test/fuzz/datetime_strptime_fuzzer.cc:19' (0x55780588daa0) of size 21
  '.str.1' is ascii string '%6666666666666666666'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/sergeyb/sources/MRG/tarantool/src/lib/tzcode/strptime.c:124:9 in tnt_strptime
Shadow bytes around the buggy address:
  0x55780588d800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55780588d880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55780588d900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55780588d980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55780588da00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 f9
=>0x55780588da80: f9 f9 f9 f9 00 00[05]f9 f9 f9 f9 f9 00 00 00 00
  0x55780588db00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55780588db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55780588dc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x55780588dc80: 00 00 00 00 00 05 f9 f9 00 00 00 f9 f9 f9 f9 f9
  0x55780588dd00: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==663346==ABORTING
MS: 3 ShuffleBytes-EraseBytes-ChangeByte-; base unit: 0a31ccee3458170413b627d659af9c639bdc4c21
0x36,0xa,
6\012
artifact_prefix='./'; Test unit written to ./crash-ccf271b7830882da1791852baeca1737fcbe4b90
Base64: Ngo=
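As an added illustration (not code from Tarantool or from the issue author), the hypothetical format walker below reproduces the arithmetic of the report above. The literal '%6666666666666666666' is 20 characters; ASan reports the object as 21 bytes (terminator included) and the faulting read as 0 bytes past it, so the read landed at offset 21, one byte beyond the NUL. A parser that consumes the width digits after '%' and then unconditionally skips one more byte for the conversion character ends up exactly there. What strptime.c:124 actually does is not shown on this page; the function names, the walker and the fixed variant are assumptions of this example, and the fixed variant adds the width-overflow check a reviewer would ask for alongside the NUL check.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical format walker (not tnt_strptime). It parses "%<digits><conv>"
 * the way a naive implementation does: consume the width digits, then skip
 * one more byte for the conversion character without checking for NUL.
 */

/* Buggy: when the digit run reaches the terminator, fmt + 1 is one byte past
 * the string, and the caller's next read is an out-of-bounds read. */
static const char *
parse_conv_buggy(const char *fmt, unsigned long long *width)
{
    unsigned long long w = 0;
    fmt++;                                   /* skip '%' */
    while (isdigit((unsigned char)*fmt))
        w = w * 10 + (unsigned)(*fmt++ - '0');
    *width = w;
    return fmt + 1;                          /* BUG: also skips the NUL */
}

/* Fixed: reject a truncated sequence ("%", "%12") and an oversized width. */
static const char *
parse_conv_fixed(const char *fmt, unsigned long long *width)
{
    unsigned long long w = 0;
    fmt++;                                   /* skip '%' */
    while (isdigit((unsigned char)*fmt)) {
        if (w > (ULLONG_MAX - 9) / 10)
            return NULL;                     /* width would overflow */
        w = w * 10 + (unsigned)(*fmt++ - '0');
    }
    if (*fmt == '\0')
        return NULL;                         /* no conversion character */
    *width = w;
    return fmt + 1;                          /* points at most at the NUL */
}

/*
 * Walk a format with the fixed parser: returns the number of conversions or
 * -1 for a malformed format. Every read of *p stays inside the string.
 */
static int
count_conversions(const char *fmt)
{
    int n = 0;
    const char *p = fmt;
    while (*p != '\0') {
        if (*p != '%') {
            p++;
            continue;
        }
        if (p[1] == '%') {                   /* "%%" is a literal percent */
            p += 2;
            continue;
        }
        unsigned long long width;
        p = parse_conv_fixed(p, &width);
        if (p == NULL)
            return -1;
        n++;
    }
    return n;
}

/* Where the buggy parser leaves the cursor, as an offset from fmt. Computed
 * only, never dereferenced, so this is safe to call on any string. */
static ptrdiff_t
buggy_cursor_offset(const char *fmt)
{
    unsigned long long width;
    return parse_conv_buggy(fmt, &width) - fmt;
}

int
main(void)
{
    /* Constructed inputs; the second is the literal from the ASan report. */
    const char *ok = "%Y-%m-%dT%H:%M:%3S";
    const char *bad = "%6666666666666666666";

    printf("%-24s -> %d conversions\n", ok, count_conversions(ok));
    printf("%-24s -> %d (malformed, rejected)\n", bad, count_conversions(bad));
    printf("buggy cursor offset on the bad format: %td, strlen: %zu\n",
           buggy_cursor_offset(bad), strlen(bad));
    return 0;
}
```

On the report's literal the buggy parser leaves the cursor at offset 21 while strlen is 20, which is the "0 bytes after global variable ... of size 21" read in the log; the fixed parser returns NULL instead and the walker reports the format as malformed. Building with -fsanitize=address and dereferencing the pointer parse_conv_buggy returns shows the same global-buffer-overflow class; the example itself only computes the offset.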
@ligurio ligurio added the bug Something isn't working label Mar 27, 2023
@tsafin tsafin self-assigned this Mar 27, 2023
ligurio pushed a commit to ligurio/tarantool that referenced this issue Mar 31, 2023
Fixes tarantool#8502
Needed for tarantool#8490

NO_DOC=bugfix
NO_TEST=covered by fuzzing test
ligurio pushed a commit to ligurio/tarantool that referenced this issue Jul 14, 2023
Fixes tarantool#8502
Needed for tarantool#8490

NO_DOC=bugfix
NO_TEST=covered by fuzzing test
ligurio pushed a commit to ligurio/tarantool that referenced this issue Jul 14, 2023
Fixes tarantool#8502
Needed for tarantool#8490

NO_DOC=bugfix
NO_TEST=covered by fuzzing test

(cherry picked from commit 783a704)
igormunkin pushed a commit that referenced this issue Jul 18, 2023
Fixes #8502
Needed for #8490

NO_DOC=bugfix
NO_TEST=covered by fuzzing test

(cherry picked from commit 783a704)
ligurio pushed a commit to ligurio/tarantool that referenced this issue Aug 18, 2023
Fixes tarantool#8502
Needed for tarantool#8490

NO_DOC=bugfix
NO_TEST=covered by fuzzing test

(cherry picked from commit 783a704)
ligurio pushed a commit to ligurio/tarantool that referenced this issue Aug 22, 2023
Fixes tarantool#8502
Needed for tarantool#8490

NO_DOC=bugfix
NO_TEST=covered by fuzzing test

(cherry picked from commit 783a704)
igormunkin pushed a commit that referenced this issue Aug 22, 2023
Fixes #8502
Needed for #8490

NO_DOC=bugfix
NO_TEST=covered by fuzzing test

(cherry picked from commit 783a704)