Heap buffer overflow in xrow_decode_error #9098
Comments
We allocate 15 bytes for
tarantool/src/lib/core/error_payload.h, lines 17 to 24 in 307f3c5
tarantool/src/lib/core/error_payload.c, line 58 in 307f3c5
But in
See also: https://gitlab.inria.fr/gustedt/p99/-/blob/master/p99/p99_new.h#L425
If `strlen(name)` is 1, `value_size` is 1, and `extra` is 0, then 15 bytes are allocated for `struct error_field` in error_payload_prepare(). However, the size of this structure is 16 because of the padding for the alignment. Thus TRASH() in error_payload_destroy() writes 1 byte beyond the structure.
Closes tarantool#9098
NO_DOC=bugfix
If `strlen(name)` is 1, `value_size` is 1, and `extra` is 0, then 15 bytes are allocated for `struct error_field` in error_payload_prepare(). However, the size of this structure is 16 because of the padding for the alignment. Thus TRASH() in error_payload_destroy() writes 1 byte beyond the structure.
Closes #9098
NO_DOC=bugfix
If `strlen(name)` is 1, `value_size` is 1, and `extra` is 0, then 15 bytes are allocated for `struct error_field` in error_payload_prepare(). However, the size of this structure is 16 because of the padding for the alignment. Thus TRASH() in error_payload_destroy() writes 1 byte beyond the structure.
Closes #9098
NO_DOC=bugfix
(cherry picked from commit 454ffd1)
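As an added illustration (not code from the tarantool repository), the C snippet below models the flexible-array allocation the commit message describes. The `struct field` layout, the `TRASH()` macro and the `field_*` functions are assumptions chosen to reproduce the numbers in the message, not tarantool's own definitions: with a pointer, a 32-bit size and a trailing name array, the name starts at offset 12 on LP64, so counting only the bytes used (12 + name + NUL + value + extra) gives 15 bytes while `sizeof(struct field)` is 16 because of tail padding. The fix is to never allocate less than `sizeof` the struct, so that a whole-object poisoning `memset` in the destroy path stays in bounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Assumed layout, modeled on the described struct error_field: a pointer,
 * a 32-bit size and a flexible name array. The compiler pads the struct to
 * pointer alignment, so sizeof(struct field) exceeds offsetof(name).
 */
struct field {
	char *data;      /* points at the value bytes inside this same allocation */
	uint32_t size;   /* value size in bytes */
	char name[];     /* NUL-terminated name, immediately followed by the value */
};

/* Modeled on a TRASH()-style debug poisoning: overwrites the whole object. */
#define TRASH(ptr) memset((ptr), '#', sizeof(*(ptr)))

/* Bytes the payload actually occupies: header up to name + name + NUL + value + extra.
 * This is the buggy size: it can be smaller than sizeof(struct field). */
size_t field_bytes_used(size_t name_len, size_t value_size, size_t extra)
{
	return offsetof(struct field, name) + name_len + 1 + value_size + extra;
}

/* Corrected size: round up so the allocation always covers the full struct. */
size_t field_bytes_alloc(size_t name_len, size_t value_size, size_t extra)
{
	size_t used = field_bytes_used(name_len, value_size, extra);
	return used < sizeof(struct field) ? sizeof(struct field) : used;
}

/* True when the naive size would let TRASH() write past the end of the block. */
bool field_naive_size_overflows(size_t name_len, size_t value_size, size_t extra)
{
	return field_bytes_used(name_len, value_size, extra) < sizeof(struct field);
}

struct field *field_new(const char *name, const char *value, size_t value_size,
			size_t extra)
{
	size_t name_len = strlen(name);
	struct field *f = malloc(field_bytes_alloc(name_len, value_size, extra));
	if (f == NULL)
		return NULL;
	memcpy(f->name, name, name_len + 1);      /* name plus its NUL */
	f->data = f->name + name_len + 1;         /* value follows the name */
	memcpy(f->data, value, value_size);
	f->size = (uint32_t)value_size;
	return f;
}

void field_delete(struct field *f)
{
	TRASH(f);   /* in bounds only because field_new() rounded the size up */
	free(f);
}

/* Round-trips the exact case from the commit message (1-byte name, 1-byte value). */
bool field_roundtrip_ok(void)
{
	struct field *f = field_new("x", "y", 1, 0);
	if (f == NULL)
		return false;
	bool ok = f->size == 1 && f->data[0] == 'y' && strcmp(f->name, "x") == 0;
	field_delete(f);
	return ok;
}
```

Built with `-fsanitize=address`, replacing `field_bytes_alloc` with `field_bytes_used` in `field_new()` turns the `TRASH(f)` in `field_delete()` into the same 1-byte heap-buffer-overflow report the issue describes; with the rounded size the poisoning stays inside the block.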
The patch adds a fuzzing test for the IPROTO decoding function xrow_decode_error().
Follows up tarantool#8921
Follows up tarantool#9098
NO_DOC=testing
NO_CHANGELOG=testing
Bug description
On using the function xrow_decode_error, AddressSanitizer reports heap-buffer-overflow. The bug was found by a fuzzing test committed in the branch https://github.com/ligurio/tarantool/tree/ligurio/gh-xxxx-add-xrow_decode_error_fuzzer and PR #9022.
Steps to reproduce
How to run: apply the patch below and run

```sh
cmake -S . -B build -DENABLE_ASAN=ON -DENABLE_FUZZER=ON && cmake --build build --parallel --target xrow_decode_error_fuzzer && ./build/test/fuzz/xrow_decode_error_fuzzer <path to reproducer>
```

Reproducer: crash-97b93cdd0c8d06e7fadafb5feccfdbbd13f12da3.txt
Actual behavior
Expected behavior
no heap-buffer-overflow