A crafted input will lead to a crash in mat5.c at matio 1.5.17. Triggered by ./matdump POC
PoC: 004Mat_VarRead53574
The ASAN information is as follows:
./matdump 004Mat_VarRead53574
==22145==ERROR: AddressSanitizer failed to allocate 0x4c1a84000 (20428898304) bytes of LargeMmapAllocator (errno: 12)
==22145==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0x7fd224fbb631 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7fd224fc05e3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
    #2 0x7fd224fc8611 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xad611)
    #3 0x7fd224f3dc0c (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22c0c)
    #4 0x7fd224fb35d2 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)
    #5 0x7fd224c486d6 in Mat_VarRead5 /home/matio_asan/src/mat5.c:3574
    #6 0x7fd224c333b5 in ReadNextCell /home/matio_asan/src/mat5.c:1063
    #7 0x7fd224cf0e78 in Mat_VarReadNextInfo5 /home/matio_asan/src/mat5.c:4961
    #8 0x7fd224d0746b in Mat_VarReadNextInfo /home/matio_asan/src/mat.c:2342
    #9 0x408126 in main /home/matio_asan/tools/matdump.c:944
    #10 0x7fd2244e282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x401b58 in _start (/usr/local/matio_asan/bin/matdump+0x401b58)
About the code at mat5.c:3574 (the marked line is where malloc() is reached):
            Mat_VarReadNumeric5(mat, matvar, complex_data->Im, nelems);
            matvar->data = complex_data;
        } else {
            err = SafeMul(&matvar->nbytes, nelems, matvar->data_size);
            if ( err ) {
                Mat_Critical("Integer multiplication overflow");
                break;
            }
            matvar->data = malloc(matvar->nbytes);   /* <---------- line 3574 */
            if ( NULL == matvar->data ) {
                Mat_Critical("Couldn't allocate memory for the data");
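Added example, not matio's code: a hypothetical allocation guard that, in addition to the SafeMul-style overflow check in the snippet above, bounds the requested size against the bytes still readable from the input. The 0x4c1a84000-byte request in the report fits comfortably in a 64-bit size_t, so an overflow check alone lets it reach malloc(); the `avail` parameter, the helper names and the sample values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not matio code): compute nelems * data_size, rejecting
 * both integer overflow and any result larger than the bytes still available
 * in the input. Returns the byte count, or SIZE_MAX when the request is
 * rejected (SIZE_MAX can never be a valid allocation size, so it is a safe
 * sentinel). */
size_t bounded_data_size(size_t nelems, size_t data_size, size_t avail)
{
    /* Overflow check, same idea as the SafeMul() call in the report. */
    if (data_size != 0 && nelems > SIZE_MAX / data_size)
        return SIZE_MAX;
    size_t total = nelems * data_size;
    /* A variable's uncompressed payload cannot exceed what the file still
     * holds, so a hostile element count is caught before malloc() is asked
     * for tens of gigabytes. */
    if (total > avail)
        return SIZE_MAX;
    return total;
}

/* Allocate only after both checks pass; *nbytes receives the accepted size. */
void *alloc_var_data(size_t nelems, size_t data_size, size_t avail, size_t *nbytes)
{
    size_t total = bounded_data_size(nelems, data_size, avail);
    if (total == SIZE_MAX)
        return NULL;
    *nbytes = total;
    return malloc(total);
}

int main(void)
{
    /* Constructed values: the report's 0x4c1a84000-byte request expressed as
     * 0x98350800 eight-byte elements, checked against a 4 KiB input. */
    size_t big = bounded_data_size(0x98350800ULL, 8, 4096);
    printf("oversized request rejected: %s\n", big == SIZE_MAX ? "yes" : "no");
    size_t ovf = bounded_data_size(SIZE_MAX / 2, 4, 4096);
    printf("overflowing request rejected: %s\n", ovf == SIZE_MAX ? "yes" : "no");
    size_t ok = bounded_data_size(100, 8, 4096);
    printf("sane request accepted: %zu bytes\n", ok);
    return 0;
}
```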
No need to report fuzzing issues since matio is on OSS-Fuzz with still about 40 open issues.
Instead of v1.5.17, please rerun the test against current master and reopen if the issue is still reproducible.
Yes, I just used 'git clone' to fetch the current master of matio; the issue is still reproducible.
I'm sure the issue is different from the fuzzing issues on OSS-Fuzz.
I can confirm that the number of allocated bytes is high, but I cannot confirm the crash.
CVE-2019-20019 has been assigned for this issue.