heap out of bound read #92

Closed
kcwu opened this issue Aug 25, 2015 · 5 comments

Comments


@kcwu kcwu commented Aug 25, 2015

How to reproduce:
0. Build tmux with clang-3.6 -fsanitize=address (version: latest master).
1. ./tmux.asan new -d cat tmux-read-error.bug

Input

$ xxd tmux-read-error.bug   # use "xxd -r" to revert
0000000: e456 9937 0000 0121 380c 0004 1e00 152d  .V.7...!8......-
0000010: 6a6a 1b4b 0040 2052 0001 3e0d 401b 7435  jj.K.@ R..>.@.t5
0000020: 1b5b 3232 3243 321b 5b32 3220 3232 4332  .[222C2.[22 22C2
0000030: 9b5b 3239 3243 3232 3232 1b5b ffff 3243  .[292C2222.[..2C
0000040: 321b 5b32 3232 3232 4332 1b5b 3339 3212  2.[22222C2.[392.
0000050: ee1b 5b32 320f 431f 1b5b 3232 325a 3243  ..[22.C..[222Z2C
0000060: 321b 5b32 3232 64e0 e043 035b 3239 3243  2.[222d..C.[292C
0000070: 3232 3200 805b 3232 3243 321b 5b32 4b32  222..[222C2.[2K2
0000080: 3232 5332 0400 ffff 3232 4543 3200 805b  22S2....22EC2..[
0000090: 64df 647b 62ee 035a 7676 7676 7676 7676  d.d{b..Zvvvvvvvv
00000a0: 7676 7676 7676 7676 7676 7676 7676 40ee  vvvvvvvvvvvvvv@.
00000b0: ef00 ef09 1b1b 6f00 ba00 ff00 5b5b 5b5b  ......o.....[[[[
00000c0: 1b6a 0040 2000 001b 5b01 3e0d 401b 3a80  .j.@ ...[.>.@.:.
00000d0: 2000 e31a 5b01 3e0d 401b 3a80 8d35 3b31   ...[.>.@.:..5;1
00000e0: 3b74 356d 0397 f6e6 e685 b2ee 4332 3200  ;t5m........C22.
00000f0: 0035 3b1c 3b74 356d 0397 f6e6 e632 4380  .5;.;t5m.....2C.
0000100: 0032 321b 5b50 3245 3232 4330 1b5b f800  .22.[P2E22C0.[..
0000110: 0064 3a45 320b 5b4a 3932 4332 3232 321b  .d:E2.[J92C2222.
0000120: 5b50 3232 ffff 0000 3232 4a39 3243 3232  [P22....22J92C22
0000130: 5b32 3932 12ee 1b5b 3232 3243 3220 5b5b  [292...[222C2 [[
0000140: 3232 3232 3243 321b 5b33 3932 12ee 1b5b  22222C2.[392...[
0000150: 3232 0f43 1f1b 5b32 3232 5a32 321b 5bff  22.C..[222Z22.[.
0000160: ff44 4332 ff00 0032 32e8 0332 4332 1b5b  .DC2...22..2C2.[
0000170: 6f00 ba00 ff00 5b5b 401b                 o.....[[@.
=================================================================
==10491==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000016f9 at pc 0x00000057504d bp 0x7fff9f38c8d0 sp 0x7fff9f38c8c8
READ of size 1 at 0x6040000016f9 thread T0
    #0 0x57504c  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x57504c)
    #1 0x577710  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x577710)
    #2 0x66dca0  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x66dca0)
    #3 0x7ff4c35da7c9  (/usr/lib/x86_64-linux-gnu/libevent-2.0.so.5+0x187c9)
    #4 0x7ff4c35cff23  (/usr/lib/x86_64-linux-gnu/libevent-2.0.so.5+0xdf23)
    #5 0x5dea39  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x5dea39)
    #6 0x4fa830  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x4fa830)
    #7 0x4fb05f  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x4fb05f)
    #8 0x5fff02  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x5fff02)
    #9 0x7ff4c24bdec4  (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #10 0x44acb6  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x44acb6)

0x6040000016f9 is located 2 bytes to the right of 39-byte region [0x6040000016d0,0x6040000016f7)
allocated by thread T0 here:
    #0 0x4d1deb  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x4d1deb)
    #1 0x5c8e7f  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x5c8e7f)

Shadow bytes around the buggy address:
  0x0c087fff8280: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
  0x0c087fff8290: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff82a0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 01 fa
  0x0c087fff82b0: fa fa 00 00 00 00 02 fa fa fa 00 00 00 00 01 fa
  0x0c087fff82c0: fa fa 00 00 00 00 02 fa fa fa 00 00 00 00 01 fa
=>0x0c087fff82d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 07[fa]
  0x0c087fff82e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff82f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8300: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8310: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8320: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10491==ABORTING

This was found by afl-fuzz.
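Added example, not part of the issue and not tmux code: a small Python triage parser for AddressSanitizer heap reports of the kind posted above. It takes the report text from this issue as its sample input, cross-checks ASan's own arithmetic (region bounds against the stated size, and the stated distance against the addresses), splits the access stack from the allocation stack, and decodes the bracketed shadow byte with the legend ASan prints. The regexes, field names and summary format are this example's own choices, not an ASan API.

```python
import re

# Sample input: the relevant lines of the ASan report from this issue
# (a trimmed copy of what kcwu posted; the original report is longer).
SAMPLE_REPORT = """\
==10491==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000016f9 at pc 0x00000057504d bp 0x7fff9f38c8d0 sp 0x7fff9f38c8c8
READ of size 1 at 0x6040000016f9 thread T0
    #0 0x57504c  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x57504c)
    #1 0x577710  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x577710)
    #2 0x66dca0  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x66dca0)

0x6040000016f9 is located 2 bytes to the right of 39-byte region [0x6040000016d0,0x6040000016f7)
allocated by thread T0 here:
    #0 0x4d1deb  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x4d1deb)
    #1 0x5c8e7f  (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x5c8e7f)

Shadow bytes around the buggy address:
  0x0c087fff82c0: fa fa 00 00 00 00 02 fa fa fa 00 00 00 00 01 fa
=>0x0c087fff82d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 07[fa]
  0x0c087fff82e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
==10491==ABORTING
"""

# Shadow byte legend as printed by ASan itself (heap-relevant entries only).
# ASan marks heap redzones "fa", so a read just past the end of one chunk is
# reported as landing in the "Heap left redzone" of the neighbouring chunk.
SHADOW_LEGEND = {
    "00": "Addressable",
    "fa": "Heap left redzone",
    "fb": "Heap right redzone",
    "fd": "Freed heap region",
}

HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+) thread (?P<thread>T\d+)", re.M)
REGION_RE = re.compile(
    r"(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes "
    r"(?P<side>to the left of|to the right of|inside of) "
    r"(?P<size>\d+)-byte region \[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)")
FRAME_RE = re.compile(
    r"^\s+#(?P<n>\d+) (?P<pc>0x[0-9a-f]+)\s+\((?P<module>[^+]+)\+(?P<off>0x[0-9a-f]+)\)", re.M)
SHADOW_RE = re.compile(r"^=>.*\[(?P<byte>[0-9a-f]{2})\]", re.M)


def parse_asan_report(text):
    """Parse one ASan heap report into a dict and verify its internal consistency."""
    header = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    region = REGION_RE.search(text)
    if not (header and access and region):
        raise ValueError("not a recognisable ASan heap report")

    addr = int(access["addr"], 16)
    start, end = int(region["start"], 16), int(region["end"], 16)
    region_size = int(region["size"])
    # Cross-check: the half-open interval must really be region_size bytes long.
    if end - start != region_size:
        raise ValueError("region bounds disagree with stated size")
    # Cross-check: recompute the distance from the addresses and compare it
    # with the number ASan printed; a mismatch means a garbled or edited report.
    if region["side"] == "to the right of":
        distance = addr - end
    elif region["side"] == "to the left of":
        distance = start - addr
    else:
        distance = addr - start
    if distance != int(region["dist"]):
        raise ValueError("stated distance disagrees with addresses")

    # Frames between the access line and the region line belong to the faulting
    # access; frames after the region line belong to the allocation site.
    access_stack = [(m["module"], m["off"])
                    for m in FRAME_RE.finditer(text[access.end():region.start()])]
    alloc_stack = [(m["module"], m["off"])
                   for m in FRAME_RE.finditer(text[region.end():])]

    shadow = SHADOW_RE.search(text)
    shadow_byte = shadow["byte"] if shadow else None
    return {
        "pid": int(header["pid"]),
        "kind": header["kind"],
        "op": access["op"],            # READ here: an over-read, not a corrupting write
        "size": int(access["size"]),
        "address": addr,
        "region": (start, end),
        "region_size": region_size,
        "side": region["side"],
        "distance": distance,
        "shadow_byte": shadow_byte,
        "shadow_meaning": SHADOW_LEGEND.get(shadow_byte, "unknown"),
        "access_stack": access_stack,
        "alloc_stack": alloc_stack,
    }


def summarize(r):
    """One-line triage summary suitable for a bug tracker or dedup key."""
    return (f"{r['kind']}: {r['op']} of {r['size']} byte(s) {r['distance']} bytes "
            f"{r['side']} a {r['region_size']}-byte heap region "
            f"(shadow {r['shadow_byte']} = {r['shadow_meaning']})")


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

The consistency checks matter when reports are copied by hand into trackers: the two numbers ASan prints (region size and distance) are derived from the addresses, so recomputing them catches truncated or mis-pasted lines before a summary is filed. Splitting the two stacks apart is what lets the allocation site (the 39-byte buffer) be paired with the reading site when the fix is later verified.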


@nicm nicm commented Aug 25, 2015

This should be fixed now, thanks.

@nicm nicm closed this Aug 25, 2015

@kcwu kcwu commented Aug 25, 2015

Do you mean fixed by 3219e03?
If so, no, this is still detected with 3219e03 applied.


@kcwu kcwu commented Aug 28, 2015

I found this is fixed by 2ffbd5b, thanks.


@nicm nicm commented Aug 28, 2015

Yes that's the one I meant. Thanks!


@lock lock bot commented Feb 16, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Feb 16, 2020