Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

【fuzz】heap-buffer-overflow #956

Closed
zhangtaoXT5 opened this issue Jun 3, 2021 · 0 comments · Fixed by #1097
Closed

【fuzz】heap-buffer-overflow #956

zhangtaoXT5 opened this issue Jun 3, 2021 · 0 comments · Fixed by #1097
Assignees
@michael-grunder
Labels
bug

Comments

@zhangtaoXT5
Copy link
Contributor

1、python infra/helper.py build_fuzzers --sanitizer address hiredis
2、python infra/helper.py run_fuzzer hiredis format_command_fuzzer -rss_limit_mb=0

==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000024715 at pc 0x00000054f1bb bp 0x7ffc63cf1490 sp 0x7ffc63cf1488
READ of size 1 at 0x602000024715 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
#0 0x54f1ba in redisvFormatCommand /src/hiredis/hiredis.c:231:11
#1 0x54f45e in redisFormatCommand /src/hiredis/hiredis.c:460:11
#2 0x54d599 in LLVMFuzzerTestOneInput /src/hiredis/format_command_fuzzer.c:51:5
#3 0x458241 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#4 0x457985 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
#5 0x459a57 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
#6 0x45a4d5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocatorfuzzer::SizedFile >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
#7 0x4494ae in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
#8 0x471c82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#9 0x7ff76646882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x41dbb8 in _start (/out/format_command_fuzzer+0x41dbb8)

0x602000024715 is located 0 bytes to the right of 5-byte region [0x602000024710,0x602000024715)
allocated by thread T0 here:
#0 0x51d8fd in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x54d54a in LLVMFuzzerTestOneInput /src/hiredis/format_command_fuzzer.c:44:15
#2 0x458241 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#3 0x457985 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
#4 0x459a57 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
#5 0x45a4d5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocatorfuzzer::SizedFile >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
#6 0x4494ae in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
#7 0x471c82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#8 0x7ff76646882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/hiredis/hiredis.c:231:11 in redisvFormatCommand
Shadow bytes around the buggy address:
0x0c047fffc890: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fffc8a0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fffc8b0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fffc8c0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fffc8d0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa 04 fa
=>0x0c047fffc8e0: fa fa[05]fa fa fa fd fd fa fa 00 03 fa fa 00 fa
0x0c047fffc8f0: fa fa 00 01 fa fa fd fd fa fa fa fa fa fa fa fa
0x0c047fffc900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffc910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffc920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffc930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==13==ABORTING
MS: 4 InsertByte-ChangeByte-CopyPart-CrossOver-; base unit: 3b14a47b85ca3137afa69b9a883507a1bb29eeb8
0x23,0x20,0x25,0x20,

%

artifact_prefix='./'; Test unit written to ./crash-9178db74f1ab7d2b70b823088539af55ad353c9d
@zhangtaoXT5 zhangtaoXT5 changed the title 【fuzz】缓冲区溢出 【fuzz】fix heap-buffer-overflow Jun 3, 2021
@zhangtaoXT5 zhangtaoXT5 changed the title 【fuzz】fix heap-buffer-overflow 【fuzz】heap-buffer-overflow Jun 3, 2021
@zhangtaoXT5 zhangtaoXT5 mentioned this issue Jun 3, 2021
Merged
@michael-grunder michael-grunder self-assigned this Aug 29, 2022
@bjosv bjosv mentioned this issue Sep 1, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michael-grunder michael-grunder

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix heap-buffer-overflow issue in redisvFormatCommad Nordix/hiredis
2 participants
@michael-grunder @zhangtaoXT5