Re: glibc, asan and libfuzzer

Fri, 19 Feb 2016 10:32:40 -0800 

>
> FYI, this bug can be found by patched AddressSanitizer:
>

==18133==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 
0x7ffc15acc820 at pc 0x00000048fea6 bp 0x7ffc15aca950 sp 0x7ffc15aca0f0
info: UDP server 1: sending response: 2076 bytes, RCODE 0 (for 
www123.example/1/28)
READ of size 65536 at 0x7ffc15acc820 thread T0
    #0 0x48fea5 in recvfrom 
/home/max/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:223:3
    #1 0x7febc202028d in send_dg 
/home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_send.c:1265:19
    #2 0x7febc202028d in __libc_res_nsend 
/home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_send.c:527
    #3 0x7febc2015c95 in __GI___libc_res_nquery 
/home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_query.c:227:6
    #4 0x7febc2017a1b in __libc_res_nquerydomain 
/home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_query.c:594:10
    #5 0x7febc2017a1b in __GI___libc_res_nsearch 
/home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_query.c:381
    #6 0x7fea334eddd8 in _nss_dns_gethostbyname4_r 
/home/max/src/CVE-2015-7547/glibc-2.22/resolv/nss_dns/dns-host.c:316:11
    #7 0x7febc139e51a in gaih_inet 
/home/max/src/CVE-2015-7547/glibc-2.22/posix/../sysdeps/posix/getaddrinfo.c:862
    #8 0x7febc13a06ec in __GI_getaddrinfo 
/home/max/src/CVE-2015-7547/glibc-2.22/posix/../sysdeps/posix/getaddrinfo.c:2417
    #9 0x43bf6c in __interceptor_getaddrinfo 
/home/max/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1967:13
    #10 0x4d860c in test_different_sizes 
/home/max/src/CVE-2015-7547/bug18665.c:114:9
    #11 0x4d7dd4 in main /home/max/src/CVE-2015-7547/bug18665.c:139:3
    #12 0x7febc11ed514 in __libc_start_main 
/home/max/src/CVE-2015-7547/glibc-2.22/csu/libc-start.c:289
    #13 0x418fa5 in _start (/home/max/src/CVE-2015-7547/bug18665+0x418fa5)

Address 0x7ffc15acc820 is located in stack of thread T0 at offset 4768 in 
frame
    #0 0x7febc201733f in __GI___libc_res_nsearch 
/home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_query.c:342

  This frame has 2 object(s):
    [32, 1057) 'nbuf.i'
    [1200, 2225) 'tmp' <== Memory access at offset 4768 overflows this 
variable
HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow 
/home/max/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:223:3 
in recvfrom
Shadow bytes around the buggy address:
  0x100002b518b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100002b518c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100002b518d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100002b518e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100002b518f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100002b51900: 00 00 00 00[cb]cb cb cb f1 f1 f1 f1 00 f2 f2 f2
  0x100002b51910: 00 f2 f2 f2 00 f2 f2 f2 04 f2 00 f2 f2 f2 00 f2
  0x100002b51920: f2 f2 04 f2 04 f2 04 f3 00 00 00 00 00 00 00 00
  0x100002b51930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100002b51940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100002b51950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18133==ABORTING

diff --git a/lib/asan/asan_interceptors.cc b/lib/asan/asan_interceptors.cc
index faac15b..d41a665 100644
--- a/lib/asan/asan_interceptors.cc
+++ b/lib/asan/asan_interceptors.cc
@@ -214,6 +214,17 @@ DECLARE_REAL_AND_INTERCEPTOR(void, free, void *)
   } while (false)
 #include "sanitizer_common/sanitizer_common_syscalls.inc"
 
+
+INTERCEPTOR(SSIZE_T, recvfrom, int fd, void *buf, SIZE_T len, int flags,
+            void *srcaddr, int *addrlen) {
+  ENSURE_ASAN_INITED();
+  SIZE_T srcaddr_sz;
+  if (srcaddr) srcaddr_sz = *addrlen;
+  ASAN_READ_RANGE(nullptr, buf, len);
+  SSIZE_T res = REAL(recvfrom)(fd, buf, len, flags, srcaddr, addrlen);
+  return res;
+}
+
 struct ThreadStartParam {
   atomic_uintptr_t t;
   atomic_uintptr_t is_registered;
@@ -759,6 +770,8 @@ void InitializeAsanInterceptors() {
     ASAN_INTERCEPT_FUNC(memcpy);
   }
 
+  INTERCEPT_FUNCTION(recvfrom);
+
   // Intercept str* functions.
   ASAN_INTERCEPT_FUNC(strcat);  // NOLINT
   ASAN_INTERCEPT_FUNC(strchr);



Kostya, perhaps it makes sense to add recvfrom interceptor to ASan? MSan 
has it.
 

-- 
You received this message because you are subscribed to the Google Groups 
"address-sanitizer" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to