Alloca instrumentation is really cool :)
пятница, 19 февраля 2016 г., 21:31:46 UTC+3 пользователь Maxim Ostapenko
написал:
>
> FYI, this bug can be found by a patched AddressSanitizer:
>>
>
> ==18133==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address
> 0x7ffc15acc820 at pc 0x00000048fea6 bp 0x7ffc15aca950 sp 0x7ffc15aca0f0
> info: UDP server 1: sending response: 2076 bytes, RCODE 0 (for
> www123.example/1/28)
> READ of size 65536 at 0x7ffc15acc820 thread T0
> #0 0x48fea5 in recvfrom
> /home/max/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:223:3
> #1 0x7febc202028d in send_dg
> /home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_send.c:1265:19
> #2 0x7febc202028d in __libc_res_nsend
> /home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_send.c:527
> #3 0x7febc2015c95 in __GI___libc_res_nquery
> /home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_query.c:227:6
> #4 0x7febc2017a1b in __libc_res_nquerydomain
> /home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_query.c:594:10
> #5 0x7febc2017a1b in __GI___libc_res_nsearch
> /home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_query.c:381
> #6 0x7fea334eddd8 in _nss_dns_gethostbyname4_r
> /home/max/src/CVE-2015-7547/glibc-2.22/resolv/nss_dns/dns-host.c:316:11
> #7 0x7febc139e51a in gaih_inet
> /home/max/src/CVE-2015-7547/glibc-2.22/posix/../sysdeps/posix/getaddrinfo.c:862
> #8 0x7febc13a06ec in __GI_getaddrinfo
> /home/max/src/CVE-2015-7547/glibc-2.22/posix/../sysdeps/posix/getaddrinfo.c:2417
> #9 0x43bf6c in __interceptor_getaddrinfo
> /home/max/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1967:13
> #10 0x4d860c in test_different_sizes
> /home/max/src/CVE-2015-7547/bug18665.c:114:9
> #11 0x4d7dd4 in main /home/max/src/CVE-2015-7547/bug18665.c:139:3
> #12 0x7febc11ed514 in __libc_start_main
> /home/max/src/CVE-2015-7547/glibc-2.22/csu/libc-start.c:289
> #13 0x418fa5 in _start (/home/max/src/CVE-2015-7547/bug18665+0x418fa5)
>
> Address 0x7ffc15acc820 is located in stack of thread T0 at offset 4768 in
> frame
> #0 0x7febc201733f in __GI___libc_res_nsearch
> /home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_query.c:342
>
> This frame has 2 object(s):
> [32, 1057) 'nbuf.i'
> [1200, 2225) 'tmp' <== Memory access at offset 4768 overflows this
> variable
> HINT: this may be a false positive if your program uses some custom stack
> unwind mechanism or swapcontext
> (longjmp and C++ exceptions *are* supported)
> SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow
> /home/max/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:223:3
> in recvfrom
> Shadow bytes around the buggy address:
> 0x100002b518b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x100002b518c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x100002b518d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x100002b518e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x100002b518f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x100002b51900: 00 00 00 00[cb]cb cb cb f1 f1 f1 f1 00 f2 f2 f2
> 0x100002b51910: 00 f2 f2 f2 00 f2 f2 f2 04 f2 00 f2 f2 f2 00 f2
> 0x100002b51920: f2 f2 04 f2 04 f2 04 f3 00 00 00 00 00 00 00 00
> 0x100002b51930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x100002b51940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x100002b51950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==18133==ABORTING
>
> diff --git a/lib/asan/asan_interceptors.cc b/lib/asan/asan_interceptors.cc
> index faac15b..d41a665 100644
> --- a/lib/asan/asan_interceptors.cc
> +++ b/lib/asan/asan_interceptors.cc
> @@ -214,6 +214,17 @@ DECLARE_REAL_AND_INTERCEPTOR(void, free, void *)
> } while (false)
> #include "sanitizer_common/sanitizer_common_syscalls.inc"
>
> +
> +INTERCEPTOR(SSIZE_T, recvfrom, int fd, void *buf, SIZE_T len, int flags,
> + void *srcaddr, int *addrlen) {
> + ENSURE_ASAN_INITED();
> + SIZE_T srcaddr_sz;
> + if (srcaddr) srcaddr_sz = *addrlen;
> + ASAN_READ_RANGE(nullptr, buf, len);
> + SSIZE_T res = REAL(recvfrom)(fd, buf, len, flags, srcaddr, addrlen);
> + return res;
> +}
> +
> struct ThreadStartParam {
> atomic_uintptr_t t;
> atomic_uintptr_t is_registered;
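Review bot: The pre-call check on `buf` at the `ASAN_READ_RANGE(nullptr, buf, len);` line uses the READ variant for a buffer that recvfrom() writes into, which is why the report above labels the overflow "READ of size 65536"; it should be `ASAN_WRITE_RANGE(nullptr, buf, len);` so the diagnostic names the access correctly. Checking the full `len` before the call rather than `res` afterwards is the stricter choice and appears to be what catches this bug, since the kernel need not fill the whole buffer, so that deserves a one-line comment stating it is deliberate. `srcaddr_sz` is computed but never used, and `*addrlen` is dereferenced whenever `srcaddr` is non-null without checking `addrlen` itself; either drop it or use it after the call, e.g. `if (res >= 0 && srcaddr && addrlen) ASAN_WRITE_RANGE(nullptr, srcaddr, Min(srcaddr_sz, (SIZE_T)*addrlen));` (assuming a `Min` helper is in scope here, and keeping the pre-call snapshot because the kernel updates `*addrlen`). If this file is also built for targets without recvfrom, the interceptor may need a platform guard; confirm against how the file handles its other POSIX-only interceptors.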
> @@ -759,6 +770,8 @@ void InitializeAsanInterceptors() {
> ASAN_INTERCEPT_FUNC(memcpy);
> }
>
> + INTERCEPT_FUNCTION(recvfrom);
> +
> // Intercept str* functions.
> ASAN_INTERCEPT_FUNC(strcat); // NOLINT
> ASAN_INTERCEPT_FUNC(strchr);
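Review bot: The new registration uses bare `INTERCEPT_FUNCTION(recvfrom);` while every neighbouring line in this hunk registers through `ASAN_INTERCEPT_FUNC(...)`; for consistency, and for any failure reporting that wrapper may add, it should be `ASAN_INTERCEPT_FUNC(recvfrom);`. Dropping it between the memcpy block and the str* group without a comment also hides why it is here; a line such as `// Intercept recvfrom so an oversized len is reported against the destination buffer.` would help the next reader. InitializeAsanInterceptors() starts and ends outside the hunk.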
>
>
>
> Kostya, perhaps it makes sense to add a recvfrom interceptor to ASan? MSan
> already has one.
>
>