On Fri, Feb 19, 2016 at 10:28 AM, Maxim Ostapenko <[email protected]>
wrote:

> FYI, this bug can be found by a patched AddressSanitizer:
By patched, you mean the recvfrom interceptor below, right?
Would you like to contribute it?
>
> ==18133==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address
> 0x7ffc15acc820 at pc 0x00000048fea6 bp 0x7ffc15aca950 sp 0x7ffc15aca0f0
> info: UDP server 1: sending response: 2076 bytes, RCODE 0 (for
> www123.example/1/28)
> READ of size 65536 at 0x7ffc15acc820 thread T0
>     #0 0x48fea5 in recvfrom
> /home/max/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:223:3
>     #1 0x7febc202028d in send_dg
> /home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_send.c:1265:19
>     #2 0x7febc202028d in __libc_res_nsend
> /home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_send.c:527
>     #3 0x7febc2015c95 in __GI___libc_res_nquery
> /home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_query.c:227:6
>     #4 0x7febc2017a1b in __libc_res_nquerydomain
> /home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_query.c:594:10
>     #5 0x7febc2017a1b in __GI___libc_res_nsearch
> /home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_query.c:381
>     #6 0x7fea334eddd8 in _nss_dns_gethostbyname4_r
> /home/max/src/CVE-2015-7547/glibc-2.22/resolv/nss_dns/dns-host.c:316:11
>     #7 0x7febc139e51a in gaih_inet
> /home/max/src/CVE-2015-7547/glibc-2.22/posix/../sysdeps/posix/getaddrinfo.c:862
>     #8 0x7febc13a06ec in __GI_getaddrinfo
> /home/max/src/CVE-2015-7547/glibc-2.22/posix/../sysdeps/posix/getaddrinfo.c:2417
>     #9 0x43bf6c in __interceptor_getaddrinfo
> /home/max/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1967:13
>     #10 0x4d860c in test_different_sizes
> /home/max/src/CVE-2015-7547/bug18665.c:114:9
>     #11 0x4d7dd4 in main /home/max/src/CVE-2015-7547/bug18665.c:139:3
>     #12 0x7febc11ed514 in __libc_start_main
> /home/max/src/CVE-2015-7547/glibc-2.22/csu/libc-start.c:289
>     #13 0x418fa5 in _start (/home/max/src/CVE-2015-7547/bug18665+0x418fa5)
>
> Address 0x7ffc15acc820 is located in stack of thread T0 at offset 4768 in
> frame
>     #0 0x7febc201733f in __GI___libc_res_nsearch
> /home/max/src/CVE-2015-7547/glibc-2.22/resolv/res_query.c:342
>
>   This frame has 2 object(s):
>     [32, 1057) 'nbuf.i'
>     [1200, 2225) 'tmp' <== Memory access at offset 4768 overflows this
> variable
> HINT: this may be a false positive if your program uses some custom stack
> unwind mechanism or swapcontext
>       (longjmp and C++ exceptions *are* supported)
> SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow
> /home/max/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:223:3
> in recvfrom
> Shadow bytes around the buggy address:
>   0x100002b518b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x100002b518c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x100002b518d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x100002b518e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x100002b518f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x100002b51900: 00 00 00 00[cb]cb cb cb f1 f1 f1 f1 00 f2 f2 f2
>   0x100002b51910: 00 f2 f2 f2 00 f2 f2 f2 04 f2 00 f2 f2 f2 00 f2
>   0x100002b51920: f2 f2 04 f2 04 f2 04 f3 00 00 00 00 00 00 00 00
>   0x100002b51930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x100002b51940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x100002b51950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==18133==ABORTING
>
> diff --git a/lib/asan/asan_interceptors.cc b/lib/asan/asan_interceptors.cc
> index faac15b..d41a665 100644
> --- a/lib/asan/asan_interceptors.cc
> +++ b/lib/asan/asan_interceptors.cc
> @@ -214,6 +214,17 @@ DECLARE_REAL_AND_INTERCEPTOR(void, free, void *)
>    } while (false)
>  #include "sanitizer_common/sanitizer_common_syscalls.inc"
>
> +
> +INTERCEPTOR(SSIZE_T, recvfrom, int fd, void *buf, SIZE_T len, int flags,
> +            void *srcaddr, int *addrlen) {
> +  ENSURE_ASAN_INITED();
> +  SIZE_T srcaddr_sz;
> +  if (srcaddr) srcaddr_sz = *addrlen;
> +  ASAN_READ_RANGE(nullptr, buf, len);
> +  SSIZE_T res = REAL(recvfrom)(fd, buf, len, flags, srcaddr, addrlen);
> +  return res;
> +}
> +
>  struct ThreadStartParam {
>    atomic_uintptr_t t;
>    atomic_uintptr_t is_registered;
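Review bot: the range check `ASAN_READ_RANGE(nullptr, buf, len);` should be `ASAN_WRITE_RANGE`: recvfrom() stores into `buf`, and with the read variant the report above describes the access as "READ of size 65536" when it is a write. Checking the full `len` before the real call, rather than only `res` bytes afterwards, is the right choice here (a `len` larger than the destination is exactly the bug being hunted), but it needs to be a write check. Also, `srcaddr_sz` is loaded from `*addrlen` and then never used, and `addrlen` is dereferenced without being checked: either drop the variable, or after `REAL(recvfrom)` returns check `addrlen` as a read/write of `sizeof(*addrlen)` and the bytes actually stored in `srcaddr` as a write of the smaller of `srcaddr_sz` and the updated `*addrlen`, so that an address buffer shorter than the caller claimed is caught the same way `buf` is.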
> @@ -759,6 +770,8 @@ void InitializeAsanInterceptors() {
>      ASAN_INTERCEPT_FUNC(memcpy);
>    }
>
> +  INTERCEPT_FUNCTION(recvfrom);
> +
>    // Intercept str* functions.
>    ASAN_INTERCEPT_FUNC(strcat);  // NOLINT
>    ASAN_INTERCEPT_FUNC(strchr);
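Review bot: `INTERCEPT_FUNCTION(recvfrom);` bypasses the `ASAN_INTERCEPT_FUNC` wrapper that every neighbouring registration in this function uses; make it `ASAN_INTERCEPT_FUNC(recvfrom);` for consistency. It is also wedged between the memcpy block and the `// Intercept str* functions.` comment, so that comment no longer introduces the line after it; give it a group of its own with a short comment in the same style.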
>
>
>
> Kostya, perhaps it makes sense to add a recvfrom interceptor to ASan? MSan
> has it.
>

-- 
You received this message because you are subscribed to the Google Groups 
"address-sanitizer" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
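Added example by the editor, not code from the thread, from compiler-rt or from glibc: the interceptor above catches the case where the length passed to recvfrom() (65536 in the report) exceeds the destination object (the 1025-byte 'tmp' frame object). The wrapper below performs that same check in the caller before the kernel writes anything, and additionally uses MSG_TRUNC to notice a datagram longer than the buffer (the report's 2076-byte response would not fit in 1025 bytes). It runs offline over a UNIX datagram socketpair; the payload and the names bounded_recvfrom and demo_receive are the editor's own and are not from the page.

```c
/* Added example (editor's own, not from the thread, compiler-rt or glibc).
 * bounded_recvfrom() refuses the call pattern ASan flagged: a length larger
 * than the destination buffer.  It also asks for MSG_TRUNC so that an
 * oversized datagram is reported instead of silently cut short. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Receive one datagram into buf, which holds bufsz bytes, using the
 * caller-supplied len.  Returns the bytes stored, -1 on error (errno set,
 * EINVAL when len > bufsz, checked before the kernel touches buf) and -2
 * when the datagram was longer than len (detected via MSG_TRUNC, which on
 * Linux makes recvfrom return the real datagram length). */
ssize_t bounded_recvfrom(int fd, void *buf, size_t bufsz, size_t len)
{
    if (len > bufsz) {           /* the bug class: len lies about the space */
        errno = EINVAL;
        return -1;
    }
    struct sockaddr_storage src;
    socklen_t srclen = sizeof src;
    ssize_t n = recvfrom(fd, buf, len, MSG_TRUNC,
                         (struct sockaddr *)&src, &srclen);
    if (n < 0)
        return -1;
    if ((size_t)n > len)         /* truncated: only len bytes landed in buf */
        return -2;
    return n;
}

/* Send a constructed datagram of payload_len bytes (all 'A') over a
 * socketpair and receive it into a 1025-byte stack buffer, the size of
 * the 'tmp' object in the report, passing claimed_len as the length.
 * Returns whatever bounded_recvfrom() returned. */
ssize_t demo_receive(size_t payload_len, size_t claimed_len)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    char payload[4096];          /* constructed sample data, not real DNS */
    memset(payload, 'A', sizeof payload);
    if (payload_len > sizeof payload)
        payload_len = sizeof payload;
    (void)send(sv[0], payload, payload_len, 0);

    char tmp[1025];
    ssize_t r = bounded_recvfrom(sv[1], tmp, sizeof tmp, claimed_len);
    close(sv[0]);
    close(sv[1]);
    return r;
}

int main(void)
{
    printf("honest length, 512-byte datagram:  %zd\n", demo_receive(512, 1025));
    printf("honest length, 2076-byte datagram: %zd\n", demo_receive(2076, 1025));
    printf("claimed 65536 into 1025 bytes:     %zd\n", demo_receive(2076, 65536));
    return 0;
}
```

The third call is the shape of the glibc bug: the recvfrom length is 65536 while the buffer is 1025 bytes, and the wrapper rejects it before any write, which is the same decision the proposed interceptor makes with a range check on buf.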