Jiri Danek created PROTON-1359:
----------------------------------
Summary: heap-buffer-overflow in pn_decoder_readf32 when invoking pn_message_decode
Key: PROTON-1359
URL: https://issues.apache.org/jira/browse/PROTON-1359
Project: Qpid Proton
Issue Type: Bug
Components: proton-c
Affects Versions: 0.16.0
Reporter: Jiri Danek
{noformat}
$ nc -l 5672 < crafted_from_minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43
$ ./libuv_receive -a 127.0.0.1:5672/jms.queue.example
Segmentation fault (core dumped)
(gdb) thread apply all bt
<snip>
#5209 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970,
data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
#5210 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970,
data=0x209c480, code=0x7ffd99972817 "")
at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
#5211 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970,
data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
#5212 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970,
data=0x209c480, code=0x7ffd99972897 "")
at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
#5213 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970,
data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
#5214 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970,
data=0x209c480, code=0x7ffd99972917 "")
at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
#5215 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970,
data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
#5216 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970,
data=0x209c480, code=0x7ffd99972997 "")
at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
#5217 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970,
data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
#5218 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970,
data=0x209c480, code=0x7ffd99972a17 "")
at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
#5219 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970,
data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
#5220 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970,
data=0x209c480, code=0x7ffd99972a97 "")
at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
#5221 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970,
data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
#5222 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970,
data=0x209c480, code=0x7ffd99972b17 "\377\200\304\t\002")
at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
#5223 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970,
data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
#5224 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970,
data=0x209c480, code=0x7ffd99972b97 "")
at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
#5225 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970,
data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
#5226 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970,
data=0x209c480, code=0x7ffd99972c17 "")
at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
#5227 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970,
data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
#5228 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970,
data=0x209c480, code=0x7ffd99972c97 "")
at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
#5229 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970,
data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
#5230 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970,
data=0x209c480, code=0x7ffd99972e0d "")
at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
#5231 0x00007f36d947b2ac in pni_decoder_decode_value (decoder=0x209c970,
data=0x209c480, code=240 '\360') at
/home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:395
#5232 0x00007f36d947a67a in pni_decoder_single (decoder=0x209c970,
data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:476
#5233 0x00007f36d947a5b8 in pn_decoder_decode (decoder=0x209c970, src=0x6095c0
<decode_message.buffer> "\360\001", size=2, dst=0x209c480)
at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:490
#5234 0x00007f36d947956d in pn_data_decode (data=0x209c480, bytes=0x6095c0
<decode_message.buffer> "\360\001", size=2)
at /home/jdanek/Bin/qpid-proton/proton-c/src/core/codec.c:1437
#5235 0x00007f36d94925fb in pn_message_decode (msg=0x209bc80, bytes=0x6095c0
<decode_message.buffer> "\360\001", size=2)
at /home/jdanek/Bin/qpid-proton/proton-c/src/core/message.c:635
#5236 0x0000000000404742 in decode_message (dlv=0x208a9b0) at
/home/jdanek/Bin/qpid-proton/examples/c/proactor/receive.c:73
#5237 0x00000000004044c6 in handle (app=0x7ffd99973288, event=0x20968e0) at
/home/jdanek/Bin/qpid-proton/examples/c/proactor/receive.c:106
#5238 0x00000000004042e3 in main (argc=3, argv=0x7ffd99973ba8) at
/home/jdanek/Bin/qpid-proton/examples/c/proactor/receive.c:197
{noformat}
I created the input file used in Steps to Reproduce by first finding an input
that causes a memory error when given to {{pn_message_decode}} and then putting
it in as the payload of an AMQP frame. The memory issue in {{pn_message_decode}}
when decoding the data in {{minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43}} is
{noformat}
==31043==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000035 at pc 0x7ff26f426ba1 bp 0x7fff7d5fcf30 sp 0x7fff7d5fcf28
READ of size 1 at 0x602000000035 thread T0
#0 0x7ff26f426ba0 in pn_decoder_readf32
/home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:80:26
#1 0x7ff26f426ba0 in pni_decoder_decode_value
/home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:377
#2 0x7ff26f423369 in pni_decoder_single
/home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:476:9
#3 0x7ff26f423369 in pn_decoder_decode
/home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:490
#4 0x7ff26f41fde2 in pn_data_decode
/home/jdanek/Work/qpid-proton/proton-c/src/core/codec.c:1437:10
#5 0x7ff26f468f3c in pn_message_decode
/home/jdanek/Work/qpid-proton/proton-c/src/core/message.c:635:20
#6 0x4f5abf in LLVMFuzzerTestOneInput
/home/jdanek/Work/qpid-proton/proton-c/src/tests/fuzz_message_decode.c:8:15
#7 0x4fdd97 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:515:13
#8 0x4fdf85 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned
long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
#9 0x4f5c7c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*,
unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
#10 0x4f7a1c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
#11 0x4f5b70 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
#12 0x7ff26d875290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
#13 0x4234a9 in _start
(/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz_message_decode+0x4234a9)
0x602000000035 is located 3 bytes to the right of 2-byte region
[0x602000000030,0x602000000032)
allocated by thread T0 here:
#0 0x4c9cac in __interceptor_malloc
(/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz_message_decode+0x4c9cac)
#1 0x7ff26edc8a47 in operator new(unsigned long)
/build/gcc/src/gcc/libstdc++-v3/libsupc++/new_op.cc:50
#2 0x4fdf85 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned
long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
#3 0x4f5c7c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*,
unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
#4 0x4f7a1c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
#5 0x4f5b70 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
#6 0x7ff26d875290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:80:26 in
pn_decoder_readf32
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 02 fa fa fa[02]fa fa fa 00 00 fa fa 00 00
0x0c047fff8010: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8020: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8030: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8040: fa fa 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==31043==ABORTING
{noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
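The ASan report above shows a 4-byte float read (pn_decoder_readf32) running past the end of a 2-byte input, {{"\360\001"}}, whose first byte 0xf0 is the AMQP 1.0 array32 constructor. The following is an added example, not Qpid Proton code: a minimal reader for AMQP 1.0 primitive encodings that checks the remaining byte count before every fixed-width read and before every size-prefixed skip, and caps nesting depth so a hostile descriptor chain cannot recurse without bound. The encoding widths come from the AMQP 1.0 specification's constructor subcategories; the reader_t type, the RD_* status codes and the sample inputs (including the page's two-byte crash input, reconstructed as {0xf0, 0x01}) are constructed for this example.

```c
/* Added example, not Qpid Proton code: bounds-checked reads for AMQP 1.0
 * primitive encodings. Built to show the check missing in the reported crash. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    const uint8_t *data;   /* input buffer (e.g. a message body) */
    size_t size;           /* total length of data */
    size_t pos;            /* next byte to read */
} reader_t;

enum { RD_OK = 0, RD_TRUNCATED = -1, RD_BAD_CODE = -2 };
enum { RD_MAX_DEPTH = 64 };

/* Constructed sample inputs. kCrashInput is the 2-byte body from the report:
 * an array32 constructor (0xf0) followed by only one byte of its 4-byte size. */
static const uint8_t kCrashInput[] = { 0xf0, 0x01 };
static const uint8_t kFloatOne[]   = { 0x72, 0x3f, 0x80, 0x00, 0x00 };  /* float 1.0 */
static const uint8_t kShortFloat[] = { 0x72, 0x3f, 0x80 };              /* float, 2 bytes short */
/* described value: 0x00, smallulong descriptor 0x77, then float 1.0 */
static const uint8_t kDescribed[]  = { 0x00, 0x53, 0x77, 0x72, 0x3f, 0x80, 0x00, 0x00 };

static size_t rd_remaining(const reader_t *r) { return r->size - r->pos; }

/* Big-endian 32-bit read with the length check: refuse instead of overreading. */
static int rd_read_u32(reader_t *r, uint32_t *out)
{
    if (rd_remaining(r) < 4) return RD_TRUNCATED;
    const uint8_t *p = r->data + r->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    r->pos += 4;
    return RD_OK;
}

/* float32 is the same 4 bytes reinterpreted; memcpy avoids aliasing issues. */
static int rd_read_f32(reader_t *r, float *out)
{
    uint32_t bits;
    int rc = rd_read_u32(r, &bits);
    if (rc != RD_OK) return rc;
    memcpy(out, &bits, sizeof *out);
    return RD_OK;
}

/* Skip one primitive value. The constructor's high nibble gives the width:
 * 0x4 empty; 0x5..0x9 fixed 1/2/4/8/16 bytes; 0xA/0xC/0xE one-byte size prefix;
 * 0xB/0xD/0xF four-byte size prefix; 0x00 is a descriptor followed by a value. */
static int rd_skip_value(reader_t *r, int depth)
{
    if (depth > RD_MAX_DEPTH) return RD_BAD_CODE;   /* refuse runaway nesting */
    if (rd_remaining(r) < 1) return RD_TRUNCATED;
    uint8_t code = r->data[r->pos++];
    size_t need;
    switch (code >> 4) {
    case 0x0:
        if (code != 0x00) return RD_BAD_CODE;
        { int rc = rd_skip_value(r, depth + 1); if (rc != RD_OK) return rc; }
        return rd_skip_value(r, depth + 1);
    case 0x4: need = 0;  break;
    case 0x5: need = 1;  break;
    case 0x6: need = 2;  break;
    case 0x7: need = 4;  break;
    case 0x8: need = 8;  break;
    case 0x9: need = 16; break;
    case 0xA: case 0xC: case 0xE:
        if (rd_remaining(r) < 1) return RD_TRUNCATED;
        need = r->data[r->pos++];
        break;
    case 0xB: case 0xD: case 0xF: {
        uint32_t n;
        int rc = rd_read_u32(r, &n);       /* this is where {0xf0,0x01} fails */
        if (rc != RD_OK) return rc;
        need = n;
        break;
    }
    default:
        return RD_BAD_CODE;
    }
    if (rd_remaining(r) < need) return RD_TRUNCATED;
    r->pos += need;
    return RD_OK;
}

/* Walk a whole buffer; RD_OK only if every value is complete and well formed. */
static int validate_message_body(const uint8_t *buf, size_t len)
{
    reader_t r = { buf, len, 0 };
    while (rd_remaining(&r) > 0) {
        int rc = rd_skip_value(&r, 0);
        if (rc != RD_OK) return rc;
    }
    return RD_OK;
}

/* Decode a buffer expected to hold exactly one float32 (constructor 0x72). */
static int decode_single_f32(const uint8_t *buf, size_t len, float *out)
{
    reader_t r = { buf, len, 0 };
    if (rd_remaining(&r) < 1) return RD_TRUNCATED;
    if (r.data[r.pos++] != 0x72) return RD_BAD_CODE;
    return rd_read_f32(&r, out);
}

int main(void)
{
    printf("crash input : %d\n", validate_message_body(kCrashInput, sizeof kCrashInput));
    printf("float 1.0   : %d\n", validate_message_body(kFloatOne, sizeof kFloatOne));
    printf("short float : %d\n", validate_message_body(kShortFloat, sizeof kShortFloat));
    return 0;
}
```

With the report's input the reader returns RD_TRUNCATED at the array32 size field instead of reading three bytes past the allocation; a fuzz target like the one in the trace (LLVMFuzzerTestOneInput feeding pn_message_decode) is the natural place to exercise such a reader on truncated and deeply nested inputs.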