[Issue 9935] New: buffer overflow in UTF8StringValidate

openldap-its Wed, 19 Oct 2022 21:52:31 -0700

https://bugs.openldap.org/show_bug.cgi?id=9935


          Issue ID: 9935
           Summary: buffer overflow in UTF8StringValidate
           Product: OpenLDAP
           Version: 2.6.3
          Hardware: x86_64
                OS: Linux
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: slapd
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

I get a heap buffer overflow running this on the latest openldap on git.
Built with CFLAGS="-fsanitize=address" using clang 15.

./servers/slapd/slapd $(python2 -c 'print("-Td \x4c\x3d\xc2\x8c\xf0\xf0")')


SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/juhee/project/foxfuzz/programs/network/openldap-ori/servers/slapd/slapd
+0x3961ac)                                                                      
Shadow bytes around the buggy address:                                          
  0x0c047fffcb00: fa fa 00 06 fa fa 00 00 fa fa 00 07 fa fa 00 00               
  0x0c047fffcb10: fa fa 00 07 fa fa 00 00 fa fa 03 fa fa fa 00 05               
  0x0c047fffcb20: fa fa 02 fa fa fa 02 fa fa fa 03 fa fa fa 07 fa               
  0x0c047fffcb30: fa fa 02 fa fa fa 03 fa fa fa 06 fa fa fa 00 03               
  0x0c047fffcb40: fa fa 00 06 fa fa 00 02 fa fa 00 01 fa fa 00 04               
=>0x0c047fffcb50: fa fa 00 00 fa fa 00 fa fa fa 00 02 fa fa[05]fa               
  0x0c047fffcb60: fa fa 00 00 fa fa fa fa fa fa fa fa fa fa fa fa               
  0x0c047fffcb70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa               
  0x0c047fffcb80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa               
  0x0c047fffcb90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa               
  0x0c047fffcba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa               
Shadow byte legend (one shadow byte represents 8 application bytes):            
  Addressable:           00                                                     
  Partially addressable: 01 02 03 04 05 06 07                                   
  Heap left redzone:       fa                                                   
  Freed heap region:       fd                                                   
  Stack left redzone:      f1                                                   
  Stack mid redzone:       f2                                                   
  Stack right redzone:     f3                                                   
  Stack after return:      f5                                                   
  Stack use after scope:   f8                                                   
  Global redzone:          f9                                                   
  Global init order:       f6                                                   
  Poisoned by user:        f7                                                   
  Container overflow:      fc                                                   
  Array cookie:            ac                                                   
  Intra object redzone:    bb                                                   
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2202218==ABORTING

Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff78ca859 in __GI_abort () at abort.c:79
#2  0x00005555556eb04f in __sanitizer::Abort ()
    at
/home/juhee/project/foxfuzz/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp:143
#3  0x00005555556e8aac in __sanitizer::Die ()
    at
/home/juhee/project/foxfuzz/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:58
#4  0x00005555556c5dda in __asan::ScopedInErrorReport::~ScopedInErrorReport
(this=0x7fffffffc4d6, __in_chrg=<optimized out>)
    at
/home/juhee/project/foxfuzz/llvm-project/compiler-rt/lib/asan/asan_report.cpp:192
#5  0x00005555556c6461 in __asan::ReportGenericError (pc=<optimized out>,
bp=0x7fffffffd140, sp=0x7fffffffd138, 
    addr=0x602000025af5, is_write=is_write@entry=0x0, access_size=0x1,
fatal=0x1, exp=<optimized out>)
    at
/home/juhee/project/foxfuzz/llvm-project/compiler-rt/lib/asan/asan_report.cpp:199
#6  0x00005555556c99d6 in __asan::ReportGenericError (pc=<optimized out>,
bp=bp@entry=0x7fffffffd140, 
    sp=sp@entry=0x7fffffffd138, addr=<optimized out>,
is_write=is_write@entry=0x0, access_size=access_size@entry=0x1, 
    exp=<optimized out>, fatal=0x1)
    at
/home/juhee/project/foxfuzz/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:74
#7  0x00005555556ca34c in __asan::__asan_report_load1 (addr=<optimized out>)
    at
/home/juhee/project/foxfuzz/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:118
#8  0x00005555558ea1ad in UTF8StringValidate ()
#9  0x000055555581e5a7 in LDAPRDN_rewrite ()
#10 0x000055555581d059 in LDAPDN_rewrite ()
#11 0x0000555555820f7f in dnPrettyNormal ()
#12 0x0000555555a37d1d in slapdn ()
#13 0x000055555570901f in main ()
#14 0x00007ffff78cc083 in __libc_start_main (main=0x555555706ef0 <main>,
argc=0x3, argv=0x7fffffffdfd8, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffdfc8)
    at ../csu/libc-start.c:308
#15 0x000055555561011e in _start ()
    at
/home/juhee/project/foxfuzz/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_internal_defs.h:397

-- 
You are receiving this mail because:
You are on the CC list for the issue.

[Issue 9935] New: buffer overflow in UTF8StringValidate

Reply via email to