Dear all,

An out-of-bounds write in the asm_parse_directive function was found while fuzzing tcc.

You can find the input producing the crash and the output of the clang address sanitizer and valgrind in the attachments. The input file contains four lines, each of which triggered the bug on my system.
The ASAN output was generated on an older version of Ubuntu (16.04),
but I could also reproduce the crashes on a current Arch Linux.

To reproduce, compile the attached input file with tcc

    tcc asm_parse-oob_write.c

I tested the latest git version of tcc (commit c4787e3626904fc542bd640cc368a9d306347008).

Credits: SysSec chair of Ruhr University Bochum
Attachment asm_parse-oob_write.c (one directive active, the other three commented out):

//__asm(".align 0");
// __asm(".align+0");
__asm(".balign+0");
// __asm(".align 7>7");
Attachment: valgrind output

==8636== Memcheck, a memory error detector
==8636== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==8636== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==8636== Command: ./tcc /home/prakti/Downloads/asm_parse-oob_write.c
==8636== 
==8636== Invalid write of size 8
==8636==    at 0x4C3453F: memset (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8636==    by 0x4220E7: memset (string3.h:90)
==8636==    by 0x4220E7: asm_parse_directive (tccasm.c:501)
==8636==    by 0x422EBA: tcc_assemble_internal (tccasm.c:927)
==8636==    by 0x422F81: tcc_assemble_inline (tccasm.c:995)
==8636==    by 0x423577: asm_global_instr (tccasm.c:1267)
==8636==    by 0x415694: decl0.isra.25 (tccgen.c:7164)
==8636==    by 0x41AA34: decl (tccgen.c:7383)
==8636==    by 0x41AA34: tccgen_compile (tccgen.c:275)
==8636==    by 0x4031B1: tcc_compile (libtcc.c:648)
==8636==    by 0x40478D: tcc_add_file_internal (libtcc.c:1064)
==8636==    by 0x401B95: main (tcc.c:332)
==8636==  Address 0x58e0570 is 0 bytes after a block of size 64 alloc'd
==8636==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8636==    by 0x4C2FDEF: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8636==    by 0x4039C8: tcc_realloc (libtcc.c:224)
==8636==    by 0x41B3E3: section_realloc (tccelf.c:267)
==8636==    by 0x41B462: section_add (tccelf.c:282)
==8636==    by 0x41F7CC: section_ptr_add (tccelf.c:293)
==8636==    by 0x41F7CC: tcc_load_object_file (tccelf.c:2432)
==8636==    by 0x404874: tcc_add_file_internal (libtcc.c:1028)
==8636==    by 0x40494E: tcc_add_library_internal (libtcc.c:1109)
==8636==    by 0x404AD0: tcc_add_crt (libtcc.c:1125)
==8636==    by 0x404BA8: tcc_set_output_type (libtcc.c:978)
==8636==    by 0x401AF1: main (tcc.c:312)
==8636== 
==8636== 
==8636== Process terminating with default action of signal 11 (SIGSEGV)
==8636==  Access not within mapped region at address 0x5B11000
==8636==    at 0x4C3453F: memset (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8636==    by 0x4220E7: memset (string3.h:90)
==8636==    by 0x4220E7: asm_parse_directive (tccasm.c:501)
==8636==    by 0x422EBA: tcc_assemble_internal (tccasm.c:927)
==8636==    by 0x422F81: tcc_assemble_inline (tccasm.c:995)
==8636==    by 0x423577: asm_global_instr (tccasm.c:1267)
==8636==    by 0x415694: decl0.isra.25 (tccgen.c:7164)
==8636==    by 0x41AA34: decl (tccgen.c:7383)
==8636==    by 0x41AA34: tccgen_compile (tccgen.c:275)
==8636==    by 0x4031B1: tcc_compile (libtcc.c:648)
==8636==    by 0x40478D: tcc_add_file_internal (libtcc.c:1064)
==8636==    by 0x401B95: main (tcc.c:332)
==8636==  If you believe this happened as a result of a stack
==8636==  overflow in your program's main thread (unlikely but
==8636==  possible), you can try to increase the size of the
==8636==  main thread stack using the --main-stacksize= flag.
==8636==  The main thread stack size used in this run was 8388608.
==8636== 
==8636== HEAP SUMMARY:
==8636==     in use at exit: 1,869,677 bytes in 71 blocks
==8636==   total heap usage: 133 allocs, 62 frees, 1,918,735 bytes allocated
==8636== 
==8636== LEAK SUMMARY:
==8636==    definitely lost: 10,701 bytes in 18 blocks
==8636==    indirectly lost: 0 bytes in 0 blocks
==8636==      possibly lost: 0 bytes in 0 blocks
==8636==    still reachable: 1,858,976 bytes in 53 blocks
==8636==         suppressed: 0 bytes in 0 blocks
==8636== Rerun with --leak-check=full to see details of leaked memory
==8636== 
==8636== For counts of detected and suppressed errors, rerun with: -v
==8636== ERROR SUMMARY: 285363 errors from 1 contexts (suppressed: 0 from 0)
Attachment: AddressSanitizer output

=================================================================
==8500==ERROR: AddressSanitizer: negative-size-param: (size=-42)
    #0 0x7f79ab4b8c69 in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cc69)
    #1 0x43ff83 in memset /usr/include/x86_64-linux-gnu/bits/string3.h:90
    #2 0x43ff83 in asm_parse_directive /home/prakti/Downloads/tcc-0.9.27/tccasm.c:501
    #3 0x44173c in tcc_assemble_internal /home/prakti/Downloads/tcc-0.9.27/tccasm.c:927
    #4 0x441b5f in tcc_assemble_inline /home/prakti/Downloads/tcc-0.9.27/tccasm.c:995
    #5 0x442a8a in asm_global_instr /home/prakti/Downloads/tcc-0.9.27/tccasm.c:1267
    #6 0x426034 in decl0 /home/prakti/Downloads/tcc-0.9.27/tccgen.c:7164
    #7 0x42fdc6 in decl /home/prakti/Downloads/tcc-0.9.27/tccgen.c:7383
    #8 0x42fdc6 in tccgen_compile /home/prakti/Downloads/tcc-0.9.27/tccgen.c:275
    #9 0x4052c9 in tcc_compile /home/prakti/Downloads/tcc-0.9.27/libtcc.c:648
    #10 0x407891 in tcc_add_file_internal /home/prakti/Downloads/tcc-0.9.27/libtcc.c:1064
    #11 0x407cd4 in tcc_add_file /home/prakti/Downloads/tcc-0.9.27/libtcc.c:1092
    #12 0x404886 in main /home/prakti/Downloads/tcc-0.9.27/tcc.c:332
    #13 0x7f79aab7582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x402448 in _start (/home/prakti/Downloads/tcc-asan/tcc+0x402448)

0x60600000ee6a is located 42 bytes inside of 64-byte region [0x60600000ee40,0x60600000ee80)
allocated by thread T0 here:
    #0 0x7f79ab4c4961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x406142 in tcc_realloc /home/prakti/Downloads/tcc-0.9.27/libtcc.c:224
    #2 0x4313b0 in section_realloc /home/prakti/Downloads/tcc-0.9.27/tccelf.c:267
    #3 0x4314a2 in section_add /home/prakti/Downloads/tcc-0.9.27/tccelf.c:282
    #4 0x431511 in section_ptr_add /home/prakti/Downloads/tcc-0.9.27/tccelf.c:293
    #5 0x43bb3f in tcc_load_object_file /home/prakti/Downloads/tcc-0.9.27/tccelf.c:2432
    #6 0x4077e6 in tcc_add_file_internal /home/prakti/Downloads/tcc-0.9.27/libtcc.c:1028
    #7 0x407a43 in tcc_add_library_internal /home/prakti/Downloads/tcc-0.9.27/libtcc.c:1109
    #8 0x407dd5 in tcc_add_crt /home/prakti/Downloads/tcc-0.9.27/libtcc.c:1125
    #9 0x407fb7 in tcc_set_output_type /home/prakti/Downloads/tcc-0.9.27/libtcc.c:978
    #10 0x4045a9 in main /home/prakti/Downloads/tcc-0.9.27/tcc.c:312
    #11 0x7f79aab7582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memset
==8500==ABORTING
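The mechanism behind the negative-size-param report above, as an added example that is not tcc's code: it assumes the directive handler computes the padding with the usual (ind + n - 1) & -n idiom and that its validity check lets an alignment of zero through; all function names are hypothetical. With n = 0 that idiom yields a size of -ind, which for a section offset of 42 is the size=-42 in the ASAN output, and the hardened variant shows the check that stops the value before it reaches memset.

```c
#include <stdlib.h>
#include <string.h>

/* All four directives in the attached input reduce their argument to 0:
 * ".align 0" literally, ".align+0" and ".balign+0" via unary plus, and
 * ".align 7>7" because the comparison 7 > 7 evaluates to 0. */

/* Unchecked padding: the usual (ind + n - 1) & -n idiom (assumed here, not
 * copied from tcc).  With n == 0 the mask -n is 0, so offset becomes 0 and
 * the size is -ind: for ind == 42 that is the size=-42 ASAN reports. */
static long align_pad_unchecked(long ind, long n)
{
    long offset = (ind + n - 1) & -n;
    return offset - ind;
}

/* Hardened padding: n must be a positive power of two.  Testing only
 * n < 0 || (n & (n - 1)) lets 0 through because 0 & -1 == 0; n <= 0 does
 * not.  Returns -1 so the caller raises an assembler error instead of
 * handing the size to section_ptr_add()/memset(). */
static long align_pad_checked(long ind, long n)
{
    if (n <= 0 || (n & (n - 1)) != 0)
        return -1;
    long offset = (ind + n - 1) & -n;
    return offset - ind;
}

/* Constructed stand-in for padding the current section: a heap buffer of
 * ind bytes is grown by the padding and the new bytes are filled.  Returns
 * the new length, or -1 if the alignment was rejected.  Casting a negative
 * pad to size_t is what turns the bug into a huge memset. */
static long pad_section(long ind, long n, int fill)
{
    long pad = align_pad_checked(ind, n);
    if (pad < 0)
        return -1;
    unsigned char *buf = malloc((size_t)(ind + pad));
    if (!buf)
        return -1;
    memset(buf, 0x90, (size_t)ind);        /* existing section bytes */
    memset(buf + ind, fill, (size_t)pad);  /* padding, now bounded */
    free(buf);
    return ind + pad;
}
```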
_______________________________________________
Tinycc-devel mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/tinycc-devel