View Issue Details

ID: 0005640
Project: unrealircd
View Status: public
Last Update: 2020-04-25 09:34
Reporter: k4be
Assigned To: syzop
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Fixed in Version: 5.0.5
Summary: 0005640: read_int64() may write OOB

Description:
=================================================================
==6366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3f05334 at pc 0xb6a1bf9c bp 0xbeddeb74 sp 0xbedde730
WRITE of size 8 at 0xb3f05334 thread T0
    #0 0xb6a1bf98 (/usr/lib/gcc/armv7a-hardfloat-linux-gnueabi/9.2.0/libasan.so.5+0x6bf98)
    #1 0x591fb4 in fread /usr/include/bits/stdio2.h:297
    #2 0x591fb4 in read_int64 /home/k4be/unrealircd-git/src/misc.c:1654
    #3 0xb34bc4a4 in read_tkldb /home/k4be/unrealircd-git/src/modules/tkldb.c:648
    #4 0xb34bec68 in Mod_Init /home/k4be/unrealircd-git/src/modules/tkldb.c:127
    #5 0x51dbe0 in Init_all_testing_modules /home/k4be/unrealircd-git/src/modules.c:503
    #6 0x585c44 in init_conf /home/k4be/unrealircd-git/src/conf.c:2092
    #7 0x50d6a4 in main /home/k4be/unrealircd-git/src/ircd.c:1257
    #8 0xb651a678 in __libc_start_main (/lib/libc.so.6+0x17678)

0xb3f05334 is located 0 bytes to the right of 20-byte region [0xb3f05320,0xb3f05334)
allocated by thread T0 here:
    #0 0xb6abec70 in calloc (/usr/lib/gcc/armv7a-hardfloat-linux-gnueabi/9.2.0/libasan.so.5+0x10ec70)
    #1 0x5beba0 in safe_alloc /home/k4be/unrealircd-git/src/support.c:687
    #2 0xb34bbed8 in read_tkldb /home/k4be/unrealircd-git/src/modules/tkldb.c:604
    #3 0xb34bec68 in Mod_Init /home/k4be/unrealircd-git/src/modules/tkldb.c:127
    #4 0x51dbe0 in Init_all_testing_modules /home/k4be/unrealircd-git/src/modules.c:503
    #5 0x585c44 in init_conf /home/k4be/unrealircd-git/src/conf.c:2092
    #6 0x50d6a4 in main /home/k4be/unrealircd-git/src/ircd.c:1257
    #7 0xb651a678 in __libc_start_main (/lib/libc.so.6+0x17678)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/gcc/armv7a-hardfloat-linux-gnueabi/9.2.0/libasan.so.5+0x6bf98)
Shadow bytes around the buggy address:
  0x367e0a10: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x367e0a20: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa fa fa
  0x367e0a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367e0a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367e0a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x367e0a60: fa fa fa fa 00 00[04]fa fa fa 00 00 00 05 fa fa
  0x367e0a70: 00 00 00 00 fa fa 00 00 02 fa fa fa 00 00 00 fa
  0x367e0a80: fa fa 00 00 00 03 fa fa 00 00 00 fa fa fa 00 00
  0x367e0a90: 00 fa fa fa 00 00 00 fa fa fa 00 00 01 fa fa fa
  0x367e0aa0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x367e0ab0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
  Shadow gap: cc
==6366==ABORTING
Tags: No tags attached.
3rd party modules

Activities

syzop (administrator), 2020-04-19 20:04, note ~0021515

It will write out of bounds on archs where time_t is 32 bits. This is due to read_int64 blindly assuming it can write 64 bits to a time_t field.

This can be changed with some minor work, so let's fix that (... but some other day).
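The write the note above describes, as an added example that is not UnrealIRCd's code: the vulnerable pattern (8 bytes written straight into a 4-byte field, modelled as an int32_t pair so the spill is visible on a 64-bit host too) beside a hardened read that decodes into a fixed-width local and range-checks before storing. It assumes a little-endian on-disk format and builds its input with tmpfile(); the function names are the example's own.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed input: a temp FILE* holding v as 8 little-endian bytes (assumed on-disk order). */
static FILE *stream_of_int64(int64_t v)
{
    unsigned char b[8];
    FILE *f = tmpfile();
    for (int i = 0; i < 8; i++) b[i] = (unsigned char)((uint64_t)v >> (8 * i));
    if (!f || fwrite(b, 1, 8, f) != 8) return NULL;
    rewind(f);
    return f;
}

/* The pattern the report describes: fread() drops 8 bytes onto a field that is
 * only 4 bytes wide where time_t is 32-bit. Modelled as an int32_t pair so the
 * spill into the neighbour is visible on any host; returns 1 if it happened. */
static int unsafe_read_clobbers_neighbour(int64_t v)
{
    int32_t field[2] = { 0, 0x7e57 };        /* [0] is the "time_t", [1] its neighbour */
    FILE *f = stream_of_int64(v);
    if (!f || fread(&field[0], 1, 8, f) != 8) return -1;   /* the bug: 8 bytes into a 4-byte field */
    fclose(f);
    return field[1] != 0x7e57;
}

/* Hardened read: decode into a fixed-width local, never into the field itself. */
static int read_int64_le(FILE *fd, int64_t *out)
{
    unsigned char buf[8];
    uint64_t u = 0;
    if (fread(buf, 1, 8, fd) != 8) return 0;
    for (int i = 7; i >= 0; i--) u = (u << 8) | buf[i];
    *out = (int64_t)u;
    return 1;
}

/* Then range-check before storing into a field of the given width (4 or 8).
 * Returns 1 if v survives the round trip, 0 if rejected, -1 on I/O error. */
static int checked_roundtrip(int64_t v, size_t width)
{
    int64_t d = 0;
    FILE *f = stream_of_int64(v);
    int ok = f && read_int64_le(f, &d);
    if (f) fclose(f);
    if (!ok) return -1;
    if (width == 4) return (d < INT32_MIN || d > INT32_MAX) ? 0 : (int32_t)d == v;
    return width == 8 ? d == v : -1;
}
```

Even an ordinary 2020 timestamp clobbers the neighbour in the unsafe version, because the upper four zero bytes still get written past the field.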

syzop (administrator), 2020-04-24 19:05, note ~0021523

Note to self: add a 32 bit Linux to buildbot :)

syzop (administrator), 2020-04-25 09:34, note ~0021525

Fixed now in https://github.com/unrealircd/unrealircd/commit/0c080b3982fbfd89db3cbc72a7fba0ffa9899f24

commit 0c080b3982fbfd89db3cbc72a7fba0ffa9899f24 (HEAD -> unreal50, origin/unreal50)
Author: Bram Matthys <syzop@vulnscan.org>
Date: Sat Apr 25 09:26:56 2020 +0200

    Fix crash in tkldb on 32 bit systems. Reported by k4be.
    Also, get rid of compiler warnings (we can use C99 types now).

We also have a 32 bit now in buildbot. And I am setting this bug private -> public.

Issue History

Date Modified Username Field Change
2020-04-19 20:03 syzop New Issue
2020-04-19 20:04 syzop Reporter syzop => k4be
2020-04-19 20:04 syzop Note Added: 0021515
2020-04-19 20:04 syzop Assigned To => syzop
2020-04-19 20:04 syzop Status new => acknowledged
2020-04-24 19:05 syzop Note Added: 0021523
2020-04-25 09:32 syzop Severity minor => crash
2020-04-25 09:32 syzop View Status private => public
2020-04-25 09:34 syzop Status acknowledged => resolved
2020-04-25 09:34 syzop Resolution open => fixed
2020-04-25 09:34 syzop Fixed in Version => 5.0.5
2020-04-25 09:34 syzop Note Added: 0021525