View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005640 | unreal | ircd | public | 2020-04-19 20:03 | 2020-04-25 09:34 |
Reporter | k4be | Assigned To | syzop | ||
Priority | normal | Severity | crash | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Fixed in Version | 5.0.5 | ||||
Summary | 0005640: read_int64() may write OOB | ||||
Description |
```
=================================================================
==6366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3f05334 at pc 0xb6a1bf9c bp 0xbeddeb74 sp 0xbedde730
WRITE of size 8 at 0xb3f05334 thread T0
    #0 0xb6a1bf98 (/usr/lib/gcc/armv7a-hardfloat-linux-gnueabi/9.2.0/libasan.so.5+0x6bf98)
    #1 0x591fb4 in fread /usr/include/bits/stdio2.h:297
    #2 0x591fb4 in read_int64 /home/k4be/unrealircd-git/src/misc.c:1654
    #3 0xb34bc4a4 in read_tkldb /home/k4be/unrealircd-git/src/modules/tkldb.c:648
    #4 0xb34bec68 in Mod_Init /home/k4be/unrealircd-git/src/modules/tkldb.c:127
    #5 0x51dbe0 in Init_all_testing_modules /home/k4be/unrealircd-git/src/modules.c:503
    #6 0x585c44 in init_conf /home/k4be/unrealircd-git/src/conf.c:2092
    #7 0x50d6a4 in main /home/k4be/unrealircd-git/src/ircd.c:1257
    #8 0xb651a678 in __libc_start_main (/lib/libc.so.6+0x17678)

0xb3f05334 is located 0 bytes to the right of 20-byte region [0xb3f05320,0xb3f05334)
allocated by thread T0 here:
    #0 0xb6abec70 in calloc (/usr/lib/gcc/armv7a-hardfloat-linux-gnueabi/9.2.0/libasan.so.5+0x10ec70)
    #1 0x5beba0 in safe_alloc /home/k4be/unrealircd-git/src/support.c:687
    #2 0xb34bbed8 in read_tkldb /home/k4be/unrealircd-git/src/modules/tkldb.c:604
    #3 0xb34bec68 in Mod_Init /home/k4be/unrealircd-git/src/modules/tkldb.c:127
    #4 0x51dbe0 in Init_all_testing_modules /home/k4be/unrealircd-git/src/modules.c:503
    #5 0x585c44 in init_conf /home/k4be/unrealircd-git/src/conf.c:2092
    #6 0x50d6a4 in main /home/k4be/unrealircd-git/src/ircd.c:1257
    #7 0xb651a678 in __libc_start_main (/lib/libc.so.6+0x17678)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/gcc/armv7a-hardfloat-linux-gnueabi/9.2.0/libasan.so.5+0x6bf98)
Shadow bytes around the buggy address:
  0x367e0a10: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x367e0a20: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa fa fa
  0x367e0a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367e0a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367e0a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x367e0a60: fa fa fa fa 00 00[04]fa fa fa 00 00 00 05 fa fa
  0x367e0a70: 00 00 00 00 fa fa 00 00 02 fa fa fa 00 00 00 fa
  0x367e0a80: fa fa 00 00 00 03 fa fa 00 00 00 fa fa fa 00 00
  0x367e0a90: 00 fa fa fa 00 00 00 fa fa fa 00 00 01 fa fa fa
  0x367e0aa0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x367e0ab0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==6366==ABORTING
```
Tags | No tags attached. | ||||
3rd party modules | |||||
|
It will write out of bounds on archs where time_t is 32 bits. This is due to read_int64 blindly assuming it can write 64 bits to a time_t field. This can be changed with some minor work, so let's fix that (... but some other day). |
|
Note to self: add a 32 bit Linux to buildbot :) |
|
Fixed now in https://github.com/unrealircd/unrealircd/commit/0c080b3982fbfd89db3cbc72a7fba0ffa9899f24

```
commit 0c080b3982fbfd89db3cbc72a7fba0ffa9899f24 (HEAD -> unreal50, origin/unreal50)
Author: Bram Matthys <[email protected]>
Date:   Sat Apr 25 09:26:56 2020 +0200

    Fix crash in tkldb on 32 bit systems. Reported by k4be.

    Also, get rid of compiler warnings (we can use C99 types now).
```

We also have a 32 bit now in buildbot. And I am setting this bug private -> public. |
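The bug described in the first note (read_int64 writing 64 bits into a time_t that is only 32 bits wide on some archs) and the shape of the fix, as an added C example that is not UnrealIRCd's own code: the unsafe "fread straight into a time_t" pattern beside a hardened reader that goes through a real int64_t and range-checks before storing. The function names, the little-endian on-disk byte order, the sample bytes and the assumption that time_t is a signed integer are all this example's, not the project's; the page does not show read_int64's actual signature or byte order.

```c
/* Added example for issue 0005640, not UnrealIRCd code: the unsafe "fread 8 bytes
 * into a time_t" pattern beside a hardened reader. Function names, the assumed
 * little-endian on-disk byte order and the sample bytes are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

enum read_status { READ_OK = 0, READ_SHORT = 1, READ_RANGE = 2 };

/* Constructed sample "database": two 8-byte records, then a truncated one. */
static const uint8_t sample_db[] = {
    0x91, 0xAE, 0x9C, 0x5E, 0x00, 0x00, 0x00, 0x00, /* 1587326609: fits a 32-bit time_t */
    0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, /* 0x0102030405060708: needs 64 bits */
    0xAA, 0xBB, 0xCC                                /* short record */
};

/* Serve the sample through a real FILE* (tmpfile() is ISO C, so no feature macros). */
static FILE *open_sample(void)
{
    FILE *fp = tmpfile();
    if (fp && fwrite(sample_db, 1, sizeof sample_db, fp) == sizeof sample_db) rewind(fp);
    else if (fp) { fclose(fp); fp = NULL; }
    return fp;
}

/* BEFORE (the bug): fread() writes sizeof(int64_t) bytes whatever the width of *dst.
 * With a 4-byte time_t the last 4 bytes land in whatever follows it; in the report
 * that was the end of a 20-byte heap allocation. Signature assumed, not the project's. */
int read_int64_unsafe(FILE *fd, time_t *dst)
{
    return fread(dst, sizeof(int64_t), 1, fd) == 1;
}

/* Decode 8 little-endian bytes (assumed on-disk order), independent of host endianness. */
static int64_t decode_le64(const uint8_t b[8])
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | b[i];
    return (int64_t)v;
}

/* AFTER: read into a buffer whose size matches what fread() writes. */
int read_int64_safe(FILE *fd, int64_t *out)
{
    uint8_t buf[8];
    if (fread(buf, 1, sizeof buf, fd) != sizeof buf) return READ_SHORT;
    *out = decode_le64(buf);
    return READ_OK;
}

/* Range-check before storing into time_t: a value that does not fit a 32-bit time_t
 * is rejected rather than truncated (assumes a signed time_t, as on glibc). */
int read_time(FILE *fd, time_t *out)
{
    int64_t v;
    int rc = read_int64_safe(fd, &v);
    if (rc != READ_OK) return rc;
    if (sizeof(time_t) < sizeof(int64_t)) {
        int64_t max = (int64_t)(((uint64_t)1 << (8 * sizeof(time_t) - 1)) - 1), min = -max - 1;
        if (v < min || v > max) return READ_RANGE;
    }
    *out = (time_t)v;
    return READ_OK;
}

/* Measure the bug: bytes the unsafe reader writes past a time_t. The union lends the
 * write 16 bytes of owned storage, so the spill is observable without corrupting
 * anything else. Returns 0 for a 64-bit time_t and 4 for a 32-bit one. */
size_t unsafe_spill_bytes(void)
{
    union { time_t t; int64_t align; uint8_t bytes[16]; } slot;
    size_t spilled = 0;
    FILE *fp = open_sample();
    if (!fp) return (size_t)-1;
    memset(&slot, 0, sizeof slot);
    fseek(fp, 8, SEEK_SET); /* the record whose bytes are all nonzero */
    read_int64_unsafe(fp, &slot.t);
    fclose(fp);
    for (size_t i = sizeof(time_t); i < sizeof(int64_t); i++) spilled += slot.bytes[i] != 0;
    return spilled;
}

/* Walk the sample with the hardened reader; 1 if every outcome is the one the host's
 * time_t width predicts: accept, accept-or-reject, then a short read. */
int check_safe_reader(void)
{
    time_t t = 0;
    FILE *fp = open_sample();
    if (!fp) return 0;
    int ok = read_time(fp, &t) == READ_OK && (int64_t)t == 1587326609LL;
    int rc = read_time(fp, &t);
    if (sizeof(time_t) >= sizeof(int64_t))
        ok = ok && rc == READ_OK && (int64_t)t == 0x0102030405060708LL;
    else
        ok = ok && rc == READ_RANGE && (int64_t)t == 1587326609LL; /* left untouched */
    ok = ok && read_time(fp, &t) == READ_SHORT;
    fclose(fp);
    return ok;
}
```

Call unsafe_spill_bytes() and check_safe_reader() from a main() of your own: on a 64-bit glibc host the first returns 0 and the second 1; on a 32-bit host with a 32-bit time_t (the reporter's armv7 build) the first returns 4, which is exactly the 4-byte overrun ASan reported, while the hardened reader rejects the second record instead of truncating it.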
Date Modified | Username | Field | Change |
---|---|---|---|
2020-04-19 20:03 | syzop | New Issue | |
2020-04-19 20:04 | syzop | Reporter | syzop => k4be |
2020-04-19 20:04 | syzop | Note Added: 0021515 | |
2020-04-19 20:04 | syzop | Assigned To | => syzop |
2020-04-19 20:04 | syzop | Status | new => acknowledged |
2020-04-24 19:05 | syzop | Note Added: 0021523 | |
2020-04-25 09:32 | syzop | Severity | minor => crash |
2020-04-25 09:32 | syzop | View Status | private => public |
2020-04-25 09:34 | syzop | Status | acknowledged => resolved |
2020-04-25 09:34 | syzop | Resolution | open => fixed |
2020-04-25 09:34 | syzop | Fixed in Version | => 5.0.5 |
2020-04-25 09:34 | syzop | Note Added: 0021525 |