[PROTON-1414] heap-buffer-overflow in pni_decoder_decode_value when invoking pn_message_decode - ASF JIRA

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: proton-c-0.18.0
Fix Version/s: proton-c-0.22.0
Component/s: proton-c
Labels:
- codec

Description

[jdanek@e530 fuzz]$ ./fuzz-message-decode minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba 
INFO: Seed: 3671742454
INFO: Loaded 2 modules (7259 guards): [0x7f20793b8c80, 0x7f20793bfdd4), [0x74ad60, 0x74ad78), 
./fuzz-message-decode: Running 1 inputs 1 time(s) each.
Running: minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
=================================================================
==29686==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000033 at pc 0x7f20790bf3de bp 0x7ffc0d69a970 sp 0x7ffc0d69a968
READ of size 1 at 0x602000000033 thread T0
    #0 0x7f20790bf3dd in pni_decoder_decode_value /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:389:24
    #1 0x7f20790bcfa4 in pni_decoder_single /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:477:9
    #2 0x7f20790bccc1 in pn_decoder_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:491:13
    #3 0x7f20790b84c5 in pn_data_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/codec.c:1437:10
    #4 0x7f207911160b in pn_message_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/message.c:635:20
    #5 0x4f90c1 in LLVMFuzzerTestOneInput /home/jdanek/Work/qpid-proton/proton-c/src/tests/fuzz/fuzz-message-decode.c:12:15
    #6 0x501427 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:515:13
    #7 0x501615 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
    #8 0x4f930c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
    #9 0x4fb0ac in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
    #10 0x4f9200 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
    #11 0x7f20772d2290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #12 0x423889 in _start (/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz/fuzz-message-decode+0x423889)

0x602000000033 is located 0 bytes to the right of 3-byte region [0x602000000030,0x602000000033)
allocated by thread T0 here:
    #0 0x4f608b in operator new[](unsigned long) (/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz/fuzz-message-decode+0x4f608b)
    #1 0x50136a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:506:23
    #2 0x501615 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
    #3 0x4f930c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
    #4 0x4fb0ac in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
    #5 0x4f9200 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
    #6 0x7f20772d2290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:389:24 in pni_decoder_decode_value
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 03 fa fa fa[03]fa fa fa 00 00 fa fa 00 00
  0x0c047fff8010: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8020: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8030: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8040: fa fa 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29686==ABORTING

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
21/Feb/17 21:55
0.0 kB
Jiri Daněk

Issue Links

relates to

PROTON-1359 heap-buffer-overflow in pn_decoder_readf32 when invoking pn_message_decode

Closed

heap-buffer-overflow in pni_decoder_decode_value when invoking pn_message_decode

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates