Posted to dev@qpid.apache.org by "Jiri Danek (JIRA)" <ji...@apache.org> on 2017/02/21 22:01:44 UTC
[jira] [Updated] (PROTON-1414) heap-buffer-overflow in pni_decoder_decode_value when invoking pn_message_decode
[ https://issues.apache.org/jira/browse/PROTON-1414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jiri Danek updated PROTON-1414:
-------------------------------
Summary: heap-buffer-overflow in pni_decoder_decode_value when invoking pn_message_decode (was: heap-buffer-overflow in pni_decoder_decode_value)
> heap-buffer-overflow in pni_decoder_decode_value when invoking pn_message_decode
> --------------------------------------------------------------------------------
>
> Key: PROTON-1414
> URL: https://issues.apache.org/jira/browse/PROTON-1414
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: 0.18.0
> Reporter: Jiri Danek
> Attachments: minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
>
>
> {noformat}
> [jdanek@e530 fuzz]$ ./fuzz-message-decode minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
> INFO: Seed: 3671742454
> INFO: Loaded 2 modules (7259 guards): [0x7f20793b8c80, 0x7f20793bfdd4), [0x74ad60, 0x74ad78),
> ./fuzz-message-decode: Running 1 inputs 1 time(s) each.
> Running: minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
> =================================================================
> ==29686==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000033 at pc 0x7f20790bf3de bp 0x7ffc0d69a970 sp 0x7ffc0d69a968
> READ of size 1 at 0x602000000033 thread T0
> #0 0x7f20790bf3dd in pni_decoder_decode_value /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:389:24
> #1 0x7f20790bcfa4 in pni_decoder_single /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:477:9
> #2 0x7f20790bccc1 in pn_decoder_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:491:13
> #3 0x7f20790b84c5 in pn_data_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/codec.c:1437:10
> #4 0x7f207911160b in pn_message_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/message.c:635:20
> #5 0x4f90c1 in LLVMFuzzerTestOneInput /home/jdanek/Work/qpid-proton/proton-c/src/tests/fuzz/fuzz-message-decode.c:12:15
> #6 0x501427 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:515:13
> #7 0x501615 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
> #8 0x4f930c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
> #9 0x4fb0ac in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
> #10 0x4f9200 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
> #11 0x7f20772d2290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
> #12 0x423889 in _start (/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz/fuzz-message-decode+0x423889)
> 0x602000000033 is located 0 bytes to the right of 3-byte region [0x602000000030,0x602000000033)
> allocated by thread T0 here:
> #0 0x4f608b in operator new[](unsigned long) (/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz/fuzz-message-decode+0x4f608b)
> #1 0x50136a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:506:23
> #2 0x501615 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
> #3 0x4f930c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
> #4 0x4fb0ac in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
> #5 0x4f9200 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
> #6 0x7f20772d2290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:389:24 in pni_decoder_decode_value
> Shadow bytes around the buggy address:
> 0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c047fff8000: fa fa 03 fa fa fa[03]fa fa fa 00 00 fa fa 00 00
> 0x0c047fff8010: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
> 0x0c047fff8020: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
> 0x0c047fff8030: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
> 0x0c047fff8040: fa fa 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==29686==ABORTING
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)