Posted to dev@qpid.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2017/02/16 09:54:42 UTC
[jira] [Commented] (PROTON-1359) heap-buffer-overflow in pn_decoder_readf32 when invoking pn_message_decode
[ https://issues.apache.org/jira/browse/PROTON-1359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15869654#comment-15869654 ]
ASF subversion and git services commented on PROTON-1359:
---------------------------------------------------------
Commit cd612ffecc0b41a0765ffbb48dd6bd4467ff4879 in qpid-proton's branch refs/heads/master from [~astitcher]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=cd612ff ]
PROTON-1359: Make sure we don't try and read past the end of buffer
- For ARRAY32, LIST32 & MAP32 types
> heap-buffer-overflow in pn_decoder_readf32 when invoking pn_message_decode
> --------------------------------------------------------------------------
>
> Key: PROTON-1359
> URL: https://issues.apache.org/jira/browse/PROTON-1359
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: 0.16.0
> Reporter: Jiri Danek
> Assignee: Andrew Stitcher
> Fix For: 0.18.0
>
> Attachments: core.322, crafted_from_minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43, minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43
>
>
> {noformat}
> $ nc -l 5672 < crafted_from_minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43
> $ ./libuv_receive -a 127.0.0.1:5672/jms.queue.example
> Segmentation fault (core dumped)
> (gdb) thread apply all bt
> <snip>
> #5209 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5210 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972817 "")
> at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5211 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5212 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972897 "")
> at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5213 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5214 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972917 "")
> at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5215 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5216 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972997 "")
> at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5217 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5218 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972a17 "")
> at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5219 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5220 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972a97 "")
> at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5221 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5222 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972b17 "\377\200\304\t\002")
> at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5223 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5224 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972b97 "")
> at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5225 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5226 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972c17 "")
> at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5227 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5228 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972c97 "")
> at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5229 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5230 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972e0d "")
> at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5231 0x00007f36d947b2ac in pni_decoder_decode_value (decoder=0x209c970, data=0x209c480, code=240 '\360') at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:395
> #5232 0x00007f36d947a67a in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:476
> #5233 0x00007f36d947a5b8 in pn_decoder_decode (decoder=0x209c970, src=0x6095c0 <decode_message.buffer> "\360\001", size=2, dst=0x209c480)
> at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:490
> #5234 0x00007f36d947956d in pn_data_decode (data=0x209c480, bytes=0x6095c0 <decode_message.buffer> "\360\001", size=2)
> at /home/jdanek/Bin/qpid-proton/proton-c/src/core/codec.c:1437
> #5235 0x00007f36d94925fb in pn_message_decode (msg=0x209bc80, bytes=0x6095c0 <decode_message.buffer> "\360\001", size=2)
> at /home/jdanek/Bin/qpid-proton/proton-c/src/core/message.c:635
> #5236 0x0000000000404742 in decode_message (dlv=0x208a9b0) at /home/jdanek/Bin/qpid-proton/examples/c/proactor/receive.c:73
> #5237 0x00000000004044c6 in handle (app=0x7ffd99973288, event=0x20968e0) at /home/jdanek/Bin/qpid-proton/examples/c/proactor/receive.c:106
> #5238 0x00000000004042e3 in main (argc=3, argv=0x7ffd99973ba8) at /home/jdanek/Bin/qpid-proton/examples/c/proactor/receive.c:197
> {noformat}
> I created the input file used in Steps to Reproduce by first finding an input that causes a memory error when given to {{pn_message_decode}} and then putting it as the payload of an AMQP frame. The memory issue in {{pn_message_decode}} when decoding data in {{minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43}} is
> {noformat}
> ==31043==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000035 at pc 0x7ff26f426ba1 bp 0x7fff7d5fcf30 sp 0x7fff7d5fcf28
> READ of size 1 at 0x602000000035 thread T0
> #0 0x7ff26f426ba0 in pn_decoder_readf32 /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:80:26
> #1 0x7ff26f426ba0 in pni_decoder_decode_value /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:377
> #2 0x7ff26f423369 in pni_decoder_single /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:476:9
> #3 0x7ff26f423369 in pn_decoder_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:490
> #4 0x7ff26f41fde2 in pn_data_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/codec.c:1437:10
> #5 0x7ff26f468f3c in pn_message_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/message.c:635:20
> #6 0x4f5abf in LLVMFuzzerTestOneInput /home/jdanek/Work/qpid-proton/proton-c/src/tests/fuzz_message_decode.c:8:15
> #7 0x4fdd97 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:515:13
> #8 0x4fdf85 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
> #9 0x4f5c7c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
> #10 0x4f7a1c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
> #11 0x4f5b70 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
> #12 0x7ff26d875290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
> #13 0x4234a9 in _start (/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz_message_decode+0x4234a9)
> 0x602000000035 is located 3 bytes to the right of 2-byte region [0x602000000030,0x602000000032)
> allocated by thread T0 here:
> #0 0x4c9cac in __interceptor_malloc (/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz_message_decode+0x4c9cac)
> #1 0x7ff26edc8a47 in operator new(unsigned long) /build/gcc/src/gcc/libstdc++-v3/libsupc++/new_op.cc:50
> #2 0x4fdf85 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
> #3 0x4f5c7c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
> #4 0x4f7a1c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
> #5 0x4f5b70 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
> #6 0x7ff26d875290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:80:26 in pn_decoder_readf32
> Shadow bytes around the buggy address:
> 0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c047fff8000: fa fa 02 fa fa fa[02]fa fa fa 00 00 fa fa 00 00
> 0x0c047fff8010: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
> 0x0c047fff8020: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
> 0x0c047fff8030: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
> 0x0c047fff8040: fa fa 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==31043==ABORTING
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
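Added illustration, not qpid-proton's code and not the commit referenced above: a minimal C sketch of the class of check the commit message describes. ARRAY32, LIST32 and MAP32 (AMQP 1.0 format codes 0xF0, 0xD0, 0xD1) carry a 4-byte size and a 4-byte count after the type code, and the ASan trace shows the 2-byte input "\360\001" (0xF0 0x01) reaching a 4-byte read with only one byte left. The block shows an unchecked header decoder beside a bounds-checked one, run over that 2-byte shape plus two constructed LIST32 buffers. The cursor_t and compound_hdr_t types, the demo_* functions and all sample buffers are assumptions made for the example; the attachment's actual contents are not on the page and are not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AMQP 1.0 format codes for the three compound encodings whose header is
   a 4-byte size followed by a 4-byte count (values from the AMQP 1.0 spec). */
#define CODE_LIST32  0xD0
#define CODE_MAP32   0xD1
#define CODE_ARRAY32 0xF0

/* Hypothetical decoder cursor: [pos, end) is the unread input.
   A stand-in for the example only, not qpid-proton's pn_decoder_t. */
typedef struct { const uint8_t *pos; const uint8_t *end; } cursor_t;

typedef struct {
    uint8_t  code;
    uint32_t size;   /* bytes following the size field (count + elements) */
    uint32_t count;  /* number of elements (keys+values for a map) */
} compound_hdr_t;

/* Unchecked big-endian u32 read: nothing here compares pos against end,
   which is the shape of the over-read in the report. */
static uint32_t read_u32_unchecked(cursor_t *c) {
    uint32_t v = ((uint32_t)c->pos[0] << 24) | ((uint32_t)c->pos[1] << 16) |
                 ((uint32_t)c->pos[2] << 8)  |  (uint32_t)c->pos[3];
    c->pos += 4;
    return v;
}

/* Checked variant: -1 and cursor untouched if fewer than 4 bytes remain. */
static int read_u32_checked(cursor_t *c, uint32_t *out) {
    if (c->end < c->pos || (size_t)(c->end - c->pos) < 4) return -1;
    *out = read_u32_unchecked(c);
    return 0;
}

static int is_compound32(uint8_t code) {
    return code == CODE_LIST32 || code == CODE_MAP32 || code == CODE_ARRAY32;
}

/* Vulnerable form: read code, size, count with no length validation.
   Returns 0 even when the reads ran past end. */
static int decode_compound32_unchecked(cursor_t *c, compound_hdr_t *h) {
    h->code = *c->pos++;
    if (!is_compound32(h->code)) return -1;
    h->size  = read_u32_unchecked(c);
    h->count = read_u32_unchecked(c);
    return 0;
}

/* Hardened form: every header read is bounds-checked and the declared size
   is cross-checked against the bytes actually present, so element decoding
   cannot be started against a body that is not there. */
static int decode_compound32_checked(cursor_t *c, compound_hdr_t *h) {
    if (c->pos >= c->end || !is_compound32(*c->pos)) return -1;
    h->code = *c->pos++;
    if (read_u32_checked(c, &h->size) != 0) return -1;       /* 0xF0 0x01 fails here */
    if (h->size < 4 || h->size > (size_t)(c->end - c->pos)) return -1;
    if (read_u32_checked(c, &h->count) != 0) return -1;
    /* List and map elements each carry at least a 1-byte constructor, so
       count cannot exceed the body. Arrays are skipped: one shared
       constructor can describe zero-width elements (null, 0x40). */
    if (h->code != CODE_ARRAY32 && h->count > h->size - 4) return -1;
    return 0;
}

/* Constructed: the 2-byte shape from the ASan trace, ARRAY32 code plus one
   byte of what should be a 4-byte size. */
static const uint8_t poc_input[2] = { 0xF0, 0x01 };

/* Unchecked decoder over the PoC bytes placed in a zero-filled 16-byte
   backing store with end at the true 2-byte length. The padding stands in
   for the heap bytes ASan flagged, so the demo can measure how far the
   cursor overran without touching unowned memory. Returns bytes past end. */
static ptrdiff_t demo_unchecked_overrun(void) {
    uint8_t backing[16] = {0};
    memcpy(backing, poc_input, sizeof poc_input);
    cursor_t c = { backing, backing + sizeof poc_input };
    compound_hdr_t h;
    if (decode_compound32_unchecked(&c, &h) != 0) return -1;
    return c.pos - c.end;   /* 1 + 4 + 4 read, 2 available: 7 */
}

static int demo_checked_rejects_poc(void) {
    cursor_t c = { poc_input, poc_input + sizeof poc_input };
    compound_hdr_t h;
    return decode_compound32_checked(&c, &h);
}

/* Constructed well-formed LIST32: size 5 = 4-byte count + one null element. */
static const uint8_t good_list[] = { 0xD0, 0,0,0,5, 0,0,0,1, 0x40 };
/* Constructed LIST32 whose declared size (64) exceeds the 5 bytes present. */
static const uint8_t oversized_list[] = { 0xD0, 0,0,0,64, 0,0,0,1, 0x40 };

static compound_hdr_t valid_hdr;   /* filled by demo_checked_accepts_valid */

static int demo_checked_accepts_valid(void) {
    cursor_t c = { good_list, good_list + sizeof good_list };
    return decode_compound32_checked(&c, &valid_hdr);
}

static int demo_checked_rejects_oversized(void) {
    cursor_t c = { oversized_list, oversized_list + sizeof oversized_list };
    compound_hdr_t h;
    return decode_compound32_checked(&c, &h);
}

int main(void) {
    printf("unchecked: %td bytes past end on the PoC shape\n", demo_unchecked_overrun());
    printf("checked on PoC shape: %d\n", demo_checked_rejects_poc());
    printf("checked on valid list32: %d (size=%u count=%u)\n",
           demo_checked_accepts_valid(), valid_hdr.size, valid_hdr.count);
    printf("checked on oversized list32: %d\n", demo_checked_rejects_oversized());
    return 0;
}
```

The size-versus-remaining check matters as much as the per-read check: without it a header that parses cleanly can still promise more element bytes than the buffer holds, and the same over-read then moves from the header into the element loop.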