You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2017/02/16 09:54:42 UTC

[jira] [Commented] (PROTON-1359) heap-buffer-overflow in pn_decoder_readf32 when invoking pn_message_decode

    [ https://issues.apache.org/jira/browse/PROTON-1359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15869654#comment-15869654 ] 

ASF subversion and git services commented on PROTON-1359:
---------------------------------------------------------

Commit cd612ffecc0b41a0765ffbb48dd6bd4467ff4879 in qpid-proton's branch refs/heads/master from [~astitcher]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=cd612ff ]

PROTON-1359: Make sure we don't try and read past the end of buffer
- For ARRAY32, LIST32 & MAP32 types


> heap-buffer-overflow in pn_decoder_readf32 when invoking pn_message_decode
> --------------------------------------------------------------------------
>
>                 Key: PROTON-1359
>                 URL: https://issues.apache.org/jira/browse/PROTON-1359
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-c
>    Affects Versions: 0.16.0
>            Reporter: Jiri Danek
>            Assignee: Andrew Stitcher
>             Fix For: 0.18.0
>
>         Attachments: core.322, crafted_from_minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43, minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43
>
>
> {noformat}
> $ nc -l 5672 < crafted_from_minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43
> $ ./libuv_receive -a 127.0.0.1:5672/jms.queue.example 
> Segmentation fault (core dumped)
> (gdb) thread apply all bt
> <snip>
> #5209 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5210 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972817 "")
> 	at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5211 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5212 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972897 "")
> 	at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5213 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5214 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972917 "")
> 	at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5215 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5216 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972997 "")
> 	at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5217 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5218 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972a17 "")
> 	at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5219 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5220 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972a97 "")
> 	at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5221 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5222 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972b17 "\377\200\304\t\002")
> 	at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5223 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5224 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972b97 "")
> 	at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5225 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5226 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972c17 "")
> 	at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5227 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5228 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972c97 "")
> 	at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5229 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5230 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972e0d "")
> 	at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5231 0x00007f36d947b2ac in pni_decoder_decode_value (decoder=0x209c970, data=0x209c480, code=240 '\360') at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:395
> #5232 0x00007f36d947a67a in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:476
> #5233 0x00007f36d947a5b8 in pn_decoder_decode (decoder=0x209c970, src=0x6095c0 <decode_message.buffer> "\360\001", size=2, dst=0x209c480)
> 	at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:490
> #5234 0x00007f36d947956d in pn_data_decode (data=0x209c480, bytes=0x6095c0 <decode_message.buffer> "\360\001", size=2)
> 	at /home/jdanek/Bin/qpid-proton/proton-c/src/core/codec.c:1437
> #5235 0x00007f36d94925fb in pn_message_decode (msg=0x209bc80, bytes=0x6095c0 <decode_message.buffer> "\360\001", size=2)
> 	at /home/jdanek/Bin/qpid-proton/proton-c/src/core/message.c:635
> #5236 0x0000000000404742 in decode_message (dlv=0x208a9b0) at /home/jdanek/Bin/qpid-proton/examples/c/proactor/receive.c:73
> #5237 0x00000000004044c6 in handle (app=0x7ffd99973288, event=0x20968e0) at /home/jdanek/Bin/qpid-proton/examples/c/proactor/receive.c:106
> #5238 0x00000000004042e3 in main (argc=3, argv=0x7ffd99973ba8) at /home/jdanek/Bin/qpid-proton/examples/c/proactor/receive.c:197
> {noformat}
> I created the input file used in Steps to Reproduce by first finding an input that causes memory error when given to {{pn_message_decode}} and then putting it as a payload of AMQP frame. The memory issue in {{pn_message decode}} when decoding data in {{minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43}} is
> {noformat}
> ==31043==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000035 at pc 0x7ff26f426ba1 bp 0x7fff7d5fcf30 sp 0x7fff7d5fcf28
> READ of size 1 at 0x602000000035 thread T0
> 	#0 0x7ff26f426ba0 in pn_decoder_readf32 /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:80:26
> 	#1 0x7ff26f426ba0 in pni_decoder_decode_value /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:377
> 	#2 0x7ff26f423369 in pni_decoder_single /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:476:9
> 	#3 0x7ff26f423369 in pn_decoder_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:490
> 	#4 0x7ff26f41fde2 in pn_data_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/codec.c:1437:10
> 	#5 0x7ff26f468f3c in pn_message_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/message.c:635:20
> 	#6 0x4f5abf in LLVMFuzzerTestOneInput /home/jdanek/Work/qpid-proton/proton-c/src/tests/fuzz_message_decode.c:8:15
> 	#7 0x4fdd97 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:515:13
> 	#8 0x4fdf85 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
> 	#9 0x4f5c7c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
> 	#10 0x4f7a1c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
> 	#11 0x4f5b70 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
> 	#12 0x7ff26d875290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
> 	#13 0x4234a9 in _start (/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz_message_decode+0x4234a9)
> 0x602000000035 is located 3 bytes to the right of 2-byte region [0x602000000030,0x602000000032)
> allocated by thread T0 here:
> 	#0 0x4c9cac in __interceptor_malloc (/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz_message_decode+0x4c9cac)
> 	#1 0x7ff26edc8a47 in operator new(unsigned long) /build/gcc/src/gcc/libstdc++-v3/libsupc++/new_op.cc:50
> 	#2 0x4fdf85 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
> 	#3 0x4f5c7c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
> 	#4 0x4f7a1c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
> 	#5 0x4f5b70 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
> 	#6 0x7ff26d875290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:80:26 in pn_decoder_readf32
> Shadow bytes around the buggy address:
>   0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c047fff8000: fa fa 02 fa fa fa[02]fa fa fa 00 00 fa fa 00 00
>   0x0c047fff8010: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
>   0x0c047fff8020: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
>   0x0c047fff8030: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
>   0x0c047fff8040: fa fa 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==31043==ABORTING
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org