[ https://issues.apache.org/jira/browse/PROTON-1359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jiri Danek updated PROTON-1359:
-------------------------------
    Attachment: core.322
                crafted_from_minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43
                minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43

> heap-buffer-overflow in pn_decoder_readf32 when invoking pn_message_decode
> --------------------------------------------------------------------------
>
>                 Key: PROTON-1359
>                 URL: https://issues.apache.org/jira/browse/PROTON-1359
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-c
>    Affects Versions: 0.16.0
>            Reporter: Jiri Danek
>         Attachments: core.322, crafted_from_minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43, minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43
>
>
> {noformat}
> $ nc -l 5672 < crafted_from_minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43
> $ ./libuv_receive -a 127.0.0.1:5672/jms.queue.example
> Segmentation fault (core dumped)
> (gdb) thread apply all bt
> <snip>
> #5209 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5210 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972817 "") at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5211 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5212 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972897 "") at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5213 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5214 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972917 "") at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5215 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5216 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972997 "") at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5217 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5218 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972a17 "") at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5219 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5220 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972a97 "") at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5221 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5222 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972b17 "\377\200\304\t\002") at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5223 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5224 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972b97 "") at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5225 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5226 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972c17 "") at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5227 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5228 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972c97 "") at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5229 0x00007f36d947a651 in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:474
> #5230 0x00007f36d947a786 in pni_decoder_decode_type (decoder=0x209c970, data=0x209c480, code=0x7ffd99972e0d "") at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:458
> #5231 0x00007f36d947b2ac in pni_decoder_decode_value (decoder=0x209c970, data=0x209c480, code=240 '\360') at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:395
> #5232 0x00007f36d947a67a in pni_decoder_single (decoder=0x209c970, data=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:476
> #5233 0x00007f36d947a5b8 in pn_decoder_decode (decoder=0x209c970, src=0x6095c0 <decode_message.buffer> "\360\001", size=2, dst=0x209c480) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/decoder.c:490
> #5234 0x00007f36d947956d in pn_data_decode (data=0x209c480, bytes=0x6095c0 <decode_message.buffer> "\360\001", size=2) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/codec.c:1437
> #5235 0x00007f36d94925fb in pn_message_decode (msg=0x209bc80, bytes=0x6095c0 <decode_message.buffer> "\360\001", size=2) at /home/jdanek/Bin/qpid-proton/proton-c/src/core/message.c:635
> #5236 0x0000000000404742 in decode_message (dlv=0x208a9b0) at /home/jdanek/Bin/qpid-proton/examples/c/proactor/receive.c:73
> #5237 0x00000000004044c6 in handle (app=0x7ffd99973288, event=0x20968e0) at /home/jdanek/Bin/qpid-proton/examples/c/proactor/receive.c:106
> #5238 0x00000000004042e3 in main (argc=3, argv=0x7ffd99973ba8) at /home/jdanek/Bin/qpid-proton/examples/c/proactor/receive.c:197
> {noformat}
>
> I created the input file used in Steps to Reproduce by first finding an input that causes a memory error when given to {{pn_message_decode}} and then putting it as the payload of an AMQP frame. The memory issue in {{pn_message_decode}} when decoding data in {{minimized-from-ac1dd1edf2357b0e4782088fa2bf80fdde832a43}} is
>
> {noformat}
> ==31043==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000035 at pc 0x7ff26f426ba1 bp 0x7fff7d5fcf30 sp 0x7fff7d5fcf28
> READ of size 1 at 0x602000000035 thread T0
>     #0 0x7ff26f426ba0 in pn_decoder_readf32 /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:80:26
>     #1 0x7ff26f426ba0 in pni_decoder_decode_value /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:377
>     #2 0x7ff26f423369 in pni_decoder_single /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:476:9
>     #3 0x7ff26f423369 in pn_decoder_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:490
>     #4 0x7ff26f41fde2 in pn_data_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/codec.c:1437:10
>     #5 0x7ff26f468f3c in pn_message_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/message.c:635:20
>     #6 0x4f5abf in LLVMFuzzerTestOneInput /home/jdanek/Work/qpid-proton/proton-c/src/tests/fuzz_message_decode.c:8:15
>     #7 0x4fdd97 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:515:13
>     #8 0x4fdf85 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
>     #9 0x4f5c7c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
>     #10 0x4f7a1c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
>     #11 0x4f5b70 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
>     #12 0x7ff26d875290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
>     #13 0x4234a9 in _start (/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz_message_decode+0x4234a9)
>
> 0x602000000035 is located 3 bytes to the right of 2-byte region [0x602000000030,0x602000000032)
> allocated by thread T0 here:
>     #0 0x4c9cac in __interceptor_malloc (/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz_message_decode+0x4c9cac)
>     #1 0x7ff26edc8a47 in operator new(unsigned long) /build/gcc/src/gcc/libstdc++-v3/libsupc++/new_op.cc:50
>     #2 0x4fdf85 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
>     #3 0x4f5c7c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
>     #4 0x4f7a1c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
>     #5 0x4f5b70 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
>     #6 0x7ff26d875290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:80:26 in pn_decoder_readf32
> Shadow bytes around the buggy address:
>   0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c047fff8000: fa fa 02 fa fa fa[02]fa fa fa 00 00 fa fa 00 00
>   0x0c047fff8010: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
>   0x0c047fff8020: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
>   0x0c047fff8030: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
>   0x0c047fff8040: fa fa 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==31043==ABORTING
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
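Added illustration, not proton code and not from the reporter: the remaining-bytes guard a fixed-width reader needs. The ASan report above shows a 1-byte READ landing 3 bytes past a 2-byte region inside pn_decoder_readf32, i.e. a 4-byte value being pulled byte by byte out of a buffer that holds only 2. The hypothetical sketch below derives the width of an AMQP 1.0 fixed-width primitive from its constructor byte and refuses to read when fewer bytes remain; the decoder, status names and sample buffers are assumptions, and the 2-byte payload in the gdb trace ("\360\001", an 0xF0 array32 constructor) takes the array path that this sketch does not model.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical sketch, not proton's code: a fixed-width reader with the guard
   a safe decoder needs. The width comes from the AMQP 1.0 constructor's high
   nibble: 0x4_ = 0 bytes, 0x5_ = 1, 0x6_ = 2, 0x7_ = 4 (uint/int/float), 0x8_ = 8. */
enum { DEC_OK = 0, DEC_UNDERFLOW = -1, DEC_UNSUPPORTED = -2 };

static int fixed_width(uint8_t code, size_t *width)
{
    switch (code >> 4) {
    case 0x4: *width = 0; return DEC_OK;
    case 0x5: *width = 1; return DEC_OK;
    case 0x6: *width = 2; return DEC_OK;
    case 0x7: *width = 4; return DEC_OK;
    case 0x8: *width = 8; return DEC_OK;
    default:  return DEC_UNSUPPORTED;   /* variable, compound, array: out of scope */
    }
}

/* Big-endian read from *pos that first proves the bytes exist before end.
   Without the guard, a 2-byte buffer holding a 4-byte constructor is read past
   its allocation, which is what ASan flagged in pn_decoder_readf32 above. */
static int read_fixed(const uint8_t **pos, const uint8_t *end, size_t width,
                      uint64_t *out)
{
    if ((size_t)(end - *pos) < width)
        return DEC_UNDERFLOW;           /* refuse rather than read past the end */
    uint64_t v = 0;
    for (size_t i = 0; i < width; i++)
        v = (v << 8) | (*pos)[i];
    *pos += width;
    *out = v;
    return DEC_OK;
}

/* Decode one constructor-prefixed fixed-width primitive from buf[0..len). */
int decode_fixed_primitive(const uint8_t *buf, size_t len, uint64_t *out)
{
    const uint8_t *pos = buf, *end = buf + len;
    uint64_t code = 0;
    size_t width = 0;
    int rc = read_fixed(&pos, end, 1, &code);  /* the constructor byte is checked too */
    if (rc == DEC_OK) rc = fixed_width((uint8_t)code, &width);
    return rc == DEC_OK ? read_fixed(&pos, end, width, out) : rc;
}

/* Constructed samples: a float constructor (0x72) followed by only 1 of its 4
   payload bytes, so the 4-byte read must be refused, and a complete float 1.0f. */
const uint8_t truncated_float[] = { 0x72, 0x01 };
const uint8_t whole_float[] = { 0x72, 0x3f, 0x80, 0x00, 0x00 };
```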