Hi Dan,

Thanks for the hint -- just pushed a fix. Also, thanks for the ASAN tip :)
On 4/30/19 7:15 PM, Dan Pascu wrote:
There seems to be some buffer overflow in the code that flattens the configuration:

==7892==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000018800 at pc 0x7f7c1bf946aa bp 0x7ffc90558800 sp 0x7ffc90557fb0
WRITE of size 54 at 0x633000018800 thread T0
    #0 0x7f7c1bf946a9 in vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9)
    #1 0x7f7c1bf949f6 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x549f6)
    #2 0x5649c1d07761 in __flatten_opensips_cfg cfg_pp.c:280
    #3 0x5649c1d094fc in flatten_opensips_cfg cfg_pp.c:318
    #4 0x5649c1d094fc in parse_opensips_cfg cfg_pp.c:77
    #5 0x5649c1c39cf9 in main main.c:1205
    #6 0x7f7c1bd7409a in __libc_start_main ../csu/libc-start.c:308
    #7 0x5649c1c41bc9 in _start (/home/dan/work/opensips/build/opensips-xs/opensips+0xe5bc9)

0x633000018800 is located 0 bytes to the right of 98304-byte region [0x633000000800,0x633000018800)
allocated by thread T0 here:
    #0 0x7f7c1c029740 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9740)
    #1 0x5649c1d069fb in extend_cfg_buf cfg_pp.c:117
    #2 0x5649c1d076bb in __flatten_opensips_cfg cfg_pp.c:274
    #3 0x5649c1d094fc in flatten_opensips_cfg cfg_pp.c:318
    #4 0x5649c1d094fc in parse_opensips_cfg cfg_pp.c:77
    #5 0x5649c1c39cf9 in main main.c:1205
    #6 0x7f7c1bd7409a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9) in vsprintf
Shadow bytes around the buggy address:
  0x0c667fffb0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

--
Dan

_______________________________________________
Devel mailing list
Devel@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/devel
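Added example, not OpenSIPS code and not the fix that was pushed: a growable buffer in the spirit of extend_cfg_buf whose formatted append measures the output with vsnprintf and grows the block before writing, so a write like the 54-byte one in the report cannot land past the end of the realloc'd region. The names cfg_buf, cfg_buf_reserve, cfg_buf_appendf and flatten_lines are hypothetical, and the config lines are constructed.

```c
/* Added example, not OpenSIPS code: a growable "flattened config" buffer whose
 * append checks capacity before writing, unlike an unchecked sprintf() into a
 * realloc'd block, which is the pattern the ASan report above flags. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* data: flattened text; len: bytes used (no NUL); cap: bytes allocated */
struct cfg_buf { char *data; size_t len; size_t cap; };
/* Make room for `need` more bytes plus the NUL, growing geometrically.
 * Returns 0 on success, -1 if realloc fails (buffer left intact). */
static int cfg_buf_reserve(struct cfg_buf *b, size_t need)
{
    if (b->cap - b->len > need)
        return 0;
    size_t ncap = b->cap ? b->cap : 64;
    while (ncap - b->len <= need)
        ncap *= 2;
    char *p = realloc(b->data, ncap);
    if (!p)
        return -1;
    b->data = p;
    b->cap = ncap;
    return 0;
}
/* Append formatted text. vsnprintf(NULL, 0, ...) measures the output first,
 * so growth always precedes the write and the write never runs past cap. */
static int cfg_buf_appendf(struct cfg_buf *b, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0 || cfg_buf_reserve(b, (size_t)n) < 0)
        return -1;
    va_start(ap, fmt);
    vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap);
    va_end(ap);
    b->len += (size_t)n;
    return n;
}
/* Flatten `count` constructed config lines; returns the resulting length. */
static size_t flatten_lines(struct cfg_buf *b, int count)
{
    for (int i = 0; i < count; i++)
        if (cfg_buf_appendf(b, "line %d: %s\n", i, "constructed text") < 0)
            return 0;
    return b->len;
}
```

Appending 5000 lines pushes the buffer well past the 98304-byte region size seen in the report, and the terminator and capacity invariants still hold after every growth step.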