Dear all,

While fuzzing tcc, an out of bounds write was found in the gsym_addr
function.

Attached are a file producing a crash when compiled, the output of the
clang address sanitizer and valgrind.

The asan report only shows an out of bounds read, valgrind also shows
the out of bounds write.

To reproduce, compile the attached input file with tcc

    tcc gsym_addr.c

The latest git version of tcc (commit
1dd6842654c8f8f6bf1a94364f0fd23ed10cc7e1) and tcc 0.9.27 were tested.


Credits: SysSec chair of Ruhr University Bochum
=================================================================
==5395==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000003ba 
at pc 0x56488734615c bp 0x7ffc070bcef0 sp 0x7ffc070bcee0
READ of size 1 at 0x6020000003ba thread T0
    #0 0x56488734615b in read16le /home/user/tinycc/tcc.h:1513
    #1 0x56488734615b in read32le /home/user/tinycc/tcc.h:1519
    #2 0x56488734615b in gsym_addr /home/user/tinycc/x86_64-gen.c:208
    #3 0x5648873462c1 in gsym /home/user/tinycc/x86_64-gen.c:216
    #4 0x564887329a03 in block /home/user/tinycc/tccgen.c:6321
    #5 0x56488732920c in block /home/user/tinycc/tccgen.c:6186
    #6 0x56488732b113 in gen_function /home/user/tinycc/tccgen.c:7369
    #7 0x564887327aef in decl0 /home/user/tinycc/tccgen.c:7602
    #8 0x56488732b4eb in decl /home/user/tinycc/tccgen.c:7703
    #9 0x56488732b4eb in tccgen_compile /home/user/tinycc/tccgen.c:298
    #10 0x5648872f858a in tcc_compile /home/user/tinycc/libtcc.c:647
    #11 0x5648872fad1d in tcc_add_file_internal /home/user/tinycc/libtcc.c:1063
    #12 0x5648872fb03e in tcc_add_file /home/user/tinycc/libtcc.c:1089
    #13 0x5648872f7ae2 in main /home/user/tinycc/tcc.c:338
    #14 0x7f9b8a4d7b96 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #15 0x5648872f5279 in _start (/home/user/tinycc/tcc-asan+0x10279)

Address 0x6020000003ba is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/tinycc/tcc.h:1513 in 
read16le
Shadow bytes around the buggy address:
  0x0c047fff8020: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa fd fa
  0x0c047fff8030: fa fa fd fd fa fa 00 05 fa fa fd fa fa fa 00 01
  0x0c047fff8040: fa fa fd fd fa fa 05 fa fa fa 00 07 fa fa 00 fa
  0x0c047fff8050: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa fd fd
  0x0c047fff8060: fa fa 04 fa fa fa 00 fa fa fa fd fa fa fa 02 fa
=>0x0c047fff8070: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5395==ABORTING
¡()
{
  for(;"";)
    asm(".section");
==5349== Memcheck, a memory error detector
==5349== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==5349== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==5349== Command: ./tcc-plain /tmp/gsym_addr.c
==5349== 
==5349== Invalid read of size 1
==5349==    at 0x12EAB6: read16le (tcc.h:1513)
==5349==    by 0x12EAB6: read32le (tcc.h:1519)
==5349==    by 0x12EAB6: gsym_addr (x86_64-gen.c:208)
==5349==    by 0x1234A8: block (tccgen.c:6321)
==5349==    by 0x122BFC: block (tccgen.c:6186)
==5349==    by 0x1238E6: gen_function (tccgen.c:7369)
==5349==    by 0x1225FD: decl0.isra.23 (tccgen.c:7602)
==5349==    by 0x123BBB: decl (tccgen.c:7703)
==5349==    by 0x123BBB: tccgen_compile (tccgen.c:298)
==5349==    by 0x10B818: tcc_compile (libtcc.c:647)
==5349==    by 0x10CE4A: tcc_add_file_internal (libtcc.c:1063)
==5349==    by 0x10A16B: main (tcc.c:338)
==5349==  Address 0x59a5e6d is 3 bytes before an unallocated block of size 
2,265,456 in arena "client"
==5349== 
==5349== Invalid read of size 1
==5349==    at 0x12EABB: read16le (tcc.h:1513)
==5349==    by 0x12EABB: read32le (tcc.h:1519)
==5349==    by 0x12EABB: gsym_addr (x86_64-gen.c:208)
==5349==    by 0x1234A8: block (tccgen.c:6321)
==5349==    by 0x122BFC: block (tccgen.c:6186)
==5349==    by 0x1238E6: gen_function (tccgen.c:7369)
==5349==    by 0x1225FD: decl0.isra.23 (tccgen.c:7602)
==5349==    by 0x123BBB: decl (tccgen.c:7703)
==5349==    by 0x123BBB: tccgen_compile (tccgen.c:298)
==5349==    by 0x10B818: tcc_compile (libtcc.c:647)
==5349==    by 0x10CE4A: tcc_add_file_internal (libtcc.c:1063)
==5349==    by 0x10A16B: main (tcc.c:338)
==5349==  Address 0x59a5e6b is 5 bytes before an unallocated block of size 
2,265,456 in arena "client"
==5349== 
==5349== Invalid read of size 1
==5349==    at 0x12EAC2: read16le (tcc.h:1513)
==5349==    by 0x12EAC2: read32le (tcc.h:1519)
==5349==    by 0x12EAC2: gsym_addr (x86_64-gen.c:208)
==5349==    by 0x1234A8: block (tccgen.c:6321)
==5349==    by 0x122BFC: block (tccgen.c:6186)
==5349==    by 0x1238E6: gen_function (tccgen.c:7369)
==5349==    by 0x1225FD: decl0.isra.23 (tccgen.c:7602)
==5349==    by 0x123BBB: decl (tccgen.c:7703)
==5349==    by 0x123BBB: tccgen_compile (tccgen.c:298)
==5349==    by 0x10B818: tcc_compile (libtcc.c:647)
==5349==    by 0x10CE4A: tcc_add_file_internal (libtcc.c:1063)
==5349==    by 0x10A16B: main (tcc.c:338)
==5349==  Address 0x59a5e6c is 4 bytes before an unallocated block of size 
2,265,456 in arena "client"
==5349== 
==5349== Invalid read of size 1
==5349==    at 0x12EAD2: read16le (tcc.h:1513)
==5349==    by 0x12EAD2: read32le (tcc.h:1519)
==5349==    by 0x12EAD2: gsym_addr (x86_64-gen.c:208)
==5349==    by 0x1234A8: block (tccgen.c:6321)
==5349==    by 0x122BFC: block (tccgen.c:6186)
==5349==    by 0x1238E6: gen_function (tccgen.c:7369)
==5349==    by 0x1225FD: decl0.isra.23 (tccgen.c:7602)
==5349==    by 0x123BBB: decl (tccgen.c:7703)
==5349==    by 0x123BBB: tccgen_compile (tccgen.c:298)
==5349==    by 0x10B818: tcc_compile (libtcc.c:647)
==5349==    by 0x10CE4A: tcc_add_file_internal (libtcc.c:1063)
==5349==    by 0x10A16B: main (tcc.c:338)
==5349==  Address 0x59a5e6a is 6 bytes before an unallocated block of size 
2,265,456 in arena "client"
==5349== 
==5349== Invalid write of size 1
==5349==    at 0x12EAE8: write16le (tcc.h:1516)
==5349==    by 0x12EAE8: write32le (tcc.h:1522)
==5349==    by 0x12EAE8: gsym_addr (x86_64-gen.c:209)
==5349==    by 0x1234A8: block (tccgen.c:6321)
==5349==    by 0x122BFC: block (tccgen.c:6186)
==5349==    by 0x1238E6: gen_function (tccgen.c:7369)
==5349==    by 0x1225FD: decl0.isra.23 (tccgen.c:7602)
==5349==    by 0x123BBB: decl (tccgen.c:7703)
==5349==    by 0x123BBB: tccgen_compile (tccgen.c:298)
==5349==    by 0x10B818: tcc_compile (libtcc.c:647)
==5349==    by 0x10CE4A: tcc_add_file_internal (libtcc.c:1063)
==5349==    by 0x10A16B: main (tcc.c:338)
==5349==  Address 0x59a5e6a is 6 bytes before an unallocated block of size 
2,265,456 in arena "client"
==5349== 
==5349== Invalid write of size 1
==5349==    at 0x12EAEA: write16le (tcc.h:1516)
==5349==    by 0x12EAEA: write32le (tcc.h:1522)
==5349==    by 0x12EAEA: gsym_addr (x86_64-gen.c:209)
==5349==    by 0x1234A8: block (tccgen.c:6321)
==5349==    by 0x122BFC: block (tccgen.c:6186)
==5349==    by 0x1238E6: gen_function (tccgen.c:7369)
==5349==    by 0x1225FD: decl0.isra.23 (tccgen.c:7602)
==5349==    by 0x123BBB: decl (tccgen.c:7703)
==5349==    by 0x123BBB: tccgen_compile (tccgen.c:298)
==5349==    by 0x10B818: tcc_compile (libtcc.c:647)
==5349==    by 0x10CE4A: tcc_add_file_internal (libtcc.c:1063)
==5349==    by 0x10A16B: main (tcc.c:338)
==5349==  Address 0x59a5e6b is 5 bytes before an unallocated block of size 
2,265,456 in arena "client"
==5349== 
==5349== Invalid write of size 1
==5349==    at 0x12EAF2: write16le (tcc.h:1516)
==5349==    by 0x12EAF2: write32le (tcc.h:1522)
==5349==    by 0x12EAF2: gsym_addr (x86_64-gen.c:209)
==5349==    by 0x1234A8: block (tccgen.c:6321)
==5349==    by 0x122BFC: block (tccgen.c:6186)
==5349==    by 0x1238E6: gen_function (tccgen.c:7369)
==5349==    by 0x1225FD: decl0.isra.23 (tccgen.c:7602)
==5349==    by 0x123BBB: decl (tccgen.c:7703)
==5349==    by 0x123BBB: tccgen_compile (tccgen.c:298)
==5349==    by 0x10B818: tcc_compile (libtcc.c:647)
==5349==    by 0x10CE4A: tcc_add_file_internal (libtcc.c:1063)
==5349==    by 0x10A16B: main (tcc.c:338)
==5349==  Address 0x59a5e6c is 4 bytes before an unallocated block of size 
2,265,456 in arena "client"
==5349== 
==5349== Invalid write of size 1
==5349==    at 0x12EAF5: write16le (tcc.h:1516)
==5349==    by 0x12EAF5: write32le (tcc.h:1522)
==5349==    by 0x12EAF5: gsym_addr (x86_64-gen.c:209)
==5349==    by 0x1234A8: block (tccgen.c:6321)
==5349==    by 0x122BFC: block (tccgen.c:6186)
==5349==    by 0x1238E6: gen_function (tccgen.c:7369)
==5349==    by 0x1225FD: decl0.isra.23 (tccgen.c:7602)
==5349==    by 0x123BBB: decl (tccgen.c:7703)
==5349==    by 0x123BBB: tccgen_compile (tccgen.c:298)
==5349==    by 0x10B818: tcc_compile (libtcc.c:647)
==5349==    by 0x10CE4A: tcc_add_file_internal (libtcc.c:1063)
==5349==    by 0x10A16B: main (tcc.c:338)
==5349==  Address 0x59a5e6d is 3 bytes before an unallocated block of size 
2,265,456 in arena "client"
==5349== 
/tmp/gsym_addr.c:1: error: identifier expected
==5349== 
==5349== HEAP SUMMARY:
==5349==     in use at exit: 0 bytes in 0 blocks
==5349==   total heap usage: 139 allocs, 139 frees, 1,919,286 bytes allocated
==5349== 
==5349== All heap blocks were freed -- no leaks are possible
==5349== 
==5349== For counts of detected and suppressed errors, rerun with: -v
==5349== ERROR SUMMARY: 8 errors from 8 contexts (suppressed: 0 from 0)
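As an added illustration (constructed here; neither tcc's own source nor the fix that went in), a small model of the backpatch chain that gsym_addr walks through read32le/write32le, with the check a hardened walk would apply: every offset in the chain is validated against the section actually being patched, so a chain whose offsets belong to another section is refused instead of being read and written out of bounds. The section layout, the names rd32le, wr32le, gsym_addr_checked and emit_jmp, and the sample offsets are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Little-endian accessors in the style of tcc.h's read32le/write32le. */
static uint32_t rd32le(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32le(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
typedef struct { uint8_t *data; size_t size; } section_t;  /* buffer + bytes emitted so far */
/* Resolve a chain of forward-jump placeholders: the rel32 field at offset t holds the offset
 * of the previous field (0 ends the chain); patch in the displacement to a, follow the link.
 * Every offset is validated against the section being patched, so a chain built for one
 * section can never read or write another's buffer. Returns fields patched, or -1. */
static int gsym_addr_checked(section_t *sec, uint32_t t, uint32_t a) {
    int patched = 0;
    while (t) {
        if (t > sec->size || sec->size - t < 4) {
            fprintf(stderr, "backpatch offset %u outside %zu-byte section\n", t, sec->size);
            return -1;
        }
        uint32_t next = rd32le(sec->data + t);   /* link to the previous placeholder */
        wr32le(sec->data + t, a - t - 4);        /* rel32 is relative to the end of the field */
        t = next;
        patched++;
    }
    return patched;
}
/* Emit 'jmp rel32' (E9 + 4 bytes) and push its displacement field onto chain *t. */
static void emit_jmp(section_t *sec, uint32_t *t) {
    sec->data[sec->size] = 0xE9;
    wr32le(sec->data + sec->size + 1, *t);  /* old chain head becomes the link */
    *t = (uint32_t)(sec->size + 1);         /* this field is the new head */
    sec->size += 5;
}
static uint32_t g_disp[2];   /* displacements observed by demo_patch() */
/* Constructed scenario: two chained jumps (fields at offsets 1 and 6) resolved to target 20. */
static int demo_patch(void) {
    uint8_t buf[64] = {0};
    section_t sec = { buf, 0 }; uint32_t t = 0;
    emit_jmp(&sec, &t); emit_jmp(&sec, &t);
    int n = gsym_addr_checked(&sec, t, 20);
    g_disp[0] = rd32le(buf + 1);   /* 20 - 1 - 4 = 15 */
    g_disp[1] = rd32le(buf + 6);   /* 20 - 6 - 4 = 10 */
    return n;
}
/* Chain head 6 applied to a 4-byte section (not the one the chain was built in): refused. */
static int demo_wrong_section(void) {
    uint8_t small[4] = {0};
    section_t other = { small, sizeof small };
    return gsym_addr_checked(&other, 6, 20);
}
```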
_______________________________________________
Tinycc-devel mailing list
Tinycc-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/tinycc-devel