0000064: ASAN: memcpy-param-overlap - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0000064	file	General	public	2019-02-18 08:50	2019-02-19 13:21

Reporter	spinpx	Assigned To	christos
Priority	urgent	Severity	major	Reproducibility	always
Status	resolved	Resolution	fixed
Platform	x86_64	OS	Debian	OS Version	10
Product Version	5.35
Fixed in Version	5.36

Summary	0000064: ASAN: memcpy-param-overlap
Description	描述 We build file with `--disable-libseccomp` by clang 4.0.0 and ASAN. We ran the program with the input we provide without any other arguments. The bugs exists in file 5.35. ASAN report: ==1129930==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7ffcc4a0f360,0x7ffcc4a10861) and [0x7ffcc4a104f8, 0x7ffcc4a119f9) overlap #0 0x4add33 in __asan_memcpy /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:453:3 0000001 0x54f86c in do_core_note /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/readelf.c:755:4 0000002 0x54d323 in donote /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/readelf.c:1194:7 0000003 0x54792a in dophn_core /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/readelf.c:398:13 0000004 0x5451b4 in file_tryelf /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/elfclass.h:43:7 0000005 0x51f29b in file_buffer /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/funcs.c:305:8 0000006 0x4f5b5d in file_or_fd /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/magic.c:508:6 0000007 0x4f5cd6 in magic_file /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/magic.c:397:9 0000008 0x4f3fd5 in process /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/file.c:546:9 #9 0x4f1c4b in main /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/file.c:416:9 0000010 0x7fbb0e64b09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) 0000011 0x41d689 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/file+0x41d689) Address 0x7ffcc4a0f360 is located in stack of thread T0 at offset 608 in frame #0 0x54f33f in do_core_note /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/readelf.c:710 This frame has 2 object(s): [32, 544) 'sbuf' [608, 768) 'pi' <== Memory access at offset 608 partially overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions are supported) Address 0x7ffcc4a104f8 is located in stack of thread T0 at offset 1592 in frame #0 0x546f7f in dophn_core /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/readelf.c:346 This frame has 3 object(s): [32, 64) 'ph32' [96, 152) 'ph64' [192, 8384) 'nbuf' <== Memory access at offset 1592 is inside this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions are supported) SUMMARY: AddressSanitizer: memcpy-param-overlap /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:453:3 in __asan_memcpy
Steps To Reproduce	run: # file sbo3
Tags	No tags attached.

spinpx 2019-02-18 08:50 reporter	sbo3 (9,351 bytes) ELFHi World ��4�� (!��d�� nŇ�c ��Pw.��4��O��4��ʢ��$뗅[3 ̜eaϟ�V9 �]��+��7��xq��CORE �� nŇ��P}� ��.��d �� X (!d��$��d��NetBSD-CGRE�ʢ��$뗅[3 ��+��7��xqhnŇ�c ��P}� ��.��4��ONetBSDCORE�ʢ��$뗅[3 ��4��X (��$��d��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d�� nŇ�c ��.�� 4��ONetBSD-CORE�ʢ��X (��X (!��$��d��d �� nŇ�c ��.�� 4��O��X (!��$��d�� +��7��xqhnŇ�c ��P}� ��.�� nŇ�c ��.�� 4��ONetBSD-CORE�ʢ��X (!��$��d��d ��ONetBSD-CGRE�ʢ��$뗅[3 ��+��7��xqhnŇ�c ��P}� ��.��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d�� nŇ�c ��.��ONetBSD-C�RE�ʢ��X (!��d �� X (!��^��}�==�}��@��$��d��d'��4��X (��$��d��4��O�NetBSD-CORE�ʢ��$뗅[3��4��X (��$��d�� nŇ�c ��.��& 4��ONetBSD-CORE�ʢ��X ��d �� nŇ�c ��.�� 4��O��X (!��$��d�� +��7��xqhnŇ�c ��P}� ��.��^��}�==�}��@��}��=�}�@�� d�xqhnŇ�c ��P}� ��.��d �� X (!��$��d��dd��ONetBSD-CGRE�ʢ��$뗅[3 ��+��7��xqhnŇ�c ��P}� ��.��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d��4��O�NetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d�� nŇ�c ��.��& 4��ON�� (!��d�� nŇ�c ��Pw.��4��O��4��ʢ��$뗅[3 ̜eaϟ�V9 �]��+��7��xq��CORE �� nŇ��P}� ��.��d �� X (!��$��d��NetBSD-CGRE�ʢ��$뗅[3 ��+��7��xqhnŇ�c ��P}� ��.��4��ONetBSDCORE�ʢ��$뗅[3 ��4��X (��$��d��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d�� nŇ�c ��.�� 4��ONetBSD-CORE�ʢ��X (��X (!��夐$��d��d �� nŇ�c ��.�� 4��O��X (!��$��d�� +��7��xqhnŇ�c ��P}� ��.�� nŇ�c ��.�� 4��ONetBSD-CORE�ʢ��X (!��$��d��d ��ONetBSD-CGRE�ʢ��.��}�@�O^��}�=�}��z� @��}��=�}�D��}�==�}�}�� @��d��}�==�}@�� @� RE�ʢ��X (��X (�!��$��d��d �� nŇ�c ��.�� 4��O��X (!��$��d�� +��7��xqhnŇ�c ��P}� ��.��d �� nŇ�c ��.�� 4��ONetBSD-CORE�ʢ��X (!��$��d��d ��ONetBSD-CGRE�ʢ��$뗅[3 ��+��7��xqhnŇ�c ��P}� ��.��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d��4��ONetBSD-CORE�ʢ��$뗅[3 ��4��X (��$��d�� nŇ�c ��.��ONetBSD-CORE�ʢ��X (!��d �� X (�!��$��d��d� ��4��X (��$��d��4��O�NetBSD-CORE�ʢ��$뗅[3 ��4��GGGGGGGGGGGGG��}��=��}�==�}@�#�� P}� ��.��E��}�@�^��}�=�}��d� @��>:��}��=�}�GGGGGGGGGGGGG sbo3 (9,351 bytes)

christos 2019-02-18 18:00 manager ~0003213	I think this is the same as PR/63

spinpx 2019-02-19 08:12 reporter ~0003217	CVE-2019-8906

christos 2019-02-19 13:20 manager ~0003219	The comment in the CVE is not correct though, it is not memcpy() that causes the overflow; it is the file_printable() that does not work with a non-NUL-terminated string.

Date Modified	Username	Field	Change
2019-02-18 08:50	spinpx	New Issue
2019-02-18 08:50	spinpx	File Added: sbo3
2019-02-18 17:59	christos	Assigned To	=> christos
2019-02-18 17:59	christos	Status	new => assigned
2019-02-18 18:00	christos	Status	assigned => feedback
2019-02-18 18:00	christos	Note Added: 0003213
2019-02-19 08:12	spinpx	Note Added: 0003217
2019-02-19 08:12	spinpx	Status	feedback => assigned
2019-02-19 13:20	christos	Note Added: 0003219
2019-02-19 13:21	christos	Status	assigned => resolved
2019-02-19 13:21	christos	Resolution	open => fixed
2019-02-19 13:21	christos	Fixed in Version	=> 5.36