View Issue Details

IDProjectCategoryView StatusLast Update
0000064file[All Projects] Generalpublic2019-02-19 13:21
ReporterspinpxAssigned Tochristos 
PriorityurgentSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Platformx86_64OSDebianOS Version10
Product Version5.35 
Target VersionFixed in Version5.36 
Summary0000064: ASAN: memcpy-param-overlap
Description描述 We build file with `--disable-libseccomp` by clang 4.0.0 and ASAN.
We ran the program with the input we provide without any other arguments.

The bugs exists in file 5.35.

ASAN report:
==1129930==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7ffcc4a0f360,0x7ffcc4a10861) and [0x7ffcc4a104f8, 0x7ffcc4a119f9) overlap
    #0 0x4add33 in __asan_memcpy /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:453:3
    0000001 0x54f86c in do_core_note /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/readelf.c:755:4
    0000002 0x54d323 in donote /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/readelf.c:1194:7
    0000003 0x54792a in dophn_core /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/readelf.c:398:13
    0000004 0x5451b4 in file_tryelf /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/elfclass.h:43:7
    0000005 0x51f29b in file_buffer /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/funcs.c:305:8
    0000006 0x4f5b5d in file_or_fd /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/magic.c:508:6
    0000007 0x4f5cd6 in magic_file /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/magic.c:397:9
    0000008 0x4f3fd5 in process /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/file.c:546:9
    #9 0x4f1c4b in main /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/file.c:416:9
    0000010 0x7fbb0e64b09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    0000011 0x41d689 in _start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/file+0x41d689)

Address 0x7ffcc4a0f360 is located in stack of thread T0 at offset 608 in frame
    #0 0x54f33f in do_core_note /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/readelf.c:710

  This frame has 2 object(s):
    [32, 544) 'sbuf'
    [608, 768) 'pi' <== Memory access at offset 608 partially overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Address 0x7ffcc4a104f8 is located in stack of thread T0 at offset 1592 in frame
    #0 0x546f7f in dophn_core /mnt/raid/user/chenpeng/FuzzingBench/file/file/src/readelf.c:346

  This frame has 3 object(s):
    [32, 64) 'ph32'
    [96, 152) 'ph64'
    [192, 8384) 'nbuf' <== Memory access at offset 1592 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: memcpy-param-overlap /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:453:3 in __asan_memcpy
Steps To Reproducerun:
# file sbo3
TagsNo tags attached.

Activities

spinpx

2019-02-18 08:50

reporter  

sbo3 (9,351 bytes)
sbo3 (9,351 bytes)

christos

2019-02-18 18:00

manager   ~0003213

I think this is the same as PR/63

spinpx

2019-02-19 08:12

reporter   ~0003217

CVE-2019-8906

christos

2019-02-19 13:20

manager   ~0003219

The comment in the CVE is not correct though, it is not memcpy() that causes the overflow; it is the file_printable() that does not work with a non-NUL-terminated string.

Issue History

Date Modified Username Field Change
2019-02-18 08:50 spinpx New Issue
2019-02-18 08:50 spinpx File Added: sbo3
2019-02-18 17:59 christos Assigned To => christos
2019-02-18 17:59 christos Status new => assigned
2019-02-18 18:00 christos Status assigned => feedback
2019-02-18 18:00 christos Note Added: 0003213
2019-02-19 08:12 spinpx Note Added: 0003217
2019-02-19 08:12 spinpx Status feedback => assigned
2019-02-19 13:20 christos Note Added: 0003219
2019-02-19 13:21 christos Status assigned => resolved
2019-02-19 13:21 christos Resolution open => fixed
2019-02-19 13:21 christos Fixed in Version => 5.36