https://bugs.exim.org/show_bug.cgi?id=2820
Bug ID: 2820
Summary: out-of-bounds read
Product: Exim
Version: 4.96
Hardware: x86-64
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Logging
Assignee: unallocated@???
Reporter: z11pany@???
CC: exim-dev@???
I have discovered an out-of-bounds read at log.c:1006, found when fuzzing.
When we run it with the command "exim -bd -d -oX 25", the variable
"string_datestamp_offset" is initialized to "-1", resulting in the bug.
The full ASAN report is shown below:
==82433==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000012e905f at pc 0x0000004308a9 bp 0x7ffdc5130c10 sp 0x7ffdc51303b0
READ of size 1 at 0x0000012e905f thread T0
#0 0x4308a8 in strncmp
/local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:471:3
#1 0x59fb28 in log_write
/home/pany/test/exim-aflnet/src/build-Linux-x86_64/log.c:1006:11
#2 0x4e0e4c in daemon_go
/home/pany/test/exim-aflnet/src/build-Linux-x86_64/daemon.c:1702:3
#3 0x531e7f in main
/home/pany/test/exim-aflnet/src/build-Linux-x86_64/exim.c:4811:3
#4 0x7fe47774483f in __libc_start_main
/build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#5 0x41cab8 in _start
(/home/pany/test/exim-aflnet/src/build-Linux-x86_64/exim+0x41cab8)
0x0000012e905f is located 1 bytes to the left of global variable 'mainlog_name'
defined in 'log.c:30:15' (0x12e9060) of size 256
0x0000012e905f is located 55 bytes to the right of global variable
'mainlog_datestamp' defined in 'log.c:34:16' (0x12e9020) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow
/local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:471:3
in strncmp
Shadow bytes around the buggy address:
==82433==ABORTING
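As an added illustration of the pattern the report describes (constructed here, not Exim's code): the -1 sentinel meaning "no datestamp in the log name" is used directly as an index into the global name buffer, so the comparison reads one byte before it, which matches where ASan places the fault; the hardened variant treats a negative offset as nothing to compare. The names mirror the globals in the trace, but the bodies are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the globals named in the ASan report. */
static char mainlog_name[256];
static char mainlog_datestamp[9];    /* "YYYYMMDD" */
static int string_datestamp_offset;  /* -1 means "no datestamp in name" */

/* Assumed setup: a "%D" in the path puts the datestamp at a known offset;
 * without one the offset stays at the -1 sentinel. */
static void set_log_path(const char *path, const char *today)
{
    const char *pct = strstr(path, "%D");
    string_datestamp_offset = -1;
    if (pct == NULL) {
        snprintf(mainlog_name, sizeof mainlog_name, "%s", path);
        return;
    }
    string_datestamp_offset = (int)(pct - path);
    snprintf(mainlog_name, sizeof mainlog_name, "%.*s%s%s",
             string_datestamp_offset, path, today, pct + 2);
    snprintf(mainlog_datestamp, sizeof mainlog_datestamp, "%s", today);
}

/* Unsafe pattern: with the sentinel still -1 this reads mainlog_name[-1],
 * the "1 bytes to the left of global variable 'mainlog_name'" in the report.
 * Only safe to call once the offset is known to be valid. */
static int datestamp_changed_unchecked(const char *today)
{
    return strncmp(mainlog_name + string_datestamp_offset, today, 8) != 0;
}

/* Hardened form: a negative offset means there is no datestamp to compare. */
static int datestamp_changed_checked(const char *today)
{
    if (string_datestamp_offset < 0)
        return 0;
    return strncmp(mainlog_name + string_datestamp_offset, today, 8) != 0;
}

int main(void)
{
    set_log_path("/var/log/exim/mainlog", "20211201");   /* no %D: offset -1 */
    printf("offset=%d changed=%d\n", string_datestamp_offset,
           datestamp_changed_checked("20211202"));
    return 0;
}
```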