[exim-dev] [Bug 2820] New: out-of-bounds read

トップ ページ
このメッセージを削除
このメッセージに返信
著者: admin
日付:  
To: exim-dev
題目: [exim-dev] [Bug 2820] New: out-of-bounds read
https://bugs.exim.org/show_bug.cgi?id=2820

            Bug ID: 2820
           Summary: out-of-bounds read
           Product: Exim
           Version: 4.96
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Logging
          Assignee: unallocated@???
          Reporter: z11pany@???
                CC: exim-dev@???


I have discovered an out-of-bounds read at log.c:1006, found when fuzzing.

When we run it with the command "exim -bd -d -oX 25", the variable
"string_datestamp_offset" is initialized to "-1", resulting the bug.
The full ASAN report is shown below:
==82433==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000012e905f at pc 0x0000004308a9 bp 0x7ffdc5130c10 sp 0x7ffdc51303b0
READ of size 1 at 0x0000012e905f thread T0
    #0 0x4308a8 in strncmp
/local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:471:3
    #1 0x59fb28 in log_write
/home/pany/test/exim-aflnet/src/build-Linux-x86_64/log.c:1006:11
    #2 0x4e0e4c in daemon_go
/home/pany/test/exim-aflnet/src/build-Linux-x86_64/daemon.c:1702:3
    #3 0x531e7f in main
/home/pany/test/exim-aflnet/src/build-Linux-x86_64/exim.c:4811:3
    #4 0x7fe47774483f in __libc_start_main
/build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x41cab8 in _start
(/home/pany/test/exim-aflnet/src/build-Linux-x86_64/exim+0x41cab8)


0x0000012e905f is located 1 bytes to the left of global variable 'mainlog_name'
defined in 'log.c:30:15' (0x12e9060) of size 256
0x0000012e905f is located 55 bytes to the right of global variable
'mainlog_datestamp' defined in 'log.c:34:16' (0x12e9020) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow
/local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:471:3
in strncmp
Shadow bytes around the buggy address:
  0x0000802551b0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000802551c0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000802551d0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000802551e0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
  0x0000802551f0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
=>0x000080255200: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x000080255210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080255220: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x000080255230: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x000080255240: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080255250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==82433==ABORTING


--
You are receiving this mail because:
You are on the CC list for the bug.