[OpenSIPS-Devel] Buffer overflow

Liviu Chircu liviu at opensips.org
Wed May 1 11:42:29 EDT 2019


Hi Dan,

Thanks for the hint -- just pushed a fix.  Also, thanks for the ASAN tip :)

On 4/30/19 7:15 PM, Dan Pascu wrote:
> There seems to be some buffer overflow in the code that flattens the configuration:
>
> Apr 30 18:00:55 node15 opensips: ==7892==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000018800 at pc 0x7f7c1bf946aa bp 0x7ffc90558800 sp 0x7ffc90557fb0
> Apr 30 18:00:55 node15 opensips: WRITE of size 54 at 0x633000018800 thread T0
> Apr 30 18:00:55 node15 opensips:     #0 0x7f7c1bf946a9 in vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9)
> Apr 30 18:00:55 node15 opensips:     #1 0x7f7c1bf949f6 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x549f6)
> Apr 30 18:00:55 node15 opensips:     #2 0x5649c1d07761 in __flatten_opensips_cfg cfg_pp.c:280
> Apr 30 18:00:55 node15 opensips:     #3 0x5649c1d094fc in flatten_opensips_cfg cfg_pp.c:318
> Apr 30 18:00:55 node15 opensips:     #4 0x5649c1d094fc in parse_opensips_cfg cfg_pp.c:77
> Apr 30 18:00:55 node15 opensips:     #5 0x5649c1c39cf9 in main main.c:1205
> Apr 30 18:00:55 node15 opensips:     #6 0x7f7c1bd7409a in __libc_start_main ../csu/libc-start.c:308
> Apr 30 18:00:55 node15 opensips:     #7 0x5649c1c41bc9 in _start (/home/dan/work/opensips/build/opensips-xs/opensips+0xe5bc9)
> Apr 30 18:00:55 node15 opensips:
> Apr 30 18:00:55 node15 opensips: 0x633000018800 is located 0 bytes to the right of 98304-byte region [0x633000000800,0x633000018800)
> Apr 30 18:00:55 node15 opensips: allocated by thread T0 here:
> Apr 30 18:00:55 node15 opensips:     #0 0x7f7c1c029740 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9740)
> Apr 30 18:00:55 node15 opensips:     #1 0x5649c1d069fb in extend_cfg_buf cfg_pp.c:117
> Apr 30 18:00:55 node15 opensips:     #2 0x5649c1d076bb in __flatten_opensips_cfg cfg_pp.c:274
> Apr 30 18:00:55 node15 opensips:     #3 0x5649c1d094fc in flatten_opensips_cfg cfg_pp.c:318
> Apr 30 18:00:55 node15 opensips:     #4 0x5649c1d094fc in parse_opensips_cfg cfg_pp.c:77
> Apr 30 18:00:55 node15 opensips:     #5 0x5649c1c39cf9 in main main.c:1205
> Apr 30 18:00:55 node15 opensips:     #6 0x7f7c1bd7409a in __libc_start_main ../csu/libc-start.c:308
> Apr 30 18:00:55 node15 opensips:
> Apr 30 18:00:55 node15 opensips: SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9) in vsprintf
> Apr 30 18:00:55 node15 opensips: Shadow bytes around the buggy address:
> Apr 30 18:00:55 node15 opensips:   0x0c667fffb0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 30 18:00:55 node15 opensips:   0x0c667fffb0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 30 18:00:55 node15 opensips:   0x0c667fffb0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 30 18:00:55 node15 opensips:   0x0c667fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 30 18:00:55 node15 opensips:   0x0c667fffb0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 30 18:00:55 node15 opensips: =>0x0c667fffb100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 30 18:00:55 node15 opensips:   0x0c667fffb110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 30 18:00:55 node15 opensips:   0x0c667fffb120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 30 18:00:55 node15 opensips:   0x0c667fffb130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 30 18:00:55 node15 opensips:   0x0c667fffb140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 30 18:00:55 node15 opensips:   0x0c667fffb150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 30 18:00:55 node15 opensips: Shadow byte legend (one shadow byte represents 8 application bytes):
> Apr 30 18:00:55 node15 opensips:   Addressable:           00
> Apr 30 18:00:55 node15 opensips:   Partially addressable: 01 02 03 04 05 06 07
> Apr 30 18:00:55 node15 opensips:   Heap left redzone:       fa
> Apr 30 18:00:55 node15 opensips:   Freed heap region:       fd
> Apr 30 18:00:55 node15 opensips:   Stack left redzone:      f1
> Apr 30 18:00:55 node15 opensips:   Stack mid redzone:       f2
> Apr 30 18:00:55 node15 opensips:   Stack right redzone:     f3
> Apr 30 18:00:55 node15 opensips:   Stack after return:      f5
> Apr 30 18:00:55 node15 opensips:   Stack use after scope:   f8
> Apr 30 18:00:55 node15 opensips:   Global redzone:          f9
> Apr 30 18:00:55 node15 opensips:   Global init order:       f6
> Apr 30 18:00:55 node15 opensips:   Poisoned by user:        f7
> Apr 30 18:00:55 node15 opensips:   Container overflow:      fc
> Apr 30 18:00:55 node15 opensips:   Array cookie:            ac
> Apr 30 18:00:55 node15 opensips:   Intra object redzone:    bb
> Apr 30 18:00:55 node15 opensips:   ASan internal:           fe
> Apr 30 18:00:55 node15 opensips:   Left alloca redzone:     ca
> Apr 30 18:00:55 node15 opensips:   Right alloca redzone:    cb
>
> --
> Dan
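The ASAN report above is the textbook signature of a format-and-append bug: a 54-byte `sprintf` write lands exactly at the end of a 98304-byte region that `realloc` had just produced, so the buffer was grown, but not by enough for the whole formatted string. The following is an added example, not OpenSIPS code and not the fix Liviu pushed; it uses an invented `textbuf` type and a toy `flatten_sources` with made-up `# begin`/`# end` marker lines. It shows the pattern that makes this class of defect impossible: measure the formatted length with `vsnprintf(NULL, 0, ...)`, reserve that much plus the terminator, and only then write with the real remaining capacity as the bound.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable text buffer (not OpenSIPS's cfg_pp.c structures). */
struct textbuf {
    char *data;   /* heap block, NUL-terminated after every append */
    size_t len;   /* bytes used, excluding the terminating NUL */
    size_t cap;   /* bytes allocated */
};

/* Ensure room for `extra` more bytes plus the NUL; grow geometrically. */
int textbuf_reserve(struct textbuf *b, size_t extra)
{
    size_t need, ncap;
    char *p;

    if (extra > SIZE_MAX - b->len - 1)
        return -1;                      /* size_t arithmetic would wrap */
    need = b->len + extra + 1;
    if (need <= b->cap)
        return 0;                       /* already fits, no realloc */
    ncap = b->cap ? b->cap : 64;
    while (ncap < need) {
        if (ncap > SIZE_MAX / 2)
            return -1;
        ncap *= 2;
    }
    p = realloc(b->data, ncap);
    if (!p)
        return -1;                      /* old block is still valid on failure */
    b->data = p;
    b->cap = ncap;
    return 0;
}

/* Append formatted text. Measure first, reserve, then write with the real
 * remaining size as the bound so the write can never run past cap.
 * Returns the number of bytes appended, or -1 on error. */
int textbuf_appendf(struct textbuf *b, const char *fmt, ...)
{
    va_list ap, ap2;
    int n;

    va_start(ap, fmt);
    va_copy(ap2, ap);
    n = vsnprintf(NULL, 0, fmt, ap);    /* length only, nothing written */
    va_end(ap);
    if (n < 0 || textbuf_reserve(b, (size_t)n) < 0) {
        va_end(ap2);
        return -1;
    }
    vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap2);
    va_end(ap2);
    b->len += (size_t)n;
    return n;
}

void textbuf_free(struct textbuf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Toy "flatten": concatenate several named sources into one buffer with
 * begin/end marker lines. The marker format is invented for this example. */
int flatten_sources(struct textbuf *out, const char **names,
                    const char **bodies, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (textbuf_appendf(out, "# begin %s\n", names[i]) < 0 ||
            textbuf_appendf(out, "%s", bodies[i]) < 0 ||
            textbuf_appendf(out, "# end %s\n", names[i]) < 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    struct textbuf b = {0};
    const char *names[] = {"a.cfg", "b.cfg"};          /* constructed input */
    const char *bodies[] = {"x=1\n", "y=2\nz=3\n"};     /* constructed input */

    if (flatten_sources(&b, names, bodies, 2) < 0)
        return 1;
    fputs(b.data, stdout);
    printf("len=%zu cap=%zu\n", b.len, b.cap);
    textbuf_free(&b);
    return 0;
}
```

Building such code with `-fsanitize=address`, as Dan did, is the cheapest regression check: an append that ever writes past `cap` is reported with the exact allocation site, the way `extend_cfg_buf` shows up in the trace above.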