[OpenSIPS-Devel] Buffer overflow
Liviu Chircu
liviu at opensips.org
Wed May 1 11:42:29 EDT 2019
Hi Dan,
Thanks for the hint -- just pushed a fix. Also, thanks for the ASAN tip :)
On 4/30/19 7:15 PM, Dan Pascu wrote:
> There seems to be some buffer overflow in the code that flattens the configuration:
>
> Apr 30 18:00:55 node15 opensips: ==7892==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000018800 at pc 0x7f7c1bf946aa bp 0x7ffc90558800 sp 0x7ffc90557fb0
> Apr 30 18:00:55 node15 opensips: WRITE of size 54 at 0x633000018800 thread T0
> Apr 30 18:00:55 node15 opensips: #0 0x7f7c1bf946a9 in vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9)
> Apr 30 18:00:55 node15 opensips: #1 0x7f7c1bf949f6 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x549f6)
> Apr 30 18:00:55 node15 opensips: #2 0x5649c1d07761 in __flatten_opensips_cfg cfg_pp.c:280
> Apr 30 18:00:55 node15 opensips: #3 0x5649c1d094fc in flatten_opensips_cfg cfg_pp.c:318
> Apr 30 18:00:55 node15 opensips: #4 0x5649c1d094fc in parse_opensips_cfg cfg_pp.c:77
> Apr 30 18:00:55 node15 opensips: #5 0x5649c1c39cf9 in main main.c:1205
> Apr 30 18:00:55 node15 opensips: #6 0x7f7c1bd7409a in __libc_start_main ../csu/libc-start.c:308
> Apr 30 18:00:55 node15 opensips: #7 0x5649c1c41bc9 in _start (/home/dan/work/opensips/build/opensips-xs/opensips+0xe5bc9)
> Apr 30 18:00:55 node15 opensips: 0x633000018800 is located 0 bytes to the right of 98304-byte region [0x633000000800,0x633000018800)
> Apr 30 18:00:55 node15 opensips: allocated by thread T0 here:
> Apr 30 18:00:55 node15 opensips: #0 0x7f7c1c029740 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9740)
> Apr 30 18:00:55 node15 opensips: #1 0x5649c1d069fb in extend_cfg_buf cfg_pp.c:117
> Apr 30 18:00:55 node15 opensips: #2 0x5649c1d076bb in __flatten_opensips_cfg cfg_pp.c:274
> Apr 30 18:00:55 node15 opensips: #3 0x5649c1d094fc in flatten_opensips_cfg cfg_pp.c:318
> Apr 30 18:00:55 node15 opensips: #4 0x5649c1d094fc in parse_opensips_cfg cfg_pp.c:77
> Apr 30 18:00:55 node15 opensips: #5 0x5649c1c39cf9 in main main.c:1205
> Apr 30 18:00:55 node15 opensips: #6 0x7f7c1bd7409a in __libc_start_main ../csu/libc-start.c:308
> Apr 30 18:00:55 node15 opensips: SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9) in vsprintf
> Apr 30 18:00:55 node15 opensips: Shadow bytes around the buggy address:
> Apr 30 18:00:55 node15 opensips: 0x0c667fffb0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 30 18:00:55 node15 opensips: 0x0c667fffb0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 30 18:00:55 node15 opensips: 0x0c667fffb0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 30 18:00:55 node15 opensips: 0x0c667fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 30 18:00:55 node15 opensips: 0x0c667fffb0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Apr 30 18:00:55 node15 opensips: =>0x0c667fffb100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 30 18:00:55 node15 opensips: 0x0c667fffb110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 30 18:00:55 node15 opensips: 0x0c667fffb120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 30 18:00:55 node15 opensips: 0x0c667fffb130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 30 18:00:55 node15 opensips: 0x0c667fffb140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 30 18:00:55 node15 opensips: 0x0c667fffb150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Apr 30 18:00:55 node15 opensips: Shadow byte legend (one shadow byte represents 8 application bytes):
> Apr 30 18:00:55 node15 opensips: Addressable: 00
> Apr 30 18:00:55 node15 opensips: Partially addressable: 01 02 03 04 05 06 07
> Apr 30 18:00:55 node15 opensips: Heap left redzone: fa
> Apr 30 18:00:55 node15 opensips: Freed heap region: fd
> Apr 30 18:00:55 node15 opensips: Stack left redzone: f1
> Apr 30 18:00:55 node15 opensips: Stack mid redzone: f2
> Apr 30 18:00:55 node15 opensips: Stack right redzone: f3
> Apr 30 18:00:55 node15 opensips: Stack after return: f5
> Apr 30 18:00:55 node15 opensips: Stack use after scope: f8
> Apr 30 18:00:55 node15 opensips: Global redzone: f9
> Apr 30 18:00:55 node15 opensips: Global init order: f6
> Apr 30 18:00:55 node15 opensips: Poisoned by user: f7
> Apr 30 18:00:55 node15 opensips: Container overflow: fc
> Apr 30 18:00:55 node15 opensips: Array cookie: ac
> Apr 30 18:00:55 node15 opensips: Intra object redzone: bb
> Apr 30 18:00:55 node15 opensips: ASan internal: fe
> Apr 30 18:00:55 node15 opensips: Left alloca redzone: ca
> Apr 30 18:00:55 node15 opensips: Right alloca redzone: cb
>
> --
> Dan
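The quoted ASAN report shows sprintf() writing 54 bytes starting exactly at the end ("0 bytes to the right") of a 98304-byte region that extend_cfg_buf had grown with realloc(), which is the signature of a formatted append that does not check remaining capacity before writing. The following is an added illustration, not OpenSIPS code (the actual cause and the pushed fix are not shown on this page): a hypothetical growable buffer whose append measures the formatted line with vsnprintf() first, grows the buffer, and only then writes with an explicit bound, so ASAN has nothing to flag even when a line lands exactly on the old boundary.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Growable NUL-terminated text buffer (hypothetical, not OpenSIPS's). */
struct cfg_buf { char *data; size_t len, cap; };

/* Ensure room for `need` more bytes plus the NUL, doubling via realloc(). */
static int cfg_buf_reserve(struct cfg_buf *b, size_t need)
{
    size_t want = b->len + need + 1, ncap = b->cap ? b->cap : 64;
    if (want <= b->cap) return 0;
    while (ncap < want)
        ncap *= 2;
    char *p = realloc(b->data, ncap);
    if (!p) return -1;
    b->data = p;
    b->cap = ncap;
    return 0;
}

/* Append a formatted line; returns bytes appended or -1 on failure.
 * An unchecked sprintf(b->data + b->len, ...) is the pattern ASAN flagged
 * above: once a line fills the region, the next write starts exactly at
 * its end. Measure with vsnprintf(NULL, 0, ...), grow, then write bounded. */
int cfg_buf_appendf(struct cfg_buf *b, const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0 || cfg_buf_reserve(b, (size_t)n) < 0) {
        va_end(ap2);
        return -1;
    }
    vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap2);
    va_end(ap2);
    b->len += (size_t)n;
    return n;
}

/* Flatten `lines` constructed "file:line: text" entries (well past the
 * 64-byte start, so the buffer regrows several times); returns total length. */
size_t flatten_sample(struct cfg_buf *b, int lines)
{
    for (int i = 1; i <= lines; i++)
        if (cfg_buf_appendf(b, "%s:%d: %s\n", "opensips.cfg", i,
                            "listen=udp:127.0.0.1:5060") < 0)
            return 0;
    return b->len;
}
```

Built with -fsanitize=address, this stays silent; swapping the bounded vsnprintf() for a bare sprintf() and dropping the reserve call reproduces the same "heap-buffer-overflow ... in vsprintf" class of report.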