[asterisk-bugs] [JIRA] (ASTERISK-24717) ASAN: global-buffer-overflow codec_{ilbc | gsm | adpcm | ipc10}
Badalian Vyacheslav (JIRA)
noreply at issues.asterisk.org
Fri Apr 3 04:18:33 CDT 2015
[ https://issues.asterisk.org/jira/browse/ASTERISK-24717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=225759#comment-225759 ]
Badalian Vyacheslav edited comment on ASTERISK-24717 at 4/3/15 4:16 AM:
------------------------------------------------------------------------
my analysis:
when you register the codec:
{code}
memcpy(tmp->buf + pvt->samples, f->data.ptr, f->datalen);
{code}
{code}
(gdb) p f->datalen
$1 = 320
(gdb) p f->data.ptr
$2 = (void *) 0x7fffdaa554c0 <ex_slin8>
{code}
but ex_slin8 has size 160. You get a buffer overflow!
maybe datalen must be 320, or you must use {{ex_slin16}}?
looks like a mistake in
./include/asterisk/slin.h
{code}
- .datalen = sizeof(ex_slin8)*2,
+ .datalen = sizeof(ex_slin8),
{code}
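Review bot: the hunk changes only `.datalen`, while the `.samples` member of the same frame initializer is not shown; for signed linear audio samples must equal datalen / 2 (two bytes per 16-bit sample), so check that `.samples` is also derived from sizeof(ex_slin8) rather than left at a value that matched the old 320-byte datalen, otherwise the translator will still account for more input than it copies. The direction of the change does agree with the gdb output above (datalen 320 against a 160-byte ex_slin8). The hunk carries no `@@` header or surrounding context, so it is not clear which sample-frame function in slin.h it applies to, or whether the slin16 sample frame in the same header uses the same `*2` pattern and needs the same review.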
> ASAN: global-buffer-overflow codec_{ilbc | gsm | adpcm | ipc10}
> ---------------------------------------------------------------
>
> Key: ASTERISK-24717
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-24717
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Codecs/codec_adpcm, Codecs/codec_gsm, Codecs/codec_ilbc, Codecs/codec_lpc10
> Affects Versions: 11.15.0, 11.16.0
> Reporter: Badalian Vyacheslav
>
> {code}
> =================================================================
> ==22341==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f02e83058a0 at pc 0x7f03017a7832 bp 0x7fffe8cb66d0 sp 0x7fffe8cb5e90
> READ of size 320 at 0x7f02e83058a0 thread T0
> #0 0x7f03017a7831 (/usr/lib64/libasan.so.1+0x2e831)
> #1 0x7f02e80e5684 in memcpy /usr/include/bits/string3.h:52
> #2 0x7f02e80e5684 in lintoilbc_framein /root/asterisk-11.15.0/codecs/codec_ilbc.c:144
> #3 0x73cca5 in framein /root/asterisk-11.15.0/main/translate.c:359
> #4 0x73cca5 in generate_computational_cost /root/asterisk-11.15.0/main/translate.c:609
> #5 0x743a6c in __ast_register_translator /root/asterisk-11.15.0/main/translate.c:1110
> #6 0x7f02e80e57c1 in load_module /root/asterisk-11.15.0/codecs/codec_ilbc.c:223
> #7 0x61c5c3 in start_resource /root/asterisk-11.15.0/main/loader.c:861
> #8 0x61e73f in start_resource /root/asterisk-11.15.0/main/loader.c:1053
> #9 0x61e73f in load_resource_list /root/asterisk-11.15.0/main/loader.c:1063
> #10 0x62142f in load_modules /root/asterisk-11.15.0/main/loader.c:1216
> #11 0x429cd3 in main /root/asterisk-11.15.0/main/asterisk.c:4337
> #12 0x7f0301200d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
> #13 0x42d394 (/usr/sbin/asterisk+0x42d394)
> 0x7f02e83058a0 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_ilbc.c' (0x7f02e8305800) of size 160
> 0x7f02e83058a0 is located 32 bytes to the left of global variable 'f' from 'codec_ilbc.c' (0x7f02e83058c0) of size 368
> 0x7f02e83058a0 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_ilbc.c' (0x7f02e8305800) of size 160
> 0x7f02e83058a0 is located 32 bytes to the left of global variable 'f' from 'codec_ilbc.c' (0x7f02e83058c0) of size 368
> 0x7f02e83058a0 is located 139650462144576 bytes insideASAN:SIGSEGV
> ==22341==AddressSanitizer: while reporting a bug found another one.Ignoring.
> {code}
> {code}
> =================================================================
> ==22382==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fc20ef2d520 at pc 0x7fc2274a7832 bp 0x7fff79735070 sp 0x7fff79734830
> READ of size 320 at 0x7fc20ef2d520 thread T0
> #0 0x7fc2274a7831 (/usr/lib64/libasan.so.1+0x2e831)
> #1 0x7fc20ed1a7a0 in memcpy /usr/include/bits/string3.h:52
> #2 0x7fc20ed1a7a0 in lintogsm_framein /root/asterisk-11.15.0/codecs/codec_gsm.c:133
> #3 0x73cca5 in framein /root/asterisk-11.15.0/main/translate.c:359
> #4 0x73cca5 in generate_computational_cost /root/asterisk-11.15.0/main/translate.c:609
> #5 0x743a6c in __ast_register_translator /root/asterisk-11.15.0/main/translate.c:1110
> #6 0x7fc20ed1a5b1 in load_module /root/asterisk-11.15.0/codecs/codec_gsm.c:221
> #7 0x61c5c3 in start_resource /root/asterisk-11.15.0/main/loader.c:861
> #8 0x61e73f in start_resource /root/asterisk-11.15.0/main/loader.c:1053
> #9 0x61e73f in load_resource_list /root/asterisk-11.15.0/main/loader.c:1063
> #10 0x62142f in load_modules /root/asterisk-11.15.0/main/loader.c:1216
> #11 0x429cd3 in main /root/asterisk-11.15.0/main/asterisk.c:4337
> #12 0x7fc226f00d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
> #13 0x42d394 (/usr/sbin/asterisk+0x42d394)
> 0x7fc20ef2d520 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_gsm.c' (0x7fc20ef2d480) of size 160
> 0x7fc20ef2d520 is located 32 bytes to the left of global variable 'f' from 'codec_gsm.c' (0x7fc20ef2d540) of size 368
> 0x7fc20ef2d520 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_gsm.c' (0x7fc20ef2d480) of size 160
> 0x7fc20ef2d520 is located 32 bytes to the left of global variable 'f' from 'codec_gsm.c' (0x7fc20ef2d540) of size 368
> 0x7fc20ef2d520 is located 140471451178176 bytes insideASAN:SIGSEGV
> ==22382==AddressSanitizer: while reporting a bug found another one.Ignoring.
> {code}
> {code}
> =================================================================
> ==22423==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fdbfe4293e0 at pc 0x7fdc13449832 bp 0x7fff496a7b10 sp 0x7fff496a72d0
> READ of size 320 at 0x7fdbfe4293e0 thread T0
> #0 0x7fdc13449831 (/usr/lib64/libasan.so.1+0x2e831)
> #1 0x7fdbfe227534 in memcpy /usr/include/bits/string3.h:52
> #2 0x7fdbfe227534 in lintoadpcm_framein /root/asterisk-11.15.0/codecs/codec_adpcm.c:252
> #3 0x73cca5 in framein /root/asterisk-11.15.0/main/translate.c:359
> #4 0x73cca5 in generate_computational_cost /root/asterisk-11.15.0/main/translate.c:609
> #5 0x743a6c in __ast_register_translator /root/asterisk-11.15.0/main/translate.c:1110
> #6 0x7fdbfe227631 in load_module /root/asterisk-11.15.0/codecs/codec_adpcm.c:338
> #7 0x61c5c3 in start_resource /root/asterisk-11.15.0/main/loader.c:861
> #8 0x61e73f in start_resource /root/asterisk-11.15.0/main/loader.c:1053
> #9 0x61e73f in load_resource_list /root/asterisk-11.15.0/main/loader.c:1063
> #10 0x62142f in load_modules /root/asterisk-11.15.0/main/loader.c:1216
> #11 0x429cd3 in main /root/asterisk-11.15.0/main/asterisk.c:4337
> #12 0x7fdc12ea2d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
> #13 0x42d394 (/usr/sbin/asterisk+0x42d394)
> 0x7fdbfe4293e0 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_adpcm.c' (0x7fdbfe429340) of size 160
> 0x7fdbfe4293e0 is located 32 bytes to the left of global variable 'f' from 'codec_adpcm.c' (0x7fdbfe429400) of size 368
> 0x7fdbfe4293e0 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_adpcm.c' (0x7fdbfe429340) of size 160
> 0x7fdbfe4293e0 is located 32 bytes to the left of global variable 'f' from 'codec_adpcm.c' (0x7fdbfe429400) of size 368
> 0x7fdbfe4293e0 is located 140582840341376 bytes insideASAN:SIGSEGV
> ==22423==AddressSanitizer: while reporting a bug found another one.Ignoring.
> {code}
> {code}
> =================================================================
> ==22502==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f68d9ab6960 at pc 0x7f68e7332832 bp 0x7fff4d2a6810 sp 0x7fff4d2a5fd0
> READ of size 320 at 0x7f68d9ab6960 thread T0
> #0 0x7f68e7332831 (/usr/lib64/libasan.so.1+0x2e831)
> #1 0x7f68d989e050 in memcpy /usr/include/bits/string3.h:52
> #2 0x7f68d989e050 in lintolpc10_framein /root/asterisk-11.15.0/codecs/codec_lpc10.c:155
> #3 0x73cca5 in framein /root/asterisk-11.15.0/main/translate.c:359
> #4 0x73cca5 in generate_computational_cost /root/asterisk-11.15.0/main/translate.c:609
> #5 0x743a6c in __ast_register_translator /root/asterisk-11.15.0/main/translate.c:1110
> #6 0x7f68d989de91 in load_module /root/asterisk-11.15.0/codecs/codec_lpc10.c:249
> #7 0x61c5c3 in start_resource /root/asterisk-11.15.0/main/loader.c:861
> #8 0x61e73f in start_resource /root/asterisk-11.15.0/main/loader.c:1053
> #9 0x61e73f in load_resource_list /root/asterisk-11.15.0/main/loader.c:1063
> #10 0x62142f in load_modules /root/asterisk-11.15.0/main/loader.c:1216
> #11 0x429cd3 in main /root/asterisk-11.15.0/main/asterisk.c:4337
> #12 0x7f68e6d8bd5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
> #13 0x42d394 (/usr/sbin/asterisk+0x42d394)
> 0x7f68d9ab6960 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_lpc10.c' (0x7f68d9ab68c0) of size 160
> 0x7f68d9ab6960 is located 32 bytes to the left of global variable 'f' from 'codec_lpc10.c' (0x7f68d9ab6980) of size 368
> 0x7f68d9ab6960 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_lpc10.c' (0x7f68d9ab68c0) of size 160
> 0x7f68d9ab6960 is located 32 bytes to the left of global variable 'f' from 'codec_lpc10.c' (0x7f68d9ab6980) of size 368
> 0x7f68d9ab6960 is located 140088305215744 bytes insideASAN:SIGSEGV
> ==22502==AddressSanitizer: while reporting a bug found another one.Ignoring.
> {code}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
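The bug shape discussed in the comment and the ASAN reports, as an added example that is not Asterisk code and not part of the original message: a sample frame whose datalen claims more bytes than its backing buffer holds, the framein-style memcpy that reads past the buffer, and the two checks (frame consistency and destination free space) that reject it. The names slin_frame, pvt_buf, slin_frame_valid, framein_checked, demo_framein and frames_accepted are hypothetical; the ex_slin8 array here is a constructed zero-filled stand-in, and only the sizes (160-byte buffer, datalen 320) come from the report.

```c
/*
 * Added example modelling ASTERISK-24717, not Asterisk code.
 * All names except ex_slin8 are hypothetical stand-ins.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BYTES_PER_SLIN_SAMPLE 2   /* 16-bit signed linear PCM */

/* Constructed stand-in for ex_slin8: 160 bytes = 80 samples of 8 kHz audio (10 ms). */
static uint8_t ex_slin8[160];

struct slin_frame {
    const uint8_t *data;   /* plays the role of f->data.ptr */
    size_t datalen;        /* plays the role of f->datalen (bytes) */
    size_t samples;        /* plays the role of f->samples */
};

/* The reported shape: datalen is twice the size of the buffer it points at. */
static const struct slin_frame bad_sample = {
    .data = ex_slin8,
    .datalen = sizeof(ex_slin8) * 2,
    .samples = sizeof(ex_slin8) / BYTES_PER_SLIN_SAMPLE,
};

/* Consistent shape: datalen equals the backing buffer size. */
static const struct slin_frame good_sample = {
    .data = ex_slin8,
    .datalen = sizeof(ex_slin8),
    .samples = sizeof(ex_slin8) / BYTES_PER_SLIN_SAMPLE,
};

/*
 * Invariant a sample-frame constructor should enforce: datalen must fit in
 * the backing buffer and must agree with the sample count.
 */
int slin_frame_valid(const struct slin_frame *f, size_t backing_size)
{
    if (f->datalen > backing_size)
        return 0;   /* memcpy would read past the end of the buffer */
    if (f->datalen != f->samples * BYTES_PER_SLIN_SAMPLE)
        return 0;   /* datalen and samples disagree */
    return 1;
}

/* Translator private buffer: room for four 160-byte frames. */
struct pvt_buf {
    uint8_t buf[640];
    size_t used;
};

/*
 * Checked counterpart of the pattern in the report:
 *     memcpy(tmp->buf + pvt->samples, f->data.ptr, f->datalen);
 * Both the source length and the destination free space are validated.
 * Returns the number of bytes appended, or -1 if the frame was rejected.
 */
long framein_checked(struct pvt_buf *pvt, const struct slin_frame *f, size_t backing_size)
{
    if (!slin_frame_valid(f, backing_size))
        return -1;
    if (f->datalen > sizeof(pvt->buf) - pvt->used)
        return -1;  /* would overflow the destination */
    memcpy(pvt->buf + pvt->used, f->data, f->datalen);
    pvt->used += f->datalen;
    return (long)f->datalen;
}

/* One framein of the chosen frame into a fresh private buffer. */
long demo_framein(int use_bad_frame)
{
    struct pvt_buf pvt = {0};
    return framein_checked(&pvt, use_bad_frame ? &bad_sample : &good_sample, sizeof(ex_slin8));
}

/* How many of n consistent frames fit before the destination check trips. */
int frames_accepted(int n)
{
    struct pvt_buf pvt = {0};
    int accepted = 0;
    for (int i = 0; i < n; i++) {
        if (framein_checked(&pvt, &good_sample, sizeof(ex_slin8)) < 0)
            break;
        accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("bad sample frame (datalen %zu): %ld\n", bad_sample.datalen, demo_framein(1));
    printf("good sample frame (datalen %zu): %ld\n", good_sample.datalen, demo_framein(0));
    printf("frames accepted out of 5: %d\n", frames_accepted(5));
    return 0;
}
```

The two checks are independent: slin_frame_valid catches the mis-sized sample frame at registration time (the path in the stack traces, where generate_computational_cost feeds the sample frame into framein), and the destination check guards the per-call memcpy against a source that is well-formed but larger than the space left in the translator's buffer.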