[asterisk-bugs] [JIRA] (ASTERISK-24801) ASAN: ast_el_read_char stack-buffer-overflow

Badalian Vyacheslav (JIRA) noreply at issues.asterisk.org
Tue Feb 17 11:49:35 CST 2015


     [ https://issues.asterisk.org/jira/browse/ASTERISK-24801?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Badalian Vyacheslav updated ASTERISK-24801:
-------------------------------------------

    Description: 
stack-buffer-overflow found by ASAN. 

It is difficult to replay. Clearly something with TAB in addition to CLI. I think if I type Russian characters and click TAB.

ASAN debug:
{code}
==30507==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5322d6ff at pc 0x476c64 bp 0x7fff5322d620 sp 0x7fff5322d618
READ of size 1 at 0x7fff5322d6ff thread T0
    #0 0x476c63 in ast_el_read_char /root/asterisk-11.15.0/main/asterisk.c:2588
    #1 0x7831b9 in el_getc /root/asterisk-11.15.0/main/editline/read.c:350
    #2 0x786e6f in read_getcmd /root/asterisk-11.15.0/main/editline/read.c:243
    #3 0x786e6f in el_gets /root/asterisk-11.15.0/main/editline/read.c:446
    #4 0x47c316 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3182
    #5 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
    #6 0x7fd2ed7c3d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
    #7 0x42d304 (/usr/sbin/asterisk+0x42d304)

Address 0x7fff5322d6ff is located in stack of thread T0 at offset 95 in frame
    #0 0x47644f in ast_el_read_char /root/asterisk-11.15.0/main/asterisk.c:2513

  This frame has 2 object(s):
    [32, 48) 'fds'
    [96, 608) 'buf' <== Memory access at offset 95 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/asterisk-11.15.0/main/asterisk.c:2588 ast_el_read_char
Shadow bytes around the buggy address:
  0x10006a63da80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63da90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63daa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63dac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006a63dad0: 00 00 00 00 f1 f1 f1 f1 00 00 f4 f4 f2 f2 f2[f2]
  0x10006a63dae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63daf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63db00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63db10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63db20: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==30507==ABORTING

{code}

  was:
It is difficult to replay. Clearly something with TAB in addition to CLI. I think if I type Russian characters and click TAB.

ASAN debug:
{code}
==30507==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5322d6ff at pc 0x476c64 bp 0x7fff5322d620 sp 0x7fff5322d618
READ of size 1 at 0x7fff5322d6ff thread T0
    #0 0x476c63 in ast_el_read_char /root/asterisk-11.15.0/main/asterisk.c:2588
    #1 0x7831b9 in el_getc /root/asterisk-11.15.0/main/editline/read.c:350
    #2 0x786e6f in read_getcmd /root/asterisk-11.15.0/main/editline/read.c:243
    #3 0x786e6f in el_gets /root/asterisk-11.15.0/main/editline/read.c:446
    #4 0x47c316 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3182
    #5 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
    #6 0x7fd2ed7c3d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
    #7 0x42d304 (/usr/sbin/asterisk+0x42d304)

Address 0x7fff5322d6ff is located in stack of thread T0 at offset 95 in frame
    #0 0x47644f in ast_el_read_char /root/asterisk-11.15.0/main/asterisk.c:2513

  This frame has 2 object(s):
    [32, 48) 'fds'
    [96, 608) 'buf' <== Memory access at offset 95 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/asterisk-11.15.0/main/asterisk.c:2588 ast_el_read_char
Shadow bytes around the buggy address:
  0x10006a63da80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63da90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63daa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63dac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006a63dad0: 00 00 00 00 f1 f1 f1 f1 00 00 f4 f4 f2 f2 f2[f2]
  0x10006a63dae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63daf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63db00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63db10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006a63db20: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==30507==ABORTING

{code}


> ASAN: ast_el_read_char stack-buffer-overflow
> --------------------------------------------
>
>                 Key: ASTERISK-24801
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24801
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>            Reporter: Badalian Vyacheslav
>
> stack-buffer-overflow found by ASAN. 
> It is difficult to replay. Clearly something with TAB in addition to CLI. I think if I type Russian characters and click TAB.
> ASAN debug:
> {code}
> ==30507==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5322d6ff at pc 0x476c64 bp 0x7fff5322d620 sp 0x7fff5322d618
> READ of size 1 at 0x7fff5322d6ff thread T0
>     #0 0x476c63 in ast_el_read_char /root/asterisk-11.15.0/main/asterisk.c:2588
>     #1 0x7831b9 in el_getc /root/asterisk-11.15.0/main/editline/read.c:350
>     #2 0x786e6f in read_getcmd /root/asterisk-11.15.0/main/editline/read.c:243
>     #3 0x786e6f in el_gets /root/asterisk-11.15.0/main/editline/read.c:446
>     #4 0x47c316 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3182
>     #5 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
>     #6 0x7fd2ed7c3d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
>     #7 0x42d304 (/usr/sbin/asterisk+0x42d304)
> Address 0x7fff5322d6ff is located in stack of thread T0 at offset 95 in frame
>     #0 0x47644f in ast_el_read_char /root/asterisk-11.15.0/main/asterisk.c:2513
>   This frame has 2 object(s):
>     [32, 48) 'fds'
>     [96, 608) 'buf' <== Memory access at offset 95 underflows this variable
> HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
>       (longjmp and C++ exceptions *are* supported)
> SUMMARY: AddressSanitizer: stack-buffer-overflow /root/asterisk-11.15.0/main/asterisk.c:2588 ast_el_read_char
> Shadow bytes around the buggy address:
>   0x10006a63da80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63da90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63daa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63dac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x10006a63dad0: 00 00 00 00 f1 f1 f1 f1 00 00 f4 f4 f2 f2 f2[f2]
>   0x10006a63dae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63daf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63db00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63db10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63db20: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==30507==ABORTING
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list