[asterisk-bugs] [JIRA] (ASTERISK-24804) ASAN heap-buffer-overflow c_setpat

Badalian Vyacheslav (JIRA) noreply at issues.asterisk.org
Wed Feb 18 23:21:34 CST 2015


    [ https://issues.asterisk.org/jira/browse/ASTERISK-24804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=224997#comment-224997 ] 

Badalian Vyacheslav commented on ASTERISK-24804:
------------------------------------------------

Bad....

{code}
[root at vm-asterisk02t asterisk-11.15.0]# rpm -qa | grep libedit
libedit-devel-2.11-4.20080712cvs.1.el6.x86_64
libedit-2.11-4.20080712cvs.1.el6.x86_64
{code}

I recompiled asterisk and retried. Bug still here.

{code}
vm-asterisk02t*CLI> =================================================================
==25666==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001880 at pc 0x3b58231608 bp 0x7fffcc10eac0 sp 0x7fffcc10ea98
READ of size 1025 at 0x619000001880 thread T0
    #0 0x3b58231607 in strlen (/usr/lib64/libasan.so.1+0x3b58231607)
    #1 0x7fadea2d12d0 in c_setpat (/usr/lib64/libedit.so.0+0x132d0)
    #2 0x7fadea2ca9d7 in ed_search_prev_history (/usr/lib64/libedit.so.0+0xc9d7)
    #3 0x7fadea2cf48d in el_gets (/usr/lib64/libedit.so.0+0x1148d)
    #4 0x47c1a6 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3182
    #5 0x42a4e2 in main /root/asterisk-11.15.0/main/asterisk.c:4029
    #6 0x3b5521ed5c in __libc_start_main (/lib64/libc.so.6+0x3b5521ed5c)
    #7 0x42d194 (/usr/sbin/asterisk+0x42d194)

0x619000001880 is located 0 bytes to the right of 1024-byte region [0x619000001480,0x619000001880)
allocated by thread T0 here:
    #0 0x3b582547ef in malloc (/usr/lib64/libasan.so.1+0x3b582547ef)
    #1 0x7fadea2d1bfd in search_init (/usr/lib64/libedit.so.0+0x13bfd)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 strlen
Shadow bytes around the buggy address:
  0x0c327fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff82f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8310:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==25666==ABORTING

{code}

> ASAN heap-buffer-overflow c_setpat
> ----------------------------------
>
>                 Key: ASTERISK-24804
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24804
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Core/General
>    Affects Versions: 11.15.0
>            Reporter: Badalian Vyacheslav
>            Severity: Minor
>
> To reproduce 
> run {{asterisk -r}}
> and {{type 'з'}} (Add RU keyboard UTF8 and type 'p' key)
> {code}
> ==2802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001d80 at pc 0x77585e bp 0x7fff723064e0 sp 0x7fff723064d8
> READ of size 1 at 0x619000001d80 thread T0
>     #0 0x77585d in c_setpat /root/asterisk-11.15.0/main/editline/search.c:184
>     #1 0x776b0e in ed_search_prev_history /root/asterisk-11.15.0/main/editline/common.c:756
>     #2 0x78707c in el_gets /root/asterisk-11.15.0/main/editline/read.c:475
>     #3 0x47c316 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3182
>     #4 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
>     #5 0x7f5190f71d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
>     #6 0x42d304 (/usr/sbin/asterisk+0x42d304)
> 0x619000001d80 is located 0 bytes to the right of 1024-byte region [0x619000001980,0x619000001d80)
> allocated by thread T0 here:
>     #0 0x394ae547ef in malloc (/usr/lib64/libasan.so.1+0x394ae547ef)
>     #1 0x780b89 in search_init /root/asterisk-11.15.0/main/editline/search.c:73
>     #2 0x780b89 in el_init /root/asterisk-11.15.0/main/editline/el.c:92
>     #3 0x46d43b in ast_el_initialize /root/asterisk-11.15.0/main/asterisk.c:2988
>     #4 0x47c5a4 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3174
>     #5 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
>     #6 0x7f5190f71d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
> SUMMARY: AddressSanitizer: heap-buffer-overflow /root/asterisk-11.15.0/main/editline/search.c:184 c_setpat
> Shadow bytes around the buggy address:
>   0x0c327fff8360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff8380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c327fff83b0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c327fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c327fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c327fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==2802==ABORTING
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
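Editor's added example (not code from the Asterisk project, libedit, or the reporter). Both traces above have the same shape: strlen() in c_setpat reads 1025 bytes from a 1024-byte heap region allocated in search_init, stopping 0 bytes to the right of it. That is the signature of a fixed-size string buffer that was filled to capacity without a terminating NUL, so the next unbounded length scan runs off the end. The constructed C below (names, sizes and inputs are assumptions; only the 1024-byte size is taken from the report) shows the unterminated-buffer condition detected with bounded calls instead of triggering the over-read, beside a hardened store that measures with a bound, refuses input that does not fit, and always terminates.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAT_SIZE 1024   /* same size as the heap region in the ASAN report */

/* Bounded check for a terminator within the buffer; memchr cannot over-read. */
int pattern_is_terminated(const char *pat)
{
    return memchr(pat, '\0', PAT_SIZE) != NULL;
}

/* Constructed unsafe store (not libedit's code): copies at most PAT_SIZE bytes
 * and never writes a terminator. When the input fills the buffer exactly, a
 * later strlen(pat) keeps scanning past byte 1023, which is the shape of the
 * report above: READ of size 1025 ending 0 bytes right of a 1024-byte region. */
void set_pattern_unsafe(char *pat, const char *src, size_t len)
{
    memcpy(pat, src, len < PAT_SIZE ? len : PAT_SIZE);
}

/* Hardened store: measure with a bound, reserve one byte for the terminator,
 * reject input that does not fit (no silent truncation), always terminate. */
int set_pattern_safe(char *pat, const char *src)
{
    size_t n = strnlen(src, PAT_SIZE);
    if (n >= PAT_SIZE) {
        pat[0] = '\0';    /* leave the buffer terminated even on failure */
        return -1;
    }
    memcpy(pat, src, n);
    pat[n] = '\0';
    return 0;
}

/* Length query that stays inside the buffer even if it is unterminated;
 * returns PAT_SIZE in that case instead of walking off the end. */
size_t pattern_length(const char *pat)
{
    return strnlen(pat, PAT_SIZE);
}

/* Constructed over-long input: PAT_SIZE non-NUL bytes, then a terminator. */
static void make_overlong_input(char *src)
{
    memset(src, 'p', PAT_SIZE);
    src[PAT_SIZE] = '\0';
}

/* Returns 1 when the unsafe store leaves the buffer unterminated and the bounded
 * length query therefore hits its cap: the condition ASAN flagged, observed
 * without performing the out-of-bounds read itself. */
int demo_unsafe_unterminated(void)
{
    char src[PAT_SIZE + 1];
    char *pat = malloc(PAT_SIZE);   /* heap region, as in the report */
    int r;
    if (pat == NULL)
        return 0;
    make_overlong_input(src);
    set_pattern_unsafe(pat, src, PAT_SIZE);
    r = !pattern_is_terminated(pat) && pattern_length(pat) == PAT_SIZE;
    free(pat);
    return r;
}

/* Returns 1 when the hardened store rejects the same input and still leaves a
 * terminated buffer behind. */
int demo_safe_rejects_overlong(void)
{
    char src[PAT_SIZE + 1];
    char pat[PAT_SIZE];
    make_overlong_input(src);
    return set_pattern_safe(pat, src) == -1 && pattern_is_terminated(pat);
}

/* Normal-length input is stored and measured as expected (returns 5). */
size_t demo_safe_short(void)
{
    char pat[PAT_SIZE];
    if (set_pattern_safe(pat, "hello") != 0)
        return 0;
    return pattern_length(pat);
}

int main(void)
{
    printf("unsafe store unterminated:   %d\n", demo_unsafe_unterminated());
    printf("safe store rejects overlong: %d\n", demo_safe_rejects_overlong());
    printf("safe store short length:     %zu\n", demo_safe_short());
    return 0;
}
```

Under ASAN the unsafe path plus a plain strlen() is exactly what produces the "READ of size 1025" line, so the two numbers in the report (region size 1024, read size 1025) are the quickest way to recognise this class: the read is one byte longer than the allocation because the terminator was found in the redzone. The fix is on the writing side (bounded copy, guaranteed terminator), with strnlen()/memchr() on the reading side as a second line of defence.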
