[asterisk-bugs] [JIRA] (ASTERISK-25714) ASAN:heap-buffer-overflow in logger.c

Richard Mudgett (JIRA) noreply at issues.asterisk.org
Fri Jan 22 11:57:33 CST 2016 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-25714?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Mudgett reassigned ASTERISK-25714:
------------------------------------------

    Assignee: Richard Mudgett

> ASAN:heap-buffer-overflow in logger.c
> -------------------------------------
>
>                 Key: ASTERISK-25714
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25714
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>    Affects Versions: 13.7.0
>         Environment: centos 7 x64
>            Reporter: Badalian Vyacheslav
>            Assignee: Richard Mudgett
>
> 1. compile with ASAN. 
> 2. don't install any configs
> 3. run
> 3. 
> {code}
>   == Manager registered action ModuleCheck
>   == Manager registered action AOCMessage
>   == Manager registered action Filter
>   == Manager registered action BlindTransfer
>   == Registered custom function 'AMI_CLIENT'
> [Jan 22 20:00:11] NOTICE[23569]: manager.c:8693 __init_manager: Unable to open AMI configuration manager.conf, or configuration is invalid.
>   == Registered application 'CallCompletionRequest'
>   == Registered application 'CallCompletionCancel'
> =================================================================
> ==23569==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000010130 at pc 0x7fbbffe9bb30 bp 0x7ffe25dc2390 sp 0x7ffe25dc2360
> READ of size 1 at 0x621000010130 thread T0
>     #0 0x7fbbffe9bb2f in __interceptor_strlen (/lib64/libasan.so.1+0x33b2f)
>     #1 0x67f4e1 in make_components /root/asterisk-13.7.0/main/logger.c:249
>     #2 0x68bbbf in update_logchannels /root/asterisk-13.7.0/main/logger.c:2276
>     #3 0x68c036 in ast_logger_register_level /root/asterisk-13.7.0/main/logger.c:2321
>     #4 0x51e9f0 in ast_cc_init /root/asterisk-13.7.0/main/ccss.c:4681
>     #5 0x4965d8 in asterisk_daemon /root/asterisk-13.7.0/main/asterisk.c:4666
>     #6 0x4955f8 in main /root/asterisk-13.7.0/main/asterisk.c:4282
>     #7 0x7fbbfd586b14 in __libc_start_main (/lib64/libc.so.6+0x21b14)
>     #8 0x432778 (/usr/sbin/asterisk+0x432778)
> 0x621000010130 is located 0 bytes to the right of 4144-byte region [0x62100000f100,0x621000010130)
> allocated by thread T0 here:
>     #0 0x7fbbffebf9a5 in calloc (/lib64/libasan.so.1+0x579a5)
>     #1 0x7ff5b3 in _ast_calloc /root/asterisk-13.7.0/include/asterisk/utils.h:573
>     #2 0x6808c6 in init_logger_chain /root/asterisk-13.7.0/main/logger.c:467
>     #3 0x68762f in init_logger /root/asterisk-13.7.0/main/logger.c:1606
>     #4 0x496045 in asterisk_daemon /root/asterisk-13.7.0/main/asterisk.c:4509
>     #5 0x4955f8 in main /root/asterisk-13.7.0/main/asterisk.c:4282
>     #6 0x7fbbfd586b14 in __libc_start_main (/lib64/libc.so.6+0x21b14)
> SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_strlen
> Shadow bytes around the buggy address:
>   0x0c427fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fff9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fff9ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fffa000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c427fffa010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c427fffa020: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
>   0x0c427fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffa050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffa060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c427fffa070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==23569==ABORTING
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list