[asterisk-bugs] [JIRA] (ASTERISK-24801) ASAN: ast_el_read_char stack-buffer-overflow

Tue Mar 22 15:43:02 CDT 2016

     [ https://issues.asterisk.org/jira/browse/ASTERISK-24801?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-24801:
-------------------------------------

    Target Release Version/s: 11.22.0

> ASAN: ast_el_read_char stack-buffer-overflow
> --------------------------------------------
>
>                 Key: ASTERISK-24801
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24801
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>    Affects Versions: 11.15.0
>            Reporter: Badalian Vyacheslav
>            Severity: Minor
>      Target Release: 11.22.0, 13.8.0
>
>
> stack-buffer-overflow found by ASAN. 
> It is difficult to replay. Clearly something with TAB in addition to CLI. I think if I type Russian characters and click TAB.
> ASAN debug:
> {code}
> ==30507==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5322d6ff at pc 0x476c64 bp 0x7fff5322d620 sp 0x7fff5322d618
> READ of size 1 at 0x7fff5322d6ff thread T0
>     #0 0x476c63 in ast_el_read_char /root/asterisk-11.15.0/main/asterisk.c:2588
>     #1 0x7831b9 in el_getc /root/asterisk-11.15.0/main/editline/read.c:350
>     #2 0x786e6f in read_getcmd /root/asterisk-11.15.0/main/editline/read.c:243
>     #3 0x786e6f in el_gets /root/asterisk-11.15.0/main/editline/read.c:446
>     #4 0x47c316 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3182
>     #5 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
>     #6 0x7fd2ed7c3d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
>     #7 0x42d304 (/usr/sbin/asterisk+0x42d304)
> Address 0x7fff5322d6ff is located in stack of thread T0 at offset 95 in frame
>     #0 0x47644f in ast_el_read_char /root/asterisk-11.15.0/main/asterisk.c:2513
>   This frame has 2 object(s):
>     [32, 48) 'fds'
>     [96, 608) 'buf' <== Memory access at offset 95 underflows this variable
> HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
>       (longjmp and C++ exceptions *are* supported)
> SUMMARY: AddressSanitizer: stack-buffer-overflow /root/asterisk-11.15.0/main/asterisk.c:2588 ast_el_read_char
> Shadow bytes around the buggy address:
>   0x10006a63da80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63da90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63daa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63dac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x10006a63dad0: 00 00 00 00 f1 f1 f1 f1 00 00 f4 f4 f2 f2 f2[f2]
>   0x10006a63dae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63daf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63db00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63db10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x10006a63db20: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==30507==ABORTING
> {code}


--
This message was sent by Atlassian JIRA
(v6.2#6252)