[asterisk-bugs] [JIRA] (ASTERISK-24804) ASAN heap-buffer-overflow c_setpat
Corey Farrell (JIRA)
noreply at issues.asterisk.org
Mon Feb 12 12:17:13 CST 2018
[ https://issues.asterisk.org/jira/browse/ASTERISK-24804?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Corey Farrell closed ASTERISK-24804.
------------------------------------
Resolution: Won't Fix
We are removing the embedded libedit from Asterisk 16+ (as you pointed out, it is ancient). Even libedit-2.11 is a decade old; Fedora 26 has libedit-3.1-17.20160618cvs.fc26.x86_64, so it's possible libedit has already fixed this bug.
I suggest pursuing this bug with Red Hat or (if confirmed in the latest version) libedit. Any fix would need to come from those sources.
> ASAN heap-buffer-overflow c_setpat
> ----------------------------------
>
> Key: ASTERISK-24804
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-24804
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Core/General
> Affects Versions: 11.15.0, 13.18.4
> Reporter: Badalian Vyacheslav
> Severity: Minor
>
> To reproduce
> run {{asterisk -r}}
> and {{type 'з'}} (add the RU UTF-8 keyboard layout and type the 'p' key)
> {code}
> ==2802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001d80 at pc 0x77585e bp 0x7fff723064e0 sp 0x7fff723064d8
> READ of size 1 at 0x619000001d80 thread T0
> #0 0x77585d in c_setpat /root/asterisk-11.15.0/main/editline/search.c:184
> #1 0x776b0e in ed_search_prev_history /root/asterisk-11.15.0/main/editline/common.c:756
> #2 0x78707c in el_gets /root/asterisk-11.15.0/main/editline/read.c:475
> #3 0x47c316 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3182
> #4 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
> #5 0x7f5190f71d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
> #6 0x42d304 (/usr/sbin/asterisk+0x42d304)
> 0x619000001d80 is located 0 bytes to the right of 1024-byte region [0x619000001980,0x619000001d80)
> allocated by thread T0 here:
> #0 0x394ae547ef in malloc (/usr/lib64/libasan.so.1+0x394ae547ef)
> #1 0x780b89 in search_init /root/asterisk-11.15.0/main/editline/search.c:73
> #2 0x780b89 in el_init /root/asterisk-11.15.0/main/editline/el.c:92
> #3 0x46d43b in ast_el_initialize /root/asterisk-11.15.0/main/asterisk.c:2988
> #4 0x47c5a4 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3174
> #5 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
> #6 0x7f5190f71d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
> SUMMARY: AddressSanitizer: heap-buffer-overflow /root/asterisk-11.15.0/main/editline/search.c:184 c_setpat
> Shadow bytes around the buggy address:
> 0x0c327fff8360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c327fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c327fff8380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c327fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c327fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c327fff83b0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c327fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c327fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c327fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c327fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c327fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Contiguous container OOB:fc
> ASan internal: fe
> ==2802==ABORTING
> {code}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
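The ASAN report quoted in the issue already records what a triager needs: the bug class, the one-byte READ in c_setpat at search.c:184, and the 1024-byte region allocated in search_init at search.c:73, whose end the access lands exactly on. As an added example (not part of the issue or of Asterisk), here is a small Python parser that pulls those facts out of such a report and cross-checks the fault address against the region bounds ASAN printed; the sample input is constructed from the lines quoted above.

```python
import re

# Constructed sample input: the relevant lines of the ASAN report quoted in
# ASTERISK-24804 (inner frames and the shadow-byte dump omitted).
SAMPLE_REPORT = """\
==2802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001d80 at pc 0x77585e bp 0x7fff723064e0 sp 0x7fff723064d8
READ of size 1 at 0x619000001d80 thread T0
    #0 0x77585d in c_setpat /root/asterisk-11.15.0/main/editline/search.c:184
    #1 0x776b0e in ed_search_prev_history /root/asterisk-11.15.0/main/editline/common.c:756
0x619000001d80 is located 0 bytes to the right of 1024-byte region [0x619000001980,0x619000001d80)
allocated by thread T0 here:
    #0 0x394ae547ef in malloc (/usr/lib64/libasan.so.1+0x394ae547ef)
    #1 0x780b89 in search_init /root/asterisk-11.15.0/main/editline/search.c:73
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
REGION_RE = re.compile(r"(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of "
                       r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")   # -> (function, location)
ALLOCATORS = ("malloc", "calloc", "realloc", "operator new", "__interceptor_")


def parse_asan_report(text):
    """Extract the triage facts from an ASAN heap-buffer-overflow report: bug class,
    access, faulting frame, allocation frame, region size, bytes overrun, and whether
    the fault address agrees with the region bounds ASAN printed."""
    kind, addr = HEADER_RE.search(text).groups()
    op, size = ACCESS_RE.search(text).groups()
    fault_addr, dist, side, region_size, start, end = REGION_RE.search(text).groups()
    size, dist, region_size = int(size), int(dist), int(region_size)
    # Frames before "allocated by" are the faulting stack, frames after it the
    # allocation stack; the allocation stack's first frame is the allocator itself.
    fault_part, alloc_part = text.split("allocated by", 1)
    fault_frames = FRAME_RE.findall(fault_part)
    alloc_frames = [f for f in FRAME_RE.findall(alloc_part) if not f[0].startswith(ALLOCATORS)]
    if side == "right":
        expected, overrun = int(end, 16) + dist, dist + size   # bytes touched past the end
    else:
        expected, overrun = int(start, 16) - dist, dist        # distance before the start
    return {
        "kind": kind,
        "access": (op, size),
        "fault_site": fault_frames[0],
        "alloc_site": alloc_frames[0] if alloc_frames else None,
        "region_size": region_size,
        "overrun_bytes": overrun,
        "address_consistent": int(fault_addr, 16) == expected == int(addr, 16),
    }
```

For this report the parser yields a one-byte overrun of a 1024-byte buffer, with the fault address equal to the region end, which is what a read of one element past an exactly filled buffer looks like.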