Created
November 25, 2021 16:02
-
-
Save bagder/6a94c8da801de23ad5d510eb57221be0 to your computer and use it in GitHub Desktop.
Issue 41390: curl:curl_fuzzer_sftp: Heap-buffer-overflow in junkscan
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Last Tested Stacktrace on revision a5f5687368a5f95415d58d37e8dfb10c6b6d44c5 (113 lines) | |
| [Environment] ASAN_OPTIONS=alloc_dealloc_mismatch=0:allocator_may_return_null=1:allocator_release_to_os_interval_ms=500:allow_user_segv_handler=0:check_malloc_usable_size=0:detect_leaks=1:detect_odr_violation=0:detect_stack_use_after_return=1:fast_unwind_on_fatal=0:handle_abort=2:handle_segv=2:handle_sigbus=2:handle_sigfpe=2:handle_sigill=2:max_uar_stack_size_log=16:print_scariness=1:print_summary=1:print_suppressions=0:quarantine_size_mb=64:redzone=64:strict_memcmp=1:strip_path_prefix=/workspace/:symbolize=0:use_sigaltstack=1 | |
| +----------------------------------------Release Build Stacktrace----------------------------------------+ | |
| Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash | |
| Time ran: 0.02743697166442871 | |
| ================================================================= | |
| ==198569==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000003e2 at pc 0x000000433826 bp 0x7ffd4d609fd0 sp 0x7ffd4d609790 | |
| READ of size 16 at 0x6070000003e2 thread T0 | |
| SCARINESS: 26 (multi-byte-read-heap-buffer-overflow) | |
| #0 0x433825 in strlen /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:389:5 | |
| #1 0x7db9c9 in junkscan curl/lib/urlapi.c:601:16 | |
| #2 0x7d6963 in seturl curl/lib/urlapi.c:993:6 | |
| #3 0x7cfcfa in parseurl curl/lib/urlapi.c:1120:22 | |
| #4 0x7c9006 in curl_url_set curl/lib/urlapi.c:1541:16 | |
| #5 0x78829d in parseurlandfillconn curl/lib/url.c:1964:10 | |
| #6 0x7790e9 in create_conn curl/lib/url.c:3607:12 | |
| #7 0x777e85 in Curl_connect curl/lib/url.c:4119:12 | |
| #8 0x5fa2eb in multi_runsingle curl/lib/multi.c:1815:16 | |
| #9 0x5ee39c in curl_multi_perform curl/lib/multi.c:2591:14 | |
| #10 0x4db7b9 in fuzz_handle_transfer(fuzz_data*) curl_fuzzer/curl_fuzzer.cc:305:3 | |
| #11 0x4d9d35 in LLVMFuzzerTestOneInput curl_fuzzer/curl_fuzzer.cc:93:3 | |
| #12 0x1d05c15 in ExecuteFilesOnyByOne aflplusplus/utils/aflpp_driver/aflpp_driver.c:191:7 | |
| #13 0x1d05a85 in main aflplusplus/utils/aflpp_driver/aflpp_driver.c:0 | |
| #14 0x7f25b8ad50b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16 | |
| #15 0x41e74d in _start | |
| 0x6070000003e2 is located 0 bytes to the right of 34-byte region [0x6070000003c0,0x6070000003e2) | |
| allocated by thread T0 here: | |
| #0 0x49f9cd in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3 | |
| #1 0x55055f in curl_dbg_malloc curl/lib/memdebug.c:143:9 | |
| #2 0x7d47c5 in seturl curl/lib/urlapi.c:817:23 | |
| #3 0x7cfcfa in parseurl curl/lib/urlapi.c:1120:22 | |
| #4 0x7c9006 in curl_url_set curl/lib/urlapi.c:1541:16 | |
| #5 0x78829d in parseurlandfillconn curl/lib/url.c:1964:10 | |
| #6 0x7790e9 in create_conn curl/lib/url.c:3607:12 | |
| #7 0x777e85 in Curl_connect curl/lib/url.c:4119:12 | |
| #8 0x5fa2eb in multi_runsingle curl/lib/multi.c:1815:16 | |
| #9 0x5ee39c in curl_multi_perform curl/lib/multi.c:2591:14 | |
| #10 0x4db7b9 in fuzz_handle_transfer(fuzz_data*) curl_fuzzer/curl_fuzzer.cc:305:3 | |
| #11 0x4d9d35 in LLVMFuzzerTestOneInput curl_fuzzer/curl_fuzzer.cc:93:3 | |
| #12 0x1d05c15 in ExecuteFilesOnyByOne aflplusplus/utils/aflpp_driver/aflpp_driver.c:191:7 | |
| SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x433825) | |
| Shadow bytes around the buggy address: | |
| 0x0c0e7fff8020: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa | |
| 0x0c0e7fff8030: fa fa fd fd fd fd fd fa fa fa fa fa fa fa fa fa | |
| 0x0c0e7fff8040: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 | |
| 0x0c0e7fff8050: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00 | |
| 0x0c0e7fff8060: 00 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 fa | |
| =>0x0c0e7fff8070: fa fa fa fa fa fa fa fa 00 00 00 00[02]fa fa fa | |
| 0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | |
| 0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | |
| 0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | |
| 0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | |
| 0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | |
| Shadow byte legend (one shadow byte represents 8 application bytes): | |
| Addressable: 00 | |
| Partially addressable: 01 02 03 04 05 06 07 | |
| Heap left redzone: fa | |
| Freed heap region: fd | |
| Stack left redzone: f1 | |
| Stack mid redzone: f2 | |
| Stack right redzone: f3 | |
| Stack after return: f5 | |
| Stack use after scope: f8 | |
| Global redzone: f9 | |
| Global init order: f6 | |
| Poisoned by user: f7 | |
| Container overflow: fc | |
| Array cookie: ac | |
| Intra object redzone: bb | |
| ASan internal: fe | |
| Left alloca redzone: ca | |
| Right alloca redzone: cb | |
| ==198569==ABORTING | |
| +----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+ | |
| READ of size 16 at 0x6070000003e2 thread T0 | |
| SCARINESS: 26 (multi-byte-read-heap-buffer-overflow) | |
| #0 0x433825 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x433825) | |
| #1 0x7db9c9 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x7db9c9) | |
| #2 0x7d6963 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x7d6963) | |
| #3 0x7cfcfa (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x7cfcfa) | |
| #4 0x7c9006 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x7c9006) | |
| #5 0x78829d (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x78829d) | |
| #6 0x7790e9 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x7790e9) | |
| #7 0x777e85 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x777e85) | |
| #8 0x5fa2eb (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x5fa2eb) | |
| #9 0x5ee39c (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x5ee39c) | |
| #10 0x4db7b9 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x4db7b9) | |
| #11 0x4d9d35 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x4d9d35) | |
| #12 0x1d05c15 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x1d05c15) | |
| #13 0x1d05a85 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x1d05a85) | |
| #14 0x7f25b8ad50b2 (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) | |
| #15 0x41e74d (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x41e74d) | |
| 0x6070000003e2 is located 0 bytes to the right of 34-byte region [0x6070000003c0,0x6070000003e2) | |
| allocated by thread T0 here: | |
| #0 0x49f9cd (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x49f9cd) | |
| #1 0x55055f (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x55055f) | |
| #2 0x7d47c5 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x7d47c5) | |
| #3 0x7cfcfa (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x7cfcfa) | |
| #4 0x7c9006 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x7c9006) | |
| #5 0x78829d (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x78829d) | |
| #6 0x7790e9 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x7790e9) | |
| #7 0x777e85 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x777e85) | |
| #8 0x5fa2eb (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x5fa2eb) | |
| #9 0x5ee39c (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x5ee39c) | |
| #10 0x4db7b9 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x4db7b9) | |
| #11 0x4d9d35 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x4d9d35) | |
| #12 0x1d05c15 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_sftp+0x1d05c15) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The fuzzer input is simply:
Ie it sets CURLOPT_URL to an 8 bytes long string:
fILE://%ff- the last byte value is decimal 255.