
Find heap buffer overflow by running fuzz test #11786

Closed
zhuofeng6 opened this issue Apr 7, 2024 · 4 comments

Comments

@zhuofeng6

zhuofeng6 commented Apr 7, 2024

CVE-2024-3205 has appeared for libyaml, but now it seems to be a problem on the oss-fuzz side (uncertain).
detail: yaml/libyaml#258 (comment)

@DavidKorczynski (Collaborator)

Can you confirm if it's this one? https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24869

@zhuofeng6 (Author)

> Can you confirm if it's this one? https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24869

No, it is in the function yaml_emitter_emit_flow_sequence_item; the stack information follows.

=================================================================
==168==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000647c at pc 0x000000572a3e bp 0x7fff7a3c0f30 sp 0x7fff7a3c0f28
READ of size 4 at 0x61500000647c thread T0
SCARINESS: 17 (4-byte-read-heap-buffer-overflow)
    #0 0x572a3d in yaml_emitter_emit_flow_sequence_item /src/libyaml/src/emitter.c:761:27
    #1 0x56ff2e in yaml_emitter_emit /src/libyaml/src/emitter.c:291:14
    #2 0x56253a in yaml_emitter_close /src/libyaml/src/dumper.c:98:10
    #3 0x5551eb in LLVMFuzzerTestOneInput /src/libyaml_dumper_fuzzer.c:268:3
    #4 0x459cb1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #5 0x4593d5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #6 0x45b777 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #7 0x45c505 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:830:5
    #8 0x44a688 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6
    #9 0x474702 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #10 0x7f418851982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x41dc88 in _start (/out/libyaml_dumper_fuzzer+0x41dc88)

0x61500000647c is located 4 bytes to the left of 512-byte region [0x615000006480,0x615000006680)
allocated by thread T0 here:
    #0 0x5217f9 in realloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
    #1 0x555c37 in yaml_stack_extend /src/libyaml/src/api.c:126:17
    #2 0x5790dc in yaml_emitter_increase_indent /src/libyaml/src/emitter.c:406:10
    #3 0x57257f in yaml_emitter_emit_flow_sequence_item /src/libyaml/src/emitter.c:753:14
    #4 0x56ff2e in yaml_emitter_emit /src/libyaml/src/emitter.c:291:14
    #5 0x5641d7 in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:351:10
    #6 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #7 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #8 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #9 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #10 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #11 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #12 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #13 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #14 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #15 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #16 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #17 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #18 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #19 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #20 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #21 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #22 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #23 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #24 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #25 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #26 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #27 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #28 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14
    #29 0x56424e in yaml_emitter_dump_sequence /src/libyaml/src/dumper.c:355:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libyaml/src/emitter.c:761:27 in yaml_emitter_emit_flow_sequence_item
Shadow bytes around the buggy address:
  0x0c2a7fff8c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff8c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff8c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff8c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c2a7fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c2a7fff8c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==168==ABORTING
MS: 2 CMP-ChangeBit- DE: "tag:yaml.org,2002:str"-; base unit: e1de61067390aba17003eeb463393c32cd934e27
artifact_prefix='./'; Test unit written to ./crash-14747698c48aafd1409a4589ae625b8244313868
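
The report above already gives the shape of the bug before the source is opened: the bad access is a 4-byte READ located 4 bytes to the left of a 512-byte region (128 four-byte entries, the size a stack that starts at 16 int entries and doubles reaches after three extensions), the region was allocated by realloc inside yaml_stack_extend, called from yaml_emitter_increase_indent (which pushes the current indent), and the shadow dump shows the faulting byte as heap left redzone (`[fa]`) immediately before a run of addressable `00` bytes. That is the signature of popping one element more than was pushed from a growable stack whose pop is `*(--top)` with no emptiness check, which is how libyaml's POP macro is written. The C program below is an added example, not libyaml's or the fuzzer's code; it models such a stack after libyaml's STACK_INIT/PUSH/POP macros, computes the offset an unchecked pop on an empty stack would read, and shows the checked pop that turns the underflow into an error instead of a read before the start of the allocation. The names int_stack_t, stack_pop_checked, next_pop_offset and count_underflows belong to the example, not to libyaml.

```c
/* Added example (not libyaml's code): a growable int stack shaped like libyaml's
 * STACK_INIT / PUSH / POP macros, showing why an unchecked POP on an empty stack
 * gives exactly the report above: a 4-byte READ 4 bytes left of a realloc'd region.
 * Build with -fsanitize=address -DSHOW_UB to reproduce the ASan report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_STACK_SIZE 16  /* libyaml's stacks also start at 16 entries */

typedef struct {
    int *start;  /* first element of the allocation */
    int *end;    /* one past the allocation */
    int *top;    /* one past the last pushed element */
} int_stack_t;

/* Double the capacity with realloc (cf. yaml_stack_extend); 0 on failure. */
static int stack_extend(int_stack_t *s) {
    size_t used = (size_t)(s->top - s->start);
    size_t cap  = (size_t)(s->end - s->start);
    size_t ncap = cap ? cap * 2 : INITIAL_STACK_SIZE;
    int *n = realloc(s->start, ncap * sizeof *n);
    if (!n) return 0;
    s->start = n; s->top = n + used; s->end = n + ncap;
    return 1;
}

static int stack_init(int_stack_t *s) { memset(s, 0, sizeof *s); return stack_extend(s); }
static void stack_del(int_stack_t *s) { free(s->start); memset(s, 0, sizeof *s); }

static int stack_push(int_stack_t *s, int value) {
    if (s->top == s->end && !stack_extend(s)) return 0;
    *(s->top++) = value;
    return 1;
}

/* Unchecked pop, the shape of libyaml's POP: *(--top). When top == start this
 * reads start[-1], i.e. 4 bytes to the left of the heap region. */
int stack_pop_unchecked(int_stack_t *s) { return *(--s->top); }

/* Checked pop: refuses to underflow and reports it to the caller. */
static int stack_pop_checked(int_stack_t *s, int *out) {
    if (s->top == s->start) return 0;
    *out = *(--s->top);
    return 1;
}

/* Byte offset from the region start that an unchecked pop would read next:
 * -4 on an empty int stack, ASan's "4 bytes to the left of ... region". */
static long next_pop_offset(const int_stack_t *s) {
    return (long)(s->top - s->start - 1) * (long)sizeof *s->start;
}

/* Offset an unchecked pop would read on a freshly initialised, empty stack. */
static long empty_pop_offset(void) {
    int_stack_t s;
    if (!stack_init(&s)) return 0;
    long off = next_pop_offset(&s);
    stack_del(&s);
    return off;
}

/* Push `pushes` values then attempt `pops` checked pops; return how many were
 * refused (each is one out-of-bounds read a libyaml-style POP would perform),
 * or -1 on allocation failure. A large `pushes` exercises the realloc path. */
static int count_underflows(int pushes, int pops) {
    int_stack_t s;
    int refused = 0, v;
    if (!stack_init(&s)) return -1;
    for (int i = 0; i < pushes; i++)
        if (!stack_push(&s, i)) { stack_del(&s); return -1; }
    for (int i = 0; i < pops; i++)
        if (!stack_pop_checked(&s, &v)) refused++;
    stack_del(&s);
    return refused;
}

int main(void) {
    int_stack_t s;
    int v;
    if (!stack_init(&s)) return 1;
    stack_push(&s, 2);                /* one indent pushed ... */
    stack_pop_checked(&s, &v);        /* ... and popped: balanced so far */
    printf("popped indent %d\n", v);
    if (!stack_pop_checked(&s, &v))   /* the extra pop the report implies */
        printf("refused: empty stack, unchecked POP would read offset %ld\n",
               next_pop_offset(&s));
#ifdef SHOW_UB
    printf("%d\n", stack_pop_unchecked(&s));  /* ASan: heap-buffer-overflow, READ of size 4 */
#endif
    stack_del(&s);
    return 0;
}
```

Whether the extra pop comes from the library or from a harness that feeds the emitter an unbalanced event stream is exactly the question left open in this thread; the example only shows that the report's offset and allocation site pin the fault to a one-element underflow of a realloc-grown stack, which is the fact to carry into the source (emitter.c:761) when deciding which side is wrong.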

@perlpunk (Contributor)

@zhuofeng6 Why did you open this issue? I was still investigating the source of the problem at the time it was opened and not sure if the problem was in the fuzzer or in libyaml. I have detailed information now and opened an issue myself: #11811

@DavidKorczynski, yes, that https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24869 about yaml_emitter_emit_flow_mapping_key is basically about the same issue, just in a different function doing the same as yaml_emitter_emit_flow_sequence_item.

@zhuofeng6 (Author)

Okay, I'm going to close this; track it in #11811.
