
# AddressSanitizerFoundBugs

Kostya Serebryany edited this page Oct 13, 2016 · 25 revisions

# Chromium, WebKit Safari, iTunes

Chromium's asan bot: http://build.chromium.org/p/chromium.memory/console

# Mozilla

See also http://blog.mozilla.com/decoder/2012/01/27/trying-new-code-analysis-techniques/#more-14

# Opera

DNA-15927

# vlc

https://trac.videolan.org/vlc/query?status=assigned&status=closed&status=new&status=reopened&reporter=mikispag&order=priority

# ffmpeg

Some (but not all) bugs found in ffmpeg:

ffmpeg's asan bot: http://fate.libav.org/x86_64-linux-clang-asan

# FreeType

# bash

https://lists.gnu.org/archive/html/bug-bash/2015-06/msg00089.html

# webrtc

# perl

# libcurl

# php

# libreoffice

# MySQL

# RocksDB

# PostgreSQL

http://postgresql.1045698.n5.nabble.com/pgsql-Avoid-potential-buffer-overflow-crash-td5779963.html

# Hypertable

https://github.com/hypertable/hypertable/commit/237f170de93ceda11560f87970c4494a8790e0d9

# vim

http://www.mail-archive.com/[email protected]/msg15549.html

# libpango

# LLVM

# GCC

# Go

# Tor

# Impala

# GNU Coreutils

# Tizen

http://injoit.org/index.php/j1/article/viewFile/231/184

```
technology into large-scale software products: Tizen
distribution and Linux kernel. The tool has already found
around a hundred serious memory bugs in various Tizen
applications and in mainline Linux kernel.
```

# Unsorted

  * http://hg.dovecot.org/dovecot-2.2/rev/740935acc0f8
  * http://core.tcl.tk/tk/tktview/b1534b438bc711e848ad7ade3642ce0a6323fe8e
  * http://core.tcl.tk/tk/tktview/9bad630c3163b4b2ef8781089ae27058c957a428
  * https://bugzilla.gnome.org/show_bug.cgi?id=751603
  * https://bugzilla.gnome.org/show_bug.cgi?id=751631
  * https://bugzilla.gnome.org/show_bug.cgi?id=751643
  * https://bugzilla.gnome.org/show_bug.cgi?id=752191
  * https://bugzilla.gnome.org/show_bug.cgi?id=751633
  * https://savannah.gnu.org/bugs/index.php?45391
  * https://github.com/radare/radare2/issues/2665
  * https://github.com/radare/radare2/issues/2683
  * https://github.com/radare/radare2/issues/2684
  * https://github.com/radare/radare2/issues/2705
  * https://github.com/radare/radare2/issues/2706
  * https://github.com/radare/radare2/issues/2736 (cmd\_zign, script)
  * https://github.com/radare/radare2/issues/2737 (script, r\_print\_fill)
  * https://github.com/radare/radare2/issues/2759 (r\_reg\_get\_name\_idx) (fixed)
  * https://github.com/radare/radare2/issues/2760 (r\_core\_syscmd\_ls) (fixed)
  * https://github.com/radare/radare2/issues/2764 (r\_num\_calc) (fixed)
  * https://github.com/radare/radare2/issues/2765 (r\_str\_escape_) (fixed)
  * https://github.com/radare/radare2/issues/2795 (cmd\_type) (fixed)
  * https://github.com/radare/radare2/issues/2796 (cmd\_write) (fixed)
  * https://github.com/radare/radare2/issues/2797 (cmd\_flag) (fixed)
  * https://github.com/radare/radare2/issues/2806 (r\_core\_yank\_hud\_file) (fixed)
  * https://github.com/radare/radare2/issues/2807 (cmd\_open) (fixed)
  * https://github.com/radare/radare2/issues/2808 (updateAddr) (fixed)
  * https://github.com/radare/radare2/issues/2809 (r\_core\_magic\_at, UAF) (fixed)
  * https://github.com/radare/radare2/issues/2832 (r\_mem\_copyendian)
  * https://github.com/radare/radare2/issues/2833 (r\_wstr\_clen) (fixed)
  * https://github.com/radare/radare2/issues/2836 (r\_str\_glob) (fixed)
  * https://github.com/radare/radare2/issues/2850 (cmd\_search, fixed)
  * https://github.com/radare/radare2/issues/2851 (core\_anal\_bytes, fixed)
  * https://github.com/radare/radare2/issues/2852 (pdi, fixed)
  * https://github.com/radare/radare2/issues/2853 (perform\_disassembly, fixed)
  * https://github.com/radare/radare2/issues/2854 (radare\_compare, fixed)
  * https://github.com/radare/radare2/issues/2855 (UAF, r\_num\_calc\_index, fixed)
  * https://github.com/radare/radare2/issues/2869 (heap overflow write, r\_rprint\_randomart, fixed)
  * https://github.com/radare/radare2/issues/2870 (UNFIXED, core\_anal\_bytes again)
  * https://github.com/radare/radare2/issues/2871 (pdi again, fixed)
  * https://github.com/radare/radare2/issues/2872 (perform\_disassembly again, fixed)
  * https://github.com/radare/radare2/issues/2889 (UAF r\_num\_calc\_index again, fixed)
  * https://github.com/radare/radare2/issues/2909 (cmd\_search again, fixed)
  * https://github.com/radare/radare2/issues/2910 (r\_core\_write\_op, fixed)
  * https://bugs.freedesktop.org/show_bug.cgi?id=90784

# Spec CPU 2006
Use-after-free in 400.perlbench (a pointer is used after it is passed to `realloc`).

```
READ of size 1 at 0x00000000023b7413 thread T0 (bad: 0x00002000008edd04; shadow: 0x0000100000476e82)
    #0 0x66490a in Perl_sv_setpvn sv.c:4127
    #1 0x45766c in Perl_magic_get mg.c:772
    #2 0x453bcb in Perl_mg_get mg.c:169
    #3 0x669fb8 in Perl_sv_setsv_flags sv.c:3796
    #4 0x684c3f in Perl_sv_mortalcopy sv.c:6748
    #5 0x56fedd in Perl_pp_leaveeval pp_ctl.c:3486
    #6 0x635d44 in Perl_runops_standard run.c:37
    #7 0x4d2ad6 in S_run_body perl.c:2017
    #8 0x4f9077 in main perlmain.c:100
    #9 0x7fa3900e2c4d in __libc_start_main ??:0
    #10 0x403519 in _start ??:0
0x00000000023b7413 is located 3 bytes inside of 5-byte region [0x00000000023b7410,0x00000000023b7415)
freed by thread T0 here:
    #0 0x7bc852 in realloc asan_rtl
    #1 0x733e2e in Perl_safesysrealloc util.c:132
    #2 0x650a82 in Perl_sv_grow sv.c:1620
    #3 0x66c3f5 in Perl_sv_setsv_flags sv.c:4012
    #4 0x5735e8 in Perl_pp_sassign pp_hot.c:122
    #5 0x635d44 in Perl_runops_standard run.c:37
    #6 0x4d2ad6 in S_run_body perl.c:2017
    #7 0x4f9077 in main perlmain.c:100
    #8 0x7fa3900e2c4d in __libc_start_main ??:0
previously allocated by thread T0 here:
    #0 0x7bc852 in realloc asan_rtl
    #1 0x733e2e in Perl_safesysrealloc util.c:132
    #2 0x650a82 in Perl_sv_grow sv.c:1620
    #3 0x6745f5 in Perl_sv_catpvn_flags sv.c:4376
    #4 0x675027 in Perl_sv_catsv_flags sv.c:4460
    #5 0x5402a3 in Perl_pp_substcont pp_ctl.c:190
    #6 0x635d44 in Perl_runops_standard run.c:37
    #7 0x4d2ad6 in S_run_body perl.c:2017
    #8 0x4f9077 in main perlmain.c:100
    #9 0x7fa3900e2c4d in __libc_start_main ??:0
```


global-buffer-overflow in `memcmp("perlio", "unix", 6)` (a 6-byte compare against the 5-byte string `"unix"` reads one byte past its end):

```
==17858== ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006af025 at pc 0x426478 bp 0x7fffb37ffe40 sp 0x7fffb37ffe18
READ of size 6 at 0x0000006af025 thread T0
    #0 0x426477 in __interceptor_memcmp asan_rtl
    #1 0x4bf792 in PerlIO_find_layer perlio.c:751
    #2 0x4c0ab2 in PerlIO_default_buffer perlio.c:1015
    #3 0x4c1171 in PerlIO_default_layers perlio.c:1113
    #4 0x4c255d in PerlIO_resolve_layers perlio.c:1433
    #5 0x4c3289 in PerlIO_openn perlio.c:1519
    #6 0x4c1410 in PerlIO_fdopen perlio.c:4745
    #7 0x4cfca1 in Perl_PerlIO_stdin perlio.c:4686
    #8 0x4b57df in S_open_script perl.c:3348
    #9 0x4d13f7 in main perlmain.c:96
    #10 0x7fcab450876c in __libc_start_main libc-start.c:226
    #11 0x4359b4 in _start ??:0
0x0000006af025 is located 59 bytes to the left of global variable '.str39 (perlio.c)' (0x6af060) of size 3
  '.str39 (perlio.c)' is ascii string 'r+'
0x0000006af025 is located 0 bytes to the right of global variable '.str38 (perlio.c)' (0x6af020) of size 5
  '.str38 (perlio.c)' is ascii string 'unix'
Shadow bytes around the buggy address:
```



Stack buffer overflow in 464.h264ref:

```c
int k, satd = 0, m[16], dd, d[16];
...
for (dd=d[k=0]; k<16; dd=d[++k])
                      ^^^^^^
// On the last iteration, d[++k] reads d[16], one element after the array boundary.
```

```
READ of size 4 mem: 0x00007fff516bd140 thread T0
    #0 0x506211 in SATD mv-search.c:1093
    #1 0x509524 in SubPelBlockMotionSearch mv-search.c:1398
    #2 0x527300 in BlockMotionSearch mv-search.c:2672
    #3 0x53091e in PartitionMotionSearch mv-search.c:3272
    ...
Address 0x00007fff516bd140 is inside T0's stack
```

See also: http://www.spec.org/cpu2006/Docs/faq.html#Run.05
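The off-by-one above, reproduced as an added example (not SPEC's code): the original loop shape is run over a 17-element array whose extra slot stands in for the stack memory that followed `d[]`, with an instrumented read so the highest index touched can be compared against the corrected loop. The `satd_fixed` accumulation is a simplified sum of absolute values and is an assumption, not the encoder's exact arithmetic.

```c
#include <stdlib.h>

#define N 16   /* size of d[] in the h264ref SATD routine */

/* Instrumented array read: records the largest index ever requested. */
static int read_at(const int *d, int i, int *max_idx) {
    if (i > *max_idx) *max_idx = i;
    return d[i];
}

/* Original loop shape.  The update expression dd=d[++k] executes before
 * the k<16 test, so once k reaches 16 the array is read one more time.
 * Slot 16 here is a sentinel standing in for whatever followed d[] on
 * the real stack; the function returns the highest index read (16). */
int max_index_read_original(void) {
    int d[N + 1] = {0};
    int dd, k, max_idx = -1;
    for (dd = read_at(d, k = 0, &max_idx); k < N; dd = read_at(d, ++k, &max_idx))
        (void)dd;
    return max_idx;
}

/* Corrected loop: the index is tested before each read, so the highest
 * index touched is 15 and no element past the array is ever accessed. */
int max_index_read_fixed(void) {
    int d[N] = {0};
    int dd, k, max_idx = -1;
    for (k = 0; k < N; k++) {
        dd = read_at(d, k, &max_idx);
        (void)dd;
    }
    return max_idx;
}

/* The corrected loop doing useful work: a simplified SATD (sum of absolute
 * values over the 16 residuals), assumed here for illustration only. */
int satd_fixed(const int d[N]) {
    int k, satd = 0;
    for (k = 0; k < N; k++)
        satd += abs(d[k]);
    return satd;
}
```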

Global buffer overflow in 464.h264ref:

```c
context_ini.c:222: BIARI_CTX_INIT2 (NUM_BLOCK_TYPES, NUM_BCBP_CTX, tc->bcbp_contexts, INIT_BCBP, img->model_number);
```

```
READ of size 4 at 0x00000000005ec1c0 thread T0
    #0 0x4139cf in biari_init_context biariencode.c:334
    #1 0x43f8f3 in init_contexts context_ini.c:222
    #2 0x5a6f33 in start_slice slice.c:118
    #3 0x5a93b7 in encode_one_slice slice.c:223
    #4 0x466d7a in code_a_picture image.c:236
    #5 0x4728c0 in frame_picture image.c:800
    #6 0x4696ef in encode_one_frame image.c:411
    #7 0x48167d in main lencod.c:413
0x00000000005ec1c0 is located 0 bytes to the right of global variable 'INIT_BCBP_I' (0x5ec0c0) of size 256
```
