Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

heap-buffer-overflow in RTC::StunMessage::Dump() #254

Closed
ibc opened this issue Dec 18, 2018 · 1 comment
Closed

heap-buffer-overflow in RTC::StunMessage::Dump() #254

ibc opened this issue Dec 18, 2018 · 1 comment
Assignees
@ibc
Labels
bug fuzzer

Comments

@ibc
Copy link
Member

ibc commented Dec 18, 2018
edited
Loading 

=================================================================
==21136==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0000fb68c at pc 0x00000094cf2f bp 0x7ffce364f310 sp 0x7ffce364f308
READ of size 1 at 0x60b0000fb68c thread T0
    #0 0x94cf2e in RTC::StunMessage::Dump() const /mediasoup/worker/out/../src/RTC/StunMessage.cpp:384:58
    #1 0xb3b3a9 in Fuzzer::RTC::StunMessage::Fuzz(unsigned char const*, unsigned long) /mediasoup/worker/out/../fuzzer/src/RTC/FuzzerStunMessage.cpp:14:7
    #2 0xb3b02d in LLVMFuzzerTestOneInput /mediasoup/worker/out/../fuzzer/src/fuzzer.cpp:68:3
    #3 0x45f65a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:576:15
    #4 0x45ed75 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:485:3
    #5 0x4611ab in fuzzer::Fuzzer::MutateAndTestOne() /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:713:19
    #6 0x461e85 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> >, fuzzer::fuzzer_allocator<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> > > > const&) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:844:5
    #7 0x4586d3 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:765:6
    #8 0x4803b2 in main /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #9 0x7f97bd8cb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x434c08 in _start (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x434c08)

0x60b0000fb68c is located 0 bytes to the right of 108-byte region [0x60b0000fb620,0x60b0000fb68c)
allocated by thread T0 here:
    #0 0x595392 in operator new[](unsigned long) /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:109:3
    #1 0x45f541 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:563:23
    #2 0x45ed75 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:485:3
    #3 0x4611ab in fuzzer::Fuzzer::MutateAndTestOne() /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:713:19
    #4 0x461e85 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> >, fuzzer::fuzzer_allocator<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> > > > const&) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:844:5
    #5 0x4586d3 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:765:6
    #6 0x4803b2 in main /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #7 0x7f97bd8cb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mediasoup/worker/out/../src/RTC/StunMessage.cpp:384:58 in RTC::StunMessage::Dump() const
Shadow bytes around the buggy address:
  0x0c1680017680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1680017690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800176a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800176b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800176c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c16800176d0: 00[04]fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c16800176e0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c16800176f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c1680017700: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1680017710: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1680017720: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==21136==ABORTING
MS: 1 CopyPart-; base unit: 30d160fe7bd3cd2193f5bd6d4d40166a7a8b99df
0x0,0x1,0x0,0x58,0x21,0x12,0xa4,0x42,0xb7,0xe7,0xa7,0x1,0xbc,0x34,0xd6,0x86,0xfa,0x0,0x1,0xff,0x80,0x2a,0x0,0x8,0x0,0x0,0x0,0x0,0x0,0x0,0x40,0x0,0x80,0x2a,0x0,0x8,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x80,0x2a,0x0,0x8,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x24,0x0,0x4,0x6e,0x0,0x1,0xff,0x80,0x2a,0x0,0x8,0x93,0x2f,0xf9,0xb1,0x51,0x26,0x3b,0x38,0x0,0x6,0x0,0x9,0x1,0x0,0x0,0x21,0x3a,0x68,0x36,0x76,0x6e,0x0,0x1,0xff,0x80,0x2a,0x0,0x8,0x6d,0x80,0xa7,0x0,0x40,0x0,0x80,0x2a,0x0,0x8,0x0,0x0,
\x00\x01\x00X!\x12\xa4B\xb7\xe7\xa7\x01\xbc4\xd6\x86\xfa\x00\x01\xff\x80*\x00\x08\x00\x00\x00\x00\x00\x00@\x00\x80*\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x80*\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x04n\x00\x01\xff\x80*\x00\x08\x93/\xf9\xb1Q&;8\x00\x06\x00\x09\x01\x00\x00!:h6vn\x00\x01\xff\x80*\x00\x08m\x80\xa7\x00@\x00\x80*\x00\x08\x00\x00
artifact_prefix='fuzzer/reports/'; Test unit written to fuzzer/reports/crash-2ac1acbcc48ad55f82c8fe7f0694c4dae7a9d155
@ibc ibc self-assigned this Dec 18, 2018
@ibc
Copy link
Member Author

ibc commented Dec 18, 2018

I've added a MS_ERROR:

if (this->messageIntegrity != nullptr)
{
	static char messageIntegrity[41];

	for (int i{ 0 }; i < 20; ++i)
	{
		MS_ERROR("--- i:%d", i);

		std::snprintf(messageIntegrity + (i * 2), 3, "%.2x", this->messageIntegrity[i]);
	}

	MS_DEBUG_DEV("  messageIntegrity: %s", messageIntegrity);
}

and the output is just:

[id:fuzzer] RTC::StunMessage::Dump() | --- i:0

so clearly this->messageIntegrity is not nullptr, but it points to non allocated memory.

(report commited)

ibc added a commit that referenced this issue Dec 18, 2018
@ibc
fuzzer: add report for #254
28ed80d
@ibc ibc closed this as completed in 54b1b23 Dec 18, 2018
lavarsicious pushed a commit to lavarsicious/mediasoup that referenced this issue Feb 5, 2019
@ibc @lavarsicious
fuzzer: add report for versatica#254
246e758
lavarsicious pushed a commit to lavarsicious/mediasoup that referenced this issue Feb 5, 2019
@ibc @lavarsicious
StunMessage::Parse(): make sure that, if present, MESSAGE-INTEGRITY v…
864a358 
…alue is 20 bytes (fixes versatica#254)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ibc ibc

Labels
bug fuzzer
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ibc