heap buffer overflow during dvbv5-scan

Hi,

I'm experiencing a heap buffer overflow when I use dvbv5-scan.

I tried with the latest v4l-utils master, kernel 5.8.0-31.

card:
[2932932.804279] si2168 2-0064: Silicon Labs Si2168-D60 successfully identified
[2932932.804282] si2168 2-0064: firmware version: D 6.0.1
[2932932.808400] si2157 3-0060: Silicon Labs Si2141 successfully attached
[2932963.129981] si2168 2-0064: downloading firmware from file 'dvb-demod-si2168-d60-01.fw'
[2932963.555566] si2168 2-0064: firmware version: D 6.0.2
[2932963.573916] si2157 3-0060: found a 'Silicon Labs Si2141-A10'
[2932963.573969] si2157 3-0060: downloading firmware from file 'dvb-tuner-si2141-a10-01.fw'
[2932964.054795] si2157 3-0060: firmware version: 1.1.10
[2932964.075497] si2168 2-0064: downloading firmware from file 'dvb-demod-si2168-d60-01.fw'
[2932964.504849] si2168 2-0064: firmware version: D 6.0.2

Backtrace:

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007ffff7c6e864 in __GI_abort () at abort.c:79
#2  0x00007ffff7cd1af6 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7df9128 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7cda46c in malloc_printerr (str=str@entry=0x7ffff7df7409 "realloc(): invalid next size") at malloc.c:5389
#4  0x00007ffff7cde41c in _int_realloc (av=av@entry=0x7ffff7e2bba0 <main_arena>, oldp=oldp@entry=0x5555555aa4a0, oldsize=oldsize@entry=832, nb=832) at malloc.c:4601
#5  0x00007ffff7ce0056 in __GI___libc_realloc (oldmem=0x5555555aa4b0, bytes=816) at malloc.c:3246
#6  0x000055555557fc8d in dvb_desc_t2_delivery_init (parms=0x5555555a1930, buf=0x5555555a7f8d "", ext=<optimized out>, desc=0x5555555b5b80) at descriptors/desc_t2_delivery.c:86
#7  0x0000555555581dd9 in dvb_extension_descriptor_init (parms=parms@entry=0x5555555a1930, buf=buf@entry=0x5555555a7f8c "\004", desc=desc@entry=0x5555555b5b60) at descriptors/desc_extension.c:159
#8  0x00005555555789c3 in dvb_desc_parse (parms=parms@entry=0x5555555a1930, buf=buf@entry=0x5555555a7f6a "A\030\003\351\037\003\352\037\003\353\037\003\354\037\003\355\037\003\356\037\003\357\037\003\360\037_\004", buflen=buflen@entry=106,
    head_desc=head_desc@entry=0x5555555b50c6) at descriptors.c:195
#9  0x000055555557a439 in dvb_table_nit_init (parms=0x5555555a1930, buf=0x5555555a7f50 "@\360\205\061", <incomplete sequence \325>, buflen=<optimized out>, table=<optimized out>) at tables/nit.c:120
#10 0x0000555555575a96 in dvb_parse_section (buf_length=136, buf=0x5555555a7f50 "@\360\205\061", <incomplete sequence \325>, sect=0x7fffffffe0f0, parms=0x5555555a1930) at dvb-scan.c:281
#11 dvb_read_sections (__p=__p@entry=0x5555555a1930, dmx_fd=dmx_fd@entry=4, sect=sect@entry=0x7fffffffe0f0, timeout=4294959072, timeout@entry=12) at dvb-scan.c:384
#12 0x0000555555576acd in dvb_read_section_with_id (timeout=12, table=0x5555555b5f00, ts_id=-1, pid=16, tid=64 '@', dmx_fd=4, parms=0x5555555a1930) at dvb-scan.c:409
#13 dvb_read_section (timeout=12, table=0x5555555b5f00, pid=16, tid=64 '@', dmx_fd=4, parms=0x5555555a1930) at dvb-scan.c:102
#14 dvb_get_ts_tables (__p=__p@entry=0x5555555a1930, dmx_fd=dmx_fd@entry=4, delivery_system=<optimized out>, other_nit=other_nit@entry=0, timeout_multiply=timeout_multiply@entry=1) at dvb-scan.c:582
#15 0x000055555557733b in dvb_scan_transponder (__p=__p@entry=0x5555555a1930, entry=0x5555555a8f60, dmx_fd=4, check_frontend=0x555555567b70 <check_frontend>, args=0x7fffffffe280, other_nit=0, timeout_multiply=1) at dvb-scan.c:690
#16 0x0000555555568a95 in dvb_local_scan (open_dev=<optimized out>, entry=<optimized out>, check_frontend=<optimized out>, args=<optimized out>, other_nit=<optimized out>, timeout_multiply=<optimized out>) at dvb-dev-local.c:789
#17 0x0000555555566fb3 in run_scan (dvb=0x7fffffffe228, args=0x7fffffffe280) at dvbv5-scan.c:298
#18 main (argc=<optimized out>, argv=<optimized out>) at dvbv5-scan.c:562


Address sanitizer:

Lock   (0x1f) C/N= 29.75dB UCB= 0 postBER= 74.0x10^-3
=================================================================
==2140614==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100005ed00 at pc 0x5555555f50a7 bp 0x7fffffffd410 sp 0x7fffffffd400
READ of size 1 at 0x62100005ed00 thread T0
    #0 0x5555555f50a6 in dvb_desc_t2_delivery_init (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0xa10a6)
    #1 0x55555560152c in dvb_extension_descriptor_init (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0xad52c)
    #2 0x5555555d4430 in dvb_desc_parse (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x80430)
    #3 0x5555555dc870 in dvb_table_nit_init (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x88870)
    #4 0x5555555ca85d in dvb_parse_section (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x7685d)
    #5 0x5555555cbdab in dvb_read_sections (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x77dab)
    #6 0x5555555cc065 in dvb_read_section_with_id (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x78065)
    #7 0x5555555c873f in dvb_read_section (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x7473f)
    #8 0x5555555cd772 in dvb_get_ts_tables (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x79772)
    #9 0x5555555ce8c2 in dvb_scan_transponder (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x7a8c2)
    #10 0x55555559ff5c in dvb_local_scan (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x4bf5c)
    #11 0x555555598904 in dvb_dev_scan (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x44904)
    #12 0x5555555949b0 in run_scan (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x409b0)
    #13 0x555555596a0c in main (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x42a0c)
    #14 0x7ffff729ecb1 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28cb1)
    #15 0x555555592f4d in _start (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x3ef4d)

0x62100005ed00 is located 0 bytes to the right of 4096-byte region [0x62100005dd00,0x62100005ed00)
allocated by thread T0 here:
    #0 0x7ffff76876e7 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb06e7)
    #1 0x5555555cb5a6 in dvb_read_sections (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x775a6)
    #2 0x5555555cc065 in dvb_read_section_with_id (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x78065)
    #3 0x5555555c873f in dvb_read_section (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x7473f)
    #4 0x5555555cd772 in dvb_get_ts_tables (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x79772)
    #5 0x5555555ce8c2 in dvb_scan_transponder (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x7a8c2)
    #6 0x55555559ff5c in dvb_local_scan (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x4bf5c)
    #7 0x555555598904 in dvb_dev_scan (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x44904)
    #8 0x5555555949b0 in run_scan (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x409b0)
    #9 0x555555596a0c in main (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0x42a0c)
    #10 0x7ffff729ecb1 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28cb1)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/damarion/src/v4l-utils/utils/dvb/dvbv5-scan+0xa10a6) in dvb_desc_t2_delivery_init
==2140614==ABORTING

Will be glad to debug this further but I will need a bit of assistance...

Thanks,

Damjan
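The crash above is a one-byte READ past the end of the heap section buffer while parsing a T2 delivery system descriptor reached through an extension descriptor in the NIT. As an added illustration (not code from v4l-utils or from the reporter), the following bounds-checked descriptor-loop walker shows the length checking such a parser needs: every read is validated against the bytes remaining, and a descriptor whose length field points past the end of the buffer ends the walk instead of reading beyond it. The tag values 0x7F and 0x04 are from ETSI EN 300 468; the sample byte strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DESC_EXTENSION  0x7f  /* extension_descriptor tag (ETSI EN 300 468) */
#define EXT_T2_DELIVERY 0x04  /* T2_delivery_system_descriptor extension tag */

struct desc_stats { int descriptors, t2_delivery, truncated; };

/* Walk a descriptor loop of (tag, length, payload) triples, checking every read against
 * the bytes left in the buffer first, so a bad length ends the walk instead of running
 * past the section buffer. Returns 0 if the loop was fully consumed, -1 if it stopped early. */
static int walk_descriptors(const uint8_t *buf, size_t buflen, struct desc_stats *st)
{
    size_t pos = 0;
    memset(st, 0, sizeof(*st));
    while (pos < buflen) {
        if (buflen - pos < 2)                 /* tag + length header must fit */
            goto truncated;
        uint8_t tag = buf[pos], len = buf[pos + 1];
        const uint8_t *payload = buf + pos + 2;
        if (len > buflen - pos - 2)           /* declared length must fit in what is left */
            goto truncated;
        if (tag == DESC_EXTENSION) {          /* payload[0] is the extension tag */
            if (len < 1 || (payload[0] == EXT_T2_DELIVERY && len < 4))
                goto truncated;               /* T2: ext tag, plp_id, T2_system_id = 4 bytes min */
            st->t2_delivery += (payload[0] == EXT_T2_DELIVERY);
        }
        st->descriptors++;
        pos += 2 + len;
    }
    return 0;
truncated:
    st->truncated = 1;
    return -1;
}

/* Constructed sample loops (not the reporter's data): a service_list descriptor followed by a
 * T2 delivery extension descriptor. In bad_loop the T2 length byte claims 16 bytes; only 4 remain. */
static const uint8_t good_loop[] = { 0x41, 0x06, 0x03, 0xe9, 0x1f, 0x03, 0xea, 0x1f,
                                     0x7f, 0x04, 0x04, 0x00, 0x12, 0x34 };
static const uint8_t bad_loop[]  = { 0x41, 0x06, 0x03, 0xe9, 0x1f, 0x03, 0xea, 0x1f,
                                     0x7f, 0x10, 0x04, 0x00, 0x12, 0x34 };

/* T2 descriptors found in a clean walk (-1 if it stopped early); 1 if the bad loop was caught. */
int scan_good(void) { struct desc_stats s; return walk_descriptors(good_loop, sizeof good_loop, &s) ? -1 : s.t2_delivery; }
int scan_bad(void)  { struct desc_stats s; walk_descriptors(bad_loop, sizeof bad_loop, &s); return s.truncated; }

int main(void) { printf("good: %d T2 descriptor(s); bad: truncated=%d\n", scan_good(), scan_bad()); return 0; }
```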
