Re: Stack-buffer overflow in pjsip_multipart_parse and pj_scan_get_quotes

Hi Ming —

Please try the following to reproduce the issues:

$ ./configure CFLAGS='-fsanitize=address -fno-omit-frame-pointer' LDFLAGS='-fsanitize=address -fno-omit-frame-pointer'

$ clang -o out multipart-parse-overflow.c -O1 -g -fsanitize=address -fno-omit-frame-pointer pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid

$ ./out

I've attached the AddressSanitizer output for the three issues.

Best

    -Stephan

On 11/10/2017 02:05 AM, Ming wrote:
> Hi Stephan,
>
> Thanks for the report.
>
> I ran all three programs under AddressSanitizer (https://github.com/google/sanitizers/wiki/AddressSanitizer) and it didn't report any warning or error at all.
>
> Command I used (on Mac):
> clang -fsanitize=address -O1 -fno-omit-frame-pointer -g -o out pj-scan-get-until-ch-overflow.c pjsip/lib/libpjsip-x86_64-apple-darwin16.7.0.a pjlib-util/lib/libpjlib-util-x86_64-apple-darwin16.7.0.a pjlib/lib/libpj-x86_64-apple-darwin16.7.0.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm
>
> && ./out
>
> The valgrind reports you attached do not seem to point to any stack overflow either (or perhaps it is me who doesn't know how to read them). So if you have additional details (such as which packet bytes trigger the issue, or better yet, which particular PJSIP code is the problematic one, or even better yet, how to fix it :) ), please share them with us.
>
> Regards,
> Ming
>
> On Fri, Nov 10, 2017 at 12:14 AM, Stephan Zeisberg <stephan@xxxxxxxxx> wrote:
>
>     Dear all —
>
>     Please find attached two sample programs that parse a SIP message using pjsip_parse_msg. Both programs cause a stack-buffer overflow.
>
>     # Version
>
>     trunk
>
>     # How to reproduce pjsip_multipart_parse overflow:
>
>     $ clang -o out multipart-parse-overflow.c pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid
>
>     $ valgrind ./out
>
>     The resulting valgrind output is attached.
>
>     # How to reproduce pj_scan_get_quotes overflow:
>
>     $ clang -o out pj-scan-get-quotes-overflow.c pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid
>
>     $ valgrind ./out
>
>     The resulting valgrind output is attached.
>
>     The issues have been found with afl-fuzz in ASAN mode.
>
>     Cheers
>
>         -Stephan Zeisberg
>
>
>     _______________________________________________
>     Visit our blog: http://blog.pjsip.org
>
>     pjsip mailing list
>     pjsip@xxxxxxxxxxxxxxx
>     http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org
>
>
>
>

=================================================================
==19660==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0c32ec4e at pc 0x0000005400ed bp 0x7fff0c32dcd0 sp 0x7fff0c32dcc8
READ of size 1 at 0x7fff0c32ec4e thread T0
    #0 0x5400ec in pjsip_multipart_parse (/tmp/pj/out+0x5400ec)
    #1 0x50be47 in int_parse_msg (/tmp/pj/out+0x50be47)
    #2 0x50b221 in pjsip_parse_msg (/tmp/pj/out+0x50b221)
    #3 0x509b73 in main /tmp/pj/multipart-parse-overflow.c:97:3
    #4 0x7ff42d5a5039 in __libc_start_main (/lib64/libc.so.6+0x21039)
    #5 0x41a529 in _start (/tmp/pj/out+0x41a529)

Address 0x7fff0c32ec4e is located in stack of thread T0 at offset 1134 in frame
    #0 0x509a1f in main /tmp/pj/multipart-parse-overflow.c:11

  This frame has 2 object(s):
    [32, 80) 'err_list'
    [112, 1134) 'packet' <== Memory access at offset 1134 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/tmp/pj/out+0x5400ec) in pjsip_multipart_parse
==19660==ABORTING
=================================================================
==19818==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffd86f8c8e at pc 0x000000571e0f bp 0x7fffd86f79a0 sp 0x7fffd86f7998
READ of size 1 at 0x7fffd86f8c8e thread T0
    #0 0x571e0e in pj_scan_get_quotes (/tmp/pj/out+0x571e0e)
    #1 0x571a26 in pj_scan_get_quote (/tmp/pj/out+0x571a26)
    #2 0x517c09 in int_parse_name_addr (/tmp/pj/out+0x517c09)
    #3 0x50de54 in int_parse_uri_or_name_addr (/tmp/pj/out+0x50de54)
    #4 0x5176b6 in parse_hdr_fromto (/tmp/pj/out+0x5176b6)
    #5 0x515471 in parse_hdr_to (/tmp/pj/out+0x515471)
    #6 0x50b7ec in int_parse_msg (/tmp/pj/out+0x50b7ec)
    #7 0x50b221 in pjsip_parse_msg (/tmp/pj/out+0x50b221)
    #8 0x509b73 in main /tmp/pj/pj-scan-get-quotes-overflow.c:97:3
    #9 0x7fc0a8160039 in __libc_start_main (/lib64/libc.so.6+0x21039)
    #10 0x41a529 in _start (/tmp/pj/out+0x41a529)

Address 0x7fffd86f8c8e is located in stack of thread T0 at offset 1134 in frame
    #0 0x509a1f in main /tmp/pj/pj-scan-get-quotes-overflow.c:11

  This frame has 2 object(s):
    [32, 80) 'err_list'
    [112, 1134) 'packet' <== Memory access at offset 1134 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/tmp/pj/out+0x571e0e) in pj_scan_get_quotes
==19818==ABORTING

=================================================================
==19922==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe7c1b652e at pc 0x000000572f17 bp 0x7ffe7c1b5710 sp 0x7ffe7c1b5708
READ of size 1 at 0x7ffe7c1b652e thread T0
    #0 0x572f16 in pj_scan_get_until_ch (/tmp/pj/out+0x572f16)
    #1 0x515a81 in parse_hdr_via (/tmp/pj/out+0x515a81)
    #2 0x50b7ec in int_parse_msg (/tmp/pj/out+0x50b7ec)
    #3 0x50b221 in pjsip_parse_msg (/tmp/pj/out+0x50b221)
    #4 0x509b73 in main /tmp/pj/pj-scan-get-until-ch-overflow.c:97:3
    #5 0x7f4104091039 in __libc_start_main (/lib64/libc.so.6+0x21039)
    #6 0x41a529 in _start (/tmp/pj/out+0x41a529)

Address 0x7ffe7c1b652e is located in stack of thread T0 at offset 1134 in frame
    #0 0x509a1f in main /tmp/pj/pj-scan-get-until-ch-overflow.c:11

  This frame has 2 object(s):
    [32, 80) 'err_list'
    [112, 1134) 'packet' <== Memory access at offset 1134 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/tmp/pj/out+0x572f16) in pj_scan_get_until_ch
==19922==ABORTING
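An added illustration, not pjsip's code and not the attached test programs: all three ASan reports above are a one-byte READ at frame offset 1134, one past the end of the 1022-byte `packet` array in main, issued from inside a pjsip scanning routine. The hypothetical `scan_get_until_ch` and `scan_get_quotes` below show the bounded form of that scanner pattern, taking an explicit end pointer and checking it before every dereference, driven by constructed SIP header fragments where the terminator may be absent from the buffer.

```c
/* Hypothetical illustration (not pjsip's code) of the scanner pattern behind the ASan
 * reports: bounded scanners over a packet buffer with no NUL and maybe no terminator. */
#include <string.h>
#define PACKET_SIZE 1022  /* size of 'packet' in the ASan frame dump: [112, 1134) */
/* end is one past the last valid byte and is never dereferenced. */
typedef struct { const char *cur, *end; } scanner_t;

/* Span length up to (not including) ch, or -1 if the buffer ends first: the
 * bounds check precedes every dereference, so offset PACKET_SIZE is never read. */
static long scan_get_until_ch(scanner_t *s, char ch) {
    const char *start = s->cur;
    while (s->cur < s->end && *s->cur != ch) s->cur++;
    if (s->cur == s->end) { s->cur = start; return -1; }
    return (long)(s->cur - start);
}

/* Quoted-string length including both quotes, or -1 if the closing quote is
 * missing; a backslash escapes the next byte, so an escaped quote does not close. */
static long scan_get_quotes(scanner_t *s) {
    const char *start = s->cur;
    if (s->cur >= s->end || *s->cur != '"') return -1;
    for (s->cur++; s->cur < s->end; s->cur++) {
        if (*s->cur == '\\') { if (++s->cur >= s->end) break; }
        else if (*s->cur == '"') { s->cur++; return (long)(s->cur - start); }
    }
    s->cur = start;
    return -1;
}

/* Constructed input: a SIP header at the front, padded with 'A' so there is no NUL. */
static void fill_packet(char *packet, const char *hdr, size_t hdr_len) {
    memset(packet, 'A', PACKET_SIZE);
    memcpy(packet, hdr, hdr_len);
}

static long demo_until_ch(char ch) {
    static const char hdr[] = "Via: SIP/2.0/UDP 192.0.2.1;branch=z9hG4bK";
    char packet[PACKET_SIZE];
    fill_packet(packet, hdr, sizeof hdr - 1);
    scanner_t s = { packet + 5, packet + PACKET_SIZE };  /* just past "Via: " */
    return scan_get_until_ch(&s, ch);   /* ';' -> 21, '\n' -> -1 (no CRLF in buffer) */
}

static long demo_quotes(int close_quote) {
    static const char hdr[] = "To: \"Bob\" <sip:bob@example.com>";
    char packet[PACKET_SIZE];
    fill_packet(packet, hdr, sizeof hdr - 1);
    if (!close_quote) packet[8] = 'A';  /* drop the closing quote */
    scanner_t s = { packet + 4, packet + PACKET_SIZE };  /* at the opening quote */
    return scan_get_quotes(&s);         /* 1 -> 5, 0 -> -1 */
}
```

ASan only checks loads and stores in code compiled with -fsanitize=address, so a harness built with the sanitizer but linked against uninstrumented pjsip static libraries gets no report for an overread inside pj_scan_get_quotes; that is what the ./configure CFLAGS step above addresses by rebuilding the libraries themselves under ASan.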
