View Issue Details

ID: 0003991
Project: GNUnet
Category: peerinfo service
View Status: public
Last Update: 2018-06-07 00:24
Reporter: Bart Polot
Assigned To: Christian Grothoff
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: SVN HEAD
Target Version: 0.11.0pre66
Fixed in Version: 0.11.0pre66
Summary: 0003991: Peerinfo crashes on buffer overflow

Description: gcc -fsanitize=address reports:

=================================================================
==22177==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd3153e49f at pc 0x7f74f99fed25 bp 0x7ffd3152e1e0 sp 0x7ffd3152d988
READ of size 51472 at 0x7ffd3153e49f thread T0
    #0 0x7f74f99fed24 in __asan_memcpy /build/gcc/src/gcc-5.2.0/libsanitizer/asan/asan_interceptors.cc:367
    #1 0x7f74f976b161 in GNUNET_HELLO_iterate_addresses /home/bart/g/src/hello/hello.c:307
    #2 0x40338a in read_host_file /home/bart/g/src/peerinfo/gnunet-service-peerinfo.c:383
    #3 0x403ebe in add_host_to_known_hosts /home/bart/g/src/peerinfo/gnunet-service-peerinfo.c:481
    #4 0x4071fc in handle_hello /home/bart/g/src/peerinfo/gnunet-service-peerinfo.c:1074
    #5 0x7f74f92cc360 in GNUNET_SERVER_inject /home/bart/g/src/util/server.c:997
    #6 0x7f74f92cda3f in client_message_tokenizer_callback /home/bart/g/src/util/server.c:1256
    #7 0x7f74f92d2150 in GNUNET_SERVER_mst_receive /home/bart/g/src/util/server_mst.c:221
    #8 0x7f74f92cc816 in process_mst /home/bart/g/src/util/server.c:1073
    #9 0x7f74f92cd4c2 in process_incoming /home/bart/g/src/util/server.c:1191
    #10 0x7f74f9266251 in receive_ready /home/bart/g/src/util/connection.c:1156
    #11 0x7f74f92c4596 in run_ready /home/bart/g/src/util/scheduler.c:587
    #12 0x7f74f92c5279 in GNUNET_SCHEDULER_run /home/bart/g/src/util/scheduler.c:868
    #13 0x7f74f92df389 in GNUNET_SERVICE_run /home/bart/g/src/util/service.c:1503
    #14 0x408c13 in main /home/bart/g/src/peerinfo/gnunet-service-peerinfo.c:1396
    #15 0x7f74f7eec60f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #16 0x4024a8 in _start (/tmp/bartgnunet/lib/gnunet/libexec/gnunet-service-peerinfo+0x4024a8)

Address 0x7ffd3153e49f is located in stack of thread T0 at offset 65695 in frame
    #0 0x402d5a in read_host_file /home/bart/g/src/peerinfo/gnunet-service-peerinfo.c:329

  This frame has 3 object(s):
    [32, 36) 'left'
    [96, 104) 'now'
    [160, 65695) 'buffer' <== Memory access at offset 65695 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /build/gcc/src/gcc-5.2.0/libsanitizer/asan/asan_interceptors.cc:367 __asan_memcpy
Shadow bytes around the buggy address:
  0x10002629fc40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002629fc50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002629fc60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002629fc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002629fc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10002629fc90: 00 00 00[07]f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10002629fca0: 00 00 00 00 f1 f1 f1 f1 00 00 f4 f4 f3 f3 f3 f3
  0x10002629fcb0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10002629fcc0: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10002629fcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002629fce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
==22177==ABORTING

Steps To Reproduce: Run a peer
Tags: No tags attached.

Relationships

related to 0003911 (closed, Bart Polot): Peerinfo doesn't get the correct addresses.

Activities

Christian Grothoff

2015-10-02 16:52

manager   ~0009679

Should be fixed in 36431.

Issue History

Date Modified Username Field Change
2015-09-24 17:45 Bart Polot New Issue
2015-09-24 17:45 Bart Polot Relationship added related to 0003911
2015-09-24 17:57 Bart Polot Reproducibility sometimes => always
2015-09-24 17:57 Bart Polot Summary Peerinfo crashes => Peerinfo crashes on buffer overflow
2015-09-24 17:57 Bart Polot Steps to Reproduce Updated
2015-10-02 16:52 Christian Grothoff Note Added: 0009679
2015-10-02 16:52 Christian Grothoff Status new => resolved
2015-10-02 16:52 Christian Grothoff Fixed in Version => 0.11.0pre66
2015-10-02 16:52 Christian Grothoff Resolution open => fixed
2015-10-02 16:52 Christian Grothoff Assigned To => Christian Grothoff
2018-06-07 00:24 Christian Grothoff Status resolved => closed