possible heap-buffer-overflow in peek #857

@Anza2001

Hello, I found a heap-buffer-overflow when running the following fuzz driver in the OSS-Fuzz environment.

#include "augeas.h"
#include "config.h"
#include "fa.h"
#include "internal.h"
#include <stdint.h>
#include <stddef.h>
#include <string.h>

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (size < 3) {
        return 0;
    }

    // Creating two fa structures
    struct fa *fa1 = NULL;
    struct fa *fa2 = NULL;

    // Attempt to compile FA from input data. The bytes are handed over
    // exactly as libFuzzer provides them: `size` bytes, not NUL-terminated.
    // fa_compile returns REG_NOERROR (0) on success; bail out otherwise so
    // fa_minus never sees an unset pointer.
    struct fa *fa_tmp1 = NULL;
    struct fa *fa_tmp2 = NULL;
    if (fa_compile((const char *)data, size, &fa_tmp1) != 0) {
        return 0;
    }
    if (fa_compile((const char *)data, size, &fa_tmp2) != 0) {
        if (fa_tmp1) fa_free(fa_tmp1);
        return 0;
    }

    // Using fa_minus to manipulate fa structures
    fa1 = fa_minus(fa_tmp1, fa_tmp2);
    fa2 = fa_minus(fa_tmp1, fa_tmp2);

    // Calling the target function fa_equals
    if (fa1 != NULL && fa2 != NULL) {
        (void)fa_equals(fa1, fa2);
    }

    // Release everything so LeakSanitizer only reports leaks inside the library
    if (fa1) fa_free(fa1);
    if (fa2) fa_free(fa2);
    if (fa_tmp1) fa_free(fa_tmp1);
    if (fa_tmp2) fa_free(fa_tmp2);

    return 0;
}

Here is the ASAN log:

==12==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000002593 at pc 0x55681f7ba210 bp 0x7ffd87170cd0 sp 0x7ffd87170cc8
READ of size 1 at 0x502000002593 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x55681f7ba20f in peek /src/augeas/src/fa.c:3291:12
    #1 0x55681f7ba20f in parse_regexp /src/augeas/src/fa.c:3527:9
    #2 0x55681f7cb40d in parse_simple_exp /src/augeas/src/fa.c:3384:18
    #3 0x55681f7cb40d in parse_repeated_exp /src/augeas/src/fa.c:3459:21
    #4 0x55681f7cb40d in parse_concat_exp /src/augeas/src/fa.c:3502:21
    #5 0x55681f7cc4e1 in parse_concat_exp /src/augeas/src/fa.c:3507:26
    #6 0x55681f7cc4e1 in parse_concat_exp /src/augeas/src/fa.c:3507:26
    #7 0x55681f7b9e49 in parse_regexp /src/augeas/src/fa.c:3530:14
    #8 0x55681f7b8c32 in fa_compile /src/augeas/src/fa.c:3133:10
    #9 0x55681f79d887 in LLVMFuzzerTestOneInput /src/augeas/augeas_fa_compile_fuzzer.cc:21:5
    #10 0x55681f6522f0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #11 0x55681f651b15 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
    #12 0x55681f6532f5 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:760:19
    #13 0x55681f654085 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:905:5
    #14 0x55681f642ecb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
    #15 0x55681f66e2a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #16 0x7f208749b082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)
    #17 0x55681f63574d in _start (/out/augeas_fa_compile_fuzzer+0x5274d)

DEDUP_TOKEN: peek--parse_regexp--parse_simple_exp
0x502000002593 is located 0 bytes after 3-byte region [0x502000002590,0x502000002593)
allocated by thread T0 here:
    #0 0x55681f75e0bf in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x55681f7d3003 in operator new(unsigned long) cxa_noexception.cpp
    #2 0x55681f651b15 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
    #3 0x55681f6532f5 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:760:19
    #4 0x55681f654085 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:905:5
    #5 0x55681f642ecb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
    #6 0x55681f66e2a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #7 0x7f208749b082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)

DEDUP_TOKEN: __interceptor_malloc--operator new(unsigned long)--fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/augeas/src/fa.c:3291:12 in peek
Shadow bytes around the buggy address:
  0x502000002300: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa fd fd
  0x502000002380: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
  0x502000002400: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x502000002480: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa fd fd
  0x502000002500: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
=>0x502000002580: fa fa[03]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000002600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000002680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000002700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000002780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000002800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12==ABORTING
MS: 2 ShuffleBytes-ChangeByte-; base unit: 555d624f951d8e283d24aaf465f64d0705432784
0x3a,0xa,0x28,
:\012(
artifact_prefix='augeas_fa_compile_fuzzer_'; Test unit written to augeas_fa_compile_fuzzer_crash-08c06554421a39083014b63635666806fda211b7
Base64: Ogoo
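Reading the trace above against the artifact it names (3 bytes, 0x3a 0x0a 0x28, i.e. `:\n(`): the faulting read is at offset 3, one byte past the end of the buffer libFuzzer allocated for the input, and it happens in peek() on the first lookahead of a parse_regexp that parse_simple_exp entered right after consuming the trailing `(`. libFuzzer hands LLVMFuzzerTestOneInput exactly `size` bytes with nothing after them, so a lookahead that tests the next byte for '\0' instead of comparing the cursor against the end pointer is one byte too far on such an input. What follows is an added example, not augeas code and not part of the report: a small model of a (cursor, end) recursive-descent parser with the same call shape as the trace (parse_regexp, parse_concat, parse_repeated, parse_simple, peek and match are all hypothetical names over a toy grammar), which records where a '\0'-based lookahead would touch the byte at `rend` instead of reading it, plus a harness-side helper that passes the bytes either as an exact-size heap copy or as a NUL-terminated copy. The `bounded` and `has_nul` switches, `compile_model`, `run_from_fuzz_input` and `overreads` are assumptions of this example; nothing here claims how augeas's own peek() is written beyond what the trace shows.

```c
/* Added example, not augeas code: a model of a lookahead parser over a
 * (cursor, end) pair, run on the three crash bytes from the ASAN log. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parser state, not augeas's struct. */
struct rp {
    const char *rx;     /* cursor */
    const char *rend;   /* one past the last input byte */
    int bounded;        /* 1: peek checks rx < rend; 0: peek tests *rx != '\0' */
    int has_nul;        /* 1: the byte at rend is a readable '\0' terminator */
    int overread;       /* set when the unbounded peek would read the byte at rend */
};

static int more(struct rp *p) { return p->rx < p->rend; }

/* Consume c if it is next. Always bounds-checked. */
static int match(struct rp *p, char c) {
    if (!more(p) || *p->rx != c) return 0;
    p->rx++;
    return 1;
}

/* Non-consuming lookahead. In the '\0'-based form a lookahead at rend
 * dereferences one byte past the input; record that instead of doing it. */
static int peek(struct rp *p, const char *chars) {
    if (!more(p)) {
        if (!p->bounded && !p->has_nul) p->overread = 1;
        return 0;   /* models the '\0' a terminated buffer would yield */
    }
    return strchr(chars, *p->rx) != NULL;
}

static int parse_regexp(struct rp *p);

/* simple := '(' regexp ')' | literal | epsilon. Nonzero on error. */
static int parse_simple(struct rp *p) {
    if (match(p, '(')) {
        if (match(p, ')')) return 0;
        if (parse_regexp(p)) return 1;
        return match(p, ')') ? 0 : 1;   /* unclosed group */
    }
    if (more(p)) p->rx++;               /* any other byte is a literal */
    return 0;
}

static int parse_repeated(struct rp *p) {
    if (parse_simple(p)) return 1;
    while (match(p, '*') || match(p, '+') || match(p, '?'))
        ;
    return 0;
}

static int parse_concat(struct rp *p) {
    if (parse_repeated(p)) return 1;
    if (more(p) && !peek(p, ")|"))
        return parse_concat(p);
    return 0;
}

/* regexp := concat ('|' concat)*. The leading peek is the lookahead the
 * trace shows running right after an unclosed '(' at the end of the input. */
static int parse_regexp(struct rp *p) {
    if (!peek(p, "|") && parse_concat(p)) return 1;
    while (match(p, '|'))
        if (parse_concat(p)) return 1;
    return 0;
}

/* Stand-in for a (buffer, size) compile entry point. 0 on success. */
static int compile_model(const char *re, size_t size, int bounded, int has_nul, int *overread) {
    struct rp p = { re, re + size, bounded, has_nul, 0 };
    int err = parse_regexp(&p);
    if (!err && more(&p)) err = 1;      /* e.g. an unmatched ')' */
    if (overread) *overread = p.overread;
    return err;
}

/* Harness side: copy the fuzz bytes into a heap buffer of exactly `size`
 * bytes (what libFuzzer hands the callback) or `size + 1` with a '\0'. */
static int run_from_fuzz_input(const unsigned char *data, size_t size,
                               int nul_terminate, int bounded, int *overread) {
    char *buf = malloc(size + (nul_terminate ? 1 : 0));
    if (buf == NULL) return -1;
    memcpy(buf, data, size);
    if (nul_terminate) buf[size] = '\0';
    int rc = compile_model(buf, size, bounded, nul_terminate, overread);
    free(buf);
    return rc;
}

/* Only the overread verdict for a given buffer/lookahead combination. */
static int overreads(const unsigned char *data, size_t size, int nul_terminate, int bounded) {
    int ov = 0;
    run_from_fuzz_input(data, size, nul_terminate, bounded, &ov);
    return ov;
}

/* The crash artifact from the log: 0x3a 0x0a 0x28, i.e. ":\n(". */
static const unsigned char kCrashInput[] = { 0x3a, 0x0a, 0x28 };

int main(void) {
    size_t n = sizeof kCrashInput;
    printf("exact-size buffer, '\\0'-based peek : overread=%d\n", overreads(kCrashInput, n, 0, 0));
    printf("NUL-terminated copy, '\\0'-based peek: overread=%d\n", overreads(kCrashInput, n, 1, 0));
    printf("exact-size buffer, bounded peek     : overread=%d\n", overreads(kCrashInput, n, 0, 1));
    return 0;
}
```

Running the crash bytes through the model gives the three outcomes a maintainer triaging this report wants side by side: with an exact-size buffer the '\0'-based lookahead is flagged, with a NUL-terminated copy it is not, and the bounded lookahead is clean either way. In a real harness the NUL-terminated copy is the check that separates an undocumented "input must be NUL-terminated" contract from a parser that ignores `size`; the exact-size copy is the one ASAN needs in order to report the overread at all, which is why the driver in the report, which passes the libFuzzer buffer straight through, finds it.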
