bug-cflow

global-buffer-overflow bugs in find_option_type


From: Youngseok Choi
Subject: global-buffer-overflow bugs in find_option_type
Date: Wed, 08 Mar 2023 14:15:42 +0900 (KST)

Hello, cflow developers.

We are developing a new fuzzer, and it found three global-overflow errors in find_option_type.

Bug 1: global-buffer-overflow in find_option_type

Command to Reproduce
./cflow --l =

Stack Trace
==6130==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55dc656f5220 at pc 0x55dc656a2273 bp 0x7ffe954bc010 sp 0x7ffe954bc000
READ of size 8 at 0x55dc656f5220 thread T0
    #0 0x55dc656a2272 in find_option_type (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1e272)
    #1 0x55dc656a33da in set_level_indent (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1f3da)
    #2 0x55dc656a3a0a in parse_opt (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1fa0a)
    #3 0x55dc656cde84 in group_parse (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x49e84)
    #4 0x55dc656d0df6 in parser_parse_opt (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4cdf6)
    #5 0x55dc656d18db in parser_parse_next (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4d8db)
    #6 0x55dc656d1dfd in argp_parse (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4ddfd)
    #7 0x55dc656a44fa in main (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x204fa)
    #8 0x7fa630589c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #9 0x55dc65694699 in _start (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x10699)

Bug 2: global-buffer-overflow by find_option_type

Command to Reproduce
./cflow "-s:?d#?"

Stack Trace
==2451==ERROR: AddressSanitizer: global-buffer-overflow on address 0x562569b77423 at pc 0x7f2669338bb5 bp 0x7ffeaae6f290 sp 0x7ffeaae6ea38
READ of size 4 at 0x562569b77423 thread T0
    #0 0x7f2669338bb4  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xafbb4)
    #1 0x562569b35204 in find_option_type (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1e204)
    #2 0x562569b35674 in symbol_override (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1e674)
    #3 0x562569b36dea in parse_opt (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1fdea)
    #4 0x562569b60e84 in group_parse (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x49e84)
    #5 0x562569b63d01 in parser_parse_opt (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4cd01)
    #6 0x562569b648db in parser_parse_next (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4d8db)
    #7 0x562569b64dfd in argp_parse (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4ddfd)
    #8 0x562569b374fa in main (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x204fa)
    #9 0x7f2668eb9c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #10 0x562569b27699 in _start (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x10699)

Bug 3: global-buffer-overflow by find_option_type

Command to Reproduce
./cflow -T

Stack Trace
==3430==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55af15c246e2 at pc 0x7feada15fbb5 bp 0x7ffef3ae7780 sp 0x7ffef3ae6f28
READ of size 4 at 0x55af15c246e2 thread T0
    #0 0x7feada15fbb4  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xafbb4)
    #1 0x55af15be2204 in find_option_type (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1e204)
    #2 0x55af15be33da in set_level_indent (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1f3da)
    #3 0x55af15be38d6 in parse_opt (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1f8d6)
    #4 0x55af15c0de84 in group_parse (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x49e84)
    #5 0x55af15c10d01 in parser_parse_opt (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4cd01)
    #6 0x55af15c118db in parser_parse_next (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4d8db)
    #7 0x55af15c11dfd in argp_parse (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4ddfd)
    #8 0x55af15be44fa in main (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x204fa)
    #9 0x7fead9ce0c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #10 0x55af15bd4699 in _start (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x10699)

The Bug 3 stack trace is similar to the Bug 1 trace; however, the command is different.

Environment
- OS: Ubuntu 18.04.1
- gcc 7.5.0
- cflow: 1.7

Note that we configured cflow with address sanitizer:
CFLAGS="-fsanitize=address" ./configure
make -j

Many Thanks,
Youngseok Choi
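
The report above gives ASan traces but no source, so the following is an added illustration of the bug class, not cflow's own find_option_type: a prefix lookup over a NUL-terminated global option table that lets the caller-supplied argument length drive memcmp(), so an argument longer than every table entry reads past the end of a string literal in .rodata (exactly the "global-buffer-overflow READ" ASan reports). The table entries, enum values and function names are constructed for the example; whether cflow's real code takes this shape is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed option table (not cflow's): each entry is a keyword, the
 * minimum number of characters needed for an abbreviation to match, and
 * the value returned on a match.  The list is terminated by a NULL entry. */
struct option_type {
    const char *str;
    size_t min_match;
    int type;
};

enum { OPT_NONE = 0, OPT_TREE = 1, OPT_SPACE = 2, OPT_DASH = 3 };

static const struct option_type level_types[] = {
    { "tree",  1, OPT_TREE  },
    { "space", 1, OPT_SPACE },
    { "dash",  1, OPT_DASH  },
    { NULL,    0, 0         }
};

/* Vulnerable form (hypothetical).  `len` comes from the command-line
 * argument; memcmp() reads `len` bytes from optype->str regardless of how
 * long that table entry actually is.  An argument longer than every entry
 * therefore reads past the end of the literal, which ASan reports as a
 * global-buffer-overflow READ inside the lookup, as in the traces above. */
int find_option_type_unsafe(const struct option_type *optype,
                            const char *str, size_t len)
{
    if (len == 0)
        len = strlen(str);
    for (; optype->str; optype++) {
        if (len >= optype->min_match && memcmp(optype->str, str, len) == 0)
            return optype->type;
    }
    return OPT_NONE;
}

/* Hardened form: never compare more bytes than the table entry holds.
 * An input longer than the entry cannot be an abbreviation of it, so it is
 * skipped before memcmp() runs; the comparison length is now bounded by
 * data the program owns, not by the attacker-controlled argument. */
int find_option_type_safe(const struct option_type *optype,
                          const char *str, size_t len)
{
    if (len == 0)
        len = strlen(str);
    for (; optype->str; optype++) {
        size_t entry_len = strlen(optype->str);
        if (len < optype->min_match || len > entry_len)
            continue;
        if (memcmp(optype->str, str, len) == 0)
            return optype->type;
    }
    return OPT_NONE;
}

/* Build with -fsanitize=address and run with an argument longer than every
 * table entry (e.g. ./a.out treehouse) to get the same class of ASan report
 * from the unsafe lookup; the safe lookup returns OPT_NONE without reading
 * outside the table. */
int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "tr";
    printf("safe lookup of \"%s\" -> %d\n", arg,
           find_option_type_safe(level_types, arg, 0));
    printf("unsafe lookup of \"%s\" -> %d\n", arg,
           find_option_type_unsafe(level_types, arg, 0));
    return 0;
}
```

Bounding the comparison by the entry's own length is one fix; replacing memcmp() with strncmp() is another, since strncmp() stops at the first NUL or mismatch and so never reads past the shorter string. Either way, the invariant to check in review is that the number of bytes compared is derived from the table, never solely from argv.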
