bug-cflow

negative size parameter detected in _argp_fmtstream_update


From: Youngseok Choi
Subject: negative size parameter detected in _argp_fmtstream_update
Date: Wed, 08 Mar 2023 14:44:34 +0900 (KST)

Hello, cflow developers.

During a fuzzing experiment, we detected a negative size parameter.
The command for this is quite messy, so I wonder if this is a valid bug report.

Command to Reproduce
Please refer to the uploaded POC shell script.

Stack Trace
==5364==ERROR: AddressSanitizer: negative-size-param: (size=-4)
    #0 0x7fd8e2cd71a0 in __interceptor_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7b1a0)
    #1 0x55f1884c9703 in _argp_fmtstream_update (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x59703)
    #2 0x55f1884ca344 in argp_fmtstream_set_lmargin (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x5a344)
    #3 0x55f1884b8727 in _help (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x48727)
    #4 0x55f1884b8d73 in argp_state_help (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x48d73)
    #5 0x55f18848f7ae in cflow_help (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1f7ae)
    #6 0x55f18848fe97 in parse_opt (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1fe97)
    #7 0x55f1884b9e84 in group_parse (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x49e84)
    #8 0x55f1884bcd01 in parser_parse_opt (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4cd01)
    #9 0x55f1884bd8db in parser_parse_next (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4d8db)
    #10 0x55f1884bddfd in argp_parse (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4ddfd)
    #11 0x55f1884904fa in main (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x204fa)
    #12 0x7fd8e288cc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #13 0x55f188480699 in _start (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x10699)

0x611000000328 is located 104 bytes inside of 200-byte region [0x6110000002c0,0x611000000388)
allocated by thread T0 here:
    #0 0x7fd8e2d3ab40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x55f1884c8520 in argp_make_fmtstream (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x58520)
    #2 0x55f1884b84a7 in _help (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x484a7)
    #3 0x55f1884b8d73 in argp_state_help (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x48d73)
    #4 0x55f18848f7ae in cflow_help (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1f7ae)
    #5 0x55f18848fe97 in parse_opt (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1fe97)
    #6 0x55f1884b9e84 in group_parse (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x49e84)
    #7 0x55f1884bcd01 in parser_parse_opt (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4cd01)
    #8 0x55f1884bd8db in parser_parse_next (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4d8db)
    #9 0x55f1884bddfd in argp_parse (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x4ddfd)
    #10 0x55f1884904fa in main (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x204fa)
    #11 0x7fd8e288cc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)


Environment
- OS: Ubuntu 18.04.1
- gcc 7.5.0
- cflow: 1.7

Note that we configured cflow with address sanitizer.
CFLAGS="-fsanitize=address" ./configure
make -j

Many Thanks,
Youngseok Choi

Attachment: poc.zip
Description: Zip archive
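The sanitizer report above says `memmove` was handed a size of -4, i.e. a pointer difference that came out negative and was converted to a value near `SIZE_MAX`. The toy line formatter below is an added illustration of that defect class and of the guard that prevents it; it is not cflow's or glibc argp's code, and `struct wrap_buf`, `naive_tail_len`, `shift_line_to_margin` and the sample text are hypothetical. The naive length computation trusts that the line's text always ends at or after the current left margin; once the margin has been raised past what was actually written, `end - start` is negative. The checked version tests the invariant (and the buffer capacity) before any `memmove` is reached.

```c
/* Added example (not cflow or glibc argp code). Toy line formatter:
 * buf[0..lmargin) is indent, buf[lmargin..p) is the line's text. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define WRAP_CAP 32

struct wrap_buf {
    char   buf[WRAP_CAP];
    char  *p;        /* one past the last byte written */
    size_t lmargin;  /* column at which the current line's text starts */
};

/* Fill the buffer with `indent` spaces followed by `text` (constructed input). */
static void wrap_init(struct wrap_buf *w, size_t indent, const char *text)
{
    size_t n = strlen(text);
    memset(w->buf, ' ', WRAP_CAP);
    w->lmargin = indent;
    memcpy(w->buf + indent, text, n);
    w->p = w->buf + indent + n;
}

/* Naive: assumes the text ends at or after the margin. If the margin has
 * been raised past what was written (p < buf + lmargin), the difference is
 * negative and the cast yields a value near SIZE_MAX. Returns the length
 * that would be passed to memmove instead of calling it. */
size_t naive_tail_len(const struct wrap_buf *w)
{
    return (size_t)(w->p - (w->buf + w->lmargin));
}

/* A size whose signed reading is negative is what ASan reports as
 * negative-size-param (size=-4 in the report above corresponds to
 * SIZE_MAX - 3 as an unsigned length). */
int size_reads_negative(size_t n)
{
    return (ptrdiff_t)n < 0;
}

/* Checked: move the line's text so it starts at new_margin. Returns 0 on
 * success, -1 if the pointer invariant is broken or the result would not
 * fit, so memmove never receives a bogus length. */
int shift_line_to_margin(struct wrap_buf *w, size_t new_margin)
{
    char     *text = w->buf + w->lmargin;
    ptrdiff_t len  = w->p - text;
    if (len < 0)
        return -1;                                   /* margin beyond written text */
    if (new_margin > WRAP_CAP || (size_t)len > WRAP_CAP - new_margin)
        return -1;                                   /* would overrun the buffer */
    memmove(w->buf + new_margin, text, (size_t)len);
    if (new_margin > w->lmargin)
        memset(text, ' ', new_margin - w->lmargin);  /* fill the widened indent */
    w->p = w->buf + new_margin + (size_t)len;
    w->lmargin = new_margin;
    return 0;
}

/* Broken state (constructed): 2-space indent, "help" written, then the
 * margin bookkeeping jumps to column 10, past the 6 bytes present. */
size_t demo_naive_broken(void)
{
    struct wrap_buf w;
    wrap_init(&w, 2, "help");
    w.lmargin = 10;
    return naive_tail_len(&w);          /* (size_t)-4 */
}

int demo_checked_rejects(void)
{
    struct wrap_buf w;
    wrap_init(&w, 2, "help");
    w.lmargin = 10;
    return shift_line_to_margin(&w, 12); /* -1: invariant broken */
}

/* Valid state: widen the indent from 2 to 6; text must end up at column 6. */
int demo_checked_ok(void)
{
    struct wrap_buf w;
    wrap_init(&w, 2, "help");
    if (shift_line_to_margin(&w, 6) != 0)
        return 0;
    return memcmp(w.buf, "      help", 10) == 0 && w.p == w.buf + 10 && w.lmargin == 6;
}

int main(void)
{
    size_t n = demo_naive_broken();
    printf("naive length: %zu, reads negative: %d\n", n, size_reads_negative(n));
    printf("checked shift on broken state: %d, on valid state ok: %d\n",
           demo_checked_rejects(), demo_checked_ok());
    return 0;
}
```

The guard is deliberately placed on the signed difference rather than on the unsigned result: once the subtraction has been cast to `size_t`, the information that it was negative is gone, and only a heuristic like `size_reads_negative` (the same one a sanitizer applies) can recover it.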

