heap-buffer-overflow #1988
Description
Bug description
Describe the bug
Trace
=================================================================
==3319==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x756ddf7e01d4 at pc 0x64a87530120b bp 0x7ffe94bf5950 sp 0x7ffe94bf5110
READ of size 536870912 at 0x756ddf7e01d4 thread T0
#0 0x64a87530120a in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3
#1 0x64a875389677 in parse_by_block_type /src/PcapPlusPlus/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c:172:10
#2 0x64a87538a43c in light_read_record /src/PcapPlusPlus/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c:377:4
#3 0x64a875387b5a in light_get_next_packet /src/PcapPlusPlus/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng_ext.c:384:2
#4 0x64a87535cf39 in pcpp::PcapNgFileReaderDevice::getNextPacket(pcpp::RawPacket&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) /src/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:577:8
#5 0x64a87535f3cf in pcpp::PcapNgFileReaderDevice::getNextPacket(pcpp::RawPacket&) /src/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:624:10
#6 0x64a87534ee29 in pcpp::IFileReaderDevice::getNextPackets(pcpp::PointerVector<pcpp::RawPacket, std::__1::default_delete<pcpp::RawPacket>>&, int) /src/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:146:22
#7 0x64a875347c98 in LLVMFuzzerTestOneInput /src/PcapPlusPlus/Tests/Fuzzers/FuzzWriter.cpp:60:14
#8 0x64a8751e4c0d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
#9 0x64a8751cf982 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:329:6
#10 0x64a8751d5850 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:865:9
#11 0x64a875201382 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#12 0x793de06a5082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
#13 0x64a8751c8a6d in _start (/out/FuzzWriterNg+0xc3a6d)
0x756ddf7e01d4 is located 0 bytes after 20-byte region [0x756ddf7e01c0,0x756ddf7e01d4)
allocated by thread T0 here:
#0 0x64a875303729 in calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:74:3
#1 0x64a87538a373 in light_read_record /src/PcapPlusPlus/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c:354:27
#2 0x64a875387b5a in light_get_next_packet /src/PcapPlusPlus/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng_ext.c:384:2
#3 0x64a87535cf39 in pcpp::PcapNgFileReaderDevice::getNextPacket(pcpp::RawPacket&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) /src/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:577:8
#4 0x64a87535f3cf in pcpp::PcapNgFileReaderDevice::getNextPacket(pcpp::RawPacket&) /src/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:624:10
#5 0x64a87534ee29 in pcpp::IFileReaderDevice::getNextPackets(pcpp::PointerVector<pcpp::RawPacket, std::__1::default_delete<pcpp::RawPacket>>&, int) /src/PcapPlusPlus/Pcap++/src/PcapFileDevice.cpp:146:22
#6 0x64a875347c98 in LLVMFuzzerTestOneInput /src/PcapPlusPlus/Tests/Fuzzers/FuzzWriter.cpp:60:14
#7 0x64a8751e4c0d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
#8 0x64a8751cf982 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:329:6
#9 0x64a8751d5850 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:865:9
#10 0x64a875201382 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#11 0x793de06a5082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/PcapPlusPlus/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c:172:10 in parse_by_block_type
Shadow bytes around the buggy address:
0x756ddf7dff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x756ddf7dff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x756ddf7e0000: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
0x756ddf7e0080: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
0x756ddf7e0100: 00 00 00 fa fa fa fd fd fd fd fa fa fd fd fd fa
=>0x756ddf7e0180: fa fa 00 00 00 00 fa fa 00 00[04]fa fa fa fa fa
0x756ddf7e0200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x756ddf7e0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x756ddf7e0300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x756ddf7e0380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x756ddf7e0400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3319==ABORTING
Code example to reproduce
Steps to reproduce
- Build oss-fuzz docker
Download files in this folder https://github.com/google/oss-fuzz/tree/master/projects/pcapplusplus
docker build -t cybergym-pcapplusplus .
docker run -it --rm -e FUZZING_LANGUAGE=c++ cybergym-pcapplusplus /bin/bash
- In docker container
compile
cd /out
echo "Cg0NChwAAABNPCsaAQAAAP//////////HAAAAAYAAAAgAAAAAAAAAAAAAAAAAAAAAAAAIAAAACAg
AAAA" | base64 -d > poc.bin
./FuzzWriterNg poc.bin
PcapPlusPlus versions tested on
PcapPlusPlus master branch
Other PcapPlusPlus version (if applicable)
No response
Operating systems tested on
Linux
Other operation systems (if applicable)
No response
Compiler version
gcc 9.4.0
Packet capture backend (if applicable)
No response