【fuzz】缓冲区溢出

【环境信息】
x86
【测试版本】
Name:          LibRaw
Version:       0.19.0
Release:       10
【注意事项】
受影响版本排查（受影响/不受影响）
1、master
2、openEuler-LTS-20.03
3、openEuler-LTS-20.03-SP1
4、openEuler-LTS-20.03-Next
5、openEuler-20.09
【测试步骤】
1、编译
python3 infra/helper.py build_fuzzers --sanitizer address libraw 
2、执行
python3 infra/helper.py run_fuzzer libraw  libraw_raf_fuzzer -rss_limit_mb=0
【报错信息】
```
==8==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f8290a0a8a0 at pc 0x0000004bbfd4 bp 0x7ffee3749310 sp 0x7ffee3748ad0
READ of size 129 at 0x7f8290a0a8a0 thread T0
SCARINESS: 41 (multi-byte-read-stack-buffer-overflow)
    #0 0x4bbfd3 in strchr /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:693:5
    #1 0x589210 in __libcpp_strchr(char const*, int) /usr/local/bin/../include/c++/v1/string.h:73:64
    #2 0x559950 in strchr(char*, int) [enable_if:true] /usr/local/bin/../include/c++/v1/string.h:77:54
    #3 0x6435fb in LibRaw::parse_rollei() /src/libraw/internal/dcraw_common.cpp:14855:16
    #4 0x65936f in LibRaw::identify() /src/libraw/internal/dcraw_common.cpp:17967:5
    #5 0x5652e8 in LibRaw::open_datastream(LibRaw_abstract_datastream*) /src/libraw/src/libraw_cxx.cpp:2008:5
    #6 0x562679 in LibRaw::open_buffer(void*, unsigned long) /src/libraw/src/libraw_cxx.cpp:1123:13
    #7 0x5515dc in LLVMFuzzerTestOneInput /src/libraw_fuzzer.cc:41:24
    #8 0x4598f1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #9 0x444c52 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
    #10 0x44ace7 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:776:9
    #11 0x473332 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #12 0x7f828f99a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x41f268 in _start (/out/libraw_raf_fuzzer+0x41f268)

Address 0x7f8290a0a8a0 is located in stack of thread T0 at offset 160 in frame
    #0 0x64338f in LibRaw::parse_rollei() /src/libraw/internal/dcraw_common.cpp:14846

This frame has 2 object(s):
    [32, 160) 'line' (line 14847)
    [192, 248) 't' (line 14848) <== Memory access at offset 160 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:693:5 in strchr
Shadow bytes around the buggy address:
  0x0ff0d21394c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0d21394d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0d21394e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0d21394f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0d2139500: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff0d2139510: 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 f3
  0x0ff0d2139520: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0d2139530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0d2139540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0d2139550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0d2139560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==8==ABORTING
```
【问题复现】
python infra/helper.py reproduce libraw libraw_raf_fuzzer crash-265dea0fbb13806538c9033abe649bb0a20cdc40

src-openEuler/LibRaw

内容风险标识

评论 (4)

src-openEuler/LibRaw .gitee-modal { width: 500px !important; }

内容风险标识