jarulraj/sqlcheck

A heap-buffer-overflow was triggered by sqlcheck::CheckPattern

Asteriska001 opened this issue · 0 comments

Description

A heap-buffer-overflow was triggered by sqlcheck::CheckPattern
The issue is triggered in function sqlcheck::CheckPattern(sqlcheck::Configuration&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool&, std::__cxx11::basic_regex<char, std::__cxx11::regex_traits<char> > const&, sqlcheck::RiskLevel, sqlcheck::PatternType, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, bool, unsigned long) at /AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/src/checker.cpp:239

Version

Ver. 1.3 Latest Commit

Environment

Ubuntu 18.04, 64-bit

Command

cmake .. && make && make install

ASAN

ASAN log.

==5826==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000ed0 at pc 0x5565d1015801 bp 0x7ffdea13e470 sp 0x7ffdea13e460
READ of size 8 at 0x603000000ed0 thread T0
    #0 0x5565d1015800 in sqlcheck::CheckPattern(sqlcheck::Configuration&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool&, std::__cxx11::basic_regex<char, std::__cxx11::regex_traits<char> > const&, sqlcheck::RiskLevel, sqlcheck::PatternType, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, bool, unsigned long) /AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/src/checker.cpp:239
    #1 0x5565d1090356 in sqlcheck::CheckConcatenation(sqlcheck::Configuration&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool&) /AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/src/list.cpp:689
    #2 0x5565d1016dad in sqlcheck::CheckStatement(sqlcheck::Configuration&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/src/checker.cpp:351
    #3 0x5565d1013143 in sqlcheck::Check(sqlcheck::Configuration&) /AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/src/checker.cpp:58
    #4 0x5565d101119d in main /AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/src/main.cpp:124
    #5 0x7f7a713040b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #6 0x5565d10108bd in _start (/AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/build/bin/sqlcheck+0x8a8bd)

0x603000000ed0 is located 0 bytes to the right of 32-byte region [0x603000000eb0,0x603000000ed0)
allocated by thread T0 here:
    #0 0x7f7a7192c5a7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x5565d102d8ca in __gnu_cxx::new_allocator<unsigned long>::allocate(unsigned long, void const*) /usr/include/c++/10/ext/new_allocator.h:115
    #2 0x5565d102a800 in std::allocator_traits<std::allocator<unsigned long> >::allocate(std::allocator<unsigned long>&, unsigned long) /usr/include/c++/10/bits/alloc_traits.h:460
    #3 0x5565d1027bd7 in std::_Vector_base<unsigned long, std::allocator<unsigned long> >::_M_allocate(unsigned long) /usr/include/c++/10/bits/stl_vector.h:346
    #4 0x5565d102234a in void std::vector<unsigned long, std::allocator<unsigned long> >::_M_realloc_insert<unsigned long>(__gnu_cxx::__normal_iterator<unsigned long*, std::vector<unsigned long, std::allocator<unsigned long> > >, unsigned long&&) (/AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/build/bin/sqlcheck+0x9c34a)
    #5 0x5565d101e8a6 in void std::vector<unsigned long, std::allocator<unsigned long> >::emplace_back<unsigned long>(unsigned long&&) (/AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/build/bin/sqlcheck+0x988a6)
    #6 0x5565d101c245 in std::vector<unsigned long, std::allocator<unsigned long> >::push_back(unsigned long&&) (/AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/build/bin/sqlcheck+0x96245)
    #7 0x5565d10156d5 in sqlcheck::CheckPattern(sqlcheck::Configuration&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool&, std::__cxx11::basic_regex<char, std::__cxx11::regex_traits<char> > const&, sqlcheck::RiskLevel, sqlcheck::PatternType, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, bool, unsigned long) /AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/src/checker.cpp:231
    #8 0x5565d1090356 in sqlcheck::CheckConcatenation(sqlcheck::Configuration&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool&) /AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/src/list.cpp:689
    #9 0x5565d1016dad in sqlcheck::CheckStatement(sqlcheck::Configuration&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/src/checker.cpp:351
    #10 0x5565d1013143 in sqlcheck::Check(sqlcheck::Configuration&) /AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/src/checker.cpp:58
    #11 0x5565d101119d in main /AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/src/main.cpp:124
    #12 0x7f7a713040b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /AFLplusplus/my_test/sqlcheck/fuzzVal/sqlcheck/src/checker.cpp:239 in sqlcheck::CheckPattern(sqlcheck::Configuration&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool&, std::__cxx11::basic_regex<char, std::__cxx11::regex_traits<char> > const&, sqlcheck::RiskLevel, sqlcheck::PatternType, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, bool, unsigned long)
Shadow bytes around the buggy address:
  0x0c067fff8180: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff8190: fd fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c067fff81a0: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff81b0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff81c0: fd fd fa fa fd fd fd fd fa fa 00 00 05 fa fa fa
=>0x0c067fff81d0: 00 00 05 fa fa fa 00 00 00 00[fa]fa fa fa fa fa
  0x0c067fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==5826==ABORTING
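
Reading the report: the faulting access is an 8-byte READ located 0 bytes to the right of a 32-byte region, and the allocation stack shows that region was created by std::vector<unsigned long>::push_back from CheckPattern (checker.cpp:231) and read back at checker.cpp:239. That is the signature of reading one element past the end of a four-element vector of unsigned long. The actual loop in sqlcheck is not on this page; the following is an added, constructed C++ example (not sqlcheck's code) of the index pattern that produces exactly this report shape under ASan, next to a bounds-checked form. The names make_offsets, next_offset_unchecked and next_offset_checked are hypothetical.

```cpp
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <optional>
#include <vector>

// Constructed stand-in for the vector the report's allocation stack describes:
// four unsigned long values appended with push_back, i.e. a 32-byte heap region.
std::vector<unsigned long> make_offsets() {
    std::vector<unsigned long> offsets;
    for (unsigned long v : {3UL, 11UL, 19UL, 27UL}) {
        offsets.push_back(v);
    }
    return offsets;
}

// Index pattern that reproduces the report: when i is the last valid index,
// offsets[i + 1] is an 8-byte read 0 bytes to the right of the region, which
// ASan reports as heap-buffer-overflow. Hypothetical code kept only to show the
// shape of the bug; it is undefined behaviour and is never called past the end here.
unsigned long next_offset_unchecked(const std::vector<unsigned long>& offsets, std::size_t i) {
    return offsets[i + 1];
}

// Hardened form: report "no next offset" instead of reading past the end.
// The comparison is written against size() - 1 so that i + 1 cannot wrap around.
std::optional<unsigned long> next_offset_checked(const std::vector<unsigned long>& offsets,
                                                 std::size_t i) {
    if (offsets.empty() || i >= offsets.size() - 1) {
        return std::nullopt;
    }
    return offsets[i + 1];
}

int main() {
    const std::vector<unsigned long> offsets = make_offsets();
    for (std::size_t i = 0; i < offsets.size(); ++i) {
        std::optional<unsigned long> next = next_offset_checked(offsets, i);
        if (next) {
            std::printf("offset %lu -> next %lu\n", offsets[i], *next);
        } else {
            std::printf("offset %lu -> no next offset (index %zu is the last)\n", offsets[i], i);
        }
    }
    return 0;
}
```

Compiling this with -fsanitize=address and calling next_offset_unchecked with i == 3 yields the same "READ of size 8 ... 0 bytes to the right of 32-byte region" diagnostic as the log above, with the allocation attributed to push_back; the checked form returns std::nullopt for that index instead. The fix on the sqlcheck side is whatever bound the loop at checker.cpp:239 is missing, which only the source can tell.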

PoC

PoC file.

id_000002,sig_06,src_000017+000171,time_45682305,execs_585589,op_splice,rep_4.zip