Date: Mon, 19 Aug 2019 21:24:19 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 239974] ping(8) crashes with SIGSEGV - Out-of-Bounds Write of size 1 (global-buffer-overflow) Message-ID: <bug-239974-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D239974 Bug ID: 239974 Summary: ping(8) crashes with SIGSEGV - Out-of-Bounds Write of size 1 (global-buffer-overflow) Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: bin Assignee: bugs@FreeBSD.org Reporter: neerajpal09@gmail.com Created attachment 206711 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D206711&action= =3Dedit proposed patch ping(8) crashes with Segmentation Fault due to Out-0f-Bound Write of size 1, causing global-buffer-overflow * /usr/src/sbin/ping/ping.c:945 Compiled with address sanitizer option "-fsanitize=3Daddress" on clang/gcc = to verify the reproducibility with detailed log info. [Steps to reproduce] * compile: make CC=3Dclang CFLAGS=3D"-fsanitize=3Daddress -O0" * /usr/obj/usr/src/amd64.amd64/sbin/ping/ping -G 1 -h 65452 localhost without compiling with sanitizer, it crashes when: * ping -G 1 -h 69517 localhost root@freebsd:/usr/src/sbin/ping # ping -G 1 -h 69517 localhost PING localhost (127.0.0.1): (0 ... 1) data bytes 8 bytes from 127.0.0.1: icmp_seq=3D0 ttl=3D64 Segmentation fault Below command will crash at any test case: (tested with already available ping with system) * command: ping -G -h 123456 localhost Sanitizer log as follows: =3D=3D4641=3D=3DERROR: AddressSanitizer: global-buffer-overflow on address 0x000000bad87f at pc 0x0000002e6d49 bp 0x7ffffffed7b0 sp 0x7ffffffed7a8 WRITE of size 1 at 0x000000bad87f thread T0 #0 0x2e6d48 in main /usr/src/sbin/ping/ping.c:945:15 #1 0x23a10e in _start /usr/src/lib/csu/amd64/crt1.c:76:7 0x000000bad87f is located 0 bytes to the right of global variable 'outpackh= dr' defined in '/usr/src/sbin/ping/ping.c:172:15' (0xb9d880) of size 65535 SUMMARY: AddressSanitizer: global-buffer-overflow /usr/src/sbin/ping/ping.c:945:15 in main Shadow bytes around the buggy address: 0x400000175ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x400000175ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x400000175ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x400000175ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x400000175af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =3D>0x400000175b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07] 0x400000175b10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x400000175b20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x400000175b30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x400000175b40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x400000175b50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07=20 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc =3D=3D4641=3D=3DABORTING [Inferior 1 (process 4641) exited with code 01 Note: root privilege required. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-239974-227>