Date: Mon, 19 Aug 2019 21:48:24 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 239975] ping(8) crashes with SIGSEGV - Out-of-Bounds Read of size 2 (global-buffer-overflow) Message-ID: <bug-239975-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D239975 Bug ID: 239975 Summary: ping(8) crashes with SIGSEGV - Out-of-Bounds Read of size 2 (global-buffer-overflow) Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: bin Assignee: bugs@FreeBSD.org Reporter: neerajpal09@gmail.com ping(8) crashes with Segmentation Fault due to Out-0f-Bound Read of size 2, causing global-buffer-overflow * in_cksum /usr/src/sbin/ping/utils.c:80:3 Compiled with address sanitizer option "-fsanitize=3Daddress" on clang/gcc = to verify the reproducibility with detailed log info. [Steps to reproduce] * compile: make CC=3Dclang CFLAGS=3D"-fsanitize=3Daddress -O0" * /usr/obj/usr/src/amd64.amd64/sbin/ping/ping -G 123456 -g 123456 localhost without compiling with sanitizer, it crashes when: * ping -G 123456 -g 123456 localhost Sanitizer log as follows: root@freebsd:/usr/src/sbin/ping # /usr/obj/usr/src/amd64.amd64/sbin/ping/pi= ng -G 123456 -g 123456 localhost PING localhost (127.0.0.1): (123456 ... 123456) data bytes =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D4196=3D=3DERROR: AddressSanitizer: global-buffer-overflow on address 0x000000bad87f at pc 0x0000002414c5 bp 0x7ffffffed310 sp 0x7ffffffecac0 READ of size 2 at 0x000000bad87f thread T0 #0 0x2414c4 in __asan_memcpy /usr/src/contrib/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23= :3 #1 0x2ef73a in in_cksum /usr/src/sbin/ping/utils.c:80:3 #2 0x2e8f30 in pinger /usr/src/sbin/ping/ping.c:1050:20 #3 0x2e5dd9 in main /usr/src/sbin/ping/ping.c:874:3 #4 0x23a10e in _start /usr/src/lib/csu/amd64/crt1.c:76:7 0x000000bad87f is located 0 bytes to the right of global variable 'outpackh= dr' defined in '/usr/src/sbin/ping/ping.c:172:15' (0xb9d880) of size 65535 SUMMARY: AddressSanitizer: global-buffer-overflow /usr/src/contrib/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23= :3 in __asan_memcpy Shadow bytes around the buggy address: 0x400000175ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x400000175ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x400000175ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x400000175ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x400000175af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =3D>0x400000175b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07] 0x400000175b10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x400000175b20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x400000175b30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x400000175b40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x400000175b50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07=20 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc =3D=3D4196=3D=3DABORTING Note: root privilege required. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-239975-227>