heap-buffer-overflow in bam/BamReader_p.cpp:507:30, BamReaderPrivate::LoadReferenceData() #234

Open
schsiung opened this issue Jan 4, 2024 · 0 comments

schsiung commented Jan 4, 2024

Expected behavior and actual behavior.

global-buffer-overflow_POC_bamtools-2.5.2.tar.gz

Expect running without heap-buffer-overflow.

Steps to reproduce the problem.

  1. bin/bamtools convert -format json -in /data/openeuler/bamtools/bamtools-2.5.2/build/obj/out/default/crashes/id:000004,sig:06,src:000000+000010,time:6133,execs:603,op:splice,rep:7 -out myData1.json
 [AFL++ 4547ba12d0d6] /data/openeuler/bamtools # /data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools convert -format json -in /data/openeuler/bamtools/bamtools-2.5.2/build/obj/out/default/crashes/id:000004,sig:06,src:000000+000010,time:6133,execs:603,op:splice,rep:7 -out myData1.json
=================================================================
==1725245==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000034 at pc 0x5572ec655576 bp 0x7ffe0d913230 sp 0x7ffe0d9129f8
READ of size 5 at 0x602000000034 thread T0
    #0 0x5572ec655575 in __interceptor_strlen (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0xf5575) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396)
    #1 0x5572ec84bfaa in std::char_traits<char>::length(char const*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/char_traits.h:399:9
    #2 0x5572ec84bfaa in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/basic_string.h:536:36
    #3 0x5572ec84bfaa in BamTools::Internal::BamReaderPrivate::LoadReferenceData() /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:507:30
    #4 0x5572ec8444d4 in BamTools::Internal::BamReaderPrivate::Open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:543:9
    #5 0x5572ec829246 in BamTools::Internal::BamMultiReaderPrivate::Open(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamMultiReader_p.cpp:548:43
    #6 0x5572ec703587 in BamTools::ConvertTool::ConvertToolPrivate::Run() /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:197:17
    #7 0x5572ec719388 in BamTools::ConvertTool::Run(int, char**) /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:1050:17
    #8 0x5572ec7019f6 in main /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools.cpp:207:34
    #9 0x7f670a3bcd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #10 0x7f670a3bce3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #11 0x5572ec63f434 in _start (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0xdf434) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396)

0x602000000034 is located 0 bytes to the right of 4-byte region [0x602000000030,0x602000000034)
allocated by thread T0 here:
    #0 0x5572ec6fd15d in operator new[](unsigned long) (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0x19d15d) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396)
    #1 0x5572ec84bd81 in BamTools::RaiiBuffer::RaiiBuffer(unsigned long) /data/openeuler/bamtools/bamtools-2.5.2/src/api/BamAux.h:381:18
    #2 0x5572ec84bd81 in BamTools::Internal::BamReaderPrivate::LoadReferenceData() /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:495:20
    #3 0x5572ec8444d4 in BamTools::Internal::BamReaderPrivate::Open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:543:9
    #4 0x5572ec829246 in BamTools::Internal::BamMultiReaderPrivate::Open(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamMultiReader_p.cpp:548:43
    #5 0x5572ec703587 in BamTools::ConvertTool::ConvertToolPrivate::Run() /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:197:17
    #6 0x5572ec719388 in BamTools::ConvertTool::Run(int, char**) /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:1050:17
    #7 0x5572ec7019f6 in main /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools.cpp:207:34
    #8 0x7f670a3bcd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0xf5575) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396) in __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 fa fa fa[04]fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1725245==ABORTING
  2. GDB info: gdb bin/bamtools
 Reading symbols from /data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools...
(gdb) Starting program: /data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools convert -format json -in /data/openeuler/bamtools/bamtools-2.5.2/build/obj/out/default/crashes/id:000004,sig:06,src:000000+000010,time:6133,execs:603,op:splice,rep:7 -out myData1.json
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
=================================================================
==1709286==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000034 at pc 0x555555649576 bp 0x7fffffffcb90 sp 0x7fffffffc358
READ of size 5 at 0x602000000034 thread T0
[Detaching after fork from child process 1709414]
    #0 0x555555649575 in __interceptor_strlen (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0xf5575) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396)
    #1 0x55555583ffaa in std::char_traits<char>::length(char const*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/char_traits.h:399:9
    #2 0x55555583ffaa in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/basic_string.h:536:36
    #3 0x55555583ffaa in BamTools::Internal::BamReaderPrivate::LoadReferenceData() /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:507:30
    #4 0x5555558384d4 in BamTools::Internal::BamReaderPrivate::Open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:543:9
    #5 0x55555581d246 in BamTools::Internal::BamMultiReaderPrivate::Open(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamMultiReader_p.cpp:548:43
    #6 0x5555556f7587 in BamTools::ConvertTool::ConvertToolPrivate::Run() /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:197:17
    #7 0x55555570d388 in BamTools::ConvertTool::Run(int, char**) /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:1050:17
    #8 0x5555556f59f6 in main /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools.cpp:207:34
    #9 0x7ffff7a67d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #10 0x7ffff7a67e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #11 0x555555633434 in _start (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0xdf434) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396)

0x602000000034 is located 0 bytes to the right of 4-byte region [0x602000000030,0x602000000034)
allocated by thread T0 here:
    #0 0x5555556f115d in operator new[](unsigned long) (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0x19d15d) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396)
    #1 0x55555583fd81 in BamTools::RaiiBuffer::RaiiBuffer(unsigned long) /data/openeuler/bamtools/bamtools-2.5.2/src/api/BamAux.h:381:18
    #2 0x55555583fd81 in BamTools::Internal::BamReaderPrivate::LoadReferenceData() /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:495:20
    #3 0x5555558384d4 in BamTools::Internal::BamReaderPrivate::Open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamReader_p.cpp:543:9
    #4 0x55555581d246 in BamTools::Internal::BamMultiReaderPrivate::Open(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /data/openeuler/bamtools/bamtools-2.5.2/src/api/internal/bam/BamMultiReader_p.cpp:548:43
    #5 0x5555556f7587 in BamTools::ConvertTool::ConvertToolPrivate::Run() /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:197:17
    #6 0x55555570d388 in BamTools::ConvertTool::Run(int, char**) /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools_convert.cpp:1050:17
    #7 0x5555556f59f6 in main /data/openeuler/bamtools/bamtools-2.5.2/src/toolkit/bamtools.cpp:207:34
    #8 0x7ffff7a67d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/data/openeuler/bamtools/bamtools-2.5.2/build/obj/bin/bamtools+0xf5575) (BuildId: 6b8cf8a6f047dcbc60d06ddbea1ab4e653d5a396) in __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 fa fa fa[04]fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1709286==ABORTING
[Inferior 1 (process 1709286) exited with code 01]
(gdb) No stack.

Operating system

[AFL++ 4547ba12d0d6] /data/openeuler/bamtools/bamtools-2.5.2/build/obj # uname -a
Linux 4547ba12d0d6 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
[AFL++ 4547ba12d0d6] /data/openeuler/bamtools/bamtools-2.5.2/build/obj # 

version

bamtools-2.5.2

From: [email protected]
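The trace above shows the std::string(const char*) constructor calling strlen on a 4-byte name buffer that the malformed input left without a NUL terminator, so the read runs one byte past the allocation. As an added example (not bamtools' code), the parser below reads a BAM reference-dictionary entry and builds the name from the explicit l_name length instead of strlen, so a missing terminator cannot cause an over-read; the RefRecord type, readInt32LE and the sample byte sequences are constructed for illustration.

```cpp
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

// One BAM reference-dictionary entry as laid out in the file:
// int32 l_name (little-endian, counts the trailing NUL), name[l_name], int32 l_ref.
struct RefRecord {
    std::string name;
    int32_t length;
    size_t bytesConsumed;
};

static bool readInt32LE(const std::vector<uint8_t>& in, size_t off, int32_t& out) {
    if (off + 4 > in.size()) return false;
    uint32_t v = in[off] | (uint32_t)in[off + 1] << 8 |
                 (uint32_t)in[off + 2] << 16 | (uint32_t)in[off + 3] << 24;
    out = static_cast<int32_t>(v);
    return true;
}

// Parse one record at `off`. The name is built from the explicit length, never
// from strlen, so a file that omits the NUL terminator cannot cause an over-read.
// Returns nullopt for truncated input, a negative or oversized length, or an
// embedded NUL (which would silently truncate the name in C-string APIs).
std::optional<RefRecord> parseRefRecord(const std::vector<uint8_t>& in, size_t off,
                                        int32_t maxNameLen = 1 << 16) {
    int32_t lName = 0, lRef = 0;
    if (!readInt32LE(in, off, lName)) return std::nullopt;
    if (lName < 0 || lName > maxNameLen) return std::nullopt;
    const size_t nameOff = off + 4;
    if (nameOff + static_cast<size_t>(lName) + 4 > in.size()) return std::nullopt;
    std::string name(reinterpret_cast<const char*>(in.data() + nameOff),
                     static_cast<size_t>(lName));
    if (!name.empty() && name.back() == '\0') name.pop_back();  // trim NUL if present
    if (name.find('\0') != std::string::npos) return std::nullopt;
    if (!readInt32LE(in, nameOff + lName, lRef) || lRef < 0) return std::nullopt;
    return RefRecord{name, lRef, 8 + static_cast<size_t>(lName)};
}

// Constructed samples (not taken from the report's PoC file).
// A 4-byte name "chr1" with no terminating NUL, then l_ref = 1000: this shape
// is what drives strlen past the 4-byte allocation in the trace above.
std::vector<uint8_t> sampleNoNul() { return {4,0,0,0, 'c','h','r','1', 0xE8,0x03,0,0}; }
// Well-formed variant: l_name = 5 counts the NUL.
std::vector<uint8_t> sampleWithNul() { return {5,0,0,0, 'c','h','r','1',0, 0xE8,0x03,0,0}; }
// Truncated: the name field promises 4 bytes but only 3 follow.
std::vector<uint8_t> sampleTruncated() { return {4,0,0,0, 'c','h','r'}; }
```

The same length-bounded construction applies to any length-prefixed field read from an untrusted file: pass the length to the std::string constructor and validate it against the remaining bytes before touching the buffer.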
