[Bug 239975] ping(8) crashes with SIGSEGV - Out-of-Bounds Read of size 2 (global-buffer-overflow)
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Mon Aug 19 21:48:25 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239975
Bug ID: 239975
Summary: ping(8) crashes with SIGSEGV - Out-of-Bounds Read of
size 2 (global-buffer-overflow)
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: bin
Assignee: bugs at FreeBSD.org
Reporter: neerajpal09 at gmail.com
ping(8) crashes with Segmentation Fault due to Out-0f-Bound Read of size 2,
causing global-buffer-overflow
* in_cksum /usr/src/sbin/ping/utils.c:80:3
Compiled with address sanitizer option "-fsanitize=address" on clang/gcc to
verify the reproducibility with detailed log info.
[Steps to reproduce]
* compile: make CC=clang CFLAGS="-fsanitize=address -O0"
* /usr/obj/usr/src/amd64.amd64/sbin/ping/ping -G 123456 -g 123456 localhost
without compiling with sanitizer, it crashes when:
* ping -G 123456 -g 123456 localhost
Sanitizer log as follows:
root at freebsd:/usr/src/sbin/ping # /usr/obj/usr/src/amd64.amd64/sbin/ping/ping
-G 123456 -g 123456 localhost
PING localhost (127.0.0.1): (123456 ... 123456) data bytes
=================================================================
==4196==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000000bad87f at pc 0x0000002414c5 bp 0x7ffffffed310 sp 0x7ffffffecac0
READ of size 2 at 0x000000bad87f thread T0
#0 0x2414c4 in __asan_memcpy
/usr/src/contrib/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
#1 0x2ef73a in in_cksum /usr/src/sbin/ping/utils.c:80:3
#2 0x2e8f30 in pinger /usr/src/sbin/ping/ping.c:1050:20
#3 0x2e5dd9 in main /usr/src/sbin/ping/ping.c:874:3
#4 0x23a10e in _start /usr/src/lib/csu/amd64/crt1.c:76:7
0x000000bad87f is located 0 bytes to the right of global variable 'outpackhdr'
defined in '/usr/src/sbin/ping/ping.c:172:15' (0xb9d880) of size 65535
SUMMARY: AddressSanitizer: global-buffer-overflow
/usr/src/contrib/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
in __asan_memcpy
Shadow bytes around the buggy address:
0x400000175ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x400000175ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x400000175ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x400000175ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x400000175af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x400000175b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]
0x400000175b10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x400000175b20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x400000175b30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x400000175b40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x400000175b50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4196==ABORTING
Note: root privilege required.
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list