Summary: ASTERISK-24804: ASAN heap-buffer-overflow c_setpat
Reporter: Badalian Vyacheslav (slavon)
Date Opened: 2015-02-17 15:13:35.000-0600
Date Closed: 2018-02-12 12:15:34.000-0600
Priority: Minor
Status: Closed/Complete
Components: Core/General
Versions: 11.15.0 13.18.4
Description:
To reproduce: run {{asterisk -r}} and type 'з' (add the RU keyboard layout with UTF-8 and press the 'p' key).
{code}
==2802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001d80 at pc 0x77585e bp 0x7fff723064e0 sp 0x7fff723064d8
READ of size 1 at 0x619000001d80 thread T0
    #0 0x77585d in c_setpat /root/asterisk-11.15.0/main/editline/search.c:184
    #1 0x776b0e in ed_search_prev_history /root/asterisk-11.15.0/main/editline/common.c:756
    #2 0x78707c in el_gets /root/asterisk-11.15.0/main/editline/read.c:475
    #3 0x47c316 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3182
    #4 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
    #5 0x7f5190f71d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
    #6 0x42d304 (/usr/sbin/asterisk+0x42d304)

0x619000001d80 is located 0 bytes to the right of 1024-byte region [0x619000001980,0x619000001d80)
allocated by thread T0 here:
    #0 0x394ae547ef in malloc (/usr/lib64/libasan.so.1+0x394ae547ef)
    #1 0x780b89 in search_init /root/asterisk-11.15.0/main/editline/search.c:73
    #2 0x780b89 in el_init /root/asterisk-11.15.0/main/editline/el.c:92
    #3 0x46d43b in ast_el_initialize /root/asterisk-11.15.0/main/asterisk.c:2988
    #4 0x47c5a4 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3174
    #5 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
    #6 0x7f5190f71d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/asterisk-11.15.0/main/editline/search.c:184 c_setpat
Shadow bytes around the buggy address:
  0x0c327fff8360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff83b0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==2802==ABORTING
{code}
Comments:

By: Badalian Vyacheslav (slavon) 2015-02-17 15:24:35.010-0600
Really? Editline from NetBSD 2002-02-25??? You made my day! Check it for UTF8 support!

By: Matt Jordan (mjordan) 2015-02-18 19:28:38.244-0600
You can instruct Asterisk to use {{libedit}}, if it is installed. The one in the source is only there if a system one is not available.

By: Badalian Vyacheslav (slavon) 2015-02-18 23:20:12.323-0600
Bad....
{code}
[root@vm-asterisk02t asterisk-11.15.0]# rpm -qa | grep libedit
libedit-devel-2.11-4.20080712cvs.1.el6.x86_64
libedit-2.11-4.20080712cvs.1.el6.x86_64
{code}
I recompiled asterisk and retried. The bug is still here.
{code}
vm-asterisk02t*CLI> 
=================================================================
==25666==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001880 at pc 0x3b58231608 bp 0x7fffcc10eac0 sp 0x7fffcc10ea98
READ of size 1025 at 0x619000001880 thread T0
    #0 0x3b58231607 in strlen (/usr/lib64/libasan.so.1+0x3b58231607)
    #1 0x7fadea2d12d0 in c_setpat (/usr/lib64/libedit.so.0+0x132d0)
    #2 0x7fadea2ca9d7 in ed_search_prev_history (/usr/lib64/libedit.so.0+0xc9d7)
    #3 0x7fadea2cf48d in el_gets (/usr/lib64/libedit.so.0+0x1148d)
    #4 0x47c1a6 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3182
    #5 0x42a4e2 in main /root/asterisk-11.15.0/main/asterisk.c:4029
    #6 0x3b5521ed5c in __libc_start_main (/lib64/libc.so.6+0x3b5521ed5c)
    #7 0x42d194 (/usr/sbin/asterisk+0x42d194)

0x619000001880 is located 0 bytes to the right of 1024-byte region [0x619000001480,0x619000001880)
allocated by thread T0 here:
    #0 0x3b582547ef in malloc (/usr/lib64/libasan.so.1+0x3b582547ef)
    #1 0x7fadea2d1bfd in search_init (/usr/lib64/libedit.so.0+0x13bfd)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 strlen
Shadow bytes around the buggy address:
  0x0c327fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff82f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8310:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==25666==ABORTING
{code}

By: Corey Farrell (coreyfarrell) 2018-02-12 12:15:34.973-0600
We are removing the embedded libedit from Asterisk 16+ (as you pointed out it is ancient). Even libedit-2.11 is a decade old; Fedora 26 has libedit-3.1-17.20160618cvs.fc26.x86_64, so it's possible libedit has already fixed this bug. I suggest pursuing this bug with Red Hat or (if confirmed in the latest version) libedit. Any fix would need to be from those sources.
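The two sanitizer reports in this ticket are worth reading side by side: in both, the access is a READ whose first bad byte sits exactly at the end of a 1024-byte region allocated in search_init, and the first frame outside the sanitizer runtime is c_setpat, whether the embedded editline or the system libedit-2.11 is in use (the system build only differs in that ASan's strlen interceptor is the top frame and the frames carry module+offset instead of file:line). The Python script below is an added example for triaging such reports; it is not code from the ticket, from Asterisk or from libedit. The two report strings are the ticket's own output re-split onto the lines ASan printed and trimmed to the frames used here; the rule for skipping runtime frames (any frame located in libasan) is an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the first report from this ticket (embedded editline), re-split
# onto the lines ASan printed and trimmed to the frames that matter for triage.
REPORT_EMBEDDED = """\
==2802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001d80 at pc 0x77585e bp 0x7fff723064e0 sp 0x7fff723064d8
READ of size 1 at 0x619000001d80 thread T0
    #0 0x77585d in c_setpat /root/asterisk-11.15.0/main/editline/search.c:184
    #1 0x776b0e in ed_search_prev_history /root/asterisk-11.15.0/main/editline/common.c:756
0x619000001d80 is located 0 bytes to the right of 1024-byte region [0x619000001980,0x619000001d80)
allocated by thread T0 here:
    #0 0x394ae547ef in malloc (/usr/lib64/libasan.so.1+0x394ae547ef)
    #1 0x780b89 in search_init /root/asterisk-11.15.0/main/editline/search.c:73
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/asterisk-11.15.0/main/editline/search.c:184 c_setpat
"""

# Sample input: the second report (system libedit-2.11); frames carry only
# module+offset and the top frame is ASan's own strlen interceptor.
REPORT_SYSTEM = """\
==25666==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001880 at pc 0x3b58231608 bp 0x7fffcc10eac0 sp 0x7fffcc10ea98
READ of size 1025 at 0x619000001880 thread T0
    #0 0x3b58231607 in strlen (/usr/lib64/libasan.so.1+0x3b58231607)
    #1 0x7fadea2d12d0 in c_setpat (/usr/lib64/libedit.so.0+0x132d0)
0x619000001880 is located 0 bytes to the right of 1024-byte region [0x619000001480,0x619000001880)
allocated by thread T0 here:
    #0 0x3b582547ef in malloc (/usr/lib64/libasan.so.1+0x3b582547ef)
    #1 0x7fadea2d1bfd in search_init (/usr/lib64/libedit.so.0+0x13bfd)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 strlen
"""

HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ in (\S+) (.+)$")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")


@dataclass
class Frame:
    func: str
    where: str  # "file:line" or "(module+offset)"


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: int
    access: str = ""
    size: int = 0
    access_stack: List[Frame] = field(default_factory=list)
    region_offset: int = 0   # distance of the bad address from the region edge
    region_side: str = ""    # "left" or "right" of the region
    region_size: int = 0
    region_end: int = 0
    alloc_stack: List[Frame] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASan error report: header, access site and allocation site."""
    report: Optional[AsanReport] = None
    stack: Optional[List[Frame]] = None  # which stack the following '#N' frames belong to
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.search(line):
            report = AsanReport(int(m.group(1)), m.group(2), int(m.group(3), 16))
        elif report is None:
            continue  # ignore anything before the error header
        elif m := ACCESS_RE.match(line):
            report.access, report.size = m.group(1), int(m.group(2))
            stack = report.access_stack
        elif m := REGION_RE.search(line):
            report.region_offset = int(m.group(1))
            report.region_side = m.group(2)
            report.region_size = int(m.group(3))
            report.region_end = int(m.group(5), 16)
        elif line.startswith("allocated by"):
            stack = report.alloc_stack
        elif (m := FRAME_RE.match(line)) and stack is not None:
            stack.append(Frame(m.group(1), m.group(2)))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def first_app_frame(stack: List[Frame]) -> Frame:
    """Skip frames inside the sanitizer runtime (its strlen/malloc interceptors)
    so triage points at the code that issued the access. Assumption: runtime
    frames are recognisable by 'libasan' in their location."""
    for fr in stack:
        if "libasan" not in fr.where:
            return fr
    return stack[0]


def starts_at_region_end(report: AsanReport) -> bool:
    """True when the first bad byte is the byte right after the allocation, the
    signature of a read that runs off an unterminated fixed-size buffer."""
    return (report.region_side == "right" and report.region_offset == 0
            and report.address == report.region_end)


def same_code_path(a: AsanReport, b: AsanReport) -> bool:
    """Two reports describe the same bug site if the faulting function and the
    allocating function agree, regardless of symbolisation quality."""
    return (first_app_frame(a.access_stack).func == first_app_frame(b.access_stack).func
            and first_app_frame(a.alloc_stack).func == first_app_frame(b.alloc_stack).func)
```

Running parse_asan_report on both strings and passing the results to same_code_path returns True, which is the structured form of the reporter's observation that switching to the system libedit did not change the bug; starts_at_region_end is True for both as well, so the two traces differ only in how the 1025-byte strlen range was attributed, not in what was overrun.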