Summary: ASTERISK-24804: ASAN heap-buffer-overflow c_setpat
Reporter: Badalian Vyacheslav (slavon)
Labels:
Date Opened: 2015-02-17 15:13:35.000-0600
Date Closed: 2018-02-12 12:15:34.000-0600
Priority: Minor
Regression?:
Status: Closed/Complete
Components: Core/General
Versions: 11.15.0 13.18.4
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description:
To reproduce
run {{asterisk -r}}
and {{type 'ะท'}} (Add RU keyboard UTF8 and type 'p' key)

{code}
==2802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001d80 at pc 0x77585e bp 0x7fff723064e0 sp 0x7fff723064d8
READ of size 1 at 0x619000001d80 thread T0
   #0 0x77585d in c_setpat /root/asterisk-11.15.0/main/editline/search.c:184
   #1 0x776b0e in ed_search_prev_history /root/asterisk-11.15.0/main/editline/common.c:756
   #2 0x78707c in el_gets /root/asterisk-11.15.0/main/editline/read.c:475
   #3 0x47c316 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3182
   #4 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
   #5 0x7f5190f71d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
   #6 0x42d304 (/usr/sbin/asterisk+0x42d304)

0x619000001d80 is located 0 bytes to the right of 1024-byte region [0x619000001980,0x619000001d80)
allocated by thread T0 here:
   #0 0x394ae547ef in malloc (/usr/lib64/libasan.so.1+0x394ae547ef)
   #1 0x780b89 in search_init /root/asterisk-11.15.0/main/editline/search.c:73
   #2 0x780b89 in el_init /root/asterisk-11.15.0/main/editline/el.c:92
   #3 0x46d43b in ast_el_initialize /root/asterisk-11.15.0/main/asterisk.c:2988
   #4 0x47c5a4 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3174
   #5 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
   #6 0x7f5190f71d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/asterisk-11.15.0/main/editline/search.c:184 c_setpat
Shadow bytes around the buggy address:
 0x0c327fff8360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0c327fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0c327fff8380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0c327fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0c327fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff83b0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 0x0c327fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 0x0c327fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0c327fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0c327fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0c327fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
 Addressable:           00
 Partially addressable: 01 02 03 04 05 06 07
 Heap left redzone:       fa
 Heap right redzone:      fb
 Freed heap region:       fd
 Stack left redzone:      f1
 Stack mid redzone:       f2
 Stack right redzone:     f3
 Stack partial redzone:   f4
 Stack after return:      f5
 Stack use after scope:   f8
 Global redzone:          f9
 Global init order:       f6
 Poisoned by user:        f7
 Contiguous container OOB:fc
 ASan internal:           fe
==2802==ABORTING
{code}
Comments:

By: Badalian Vyacheslav (slavon) 2015-02-17 15:24:35.010-0600

Really? Editline from NetBSD 2002-02-25??? You made my day!

Check it for UTF8 support!

By: Matt Jordan (mjordan) 2015-02-18 19:28:38.244-0600

You can instruct Asterisk to use {{libedit}}, if it is installed. The one in the source is only there if a system one is not available.

By: Badalian Vyacheslav (slavon) 2015-02-18 23:20:12.323-0600

Bad....

{code}
[root@vm-asterisk02t asterisk-11.15.0]# rpm -qa | grep libedit
libedit-devel-2.11-4.20080712cvs.1.el6.x86_64
libedit-2.11-4.20080712cvs.1.el6.x86_64
{code}

I recompiled Asterisk and retried. The bug is still here.

{code}
vm-asterisk02t*CLI> =================================================================
==25666==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001880 at pc 0x3b58231608 bp 0x7fffcc10eac0 sp 0x7fffcc10ea98
READ of size 1025 at 0x619000001880 thread T0
   #0 0x3b58231607 in strlen (/usr/lib64/libasan.so.1+0x3b58231607)
   #1 0x7fadea2d12d0 in c_setpat (/usr/lib64/libedit.so.0+0x132d0)
   #2 0x7fadea2ca9d7 in ed_search_prev_history (/usr/lib64/libedit.so.0+0xc9d7)
   #3 0x7fadea2cf48d in el_gets (/usr/lib64/libedit.so.0+0x1148d)
   #4 0x47c1a6 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3182
   #5 0x42a4e2 in main /root/asterisk-11.15.0/main/asterisk.c:4029
   #6 0x3b5521ed5c in __libc_start_main (/lib64/libc.so.6+0x3b5521ed5c)
   #7 0x42d194 (/usr/sbin/asterisk+0x42d194)

0x619000001880 is located 0 bytes to the right of 1024-byte region [0x619000001480,0x619000001880)
allocated by thread T0 here:
   #0 0x3b582547ef in malloc (/usr/lib64/libasan.so.1+0x3b582547ef)
   #1 0x7fadea2d1bfd in search_init (/usr/lib64/libedit.so.0+0x13bfd)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 strlen
Shadow bytes around the buggy address:
 0x0c327fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0c327fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0c327fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0c327fff82f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0c327fff8300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8310:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 0x0c327fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 0x0c327fff8330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0c327fff8340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0c327fff8350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x0c327fff8360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
 Addressable:           00
 Partially addressable: 01 02 03 04 05 06 07
 Heap left redzone:       fa
 Heap right redzone:      fb
 Freed heap region:       fd
 Stack left redzone:      f1
 Stack mid redzone:       f2
 Stack right redzone:     f3
 Stack partial redzone:   f4
 Stack after return:      f5
 Stack use after scope:   f8
 Global redzone:          f9
 Global init order:       f6
 Poisoned by user:        f7
 Contiguous container OOB:fc
 ASan internal:           fe
==25666==ABORTING
{code}

By: Corey Farrell (coreyfarrell) 2018-02-12 12:15:34.973-0600

We are removing the embedded libedit from Asterisk 16+ (as you pointed out, it is ancient). Even libedit-2.11 is a decade old; Fedora 26 has libedit-3.1-17.20160618cvs.fc26.x86_64, so it's possible libedit has already fixed this bug.

I suggest pursuing this bug with Red Hat or (if confirmed in the latest version) libedit. Any fix would need to come from those sources.