Fix a heap-buffer-overflow
Found by AddressSanitizer:
==8157==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000f5897 at pc 0x4816ef bp 0x7fffffffafb0 sp 0x7fffffffafa0
READ of size 1 at 0x61d0000f5897 thread T0
    #0 0x4816ee in Expand_Series ../src/core/m-series.c:138
    #1 0x4e258c in Insert_Gobs ../src/core/t-gob.c:219
    #2 0x4e7782 in T_Gob ../src/core/t-gob.c:833
    #3 0x42e26f in Do_Act ../src/core/c-function.c:338
    #4 0x42e9d8 in Do_Action ../src/core/c-function.c:396
    #5 0x41395b in Do_Next ../src/core/c-do.c:886
    #6 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #7 0x4883d6 in N_if ../src/core/n-control.c:632
    #8 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #9 0x41395b in Do_Next ../src/core/c-do.c:886
    #10 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #11 0x4893c0 in N_unless ../src/core/n-control.c:792
    #12 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #13 0x41395b in Do_Next ../src/core/c-do.c:886
    #14 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #15 0x488c03 in N_switch ../src/core/n-control.c:736
    #16 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #17 0x41395b in Do_Next ../src/core/c-do.c:886
    #18 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #19 0x4883d6 in N_if ../src/core/n-control.c:632
    #20 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #21 0x41395b in Do_Next ../src/core/c-do.c:886
    #22 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #23 0x42ea5c in Do_Function ../src/core/c-function.c:415
    #24 0x41395b in Do_Next ../src/core/c-do.c:886
    #25 0x415658 in Try_Block ../src/core/c-do.c:1083
    #26 0x4862f8 in N_attempt ../src/core/n-control.c:306
    #27 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #28 0x41395b in Do_Next ../src/core/c-do.c:886
    #29 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #30 0x493bb9 in Loop_Integer ../src/core/n-loop.c:131
    #31 0x49693a in N_for ../src/core/n-loop.c:486
    #32 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #33 0x41395b in Do_Next ../src/core/c-do.c:886
    #34 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #35 0x4883d6 in N_if ../src/core/n-control.c:632
    #36 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #37 0x41395b in Do_Next ../src/core/c-do.c:886
    #38 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #39 0x42ea5c in Do_Function ../src/core/c-function.c:415
    #40 0x41395b in Do_Next ../src/core/c-do.c:886
    #41 0x415658 in Try_Block ../src/core/c-do.c:1083
    #42 0x488f7d in N_try ../src/core/n-control.c:760
    #43 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #44 0x41395b in Do_Next ../src/core/c-do.c:886
    #45 0x4118a1 in Do_Args ../src/core/c-do.c:668
    #46 0x413700 in Do_Next ../src/core/c-do.c:879
    #47 0x4118a1 in Do_Args ../src/core/c-do.c:668
    #48 0x413700 in Do_Next ../src/core/c-do.c:879
    #49 0x414f2f in Do_Block_Value_Throw ../src/core/c-do.c:1048
    #50 0x5725ac in Parse_Rules_Loop ../src/core/u-parse.c:830
    #51 0x5731f8 in Parse_Rules_Loop ../src/core/u-parse.c:927
    #52 0x56c799 in Parse_Series ../src/core/u-parse.c:96
    #53 0x576950 in N_parse ../src/core/u-parse.c:1269
    #54 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #55 0x41395b in Do_Next ../src/core/c-do.c:886
    #56 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #57 0x4883d6 in N_if ../src/core/n-control.c:632
    #58 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #59 0x41395b in Do_Next ../src/core/c-do.c:886
    #60 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #61 0x42ea5c in Do_Function ../src/core/c-function.c:415
    #62 0x41395b in Do_Next ../src/core/c-do.c:886
    #63 0x415658 in Try_Block ../src/core/c-do.c:1083
    #64 0x4862f8 in N_attempt ../src/core/n-control.c:306
    #65 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #66 0x41395b in Do_Next ../src/core/c-do.c:886
    #67 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #68 0x487b91 in N_do ../src/core/n-control.c:524
    #69 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #70 0x41395b in Do_Next ../src/core/c-do.c:886
    #71 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #72 0x487fcb in N_either ../src/core/n-control.c:598
    #73 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #74 0x41395b in Do_Next ../src/core/c-do.c:886
    #75 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #76 0x487fcb in N_either ../src/core/n-control.c:598
    #77 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #78 0x41395b in Do_Next ../src/core/c-do.c:886
    #79 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #80 0x487fcb in N_either ../src/core/n-control.c:598
    #81 0x42dd9c in Do_Native ../src/core/c-function.c:289
    #82 0x41395b in Do_Next ../src/core/c-do.c:886
    #83 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #84 0x42ea5c in Do_Function ../src/core/c-function.c:415
    #85 0x4198c2 in Apply_Function ../src/core/c-do.c:1524
    #86 0x419fa8 in Do_Sys_Func ../src/core/c-do.c:1584
    #87 0x41e406 in Init_Mezz ../src/core/c-do.c:2313
    #88 0x405fd3 in RL_Start ../src/core/a-lib.c:167
    #89 0x59d1f7 in main ../src/os/host-main.c:231
    #90 0x7ffff571403f in __libc_start_main (/usr/lib/libc.so.6+0x2003f)
    #91 0x405858 (/home/zsx/work/r3.git/make/r3-view-linux+0x405858)

0x61d0000f5897 is located 7 bytes to the right of 2064-byte region [0x61d0000f5080,0x61d0000f5890)
allocated by thread T0 here:
    #0 0x7ffff6f56b77 in __interceptor_malloc (/usr/lib/libasan.so.1+0x57b77)
    #1 0x47c300 in Make_Mem ../src/core/m-pools.c:125
    #2 0x47ca2f in Fill_Pool ../src/core/m-pools.c:233
    #3 0x47d80c in Make_Series ../src/core/m-pools.c:388
    #4 0x4826f3 in Copy_Series ../src/core/m-series.c:261
    #5 0x43ca14 in Copy_Deep_Values ../src/core/f-blocks.c:131
    #6 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #7 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #8 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #9 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #10 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #11 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #12 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #13 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #14 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #15 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #16 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    #17 0x43cd30 in Copy_Block_Values ../src/core/f-blocks.c:159
    #18 0x43cd9f in Clone_Block ../src/core/f-blocks.c:174
    #19 0x42db12 in Clone_Function ../src/core/c-function.c:266
    #20 0x43cc00 in Copy_Deep_Values ../src/core/f-blocks.c:139
    #21 0x43cd30 in Copy_Block_Values ../src/core/f-blocks.c:159
    #22 0x4fd371 in T_Object ../src/core/t-object.c:364
    #23 0x42e26f in Do_Act ../src/core/c-function.c:338
    #24 0x42e9d8 in Do_Action ../src/core/c-function.c:396
    #25 0x41395b in Do_Next ../src/core/c-do.c:886
    #26 0x4133cc in Do_Next ../src/core/c-do.c:860
    #27 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    #28 0x493bb9 in Loop_Integer ../src/core/n-loop.c:131
    #29 0x49693a in N_for ../src/core/n-loop.c:486

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/m-series.c:138 Expand_Series
Shadow bytes around the buggy address:
==8157==ABORTING

This is happening because "GOB_TAIL(gob) = count" sets the tail of a series with a length of "count" to "count", and Expand_Series expects a terminator in the series (m-series.c:90: size = (series->tail + 1) * wide;).
zsx committed Oct 13, 2014
1 parent 27c679d commit 758d800
Showing 1 changed file with 1 addition and 1 deletion.
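To illustrate the off-by-one the commit message describes, here is an added C sketch that is not Rebol's own code: `series_t`, `series_make`, `series_expand` and `gob_pane_expand_ok` are hypothetical stand-ins for REBSER, Make_Series, Expand_Series and the pane creation in Insert_Gobs. It replays the pane creation with `count` versus `count + 1` slots and shows a bounds-checked expansion refusing the former instead of reading past the allocation.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a Rebol series (not REBSER): `capacity` slots of
 * `wide` bytes with logical length `tail`. Rebol keeps a terminator slot just
 * past tail, and Expand_Series sizes its copy as (tail + 1) * wide, so every
 * series must be allocated with at least tail + 1 slots. */
typedef struct {
    unsigned char *data;
    size_t wide;
    size_t capacity; /* slots actually allocated */
    size_t tail;     /* slots in use */
} series_t;

/* Allocate `slots` zeroed slots; the caller decides count or count + 1. */
static int series_make(series_t *s, size_t slots, size_t wide) {
    s->data = calloc(slots, wide);
    if (!s->data) return 0;
    s->wide = wide;
    s->capacity = slots;
    s->tail = 0;
    return 1;
}

/* Hardened expansion: refuse (return 0) when the terminator slot at index
 * tail lies outside the allocation, which is exactly the read the ASan trace
 * reports; otherwise grow to tail + extra + 1 slots and keep the tail zeroed. */
int series_expand(series_t *s, size_t extra) {
    if (s->tail >= s->capacity) return 0;
    size_t need = s->tail + extra + 1;
    unsigned char *p = realloc(s->data, need * s->wide);
    if (!p) return 0;
    memset(p + s->tail * s->wide, 0, (need - s->tail) * s->wide);
    s->data = p;
    s->capacity = need;
    return 1;
}

/* Replays the pane creation in t-gob.c: allocate `count` slots (before the
 * fix) or `count + 1` (after), set tail = count as GOB_TAIL(gob) = count does,
 * then try to expand. Returns 1 if the expansion was accepted, 0 if refused. */
int gob_pane_expand_ok(size_t count, int with_fix) {
    series_t s;
    if (!series_make(&s, count + (with_fix ? 1 : 0), sizeof(void *))) return -1;
    s.tail = count;
    int ok = series_expand(&s, 4);
    free(s.data);
    return ok;
}
```

Under AddressSanitizer the unfixed shape would be the in-bounds refusal here rather than a report, because the check runs before any byte past the allocation is touched.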
2 changes: 1 addition & 1 deletion src/core/t-gob.c
Expand Up @@ -205,7 +205,7 @@ const REBCNT Gob_Flag_Words[] = {

// Create or expand the pane series:
if (!GOB_PANE(gob)) {
GOB_PANE(gob) = Make_Series(count, sizeof(REBGOB*), 0);
GOB_PANE(gob) = Make_Series(count + 1, sizeof(REBGOB*), 0);
LABEL_SERIES(GOB_PANE(gob), "gob pane");
GOB_TAIL(gob) = count;
index = 0;
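Review bot: the `count + 1` in `GOB_PANE(gob) = Make_Series(count + 1, sizeof(REBGOB*), 0);` is the entire fix but carries no explanation at the call site; add a comment on that line such as `// +1: GOB_TAIL(gob) = count below fills every slot, and Expand_Series reads a terminator slot at tail`, otherwise a later cleanup can drop the +1 and bring back the out-of-bounds read in the sanitizer trace. It is also worth confirming that the extra slot is zeroed rather than only reserved: the commit message says Expand_Series expects a terminator there, and a reserved but uninitialised slot keeps the read in bounds without guaranteeing it sees one.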
