a heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c #1039
Comments
This was referenced Aug 15, 2024
This was referenced Jan 24, 2025
This was referenced Jan 31, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Hi, I found a heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c
To reproduce
Steps to reproduce the behavior:
export CC=afl-clang-fast
./configure
make && make install
poc_file:
poc_file.zip
Evidence
==82377==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1d55b9b7fc at pc 0x563778036868 bp 0x7fff8f67cc50 sp 0x7fff8f67cc48
WRITE of size 4 at 0x7f1d55b9b7fc thread T0
#0 0x563778036867 in cfg_mark_ports /root/fuzz/fuzz_unbound/unbound/util/config_file.c:1769:16
#1 0x5637780f6444 in ub_c_parse /root/fuzz/fuzz_unbound/unbound/./util/configparser.y:807:7
#2 0x56377808ae44 in config_read /root/fuzz/fuzz_unbound/unbound/util/config_file.c:1437:2
#3 0x563777b0441a in run_daemon /root/fuzz/fuzz_unbound/unbound/daemon/unbound.c:712:7
#4 0x563777b033e0 in main /root/fuzz/fuzz_unbound/unbound/daemon/unbound.c:838:2
#5 0x7f1d560d7d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#6 0x7f1d560d7e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#7 0x563777909e34 in _start (/usr/local/sbin/unbound+0x3cbe34) (BuildId: 0d770d8f7835f96a6db0ad985a4c0f7c946e452d)
0x7f1d55b9b7fc is located 4 bytes before 262144-byte region [0x7f1d55b9b800,0x7f1d55bdb800)
allocated by thread T0 here:
#0 0x5637779a3e48 in __interceptor_calloc (/usr/local/sbin/unbound+0x465e48) (BuildId: 0d770d8f7835f96a6db0ad985a4c0f7c946e452d)
#1 0x563777fcef03 in config_create /root/fuzz/fuzz_unbound/unbound/util/config_file.c:187:41
#2 0x563777b041da in run_daemon /root/fuzz/fuzz_unbound/unbound/daemon/unbound.c:710:14
#3 0x563777b033e0 in main /root/fuzz/fuzz_unbound/unbound/daemon/unbound.c:838:2
#4 0x7f1d560d7d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzz/fuzz_unbound/unbound/util/config_file.c:1769:16 in cfg_mark_ports
Shadow bytes around the buggy address:
0x7f1d55b9b500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f1d55b9b580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f1d55b9b600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f1d55b9b680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7f1d55b9b700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x7f1d55b9b780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x7f1d55b9b800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f1d55b9b880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f1d55b9b900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f1d55b9b980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7f1d55b9ba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==82377==ABORTING
System:
Unbound version: 1.19.3
OS: Ubuntu 22.04.3 LTS
The text was updated successfully, but these errors were encountered: