AddressSanitizerFoundBugs
- http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
- http://googlechromereleases.blogspot.com/2011/11/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2011/12/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2012/01/stable-channel-update_23.html
- http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html
- http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html
- http://googlechromereleases.blogspot.com/2012/04/stable-and-beta-channel-updates.html
- http://googlechromereleases.blogspot.com/2012/04/stable-channel-update_30.html
- http://googlechromereleases.blogspot.com/2012/05/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html
- http://googlechromereleases.blogspot.com/2012/06/stable-channel-update_26.html
- http://googlechromereleases.blogspot.com/2012/07/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2012/07/stable-channel-release.html
- http://googlechromereleases.blogspot.com/2012/08/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2012/08/stable-channel-update_30.html
- http://googlechromereleases.blogspot.com/2012/09/stable-channel-update_25.html
- http://googlechromereleases.blogspot.com/2012/10/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2012/11/stable-channel-release-and-beta-channel.html
- http://googlechromereleases.blogspot.com/2012/11/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2012/12/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2013/01/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2013/02/stable-channel-update_21.html
- http://googlechromereleases.blogspot.com/2013/03/stable-channel-update_26.html
- http://googlechromereleases.blogspot.com/2013/05/stable-channel-release.html
- http://googlechromereleases.blogspot.com/2013/06/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2013/07/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2013/08/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2013/10/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2013/10/stable-channel-update_15.html
- http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2013/12/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2014/01/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2014/01/stable-channel-update_27.html
- http://googlechromereleases.blogspot.com/2014/02/stable-channel-update_20.html
- http://googlechromereleases.blogspot.com/2014/03/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2014/03/stable-channel-update_11.html
- http://googlechromereleases.blogspot.com/2014/04/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2014/05/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2014/05/stable-channel-update_20.html
- http://googlechromereleases.blogspot.com/2014/08/stable-channel-update_26.html
- http://googlechromereleases.blogspot.com/2014/10/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2014/11/stable-channel-update_18.html
- http://googlechromereleases.blogspot.com/2015/01/stable-update.html
- http://googlechromereleases.blogspot.com/2015/02/chrome-for-android-update.html
- http://googlechromereleases.blogspot.com/2015/03/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_28.html
- http://googlechromereleases.blogspot.com/2015/05/stable-channel-update_19.html
- http://googlechromereleases.blogspot.com/2015/07/stable-channel-update_21.html
- http://googlechromereleases.blogspot.com/2015/09/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2015/10/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2015/12/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2016/01/stable-channel-update_20.html
- http://googlechromereleases.blogspot.com/2016/03/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2016/03/stable-channel-update_8.html
- http://googlechromereleases.blogspot.com/2016/03/stable-channel-update_24.html
- http://googlechromereleases.blogspot.com/2016/04/stable-channel-update_13.html
- http://googlechromereleases.blogspot.com/2016/05/stable-channel-update_25.html
- http://googlechromereleases.blogspot.com/2016/06/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2016/08/stable-channel-update-for-desktop.html
- http://googlechromereleases.blogspot.com/2016/08/stable-channel-update-for-desktop_31.html
- https://googlechromereleases.blogspot.com/2016/10/stable-channel-update-for-desktop.html
- https://googlechromereleases.blogspot.com/2016/12/stable-channel-update-for-desktop.html
- https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html
- https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html
- https://chromereleases.googleblog.com/2017/11/stable-channel-update-for-desktop.html (note: [777728] Critical CVE-2017-15398: Stack buffer overflow in QUIC. Reported by Ned Williamson on 2017-10-24)
- https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html
- https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html
- http://support.apple.com/kb/HT5000
- http://support.apple.com/kb/HT5192
- http://support.apple.com/kb/HT5400
- http://support.apple.com/kb/HT5485
- http://support.apple.com/kb/HT5502
- http://support.apple.com/en-sa/HT5485
Chromium's asan bot: http://build.chromium.org/p/chromium.memory/console
- https://bugzilla.mozilla.org/show_bug.cgi?id=709483
- https://bugzilla.mozilla.org/show_bug.cgi?id=709580
- http://www.mozilla.org/security/announce/2012/mfsa2012-14.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-21.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-22.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-23.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-31.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-38.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-40.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-44.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-48.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-58.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-62.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-63.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-65.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-85.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-86.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-87.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-92.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-96.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-105.html
- http://www.mozilla.org/security/announce/2012/mfsa2012-106.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-02.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-03.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-05.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-22.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-28.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-31.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-35.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-48.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-50.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-64.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-65.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-67.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-77.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-79.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-81.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-95.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-98.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-100.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-101.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-102.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-108.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-109.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-111.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-114.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-26.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-37.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-38.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-39.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-46.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-49.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-51.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-52.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-53.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-57.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-58.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-63.html ... and more
See also http://blog.mozilla.com/decoder/2012/01/27/trying-new-code-analysis-techniques/#more-14
Some (but not all) bugs found in ffmpeg:
- http://git.videolan.org/?p=ffmpeg.git;a=commit;h=1149fbc7631a8c2258386f9aa247806715493b10
- http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e0966eb140b3569b3d6b5b5008961944ef229c06
- http://git.videolan.org/?p=ffmpeg.git;a=commit;h=bb4b0ad83b13c3af57675e80163f3f333adef96f
- http://git.videolan.org/?p=ffmpeg.git;a=commit;h=0d7a16a9467eab58aca4508a70cb546741664ac0
ffmpeg's asan bot: http://fate.libav.org/x86_64-linux-clang-asan
- https://lists.gnu.org/archive/html/bug-bash/2015-06/msg00089.html
- http://code.google.com/p/webrtc/issues/detail?id=281
- http://code.google.com/p/webrtc/issues/detail?id=282
- https://rt.cpan.org/Ticket/Display.html?id=72700
- https://rt.perl.org/rt3/Ticket/Display.html?id=111594
- https://rt.perl.org/rt3/Ticket/Display.html?id=111586
- https://rt.perl.org/rt3/Public/Bug/Display.html?id=113060
- http://curl.haxx.se/docs/adv_20141105.html (CVE-2014-3707)
- https://bugs.php.net/bug.php?id=63700
- https://bugs.php.net/bug.php?id=65564
- https://bugs.php.net/bug.php?id=68095
- https://bugs.php.net/bug.php?id=68027 (CVE-2014-3668)
- https://bugs.php.net/bug.php?id=70430
parrot (http://www.parrot.org/)
- https://github.com/parrot/parrot/commit/df12f34e946553
- https://github.com/parrot/parrot/commit/b58a50c2b147c
- https://github.com/parrot/parrot/commit/1e5f20eefce263
- http://bugs.mysql.com/bug.php?id=67242
- http://bugs.mysql.com/bug.php?id=67243
- http://bugs.mysql.com/bug.php?id=67244
- https://github.com/facebook/rocksdb/commit/ec0acfbca115fc6cda85d2246474ee5148d80af8
- https://github.com/facebook/rocksdb/commit/469a9f32a7583b1650e904b8e5d603dc81f762b7
- http://postgresql.1045698.n5.nabble.com/pgsql-Avoid-potential-buffer-overflow-crash-td5779963.html
- https://github.com/hypertable/hypertable/commit/237f170de93ceda11560f87970c4494a8790e0d9
- http://www.mail-archive.com/vim_dev@googlegroups.com/msg15549.html
Phusion Passenger (https://www.phusionpassenger.com/)
- https://github.com/FooBarWidget/passenger/commit/795e8bb2f5b82b332ea26ba2d7c902317aa62fe9
- https://github.com/FooBarWidget/passenger/commit/45c11efb6d0de8e182b74f81dba1cd370b58368d
Percona Server with XtraDB (http://www.percona.com/software/percona-server)
- https://bugzilla.gnome.org/show_bug.cgi?id=708026 (initially found by DrASan)
- http://llvm.org/bugs/show_bug.cgi?id=12245
- http://llvm.org/bugs/show_bug.cgi?id=12267
- http://llvm.org/bugs/show_bug.cgi?id=12284
- http://llvm.org/bugs/show_bug.cgi?id=12305
- http://llvm.org/viewvc/llvm-project?view=rev&revision=140427
- http://llvm.org/viewvc/llvm-project?view=rev&revision=152738
- http://llvm.org/bugs/show_bug.cgi?id=14186
- http://llvm.org/viewvc/llvm-project?rev=169047&view=rev
- http://llvm.org/viewvc/llvm-project?rev=171150&view=rev
- http://llvm.org/viewvc/llvm-project?rev=175509&view=rev (and some more)
- http://gcc.gnu.org/bugzilla/show_bug.cgi?id=52629
- http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58396
- http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60024
- https://trac.torproject.org/projects/tor/ticket/8844
- https://trac.torproject.org/projects/tor/ticket/8845
- https://trac.torproject.org/projects/tor/ticket/12227
- http://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=commit;h=f940fece
- https://debbugs.gnu.org/cgi/bugreport.cgi?bug=20998
http://injoit.org/index.php/j1/article/viewFile/231/184
This paper describes our experience in integrating ASan technology into large-scale software products: the Tizen distribution and the Linux kernel. The tool has already found around a hundred serious memory bugs in various Tizen applications and in the mainline Linux kernel.
- http://hg.dovecot.org/dovecot-2.2/rev/740935acc0f8
- http://core.tcl.tk/tk/tktview/b1534b438bc711e848ad7ade3642ce0a6323fe8e
- http://core.tcl.tk/tk/tktview/9bad630c3163b4b2ef8781089ae27058c957a428
- https://bugzilla.gnome.org/show_bug.cgi?id=751603
- https://bugzilla.gnome.org/show_bug.cgi?id=751631
- https://bugzilla.gnome.org/show_bug.cgi?id=751643
- https://bugzilla.gnome.org/show_bug.cgi?id=752191
- https://bugzilla.gnome.org/show_bug.cgi?id=751633
- https://savannah.gnu.org/bugs/index.php?45391
- https://github.com/radare/radare2/issues/2665
- https://github.com/radare/radare2/issues/2683
- https://github.com/radare/radare2/issues/2684
- https://github.com/radare/radare2/issues/2705
- https://github.com/radare/radare2/issues/2706
- https://github.com/radare/radare2/issues/2736 (cmd_zign, script)
- https://github.com/radare/radare2/issues/2737 (script, r_print_fill)
- https://github.com/radare/radare2/issues/2759 (r_reg_get_name_idx) (fixed)
- https://github.com/radare/radare2/issues/2760 (r_core_syscmd_ls) (fixed)
- https://github.com/radare/radare2/issues/2764 (r_num_calc) (fixed)
- https://github.com/radare/radare2/issues/2765 (r_str_escape_) (fixed)
- https://github.com/radare/radare2/issues/2795 (cmd_type) (fixed)
- https://github.com/radare/radare2/issues/2796 (cmd_write) (fixed)
- https://github.com/radare/radare2/issues/2797 (cmd_flag) (fixed)
- https://github.com/radare/radare2/issues/2806 (r_core_yank_hud_file) (fixed)
- https://github.com/radare/radare2/issues/2807 (cmd_open) (fixed)
- https://github.com/radare/radare2/issues/2808 (updateAddr) (fixed)
- https://github.com/radare/radare2/issues/2809 (r_core_magic_at, UAF) (fixed)
- https://github.com/radare/radare2/issues/2832 (r_mem_copyendian)
- https://github.com/radare/radare2/issues/2833 (r_wstr_clen) (fixed)
- https://github.com/radare/radare2/issues/2836 (r_str_glob) (fixed)
- https://github.com/radare/radare2/issues/2850 (cmd_search, fixed)
- https://github.com/radare/radare2/issues/2851 (core_anal_bytes, fixed)
- https://github.com/radare/radare2/issues/2852 (pdi, fixed)
- https://github.com/radare/radare2/issues/2853 (perform_disassembly, fixed)
- https://github.com/radare/radare2/issues/2854 (radare_compare, fixed)
- https://github.com/radare/radare2/issues/2855 (UAF, r_num_calc_index, fixed)
- https://github.com/radare/radare2/issues/2869 (heap overflow write, r_rprint_randomart, fixed)
- https://github.com/radare/radare2/issues/2870 (UNFIXED, core_anal_bytes again)
- https://github.com/radare/radare2/issues/2871 (pdi again, fixed)
- https://github.com/radare/radare2/issues/2872 (perform_disassebly again, fixed)
- https://github.com/radare/radare2/issues/2889 (UAF r_num_calc_index again, fixed)
- https://github.com/radare/radare2/issues/2909 (fixed, cmd_search again, fixed)
- https://github.com/radare/radare2/issues/2910 (r_core_write_op, fixed)
- https://bugs.freedesktop.org/show_bug.cgi?id=90784
Use-after-free in 400.perlbench (a pointer is used after it is passed to realloc):
```
READ of size 1 at 0x00000000023b7413 thread T0 (bad: 0x00002000008edd04; shadow: 0x0000100000476e82)
    #0 0x66490a in Perl_sv_setpvn sv.c:4127
    #1 0x45766c in Perl_magic_get mg.c:772
    #2 0x453bcb in Perl_mg_get mg.c:169
    #3 0x669fb8 in Perl_sv_setsv_flags sv.c:3796
    #4 0x684c3f in Perl_sv_mortalcopy sv.c:6748
    #5 0x56fedd in Perl_pp_leaveeval pp_ctl.c:3486
    #6 0x635d44 in Perl_runops_standard run.c:37
    #7 0x4d2ad6 in S_run_body perl.c:2017
    #8 0x4f9077 in main perlmain.c:100
    #9 0x7fa3900e2c4d in __libc_start_main ??:0
    #10 0x403519 in _start ??:0
0x00000000023b7413 is located 3 bytes inside of 5-byte region [0x00000000023b7410,0x00000000023b7415)
freed by thread T0 here:
    #0 0x7bc852 in realloc _asan_rtl_
    #1 0x733e2e in Perl_safesysrealloc util.c:132
    #2 0x650a82 in Perl_sv_grow sv.c:1620
    #3 0x66c3f5 in Perl_sv_setsv_flags sv.c:4012
    #4 0x5735e8 in Perl_pp_sassign pp_hot.c:122
    #5 0x635d44 in Perl_runops_standard run.c:37
    #6 0x4d2ad6 in S_run_body perl.c:2017
    #7 0x4f9077 in main perlmain.c:100
    #8 0x7fa3900e2c4d in __libc_start_main ??:0
previously allocated by thread T0 here:
    #0 0x7bc852 in realloc _asan_rtl_
    #1 0x733e2e in Perl_safesysrealloc util.c:132
    #2 0x650a82 in Perl_sv_grow sv.c:1620
    #3 0x6745f5 in Perl_sv_catpvn_flags sv.c:4376
    #4 0x675027 in Perl_sv_catsv_flags sv.c:4460
    #5 0x5402a3 in Perl_pp_substcont pp_ctl.c:190
    #6 0x635d44 in Perl_runops_standard run.c:37
    #7 0x4d2ad6 in S_run_body perl.c:2017
    #8 0x4f9077 in main perlmain.c:100
    #9 0x7fa3900e2c4d in __libc_start_main ??:0
```
global-buffer-overflow in memcmp("perlio", "unix", 6):
```
==17858== ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006af025 at pc 0x426478 bp 0x7fffb37ffe40 sp 0x7fffb37ffe18
READ of size 6 at 0x0000006af025 thread T0
    #0 0x426477 in __interceptor_memcmp _asan_rtl_
    #1 0x4bf792 in PerlIO_find_layer perlio.c:751
    #2 0x4c0ab2 in PerlIO_default_buffer perlio.c:1015
    #3 0x4c1171 in PerlIO_default_layers perlio.c:1113
    #4 0x4c255d in PerlIO_resolve_layers perlio.c:1433
    #5 0x4c3289 in PerlIO_openn perlio.c:1519
    #6 0x4c1410 in PerlIO_fdopen perlio.c:4745
    #7 0x4cfca1 in Perl_PerlIO_stdin perlio.c:4686
    #8 0x4b57df in S_open_script perl.c:3348
    #9 0x4d13f7 in main perlmain.c:96
    #10 0x7fcab450876c in __libc_start_main libc-start.c:226
    #11 0x4359b4 in _start ??:0
0x0000006af025 is located 59 bytes to the left of global variable '.str39 (perlio.c)' (0x6af060) of size 3
  '.str39 (perlio.c)' is ascii string 'r+'
0x0000006af025 is located 0 bytes to the right of global variable '.str38 (perlio.c)' (0x6af020) of size 5
  '.str38 (perlio.c)' is ascii string 'unix'
Shadow bytes around the buggy address:
```
Stack buffer overflow in 464.h264ref:
```
int k, satd = 0, m[16], dd, d[16];
...
for (dd=d[k=0]; k<16; dd=d[++k])
                         ^^^^^^
// After the last body iteration the increment expression d[++k] runs with k == 16 and reads d[16], one element past the end of the array.
```
```
READ of size 4 mem: 0x00007fff516bd140 thread T0
    #0 0x506211 in SATD mv-search.c:1093
    #1 0x509524 in SubPelBlockMotionSearch mv-search.c:1398
    #2 0x527300 in BlockMotionSearch mv-search.c:2672
    #3 0x53091e in PartitionMotionSearch mv-search.c:3272
    ...
Address 0x00007fff516bd140 is inside T0's stack
```
See also: http://www.spec.org/cpu2006/Docs/faq.html#Run.05
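The loop shape above is worth seeing in isolation, because the out-of-bounds read happens in the increment expression rather than in the body, where most people look. The following is an added example, not code from this wiki or from SPEC's 464.h264ref: it runs the same loop over a buffer with one spare slot so that the index the increment reaches can be observed without undefined behaviour, and beside it shows the bounded form a reviewer would ask for. The function names, the `NUM_DIFFS` constant and the sample values are constructed for this illustration.

```c
/* Added example; not code from the sanitizers wiki or from SPEC's 464.h264ref.
 * It reproduces the loop shape ASan flagged in SATD() and shows the bounded
 * form. Function names and sample values are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>

#define NUM_DIFFS 16

/* The flagged shape: the increment expression d[++k] executes after the final
 * body iteration, so it reads d[16] before the k < 16 test rejects that index.
 * To observe the index without reading out of bounds, this function runs the
 * same loop over a buffer with one spare slot and records the highest index
 * the increment touches. Over a 16-element stack array the same read is the
 * stack-buffer-overflow in the report above. */
int highest_index_read_by_flagged_loop(void) {
    int d[NUM_DIFFS + 1] = {0};   /* spare slot exists only to keep this demo legal */
    int k, dd, highest;
    for (dd = d[k = 0], highest = 0; k < NUM_DIFFS; dd = d[++k], highest = k) {
        (void)dd;   /* the body is irrelevant; only the index sequence matters */
    }
    return highest;   /* 16: one past the last valid index of a 16-element array */
}

/* Corrected form: the index is tested before the element is read, so the loop
 * performs exactly NUM_DIFFS reads. Summing |d[k]| stands in for the
 * transform-and-sum work the real SATD() does. */
int satd_bounded(const int d[NUM_DIFFS]) {
    int satd = 0;
    for (int k = 0; k < NUM_DIFFS; k++) {
        int dd = d[k];
        satd += abs(dd);
    }
    return satd;
}

/* Constructed sample block: d[k] = k+1 with alternating sign, so the sum of
 * absolute values is 1 + 2 + ... + 16 = 136. */
int satd_of_sample(void) {
    int d[NUM_DIFFS];
    for (int k = 0; k < NUM_DIFFS; k++)
        d[k] = (k % 2 == 0) ? (k + 1) : -(k + 1);
    return satd_bounded(d);
}

int main(void) {
    printf("flagged loop reads up to index %d of a %d-element array\n",
           highest_index_read_by_flagged_loop(), NUM_DIFFS);
    printf("bounded SATD of sample block: %d\n", satd_of_sample());
    return 0;
}
```

If the spare slot is removed (declare `d[NUM_DIFFS]` in the first function), a build with `clang -fsanitize=address -g` reports a stack-buffer-overflow READ of size 4 on that final `d[++k]`, with the same one-past-the-end address pattern as the report above; a plain build will usually run silently and produce a wrong value instead.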
Global buffer overflow in 464.h264ref:
```
context_ini.c:222:
BIARI_CTX_INIT2 (NUM_BLOCK_TYPES, NUM_BCBP_CTX, tc->bcbp_contexts, INIT_BCBP, img->model_number);
```
```
READ of size 4 at 0x00000000005ec1c0 thread T0
    #0 0x4139cf in biari_init_context biariencode.c:334
    #1 0x43f8f3 in init_contexts context_ini.c:222
    #2 0x5a6f33 in start_slice slice.c:118
    #3 0x5a93b7 in encode_one_slice slice.c:223
    #4 0x466d7a in code_a_picture image.c:236
    #5 0x4728c0 in frame_picture image.c:800
    #6 0x4696ef in encode_one_frame image.c:411
    #7 0x48167d in main lencod.c:413
0x00000000005ec1c0 is located 0 bytes to the right of global variable 'INIT_BCBP_I' (0x5ec0c0) of size 256
```