Hi, developers of picoc:
In the test of the binary picoc instrumented with ASAN, I found multiple SEGV/heap-buffer-overflow/FPE/stack-overflow vulnerabilities in picoc; the version is 3.2.2, commit a97d94f, which is also the master branch.
Here is the list of the crashes:
SEGV on unknown address in ExpressionInfixOperator in expression.c:1004
heap-buffer-overflow in LexGetCharacterConstant in lex.c:416
SEGV on unknown address in TypeGetMatching in type.c:56
heap-buffer-overflow in TableSearchIdentifier in table.c:141
SEGV on unknown address in ExpressionGetStructElement in expression.c:1397
heap-buffer-overflow in StringStrcpy in cstdlib/string.c:12
heap-buffer-overflow in LexSkipComment in lex.c:441
heap-buffer-overflow in LexScanGetToken in lex.c:472
SEGV on unknown address in ExpressionPrefixOperator in expression.c:727
SEGV on unknown address in ExpressionInfixOperator in expression.c:932 (also line 933 can lead to SEGV)
FPE on unknown address in ExpressionInfixOperator in expression.c:1105
FPE on unknown address in ExpressionInfixOperator in expression.c:1026
stack-overflow in ParserCopy in parse.c:455
SEGV on unknown address in StringStrcmp in cstdlib/string.c:26
heap-buffer-overflow in ExpressionCoerceInteger in expression.c:244
ASAN output
input: ExpressionInfixOperator_2
AddressSanitizer:DEADLYSIGNAL
=================================================================
==29353==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000527bcc bp 0x7ffdbc8390f0 sp 0x7ffdbc838f80 T0)
==29353==The signal is caused by a READ memory access.
==29353==Hint: address points to the zero page.
#0 0x527bcc in ExpressionInfixOperator /home/ferry/hwz/zeroday/picoc/expression.c:1004:50
#1 0x527bcc in ExpressionStackCollapse /home/ferry/hwz/zeroday/picoc/expression.c:1316:25
#2 0x522c7e in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1684:5
#3 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#4 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#5 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#6 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#7 0x7f2045d4283f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/expression.c:1004:50 in ExpressionInfixOperator
==29353==ABORTING
input: LexGetCharacterConstant
=================================================================
==16136==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000adb1 at pc 0x0000004fe989 bp 0x7ffd3f8f48f0 sp 0x7ffd3f8f48e8
READ of size 1 at 0x60400000adb1 thread T0
#0 0x4fe988 in LexGetCharacterConstant /home/ferry/hwz/zeroday/picoc/lex.c:416:37
#1 0x4fe988 in LexScanGetToken /home/ferry/hwz/zeroday/picoc/lex.c:505:24
#2 0x4fe988 in LexTokenize /home/ferry/hwz/zeroday/picoc/lex.c:642:17
#3 0x4fe988 in LexAnalyse /home/ferry/hwz/zeroday/picoc/lex.c:704:12
#4 0x511a1d in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:874:20
#5 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#6 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#7 0x7f379572983f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
0x60400000adb1 is located 0 bytes to the right of 33-byte region [0x60400000ad90,0x60400000adb1)
allocated by thread T0 here:
#0 0x4b0302 in malloc /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x5623bc in PlatformReadFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:94:16
#2 0x56294d in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:121:23
#3 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#4 0x7f379572983f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ferry/hwz/zeroday/picoc/lex.c:416:37 in LexGetCharacterConstant
Shadow bytes around the buggy address:
0x0c087fff9560: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c087fff9570: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c087fff9580: fa fa 00 00 00 00 01 fa fa fa 00 00 00 00 00 fa
0x0c087fff9590: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c087fff95a0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
=>0x0c087fff95b0: fa fa 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
0x0c087fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff95f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==16136==ABORTING
input: TypeGetMatching
AddressSanitizer:DEADLYSIGNAL
=================================================================
==16782==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000545a43 bp 0x7ffd8ef99940 sp 0x7ffd8ef998f0 T0)
==16782==The signal is caused by a READ memory access.
==16782==Hint: address points to the zero page.
#0 0x545a43 in TypeGetMatching /home/ferry/hwz/zeroday/picoc/type.c:56:46
#1 0x526076 in ExpressionPrefixOperator /home/ferry/hwz/zeroday/picoc/expression.c:676:21
#2 0x526076 in ExpressionStackCollapse /home/ferry/hwz/zeroday/picoc/expression.c:1257:21
#3 0x522c7e in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1684:5
#4 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#5 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#6 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#7 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#8 0x7f9a5b15f83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#9 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/type.c:56:46 in TypeGetMatching
==16782==ABORTING
input: TableSearchIdentifier
=================================================================
==28653==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000036 at pc 0x0000004f6284 bp 0x7ffd870251e0 sp 0x7ffd870251d8
READ of size 1 at 0x603000000036 thread T0
#0 0x4f6283 in TableSearchIdentifier /home/ferry/hwz/zeroday/picoc/table.c:141:17
#1 0x4f6283 in TableSetIdentifier /home/ferry/hwz/zeroday/picoc/table.c:154:37
#2 0x50518a in LexGetStringConstant /home/ferry/hwz/zeroday/picoc/lex.c:390:17
#3 0x4fb61c in LexScanGetToken /home/ferry/hwz/zeroday/picoc/lex.c:502:24
#4 0x4fb61c in LexTokenize /home/ferry/hwz/zeroday/picoc/lex.c:642:17
#5 0x4fb61c in LexAnalyse /home/ferry/hwz/zeroday/picoc/lex.c:704:12
#6 0x511a1d in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:874:20
#7 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#8 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#9 0x7fc725c1f83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
0x603000000036 is located 10 bytes to the left of 32-byte region [0x603000000040,0x603000000060)
allocated by thread T0 here:
#0 0x4b04ba in calloc /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:154
#1 0x4f6295 in TableSetIdentifier /home/ferry/hwz/zeroday/picoc/table.c:162:39
#2 0x4f6d49 in LexInit /home/ferry/hwz/zeroday/picoc/lex.c:112:13
#3 0x55bb63 in PicocInitialize /home/ferry/hwz/zeroday/picoc/platform.c:27:5
#4 0x4f3a7c in main /home/ferry/hwz/zeroday/picoc/picoc.c:44:5
#5 0x7fc725c1f83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ferry/hwz/zeroday/picoc/table.c:141:17 in TableSearchIdentifier
Shadow bytes around the buggy address:
==28653==ABORTING
input: ExpressionGetStructElement
AddressSanitizer:DEADLYSIGNAL
=================================================================
==5395==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000051cd98 bp 0x7ffec6f09db0 sp 0x7ffec6f09c40 T0)
==5395==The signal is caused by a READ memory access.
==5395==Hint: address points to the zero page.
#0 0x51cd98 in ExpressionGetStructElement /home/ferry/hwz/zeroday/picoc/expression.c:1397:25
#1 0x52011c in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1562:25
#2 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#3 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#4 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#5 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#6 0x7fa18758e83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#7 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/expression.c:1397:25 in ExpressionGetStructElement
==5395==ABORTING
input: strcpy
=================================================================
==24725==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000aeb8 at pc 0x000000449ef7 bp 0x7ffc9f6121f0 sp 0x7ffc9f6119a0
WRITE of size 6 at 0x60400000aeb8 thread T0
#0 0x449ef6 in strcpy /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:438
#1 0x579c51 in StringStrcpy /home/ferry/hwz/zeroday/picoc/cstdlib/string.c:12:33
#2 0x520084 in ExpressionParseFunctionCall /home/ferry/hwz/zeroday/picoc/expression.c:1909:13
#3 0x520084 in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1607:17
#4 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#5 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#6 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#7 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#8 0x7f12dd6bd83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#9 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
0x60400000aeb8 is located 0 bytes to the right of 40-byte region [0x60400000ae90,0x60400000aeb8)
allocated by thread T0 here:
#0 0x4b04ba in calloc /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:154
#1 0x5535a8 in VariableAlloc /home/ferry/hwz/zeroday/picoc/variable.c:77:20
#2 0x5535a8 in VariableAllocValueAndData /home/ferry/hwz/zeroday/picoc/variable.c:97:30
#3 0x5535a8 in VariableAllocValueFromType /home/ferry/hwz/zeroday/picoc/variable.c:119:30
#4 0x557cee in VariableDefine /home/ferry/hwz/zeroday/picoc/variable.c:303:23
#5 0x557cee in VariableDefineButIgnoreIdentical /home/ferry/hwz/zeroday/picoc/variable.c:383:20
#6 0x510a41 in ParseDeclaration /home/ferry/hwz/zeroday/picoc/parse.c:366:35
#7 0x50936a in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:738:34
#8 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#9 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#10 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#11 0x7f12dd6bd83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:438 in strcpy
Shadow bytes around the buggy address:
==24725==ABORTING
input: LexSkipComment
=================================================================
==12771==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000055d7 at pc 0x0000004fdf21 bp 0x7fff642154f0 sp 0x7fff642154e8
READ of size 1 at 0x6030000055d7 thread T0
#0 0x4fdf20 in LexSkipComment /home/ferry/hwz/zeroday/picoc/lex.c:441:44
#1 0x4fdf20 in LexScanGetToken /home/ferry/hwz/zeroday/picoc/lex.c:532:17
#2 0x4fdf20 in LexTokenize /home/ferry/hwz/zeroday/picoc/lex.c:642:17
#3 0x4fdf20 in LexAnalyse /home/ferry/hwz/zeroday/picoc/lex.c:704:12
#4 0x511a1d in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:874:20
#5 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#6 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#7 0x7f32a94a283f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
0x6030000055d7 is located 0 bytes to the right of 23-byte region [0x6030000055c0,0x6030000055d7)
allocated by thread T0 here:
#0 0x4b0302 in malloc /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x5623bc in PlatformReadFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:94:16
#2 0x56294d in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:121:23
#3 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#4 0x7f32a94a283f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ferry/hwz/zeroday/picoc/lex.c:441:44 in LexSkipComment
Shadow bytes around the buggy address:
==12771==ABORTING
input: LexScanGetToken
=================================================================
==4136==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000adb6 at pc 0x0000004fdf84 bp 0x7ffd95bfbb30 sp 0x7ffd95bfbb28
READ of size 1 at 0x60400000adb6 thread T0
#0 0x4fdf83 in LexScanGetToken /home/ferry/hwz/zeroday/picoc/lex.c:472:44
#1 0x4fdf83 in LexTokenize /home/ferry/hwz/zeroday/picoc/lex.c:642:17
#2 0x4fdf83 in LexAnalyse /home/ferry/hwz/zeroday/picoc/lex.c:704:12
#3 0x511a1d in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:874:20
#4 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#5 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#6 0x7ff147c6683f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#7 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
0x60400000adb6 is located 0 bytes to the right of 38-byte region [0x60400000ad90,0x60400000adb6)
allocated by thread T0 here:
#0 0x4b0302 in malloc /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x5623bc in PlatformReadFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:94:16
#2 0x56294d in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:121:23
#3 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#4 0x7ff147c6683f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ferry/hwz/zeroday/picoc/lex.c:472:44 in LexScanGetToken
Shadow bytes around the buggy address:
==4136==ABORTING
input: ExpressionPrefixOperator_2
AddressSanitizer:DEADLYSIGNAL
=================================================================
==8154==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000527428 bp 0x7ffd59fceff0 sp 0x7ffd59fcee80 T0)
==8154==The signal is caused by a READ memory access.
==8154==Hint: address points to the zero page.
#0 0x527428 in ExpressionPrefixOperator /home/ferry/hwz/zeroday/picoc/expression.c:727:20
#1 0x527428 in ExpressionStackCollapse /home/ferry/hwz/zeroday/picoc/expression.c:1257:21
#2 0x522c7e in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1684:5
#3 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#4 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#5 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#6 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#7 0x7f10b680a83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/expression.c:727:20 in ExpressionPrefixOperator
==8154==ABORTING
input: ExpressionInfixOperator_3
AddressSanitizer:DEADLYSIGNAL
=================================================================
==12218==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000052869f bp 0x7fffe56cd350 sp 0x7fffe56cd1e0 T0)
==12218==The signal is caused by a READ memory access.
==12218==Hint: address points to the zero page.
#0 0x52869f in ExpressionInfixOperator /home/ferry/hwz/zeroday/picoc/expression.c:932:24
#1 0x52869f in ExpressionStackCollapse /home/ferry/hwz/zeroday/picoc/expression.c:1316:25
#2 0x51ea46 in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1556:78
#3 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#4 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#5 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#6 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#7 0x7f772bb8283f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/expression.c:932:24 in ExpressionInfixOperator
==12218==ABORTING
input: ExpressionInfixOperator_FPE_1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==7966==ERROR: AddressSanitizer: FPE on unknown address 0x000000532e59 (pc 0x000000532e59 bp 0x7ffd10cb6930 sp 0x7ffd10cb67c0 T0)
#0 0x532e59 in ExpressionInfixOperator /home/ferry/hwz/zeroday/picoc/expression.c:1105:35
#1 0x532e59 in ExpressionStackCollapse /home/ferry/hwz/zeroday/picoc/expression.c:1316:25
#2 0x522c7e in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1684:5
#3 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#4 0x50ac80 in ParseFor /home/ferry/hwz/zeroday/picoc/parse.c:485:9
#5 0x50ac80 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:715:9
#6 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#7 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#8 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#9 0x7f035833a83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/ferry/hwz/zeroday/picoc/expression.c:1105:35 in ExpressionInfixOperator
==7966==ABORTING
input: ExpressionInfixOperator_FPE_2
AddressSanitizer:DEADLYSIGNAL
=================================================================
==27557==ERROR: AddressSanitizer: FPE on unknown address 0x000000531f71 (pc 0x000000531f71 bp 0x7ffe058e05b0 sp 0x7ffe058e0440 T0)
#0 0x531f71 in ExpressionInfixOperator /home/ferry/hwz/zeroday/picoc/expression.c:1026:26
#1 0x531f71 in ExpressionStackCollapse /home/ferry/hwz/zeroday/picoc/expression.c:1316:25
#2 0x522c7e in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1684:5
#3 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#4 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#5 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#6 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#7 0x7fc68240583f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/ferry/hwz/zeroday/picoc/expression.c:1026:26 in ExpressionInfixOperator
==27557==ABORTING
input: ParserCopy
AddressSanitizer:DEADLYSIGNAL
=================================================================
==31403==ERROR: AddressSanitizer: stack-overflow on address 0x7fff2ac14fb8 (pc 0x0000004aefde bp 0x7fff2ac15820 sp 0x7fff2ac14fc0 T0)
#0 0x4aefde in __asan_memcpy /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
#1 0x508b35 in ParserCopy /home/ferry/hwz/zeroday/picoc/parse.c:455:5
#2 0x54a6ba in TypeParseFront /home/ferry/hwz/zeroday/picoc/type.c:408:5
... (many frames omitted)
SUMMARY: AddressSanitizer: stack-overflow /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
==31403==ABORTING
input: strcmp
hello
char *s
AddressSanitizer:DEADLYSIGNAL
=================================================================
==24145==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000489390 bp 0x7fff2568bf70 sp 0x7fff2568b700 T0)
==24145==The signal is caused by a READ memory access.
==24145==Hint: address points to the zero page.
#0 0x489390 in __interceptor_strcmp.part.66 /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:448
#1 0x57a351 in StringStrcmp /home/ferry/hwz/zeroday/picoc/cstdlib/string.c:26:33
#2 0x520084 in ExpressionParseFunctionCall /home/ferry/hwz/zeroday/picoc/expression.c:1909:13
#3 0x520084 in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1607:17
#4 0x5209ef in ExpressionParseFunctionCall /home/ferry/hwz/zeroday/picoc/expression.c:1834:13
#5 0x5209ef in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1607:17
#6 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#7 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#8 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#9 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#10 0x7f3c6769c83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#11 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:448 in __interceptor_strcmp.part.66
==24145==ABORTING
input: ExpressionCoerceInteger
=================================================================
==15829==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000005672 at pc 0x00000051b4fd bp 0x7ffe0cda9f90 sp 0x7ffe0cda9f88
READ of size 1 at 0x603000005672 thread T0
#0 0x51b4fc in ExpressionCoerceInteger /home/ferry/hwz/zeroday/picoc/expression.c:244:32
#1 0x51b4fc in ExpressionAssignToPointer /home/ferry/hwz/zeroday/picoc/expression.c:492:13
#2 0x51b4fc in ExpressionAssign /home/ferry/hwz/zeroday/picoc/expression.c:555:9
#3 0x520b8c in ExpressionParseFunctionCall /home/ferry/hwz/zeroday/picoc/expression.c:1837:21
#4 0x520b8c in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1607:17
#5 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#6 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#7 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#8 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#9 0x7f9f6d1aa83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
0x603000005672 is located 2 bytes to the right of 32-byte region [0x603000005650,0x603000005670)
allocated by thread T0 here:
#0 0x4b04ba in calloc /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:154
#1 0x4f6295 in TableSetIdentifier /home/ferry/hwz/zeroday/picoc/table.c:162:39
#2 0x50518a in LexGetStringConstant /home/ferry/hwz/zeroday/picoc/lex.c:390:17
#3 0x4fb61c in LexScanGetToken /home/ferry/hwz/zeroday/picoc/lex.c:502:24
#4 0x4fb61c in LexTokenize /home/ferry/hwz/zeroday/picoc/lex.c:642:17
#5 0x4fb61c in LexAnalyse /home/ferry/hwz/zeroday/picoc/lex.c:704:12
#6 0x511a1d in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:874:20
#7 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#8 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#9 0x7f9f6d1aa83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ferry/hwz/zeroday/picoc/expression.c:244:32 in ExpressionCoerceInteger
Shadow bytes around the buggy address:
==15829==ABORTING
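A triage helper for ASAN reports of the shape quoted above, added here as an example and not part of this issue or of picoc: it parses each report, skips frames inside the sanitizer runtime so that the strcpy and strcmp crashes are attributed to StringStrcpy and StringStrcmp in cstdlib/string.c (as in the list at the top) rather than to the interceptor named in the SUMMARY line, and buckets crash inputs by bug type and crash site. The sample text is a constructed, abbreviated copy of four of the reports above; the `/picoc/` path prefix used to shorten file names and the `compiler-rt`/`sanitizer_common` runtime markers are assumptions taken from the paths in those reports.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated copies of four of the reports quoted in this issue.
SAMPLE_REPORTS = """\
input: ExpressionInfixOperator_2
==29353==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000527bcc bp 0x7ffdbc8390f0 sp 0x7ffdbc838f80 T0)
#0 0x527bcc in ExpressionInfixOperator /home/ferry/hwz/zeroday/picoc/expression.c:1004:50
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/expression.c:1004:50 in ExpressionInfixOperator
==29353==ABORTING
input: strcpy
==24725==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000aeb8 at pc 0x000000449ef7 bp 0x7ffc9f6121f0 sp 0x7ffc9f6119a0
WRITE of size 6 at 0x60400000aeb8 thread T0
#0 0x449ef6 in strcpy /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:438
#1 0x579c51 in StringStrcpy /home/ferry/hwz/zeroday/picoc/cstdlib/string.c:12:33
allocated by thread T0 here:
#0 0x4b04ba in calloc /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:154
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:438 in strcpy
==24725==ABORTING
input: ExpressionInfixOperator_3
==12218==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000052869f bp 0x7fffe56cd350 sp 0x7fffe56cd1e0 T0)
#0 0x52869f in ExpressionInfixOperator /home/ferry/hwz/zeroday/picoc/expression.c:932:24
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/expression.c:932:24 in ExpressionInfixOperator
==12218==ABORTING
input: strcmp
hello
char *s
==24145==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000489390 bp 0x7fff2568bf70 sp 0x7fff2568b700 T0)
#0 0x489390 in __interceptor_strcmp.part.66 /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:448
#1 0x57a351 in StringStrcmp /home/ferry/hwz/zeroday/picoc/cstdlib/string.c:26:33
SUMMARY: AddressSanitizer: SEGV /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:448 in __interceptor_strcmp.part.66
==24145==ABORTING
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?\s*$")
# Frames inside the sanitizer runtime (strcpy/strcmp/memcpy interceptors) are not the
# bug's location; the first frame outside them is. Markers assumed from the report paths.
RUNTIME_MARKERS = ("compiler-rt", "sanitizer_common")
# Assumed source-tree prefix, taken from the paths in the quoted reports.
PROJECT_DIR = "/picoc/"


def parse_reports(text):
    """Split a batch on its 'input: <name>' headers; keep the bug type, the faulting
    access (if any) and the crashing stack only (not the allocation stack)."""
    reports, current, in_trace = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("input"):  # both "input: name" and "input : name" occur
            current = {"input": line.split(":", 1)[1].strip(),
                       "bug": None, "access": None, "frames": []}
            reports.append(current)
            in_trace = False
            continue
        if current is None:
            continue
        m = ERROR_RE.search(line)
        if m:
            current["bug"] = m.group(1)  # SEGV, heap-buffer-overflow, FPE, stack-overflow
            in_trace = True
            continue
        if line.startswith(("allocated by", "SUMMARY:")):
            in_trace = False  # what follows is the allocation stack or the footer
            continue
        m = ACCESS_RE.match(line)
        if m:
            current["access"] = (m.group(1), int(m.group(2)))
            continue
        m = FRAME_RE.match(line)
        if m and in_trace:
            current["frames"].append((m.group(1), m.group(2), int(m.group(3))))
    return reports


def crash_site(report):
    """First frame outside the sanitizer runtime, as (function, file, line)."""
    for func, path, line in report["frames"]:
        if any(marker in path for marker in RUNTIME_MARKERS):
            continue
        rel = path.split(PROJECT_DIR, 1)[1] if PROJECT_DIR in path else path
        return (func, rel, line)
    return None


def bucket_crashes(reports):
    """Group crash input names by 'bug type in function at file:line'."""
    buckets = defaultdict(list)
    for r in reports:
        site = crash_site(r)
        if r["bug"] is None or site is None:
            continue
        buckets["%s in %s at %s:%d" % (r["bug"], site[0], site[1], site[2])].append(r["input"])
    return dict(buckets)


if __name__ == "__main__":
    for key, inputs in sorted(bucket_crashes(parse_reports(SAMPLE_REPORTS)).items()):
        print(key, "<-", ", ".join(inputs))
```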
Crash input
https://github.com/17ssDP/fuzzer_crashes/tree/main/picoc
Validation steps
Environment
Ubuntu 16.04
Clang 10.0.1
gcc 5.5