[sr-dev] [kamailio/kamailio] SEGV on unknown address (Issue #2993)

taotao gu notifications at github.com
Wed Jan 5 10:50:04 CET 2022


Linux x1-1 5.11.0-43-generic #47~20.04.2-Ubuntu SMP Mon Dec 13 11:06:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

poc: https://github.com/gtt1995/poc/blob/main/kamailio/148907.testcase


AddressSanitizer:DEADLYSIGNAL
=================================================================
==2350==ERROR: AddressSanitizer: SEGV on unknown address 0x608000010000 (pc 0x7f8ec09469c3 bp 0x7ffd84505c90 sp 0x7ffd84505718 T0)
==2350==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
    #0 0x7f8ec09469c3 in libc.so.6
    #1 0x7f8ec0835209 in libc.so.6
    #2 0x7f8ec08d5f32 in libc.so.6
    #3 0x7f8ec08d63e9 in syslog
    #4 0x64a045 in parse_identityinfo /src/kamailio/src/core/parser/parse_identityinfo.c:315:3
    #5 0x64b29b in parse_identityinfo_header /src/kamailio/src/core/parser/parse_identityinfo.c:346:2
    #6 0x576467 in LLVMFuzzerTestOneInput /src/kamailio/misc/fuzz/fuzz_parse_msg.c:53:5
    #7 0x456e73 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp:0
    #8 0x45665a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) cxa_noexception.cpp:0
    #9 0x457efb in fuzzer::Fuzzer::MutateAndTestOne() cxa_noexception.cpp:0
    #10 0x4589e5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) cxa_noexception.cpp:0
    #11 0x44812d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp:0
    #12 0x471172 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #13 0x7f8ec07e20b2 in __libc_start_main
    #14 0x41fa0d in _start

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18b9c3)
==2350==ABORTING
MS: 3 ChangeBinInt-ShuffleBytes-EraseBytes-; base unit: ae3912c98bceb907c57e00fbcb572ff78ca2f12c
0x2d,0x2d,0x32,0x32,0x52,0x52,0x41,0x52,0xec,0x53,0x52,0x52,0x20,0x73,0x2d,0x34,0x38,0x39,0x31,0x36,0x9,0x48,0x48,0x48,0x1a,0xa,0x50,0x72,0x69,0x76,0x61,0x63,0x79,0x3a,0xa,0x20,0x73,0x32,0xa,0x49,0x64,0x65,0x6e,0x74,0x69,0x74,0x79,0x2d,0x49,0x6e,0x66,0x6f,0x3a,0x3c,0x3a,0x3a,0x3a,0x3a,0xff,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xa,0xa,0xff,0xff,0xff,0xff,0xff,
--22RRAR\354SRR s-48916\011HHH\032\012Privacy:\012 s2\012Identity-Info:<::::\377\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\012\012\377\377\377\377\377
artifact_prefix='/clusterfuzz/run_bot/clusterfuzz/bot/inputs/fuzzer-testcases/'; Test unit written to /clusterfuzz/run_bot/clusterfuzz/bot/inputs/fuzzer-testcases/crash-9886d78e9acf21b875f4e58d2d14222a4ed1e86f
Base64: LS0yMlJSQVLsU1JSIHMtNDg5MTYJSEhIGgpQcml2YWN5OgogczIKSWRlbnRpdHktSW5mbzo8Ojo6Ov/q6urq6urq6urq6urq6urq6urq6goK//////8=
stat::number_of_executed_units: 14639
stat::average_exec_per_sec:     1219
stat::new_units_added:          1293
stat::slowest_unit_time_sec:    0
stat::peak_rss_mb:              142
INFO: exiting: 77 time: 85s


+----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+

==2350==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
    #0 0x7f8ec09469c3  (/lib/x86_64-linux-gnu/libc.so.6+0x18b9c3)
    #1 0x7f8ec0835209  (/lib/x86_64-linux-gnu/libc.so.6+0x7a209)
    #2 0x7f8ec08d5f32  (/lib/x86_64-linux-gnu/libc.so.6+0x11af32)
    #3 0x7f8ec08d63e9  (/lib/x86_64-linux-gnu/libc.so.6+0x11b3e9)
    #4 0x64a045  (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x64a045)
    #5 0x64b29b  (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x64b29b)
    #6 0x576467  (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x576467)
    #7 0x456e73  (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x456e73)
    #8 0x45665a  (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x45665a)
    #9 0x457efb  (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x457efb)
    #10 0x4589e5  (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x4589e5)
    #11 0x44812d  (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x44812d)
    #12 0x471172  (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x471172)
    #13 0x7f8ec07e20b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #14 0x41fa0d  (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x41fa0d)


-- 
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2993

Message ID: <kamailio/kamailio/issues/2993 at github.com>
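The crashing input is recoverable from the report itself: libFuzzer prints the unit twice (the hex list and the "Base64:" line) and saves it under the name crash-<SHA-1 of the unit>. The script below is an added example, not the reporter's code and not part of kamailio. It copies those two lines verbatim from the report above, parses and cross-checks them, verifies the artifact name against the SHA-1 of the bytes, and writes the unit to a file that can be fed to the fuzz_parse_msg harness. The output file name is an assumption (the reporter's own copy lives at 148907.testcase in their repository).

```python
"""Recover the crashing libFuzzer unit from the report above.

Added example, not part of kamailio or of the issue report. libFuzzer prints
the crashing unit as a hex list and as a 'Base64:' line and names the saved
artifact crash-<sha1 of the unit>; this script parses both encodings, checks
that they agree, checks the artifact name, and writes the unit to a file.
"""
import base64
import hashlib
import re
import sys

# Both encodings of the unit, copied verbatim from the report above.
HEX_LINE = (
    "0x2d,0x2d,0x32,0x32,0x52,0x52,0x41,0x52,0xec,0x53,0x52,0x52,0x20,0x73,"
    "0x2d,0x34,0x38,0x39,0x31,0x36,0x9,0x48,0x48,0x48,0x1a,0xa,0x50,0x72,"
    "0x69,0x76,0x61,0x63,0x79,0x3a,0xa,0x20,0x73,0x32,0xa,0x49,0x64,0x65,"
    "0x6e,0x74,0x69,0x74,0x79,0x2d,0x49,0x6e,0x66,0x6f,0x3a,0x3c,0x3a,0x3a,"
    "0x3a,0x3a,0xff,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,"
    "0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xa,0xa,0xff,0xff,0xff,"
    "0xff,0xff,"
)
BASE64_LINE = (
    "Base64: LS0yMlJSQVLsU1JSIHMtNDg5MTYJSEhIGgpQcml2YWN5OgogczIKSWRlbnRpdHkt"
    "SW5mbzo8Ojo6Ov/q6urq6urq6urq6urq6urq6urq6goK//////8="
)
# Artifact path from the report ("Test unit written to ...").
ARTIFACT = ("/clusterfuzz/run_bot/clusterfuzz/bot/inputs/fuzzer-testcases/"
            "crash-9886d78e9acf21b875f4e58d2d14222a4ed1e86f")
# Output file name: an assumption for this example.
DEFAULT_OUT = "kamailio-2993.testcase"

HEX_TOKEN = re.compile(r"0x([0-9a-fA-F]{1,2})")


def parse_hex_dump(line):
    """'0x2d,0x2d,0x9,...' (one or two hex digits per byte, trailing comma ok) -> bytes."""
    return bytes(int(h, 16) for h in HEX_TOKEN.findall(line))


def parse_base64_line(line):
    """Decode the 'Base64: ...' line; the 'Base64:' prefix is optional."""
    payload = line.split("Base64:", 1)[-1].strip()
    return base64.b64decode(payload, validate=True)


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def artifact_name_matches(data, artifact_path):
    """libFuzzer writes a crash as crash-<SHA-1 of the unit>; check the name against the bytes."""
    name = artifact_path.rsplit("/", 1)[-1]
    return name == "crash-" + sha1_hex(data)


def recover_testcase(hex_line=HEX_LINE, b64_line=BASE64_LINE):
    """Parse both encodings and refuse to continue if they disagree (a damaged copy)."""
    from_hex = parse_hex_dump(hex_line)
    from_b64 = parse_base64_line(b64_line)
    if from_hex != from_b64:
        raise ValueError(
            f"hex dump ({len(from_hex)} bytes) and Base64 ({len(from_b64)} bytes) disagree")
    return from_hex


def header_lines(unit):
    """Split at LF so the SIP-style header lines are visible (the unit carries no CR)."""
    return unit.split(b"\n")


def main(argv):
    out = argv[1] if len(argv) > 1 else DEFAULT_OUT
    unit = recover_testcase()
    with open(out, "wb") as f:
        f.write(unit)
    print(f"wrote {len(unit)} bytes to {out}, sha1 {sha1_hex(unit)}")
    print("artifact name", "matches" if artifact_name_matches(unit, ARTIFACT)
          else "does not match")
    for line in header_lines(unit):
        print(repr(line))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with an optional output path; the printed lines show the unit as the parser sees it: a garbage request line, a "Privacy:" header with a folded continuation line (" s2"), and an "Identity-Info:" header whose value starts with "<::::" and runs into high bytes, ending in an empty line and five 0xff bytes rather than a CRLF-terminated message.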