[sr-dev] [kamailio/kamailio] SEGV on unknown address (Issue #2993)
taotao gu
notifications at github.com
Wed Jan 5 10:50:04 CET 2022
Linux x1-1 5.11.0-43-generic #47~20.04.2-Ubuntu SMP Mon Dec 13 11:06:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
poc: https://github.com/gtt1995/poc/blob/main/kamailio/148907.testcase
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2350==ERROR: AddressSanitizer: SEGV on unknown address 0x608000010000 (pc 0x7f8ec09469c3 bp 0x7ffd84505c90 sp 0x7ffd84505718 T0)
==2350==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
#0 0x7f8ec09469c3 in libc.so.6
#1 0x7f8ec0835209 in libc.so.6
#2 0x7f8ec08d5f32 in libc.so.6
#3 0x7f8ec08d63e9 in syslog
#4 0x64a045 in parse_identityinfo /src/kamailio/src/core/parser/parse_identityinfo.c:315:3
#5 0x64b29b in parse_identityinfo_header /src/kamailio/src/core/parser/parse_identityinfo.c:346:2
#6 0x576467 in LLVMFuzzerTestOneInput /src/kamailio/misc/fuzz/fuzz_parse_msg.c:53:5
#7 0x456e73 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp:0
#8 0x45665a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) cxa_noexception.cpp:0
#9 0x457efb in fuzzer::Fuzzer::MutateAndTestOne() cxa_noexception.cpp:0
#10 0x4589e5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) cxa_noexception.cpp:0
#11 0x44812d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp:0
#12 0x471172 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#13 0x7f8ec07e20b2 in __libc_start_main
#14 0x41fa0d in _start
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18b9c3)
==2350==ABORTING
MS: 3 ChangeBinInt-ShuffleBytes-EraseBytes-; base unit: ae3912c98bceb907c57e00fbcb572ff78ca2f12c
--22RRAR\354SRR s-48916\011HHH\032\012Privacy:\012 s2\012Identity-Info:<::::\377\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\012\012\377\377\377\377\377
artifact_prefix='/clusterfuzz/run_bot/clusterfuzz/bot/inputs/fuzzer-testcases/'; Test unit written to /clusterfuzz/run_bot/clusterfuzz/bot/inputs/fuzzer-testcases/crash-9886d78e9acf21b875f4e58d2d14222a4ed1e86f
stat::number_of_executed_units: 14639
stat::average_exec_per_sec: 1219
stat::new_units_added: 1293
stat::slowest_unit_time_sec: 0
stat::peak_rss_mb: 142
INFO: exiting: 77 time: 85s
https://github.com/kamailio/kamailio/issues/2993