Closed jeremy-coulon closed 2 years ago
AddressSanitizer has detected a bug with this very simple program:
```c
#include <stdlib.h> /* EXIT_SUCCESS */
#include <aws/http/http.h>

int main() {
    struct aws_allocator *allocator = aws_default_allocator();
    aws_http_library_init(allocator);
    aws_http_library_clean_up();
    return EXIT_SUCCESS;
}
```
I found it while trying to create aws-c-http conan package (from conan-center-index) with GCC 9 and ASan enabled.
```
=================================================================
==3590115==ERROR: AddressSanitizer: global-buffer-overflow on address 0x563a6c0abc48 at pc 0x563a6baa773e bp 0x7ffff19ce7e0 sp 0x7ffff19ce7d0
READ of size 4 at 0x563a6c0abc48 thread T0
    #0 0x563a6baa773d in hashlittle2 /root/.conan/data/aws-c-common/0.6.15/exalead/testing/build/62a2d8c8a1001dbf3640c6014741b289cdf1467f/source_subfolder/include/aws/common/private/lookup3.inl:551
    #1 0x563a6baaec3f in aws_hash_byte_cursor_ptr /root/.conan/data/aws-c-common/0.6.15/exalead/testing/build/62a2d8c8a1001dbf3640c6014741b289cdf1467f/source_subfolder/source/hash_table.c:975
    #2 0x563a6baa9a89 in s_hash_for /root/.conan/data/aws-c-common/0.6.15/exalead/testing/build/62a2d8c8a1001dbf3640c6014741b289cdf1467f/source_subfolder/source/hash_table.c:48
    #3 0x563a6baabb62 in aws_hash_table_create /root/.conan/data/aws-c-common/0.6.15/exalead/testing/build/62a2d8c8a1001dbf3640c6014741b289cdf1467f/source_subfolder/source/hash_table.c:517
    #4 0x563a6baac078 in aws_hash_table_put /root/.conan/data/aws-c-common/0.6.15/exalead/testing/build/62a2d8c8a1001dbf3640c6014741b289cdf1467f/source_subfolder/source/hash_table.c:583
    #5 0x563a6b99c48c in s_init_str_to_enum_hash_table /data/homes/jcoulon/.conan/data/aws-c-http/0.6.10/jcoulon/testing/build/ac18901644648bb56b86dece8c40e512c6f9c08e/source_subfolder/source/http.c:200
    #6 0x563a6b99cd9e in s_headers_init /data/homes/jcoulon/.conan/data/aws-c-http/0.6.10/jcoulon/testing/build/ac18901644648bb56b86dece8c40e512c6f9c08e/source_subfolder/source/http.c:317
    #7 0x563a6b99d3d9 in aws_http_library_init /data/homes/jcoulon/.conan/data/aws-c-http/0.6.10/jcoulon/testing/build/ac18901644648bb56b86dece8c40e512c6f9c08e/source_subfolder/source/http.c:495
    #8 0x563a6b99c109 in main /data.2/jcoulon/git/3rd-party/conan-center-index/recipes/aws-c-http/all/test_package/test_package.c:5
    #9 0x7f034d16b0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #10 0x563a6b99c02d in _start (/data.2/jcoulon/git/3rd-party/conan-center-index/recipes/aws-c-http/all/test_package/build/83bc1528ec4d34a8ab6b56567ff4074b120b7fdf/bin/test_package+0x1df02d)

0x563a6c0abc48 is located 56 bytes to the left of global variable '*.LC150' defined in '/data/homes/jcoulon/.conan/data/aws-c-http/0.6.10/jcoulon/testing/build/ac18901644648bb56b86dece8c40e512c6f9c08e/source_subfolder/source/http.c' (0x563a6c0abc80) of size 6
  '*.LC150' is ascii string ':path'
0x563a6c0abc4b is located 0 bytes to the right of global variable '*.LC149' defined in '/data/homes/jcoulon/.conan/data/aws-c-http/0.6.10/jcoulon/testing/build/ac18901644648bb56b86dece8c40e512c6f9c08e/source_subfolder/source/http.c' (0x563a6c0abc40) of size 11
  '*.LC149' is ascii string ':authority'
SUMMARY: AddressSanitizer: global-buffer-overflow /root/.conan/data/aws-c-common/0.6.15/exalead/testing/build/62a2d8c8a1001dbf3640c6014741b289cdf1467f/source_subfolder/include/aws/common/private/lookup3.inl:551 in hashlittle2
Shadow bytes around the buggy address:
  0x0ac7cd80d730: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9
  0x0ac7cd80d740: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ac7cd80d750: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0ac7cd80d760: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
  0x0ac7cd80d770: 07 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
=>0x0ac7cd80d780: 00 f9 f9 f9 f9 f9 f9 f9 00[03]f9 f9 f9 f9 f9 f9
  0x0ac7cd80d790: 06 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ac7cd80d7a0: 07 f9 f9 f9 f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9
  0x0ac7cd80d7b0: 05 f9 f9 f9 f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9
  0x0ac7cd80d7c0: 00 07 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
  0x0ac7cd80d7d0: 00 00 02 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3590115==ABORTING
```
- aws-c-http v0.6.10
- aws-c-common v0.6.15
It looks like there is a sanitizer-blacklist.txt in aws-c-common exactly for this issue.
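Added example, not code from aws-c-common or aws-c-http: why a word-at-a-time hasher like lookup3's hashlittle2 trips ASan on a short global string, how the sanitizer decides from the shadow byte, and the byte-wise tail path that gives the same value without the over-read. It assumes a little-endian host and uses the read address and the `[03]` shadow byte from the report above as constructed inputs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* lookup3's default tail path (the one in the report): read a whole 32-bit word
 * and mask off bytes past the input. Legal only if the storage really extends to
 * the word boundary, so callers pass zero-padded storage. Assumes little-endian. */
static uint32_t tail_word_masked(const uint8_t *padded, size_t rem) {
    static const uint32_t keep[5] = {0, 0xff, 0xffff, 0xffffff, 0xffffffff};
    uint32_t w;
    memcpy(&w, padded, 4);       /* one 4-byte read, like hashlittle2 at :551 */
    return w & keep[rem];
}

/* lookup3's VALGRIND tail path: build the word byte by byte, never touching
 * memory past p + rem. Same value as above and clean under sanitizers. */
static uint32_t tail_word_bytewise(const uint8_t *p, size_t rem) {
    uint32_t w = 0;
    for (size_t i = 0; i < rem; i++)
        w |= (uint32_t)p[i] << (8 * i);
    return w;
}

/* ASan's check for an access of size <= 8: the shadow byte of the 8-byte granule
 * is 0 (all addressable) or the number of addressable leading bytes, and the
 * access is reported if it reaches byte k or beyond. Returns 1 when allowed. */
static int asan_read_ok(uint8_t shadow, uintptr_t addr, size_t size) {
    return shadow == 0 || (addr & 7) + size - 1 < shadow;
}

/* The report's numbers: ':authority' (11 bytes with its NUL) sits at ...c40, so the
 * granule at ...c48 holds 3 addressable bytes ("[03]"): a 4-byte read is flagged. */
static int report_case_flagged(void) {
    const uintptr_t addr = 0x563a6c0abc48ULL;   /* constructed from the report */
    return !asan_read_ok(0x03, addr, 4) && asan_read_ok(0x03, addr, 3);
}

/* Both tail strategies agree on the 2-byte tail "ty" of the 10-byte cursor. */
static int tails_agree(void) {
    const char exact[10] = ":authority";      /* exactly the cursor, no NUL */
    const uint8_t padded[12] = ":authority";  /* zero-padded to a word boundary */
    return tail_word_masked(padded + 8, 2) ==
           tail_word_bytewise((const uint8_t *)exact + 8, 2);
}

int main(void) {
    printf("flagged=%d agree=%d\n", report_case_flagged(), tails_agree());
    return 0;
}
```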