The buffer is passed to insert_element and hashElement, where it is used as a pointer to a uint32_t. Thus, 4 bytes are written.
*((uint32_t*) val) = R;
=================================================================
==16970==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200003a030 at pc 0x5555557d65b8 bp 0x7fffdd209d70 sp 0x7fffdd209d60
WRITE of size 4 at 0x60200003a030 thread T9
#0 0x5555557d65b7 in hashElement(unsigned char*, unsigned int*, unsigned char*, hashing_state_ctx*) common/hashing/hashing_util.h:182
#1 0x5555557d99f5 in insert_element(simple_hash_table_ctx*, unsigned char*, unsigned int*, unsigned char*, hashing_state_ctx*) common/hashing/simple_hashing.cpp:129
#2 0x5555557d8bf2 in gen_entries(void*) common/hashing/simple_hashing.cpp:119
#3 0x7ffff676c08b in start_thread (/usr/lib/libpthread.so.0+0x708b)
#4 0x7ffff52cae7e in __GI___clone (/usr/lib/libc.so.6+0xf5e7e)
0x60200003a033 is located 0 bytes to the right of 3-byte region [0x60200003a030,0x60200003a033)
allocated by thread T9 here:
#0 0x7ffff6efdce1 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:70
#1 0x5555557d8a87 in gen_entries(void*) common/hashing/simple_hashing.cpp:114
#2 0x7ffff676c08b in start_thread (/usr/lib/libpthread.so.0+0x708b)
Thread T9 created by T0 here:
#0 0x7ffff6e53511 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cc:243
#1 0x5555557d83a6 in simple_hashing(unsigned char*, unsigned int, unsigned int, unsigned int*, unsigned int*, unsigned int, unsigned int*, unsigned int, unsigned int, prf_state_ctx*) common/hashing/simple_hashing.cpp:53
#2 0x5555557ce2ad in ServerHashingRoutine(unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int*, unsigned char**, unsigned int*, unsigned int, crypto*, unsigned int) common/phasing_circuit.cpp:327
#3 0x5555557cbf85 in test_phasing_circuit(e_role, char*, unsigned short, SECURITYLEVELS, unsigned int, unsigned int, unsigned int, double, unsigned int, e_mt_gen_alg, e_sharing, int, unsigned int, unsigned int) common/phasing_circuit.cpp:71
#4 0x5555557e2325 in main /home/lennart/git/ABY/src/examples/psi_phasing/psi_phasing.cpp:109
#5 0x7ffff51f5f49 in __libc_start_main (/usr/lib/libc.so.6+0x20f49)
SUMMARY: AddressSanitizer: heap-buffer-overflow common/hashing/hashing_util.h:182 in hashElement(unsigned char*, unsigned int*, unsigned char*, hashing_state_ctx*)
Shadow bytes around the buggy address:
0x0c047ffff3b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047ffff3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047ffff3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047ffff3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047ffff3f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047ffff400: fa fa 00 04 fa fa[03]fa fa fa fa fa fa fa fa fa
0x0c047ffff410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047ffff420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047ffff430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047ffff440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047ffff450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==16970==ABORTING
Starting psi_phasing with the same parameters as in the test (./psi_phasing.exe -r 1 -n 1024 -b 32) results in a heap overflow. In simple_hashing.cpp, ctx->hs->outbitlen is 24, resulting in 3 bytes being allocated. The buffer is passed to insert_element and hashElement, where it is used as a pointer to a uint32_t. Thus, 4 bytes are written.
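The following is an added C example, not code from ABY or from the issue author, that reproduces the size mismatch described above in a controlled scratch buffer and shows two ways to close it. It assumes a stand-in constant OUTBITLEN for ctx->hs->outbitlen (24, as reported), and the function and struct names (out_byte_len, store_unchecked, store_bounded, safe_alloc_len, struct probe) are chosen for the demonstration rather than taken from the project. The canary byte placed right after the 3-byte region plays the role of the heap redzone that AddressSanitizer flagged.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for ctx->hs->outbitlen; the report gives it as 24. */
#define OUTBITLEN 24u
#define CANARY    0xAAu

/* Number of bytes allocated for one hashed element: ceil(outbitlen / 8).
 * For OUTBITLEN == 24 this is 3, one byte short of a uint32_t. */
size_t out_byte_len(unsigned outbitlen) {
    return (outbitlen + 7u) / 8u;
}

/* Emulates the store from the report, *((uint32_t*) val) = R;
 * it always writes sizeof(uint32_t) bytes, whatever size val really has. */
void store_unchecked(uint8_t *val, uint32_t R) {
    memcpy(val, &R, sizeof R);
}

/* Hardened store: writes only the bytes the buffer holds (at most 4),
 * least-significant byte first so the stored value is host-independent.
 * Returns the number of bytes written. */
size_t store_bounded(uint8_t *val, size_t vallen, uint32_t R) {
    size_t n = vallen < sizeof R ? vallen : sizeof R;
    for (size_t i = 0; i < n; i++)
        val[i] = (uint8_t)(R >> (8 * i));
    return n;
}

/* Alternative fix at the allocation site: never hand out fewer bytes than
 * the widest access that is made through the pointer. */
size_t safe_alloc_len(unsigned outbitlen) {
    size_t n = out_byte_len(outbitlen);
    return n < sizeof(uint32_t) ? sizeof(uint32_t) : n;
}

/* Scratch area standing in for the calloc'ed element (constructed for the
 * demo): the first out_byte_len(OUTBITLEN) bytes are "the allocation", the
 * byte directly after them is a canary that an oversized write clobbers. */
struct probe {
    uint8_t mem[8];
};

static void probe_init(struct probe *p) {
    memset(p->mem, 0, sizeof p->mem);
    p->mem[out_byte_len(OUTBITLEN)] = CANARY;
}

/* Returns 1 if the unchecked store overwrote the byte past the allocation. */
int unchecked_store_clobbers_neighbour(uint32_t R) {
    struct probe p;
    probe_init(&p);
    store_unchecked(p.mem, R);
    return p.mem[out_byte_len(OUTBITLEN)] != CANARY;
}

/* Returns 1 if the bounded store left the neighbour intact and still kept
 * the low OUTBITLEN bits of R in the buffer. */
int bounded_store_preserves_neighbour(uint32_t R) {
    struct probe p;
    probe_init(&p);
    size_t n = out_byte_len(OUTBITLEN);
    store_bounded(p.mem, n, R);
    uint32_t back = 0;
    for (size_t i = 0; i < n; i++)
        back |= (uint32_t)p.mem[i] << (8 * i);
    uint32_t mask = n >= 4 ? 0xFFFFFFFFu : ((1u << (8 * n)) - 1u);
    return p.mem[n] == CANARY && back == (R & mask);
}

int main(void) {
    uint32_t R = 0x11223344u;   /* constructed sample hash value */
    printf("allocated bytes          : %zu\n", out_byte_len(OUTBITLEN));
    printf("unchecked store clobbers : %d\n", unchecked_store_clobbers_neighbour(R));
    printf("bounded store preserves  : %d\n", bounded_store_preserves_neighbour(R));
    printf("safe allocation size     : %zu\n", safe_alloc_len(OUTBITLEN));
    return 0;
}
```

Either fix alone is enough: store_bounded keeps the allocation at 3 bytes and never writes past it, while safe_alloc_len keeps the original store and instead rounds the allocation up to the access width. Building the real binary with -fsanitize=address, as the report above was, is the quickest way to confirm which call sites still perform the 4-byte store.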