kvirc / KVIrc

The KVIrc IRC Client
http://www.kvirc.net/
GNU General Public License v2.0

ASAN report #2564

Closed. freedom1b2830 closed this issue 8 months ago.

freedom1b2830 commented 10 months ago

Execute:

LD_PRELOAD=asan.so kvirc

Report 1

Execute the command:

/chanserv help

and see:

=================================================================
==230325==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200021e01f at pc 0x7f130a6818df bp 0x7ffcbde201b0 sp 0x7ffcbde1f958
READ of size 16 at 0x60200021e01f thread T0
    #0 0x7f130a6818de in __interceptor_strlen /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:461
    #1 0x5638202c9521 in KviIrcConnection::sendData(char const*, int) (/usr/bin/kvirc+0x320521) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #2 0x56382020b4d8 in KviKvsCoreSimpleCommands::raw(KviKvsRunTimeContext*, KviKvsVariantList*, KviKvsSwitchList*) (/usr/bin/kvirc+0x2624d8) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #3 0x563820271322 in KviKvsTreeNodeCoreSimpleCommand::execute(KviKvsRunTimeContext*) (/usr/bin/kvirc+0x2c8322) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #4 0x56382022c45c in KviKvsScript::executeInternal(KviKvsRunTimeContext*) (/usr/bin/kvirc+0x28345c) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #5 0x56382022c59f in KviKvsScript::execute(KviWindow*, KviKvsVariantList*, KviKvsVariant*, int, KviKvsExtendedRunTimeData*) (/usr/bin/kvirc+0x28359f) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #6 0x56382026ceb1 in KviKvsTreeNodeAliasSimpleCommand::execute(KviKvsRunTimeContext*) (/usr/bin/kvirc+0x2c3eb1) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #7 0x56382022c45c in KviKvsScript::executeInternal(KviKvsRunTimeContext*) (/usr/bin/kvirc+0x28345c) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #8 0x56382022c59f in KviKvsScript::execute(KviWindow*, KviKvsVariantList*, KviKvsVariant*, int, KviKvsExtendedRunTimeData*) (/usr/bin/kvirc+0x28359f) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #9 0x5638203067cf in KviUserInput::parseCommand(QString const&, KviWindow*, QString const&, bool) (/usr/bin/kvirc+0x35d7cf) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #10 0x5638201223a6 in KviInput::inputEditorEnterPressed() (/usr/bin/kvirc+0x1793a6) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #11 0x7f13088d1252  (/usr/lib/libQt5Core.so.5+0x2d1252) (BuildId: b7d92f8f8f7eea3410c75095ef7753f2fb9f139c)
    #12 0x7f13095aee2c in QWidget::event(QEvent*) (/usr/lib/libQt5Widgets.so.5+0x1aee2c) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #13 0x7f13095788fe in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/libQt5Widgets.so.5+0x1788fe) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #14 0x7f130957d917 in QApplication::notify(QObject*, QEvent*) (/usr/lib/libQt5Widgets.so.5+0x17d917) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #15 0x7f130889c167 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/libQt5Core.so.5+0x29c167) (BuildId: b7d92f8f8f7eea3410c75095ef7753f2fb9f139c)
    #16 0x7f13095cec3a  (/usr/lib/libQt5Widgets.so.5+0x1cec3a) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #17 0x7f13095788fe in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/libQt5Widgets.so.5+0x1788fe) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #18 0x7f130889c167 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/libQt5Core.so.5+0x29c167) (BuildId: b7d92f8f8f7eea3410c75095ef7753f2fb9f139c)
    #19 0x7f1308d4559f in QGuiApplicationPrivate::processKeyEvent(QWindowSystemInterfacePrivate::KeyEvent*) (/usr/lib/libQt5Gui.so.5+0x14559f) (BuildId: 7245f1a2960b0607fec4537ca24ef76fdfe1060c)
    #20 0x7f1308d2a6f4 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt5Gui.so.5+0x12a6f4) (BuildId: 7245f1a2960b0607fec4537ca24ef76fdfe1060c)
    #21 0x7f1301b2f4af  (/usr/lib/libQt5XcbQpa.so.5+0x654af) (BuildId: 49eef1b1e0214c650a81fa7a4d8ad1e8421732f6)
    #22 0x7f130790df68  (/usr/lib/libglib-2.0.so.0+0x59f68) (BuildId: 93b5cb3f732f5c35263e6a186fd475c9e1b21fb5)
    #23 0x7f130796c326  (/usr/lib/libglib-2.0.so.0+0xb8326) (BuildId: 93b5cb3f732f5c35263e6a186fd475c9e1b21fb5)
    #24 0x7f130790c161 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x58161) (BuildId: 93b5cb3f732f5c35263e6a186fd475c9e1b21fb5)
    #25 0x7f13088eaf7b in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt5Core.so.5+0x2eaf7b) (BuildId: b7d92f8f8f7eea3410c75095ef7753f2fb9f139c)
    #26 0x7f130889ae73 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt5Core.so.5+0x29ae73) (BuildId: b7d92f8f8f7eea3410c75095ef7753f2fb9f139c)
    #27 0x7f130889c312 in QCoreApplication::exec() (/usr/lib/libQt5Core.so.5+0x29c312) (BuildId: b7d92f8f8f7eea3410c75095ef7753f2fb9f139c)
    #28 0x5638200d5f99 in main (/usr/bin/kvirc+0x12cf99) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #29 0x7f1308045ccf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #30 0x7f1308045d89 in __libc_start_main_impl ../csu/libc-start.c:360
    #31 0x5638200e70b4 in _start (/usr/bin/kvirc+0x13e0b4) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)

0x60200021e01f is located 0 bytes after 15-byte region [0x60200021e010,0x60200021e01f)
allocated by thread T0 here:
    #0 0x7f130a6e1359 in __interceptor_malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f130ad26936 in KviDataBuffer::KviDataBuffer(int, unsigned char const*) (/usr/lib/libkvilib.so.5+0x5f936) (BuildId: 7ed7536232322995c5980a9496763ab89d383821)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:461 in __interceptor_strlen
Shadow bytes around the buggy address:
  0x60200021dd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60200021de00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60200021de80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60200021df00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60200021df80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x60200021e000: fa fa 00[07]fa fa fa fa fa fa fa fa fa fa fa fa
  0x60200021e080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60200021e100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60200021e180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60200021e200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60200021e280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==230325==ABORTING

Report 2

Execute the command /NAMES #channel and see:

=================================================================
==230462==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300059e221 at pc 0x7fba5ac818df bp 0x7ffc69e79850 sp 0x7ffc69e78ff8
READ of size 18 at 0x60300059e221 thread T0
    #0 0x7fba5ac818de in __interceptor_strlen /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:461
    #1 0x55b8a63ea521 in KviIrcConnection::sendData(char const*, int) (/usr/bin/kvirc+0x320521) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #2 0x55b8a632c4d8 in KviKvsCoreSimpleCommands::raw(KviKvsRunTimeContext*, KviKvsVariantList*, KviKvsSwitchList*) (/usr/bin/kvirc+0x2624d8) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #3 0x55b8a6392322 in KviKvsTreeNodeCoreSimpleCommand::execute(KviKvsRunTimeContext*) (/usr/bin/kvirc+0x2c8322) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #4 0x55b8a63aecea in KviKvsTreeNodeSpecialCommandIf::execute(KviKvsRunTimeContext*) (/usr/bin/kvirc+0x2e4cea) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #5 0x55b8a634d45c in KviKvsScript::executeInternal(KviKvsRunTimeContext*) (/usr/bin/kvirc+0x28345c) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #6 0x55b8a634d59f in KviKvsScript::execute(KviWindow*, KviKvsVariantList*, KviKvsVariant*, int, KviKvsExtendedRunTimeData*) (/usr/bin/kvirc+0x28359f) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #7 0x55b8a638deb1 in KviKvsTreeNodeAliasSimpleCommand::execute(KviKvsRunTimeContext*) (/usr/bin/kvirc+0x2c3eb1) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #8 0x55b8a634d45c in KviKvsScript::executeInternal(KviKvsRunTimeContext*) (/usr/bin/kvirc+0x28345c) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #9 0x55b8a634d59f in KviKvsScript::execute(KviWindow*, KviKvsVariantList*, KviKvsVariant*, int, KviKvsExtendedRunTimeData*) (/usr/bin/kvirc+0x28359f) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #10 0x55b8a6343b06 in KviKvsPopupMenu::itemClicked(QAction*) (/usr/bin/kvirc+0x279b06) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #11 0x7fba58ed1252  (/usr/lib/libQt5Core.so.5+0x2d1252) (BuildId: b7d92f8f8f7eea3410c75095ef7753f2fb9f139c)
    #12 0x7fba59cf3a26 in QMenu::triggered(QAction*) (/usr/lib/libQt5Widgets.so.5+0x2f3a26) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #13 0x7fba59cfb5e6  (/usr/lib/libQt5Widgets.so.5+0x2fb5e6) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #14 0x7fba58ed1252  (/usr/lib/libQt5Core.so.5+0x2d1252) (BuildId: b7d92f8f8f7eea3410c75095ef7753f2fb9f139c)
    #15 0x7fba59b6bbb6 in QAction::triggered(bool) (/usr/lib/libQt5Widgets.so.5+0x16bbb6) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #16 0x7fba59b7160a in QAction::activate(QAction::ActionEvent) (/usr/lib/libQt5Widgets.so.5+0x17160a) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #17 0x7fba59cf42da  (/usr/lib/libQt5Widgets.so.5+0x2f42da) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #18 0x7fba59cf43fc  (/usr/lib/libQt5Widgets.so.5+0x2f43fc) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #19 0x7fba59baf1a0 in QWidget::event(QEvent*) (/usr/lib/libQt5Widgets.so.5+0x1af1a0) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #20 0x7fba59b788fe in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/libQt5Widgets.so.5+0x1788fe) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #21 0x7fba59b7ddae in QApplication::notify(QObject*, QEvent*) (/usr/lib/libQt5Widgets.so.5+0x17ddae) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #22 0x7fba58e9c167 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/libQt5Core.so.5+0x29c167) (BuildId: b7d92f8f8f7eea3410c75095ef7753f2fb9f139c)
    #23 0x7fba59b7c0e9 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool, bool) (/usr/lib/libQt5Widgets.so.5+0x17c0e9) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #24 0x7fba59bcd9b3  (/usr/lib/libQt5Widgets.so.5+0x1cd9b3) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #25 0x7fba59bcec06  (/usr/lib/libQt5Widgets.so.5+0x1cec06) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #26 0x7fba59b788fe in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/libQt5Widgets.so.5+0x1788fe) (BuildId: 3dd8a7a3f1d43470eedfbaf0771bed06055f841e)
    #27 0x7fba58e9c167 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/libQt5Core.so.5+0x29c167) (BuildId: b7d92f8f8f7eea3410c75095ef7753f2fb9f139c)
    #28 0x7fba5934196b in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) (/usr/lib/libQt5Gui.so.5+0x14196b) (BuildId: 7245f1a2960b0607fec4537ca24ef76fdfe1060c)
    #29 0x7fba5932a6f4 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt5Gui.so.5+0x12a6f4) (BuildId: 7245f1a2960b0607fec4537ca24ef76fdfe1060c)
    #30 0x7fba5212f4af  (/usr/lib/libQt5XcbQpa.so.5+0x654af) (BuildId: 49eef1b1e0214c650a81fa7a4d8ad1e8421732f6)
    #31 0x7fba57f0df68  (/usr/lib/libglib-2.0.so.0+0x59f68) (BuildId: 93b5cb3f732f5c35263e6a186fd475c9e1b21fb5)
    #32 0x7fba57f6c326  (/usr/lib/libglib-2.0.so.0+0xb8326) (BuildId: 93b5cb3f732f5c35263e6a186fd475c9e1b21fb5)
    #33 0x7fba57f0c161 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x58161) (BuildId: 93b5cb3f732f5c35263e6a186fd475c9e1b21fb5)
    #34 0x7fba58eeaf7b in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt5Core.so.5+0x2eaf7b) (BuildId: b7d92f8f8f7eea3410c75095ef7753f2fb9f139c)
    #35 0x7fba58e9ae73 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt5Core.so.5+0x29ae73) (BuildId: b7d92f8f8f7eea3410c75095ef7753f2fb9f139c)
    #36 0x7fba58e9c312 in QCoreApplication::exec() (/usr/lib/libQt5Core.so.5+0x29c312) (BuildId: b7d92f8f8f7eea3410c75095ef7753f2fb9f139c)
    #37 0x55b8a61f6f99 in main (/usr/bin/kvirc+0x12cf99) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)
    #38 0x7fba58645ccf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #39 0x7fba58645d89 in __libc_start_main_impl ../csu/libc-start.c:360
    #40 0x55b8a62080b4 in _start (/usr/bin/kvirc+0x13e0b4) (BuildId: b59d19250aa912da724fd622d8ec81dd7a3e775b)

0x60300059e221 is located 0 bytes after 17-byte region [0x60300059e210,0x60300059e221)
allocated by thread T0 here:
    #0 0x7fba5ace1359 in __interceptor_malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7fba5b353936 in KviDataBuffer::KviDataBuffer(int, unsigned char const*) (/usr/lib/libkvilib.so.5+0x5f936) (BuildId: 7ed7536232322995c5980a9496763ab89d383821)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:461 in __interceptor_strlen
Shadow bytes around the buggy address:
  0x60300059df80: fd fd fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x60300059e000: fd fd fd fa fa fa 00 00 00 fa fa fa fd fd fd fd
  0x60300059e080: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa fd fd
  0x60300059e100: fd fa fa fa 00 00 00 06 fa fa fd fd fd fa fa fa
  0x60300059e180: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa
=>0x60300059e200: fa fa 00 00[01]fa fa fa fa fa fa fa fa fa fa fa
  0x60300059e280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60300059e300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60300059e380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60300059e400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60300059e480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==230462==ABORTING
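
Added illustration, not code from KVIrc or from this issue: the pattern the two traces above share. In both reports frame #1 is strlen() called from KviIrcConnection::sendData(char const*, int), the allocation stack ends in KviDataBuffer::KviDataBuffer(int, unsigned char const*), and ASAN places the faulting read 0 bytes after a 15-byte and a 17-byte region. That is the signature of a length-carrying byte buffer with no terminator being measured as a C string: strlen() walks off the end of the allocation until it happens to meet a 0 byte. The C program below reconstructs that pattern stand-alone and puts a length-bounded alternative beside it. The struct and function names, the 15-byte payload text and the assumption that the buffer's length is already known to the sender are mine for the demonstration; the issue shows only the stack frames.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a raw byte buffer that carries its own length and
 * stores no terminator. The "allocated by ... KviDataBuffer(int, unsigned char
 * const*)" frame points at this kind of object; the real layout is not shown. */
struct data_buffer {
    size_t len;
    unsigned char *data;
};

/* malloc(n) plus a copy of exactly n bytes: there is no byte for a '\0'. */
struct data_buffer *buffer_new(const unsigned char *src, size_t n)
{
    struct data_buffer *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->data = malloc(n);
    if (!b->data) { free(b); return NULL; }
    memcpy(b->data, src, n);
    b->len = n;
    return b;
}

void buffer_free(struct data_buffer *b)
{
    if (!b) return;
    free(b->data);
    free(b);
}

/* Bounded replacement for strlen(): the caller already knows len, so any search
 * for a terminator is capped there. memchr() never reads past len bytes. */
size_t length_bounded(const unsigned char *p, size_t len)
{
    const unsigned char *nul = memchr(p, 0, len);
    return nul ? (size_t)(nul - p) : len;
}

/* Hardened send path: emit exactly b->len bytes into sink, refuse when they
 * would not fit, and never ask strlen() how long the line is.
 * Returns bytes written, 0 on refusal. */
size_t send_buffer(const struct data_buffer *b, unsigned char *sink, size_t cap)
{
    if (!b || b->len > cap) return 0;
    memcpy(sink, b->data, b->len);
    return b->len;
}

/* Constructed 15-byte payload: the size matches the region in report 1, but the
 * bytes KVIrc actually queued are not visible in the ASAN output. */
static const char kPayload[] = "CHANSERV help\r\n";
#define PAYLOAD_LEN (sizeof kPayload - 1)

/* Stage the payload inside a larger array whose trailing bytes are non-zero,
 * standing in for whatever the heap holds right after a malloc'd region. This
 * makes the over-read observable without undefined behaviour. */
static void stage_backing(unsigned char *backing, size_t cap)
{
    memset(backing, 'X', cap);
    backing[cap - 1] = '\0';          /* first 0 byte is well past PAYLOAD_LEN */
    memcpy(backing, kPayload, PAYLOAD_LEN);
}

/* What the buggy path computes: strlen() ignores the logical length and keeps
 * walking until it meets a 0 byte. With a 32-byte backing array that is 31. */
size_t demo_overread(void)
{
    unsigned char backing[32];
    stage_backing(backing, sizeof backing);
    return strlen((const char *)backing);
}

/* What the bounded version computes over the same bytes: the logical 15. */
size_t demo_bounded(void)
{
    unsigned char backing[32];
    stage_backing(backing, sizeof backing);
    return length_bounded(backing, PAYLOAD_LEN);
}

/* Push the payload through the hardened path with a sink of the given capacity
 * (clamped to the local array): 15 when it fits, 0 when refused. */
size_t demo_send(size_t cap)
{
    unsigned char sink[64];
    size_t sent;
    struct data_buffer *b = buffer_new((const unsigned char *)kPayload, PAYLOAD_LEN);
    if (!b) return 0;
    if (cap > sizeof sink) cap = sizeof sink;
    sent = send_buffer(b, sink, cap);
    buffer_free(b);
    return sent;
}

int main(void)
{
    printf("strlen over the 15-byte payload : %zu\n", demo_overread());
    printf("bounded length                  : %zu\n", demo_bounded());
    printf("hardened send, cap 64           : %zu\n", demo_send(64));
    printf("hardened send, cap 8            : %zu\n", demo_send(8));
    return 0;
}
```

The staged array is used so the program runs cleanly without a sanitizer; swap it for a bare malloc(15) with no terminator, build with -fsanitize=address, and strlen() produces the same heap-buffer-overflow in __interceptor_strlen that the reports show. The fix is the length-preserving one: once a buffer carries its length, the send path consumes that length and never re-derives it with strlen(); if a terminator scan is needed at all, it is memchr() bounded by len.
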
ctrlaltca commented 10 months ago

It would be nice to know what version/commit you are testing. It looks like it could already be fixed by https://github.com/kvirc/KVIrc/pull/2502