radareorg / sdb

Simple and fast string based key-value database with support for arrays and json
https://www.radare.org/
MIT License

heap-buffer-overflow (WRITE of size 1) in sdb_json_indent and doIndent #150

Closed geeknik closed 6 years ago

geeknik commented 6 years ago

While testing sdb (85eeb0e), I was able to trigger a heap-buffer-overflow in sdb_json_indent with a simple JSON file: test002.json.gz

```
./sdb - < test002.json

==8501==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000051 at pc 0x000000509ea0 bp 0x7ffc06785d60 sp 0x7ffc06785d58
WRITE of size 1 at 0x603000000051 thread T0
    #0 0x509e9f in sdb_json_indent /root/sdb/src/./json/indent.c:104:5
    #1 0x514646 in sdb_querys /root/sdb/src/query.c:790:16
    #2 0x51233b in sdb_query /root/sdb/src/query.c:840:8
    #3 0x4ee616 in main /root/sdb/src/main.c:496:13
    #4 0x7fbf583121c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #5 0x41aa39 in _start (/root/sdb/src/sdb+0x41aa39)

0x603000000051 is located 0 bytes to the right of 17-byte region [0x603000000040,0x603000000051)
allocated by thread T0 here:
    #0 0x4c0a33 in malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x508f8b in sdb_json_indent /root/sdb/src/./json/indent.c:53:6

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/sdb/src/./json/indent.c:104:5 in sdb_json_indent
```

During the same testing period, I was also able to trigger a similar heap-buffer-overflow in another part of the code called doIndent with this file: test005.json.gz

```
./sdb - < test005.json

==20513==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000005a at pc 0x000000509eb8 bp 0x7ffd9af5e780 sp 0x7ffd9af5e778
WRITE of size 1 at 0x60300000005a thread T0
    #0 0x509eb7 in doIndent /root/sdb/src/./json/indent.c:10:12
    #1 0x509eb7 in sdb_json_indent /root/sdb/src/./json/indent.c:90
    #2 0x514646 in sdb_querys /root/sdb/src/query.c:790:16
    #3 0x51233b in sdb_query /root/sdb/src/query.c:840:8
    #4 0x4ee616 in main /root/sdb/src/main.c:496:13
    #5 0x7fc32dbd31c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #6 0x41aa39 in _start (/root/sdb/src/sdb+0x41aa39)

0x60300000005a is located 0 bytes to the right of 26-byte region [0x603000000040,0x60300000005a)
allocated by thread T0 here:
    #0 0x4c0a33 in malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x508f8b in sdb_json_indent /root/sdb/src/./json/indent.c:53:6

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/sdb/src/./json/indent.c:10:12 in doIndent
```

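Both traces report a one-byte write landing exactly at the end of a heap region that sdb_json_indent allocated earlier (indent.c:53), a shape consistent with an output buffer sized before the number of indentation bytes is known. The issue does not include the code, so the following is an added illustrative indenter, not sdb's own, with hypothetical names (`json_indent_safe`, `OutBuf`, `ob_putc`, `do_indent`): every byte goes through one bounds-checked writer that grows the buffer on demand, so indentation can never outrun the allocation.

```c
#include <stdlib.h>
#include <string.h>
/* Growable output buffer. Every byte goes through ob_putc, which checks
 * capacity first, so the writer cannot run 1 byte past its allocation. */
typedef struct { char *buf; size_t len, cap; int oom; } OutBuf;
static void ob_putc(OutBuf *ob, char c) {
    if (ob->oom) return;                 /* sticky failure, checked once at the end */
    if (ob->len + 2 > ob->cap) {         /* room for c plus the final NUL */
        size_t ncap = ob->cap ? ob->cap * 2 : 64;
        char *nb = realloc(ob->buf, ncap);
        if (!nb) { ob->oom = 1; return; }
        ob->buf = nb; ob->cap = ncap;
    }
    ob->buf[ob->len++] = c;
}
/* Newline plus two spaces per nesting level. The total is only known here,
 * which is why sizing the output buffer up front from the input is risky. */
static void do_indent(OutBuf *ob, int depth) {
    ob_putc(ob, '\n');
    for (int i = 0; i < depth * 2; i++) ob_putc(ob, ' ');
}
/* Pretty-prints JSON text; returns a malloc'd string (caller frees) or NULL on
 * allocation failure. String literals are copied verbatim, honouring backslash
 * escapes, so a '{' or ']' inside a string never changes the nesting depth. */
char *json_indent_safe(const char *in) {
    OutBuf ob = {0};
    int depth = 0, in_str = 0;
    for (const char *p = in; *p; p++) {
        char c = *p;
        if (in_str) {
            ob_putc(&ob, c);
            if (c == '\\' && p[1]) ob_putc(&ob, *++p);
            else if (c == '"') in_str = 0;
            continue;
        }
        switch (c) {
        case ' ': case '\t': case '\n': case '\r': break;  /* drop input layout */
        case '"': in_str = 1; ob_putc(&ob, c); break;
        case '{': case '[': ob_putc(&ob, c); do_indent(&ob, ++depth); break;
        case '}': case ']': do_indent(&ob, --depth); ob_putc(&ob, c); break;
        case ',': ob_putc(&ob, c); do_indent(&ob, depth); break;
        case ':': ob_putc(&ob, ':'); ob_putc(&ob, ' '); break;
        default:  ob_putc(&ob, c);
        }
    }
    ob_putc(&ob, '\0');
    if (ob.oom) { free(ob.buf); return NULL; }
    return ob.buf;
}
```

Feed it the file contents as a NUL-terminated string; deeply nested input such as the fuzzer-found files simply triggers more `realloc` growth instead of a write past the end.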
radare commented 6 years ago

Thanks!

On 10 Apr 2018, at 21:40, geeknik notifications@github.com wrote: