The Samba-Bugzilla – Attachment 13162 Details for Bug 12748: use of wrong buffer in cleanupdb_store_child() leads to stack overread
Description: address sanitizer stack trace
Filename: samba-cleanupdb-buffer-overread-asan.txt
MIME Type: text/plain
Size: 3.43 KB
Creator: Hanno Böck
Created: 2017-04-19 09:02:40 UTC
=================================================================
==19205==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc4680b404 at pc 0x7f5be49269df bp 0x7ffc4680b0e0 sp 0x7ffc4680a890
READ of size 8 at 0x7ffc4680b404 thread T0
    #0 0x7f5be49269de (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x5d9de)
    #1 0x7f5bd9270053 in tdb_write ../common/io.c:184
    #2 0x7f5bd9265dab in _tdb_storev ../common/tdb.c:617
    #3 0x7f5bd926686b in _tdb_store ../common/tdb.c:643
    #4 0x7f5bd926686b in tdb_store ../common/tdb.c:667
    #5 0x7f5be155331f in cleanupdb_store_child ../source3/lib/cleanupdb.c:72
    #6 0x562faaadea66 in remove_child_pid ../source3/smbd/server.c:836
    #7 0x562faaadea66 in smbd_sig_chld_handler ../source3/smbd/server.c:916
    #8 0x7f5bdf9747d0 in tevent_common_check_signal ../tevent_signal.c:417
    #9 0x7f5bdf97a80b in epoll_event_loop ../tevent_epoll.c:647
    #10 0x7f5bdf97a80b in epoll_event_loop_once ../tevent_epoll.c:930
    #11 0x7f5bdf974cbe in std_event_loop_once ../tevent_standard.c:114
    #12 0x7f5bdf968d3d in _tevent_loop_once ../tevent.c:721
    #13 0x7f5bdf96948a in tevent_common_loop_wait ../tevent.c:844
    #14 0x7f5bdf974baa in std_event_loop_wait ../tevent_standard.c:145
    #15 0x562faaad880e in smbd_parent_loop ../source3/smbd/server.c:1384
    #16 0x562faaad880e in main ../source3/smbd/server.c:2038
    #17 0x7f5bdf5e81e0 in __libc_start_main (/lib64/libc.so.6+0x201e0)
    #18 0x562faaad9049 in _start (/usr/sbin/smbd+0x13049)

Address 0x7ffc4680b404 is located in stack of thread T0 at offset 36 in frame
    #0 0x7f5be155327f in cleanupdb_store_child ../source3/lib/cleanupdb.c:59

  This frame has 1 object(s):
    [32, 36) 'key' <== Memory access at offset 36 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x5d9de)
Shadow bytes around the buggy address:
  0x100008cf9630: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f4
  0x100008cf9640: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00
  0x100008cf9650: 00 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x100008cf9660: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f4 f4 f3 f3
  0x100008cf9670: f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x100008cf9680:[04]f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x100008cf9690: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4
  0x100008cf96a0: f2 f2 f2 f2 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00
  0x100008cf96b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100008cf96c0: 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2 f2 f2
  0x100008cf96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19205==ABORTING