You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When using libfuzzer to fuzz the dumper, a heap overflow was found, this can reproduce on the lattest commit.
When trying to dereference a pointer: (*(--(stack).top)), , the status of the stack is not checked, resulting in an overflow.
./dumper_fuzzer ./libyaml_heap_overflow =================================================================
==3430052==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000001fc at pc 0x00000057c637 bp 0x7fffffffd030 sp 0x7fffffffd028
READ of size 4 at 0x6060000001fc thread T0
#0 0x57c636 in yaml_emitter_emit_flow_mapping_key /home/libyaml_issue/libyaml/src/emitter.c:810:27
#1 0x57a43b in yaml_emitter_state_machine /home/libyaml_issue/libyaml/src/emitter.c:453:20
#2 0x579790 in yaml_emitter_emit /home/libyaml_issue/libyaml/src/emitter.c:291:14
#3 0x566877 in yaml_emitter_close /home/libyaml_issue/libyaml/src/dumper.c:98:10
#4 0x553671 in LLVMFuzzerTestOneInput /home/libyaml_issue/libyaml/dumper_fuzzer.c:268:3
#5 0x4586a1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/libyaml_issue/libyaml/dumper_fuzzer+0x4586a1)
#6 0x443e12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/libyaml_issue/libyaml/dumper_fuzzer+0x443e12)
#7 0x4498c6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/libyaml_issue/libyaml/dumper_fuzzer+0x4498c6)
#8 0x472582 in main (/home/libyaml_issue/libyaml/dumper_fuzzer+0x472582)
#9 0x7ffff7a6f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#10 0x41e4dd in _start (/home/libyaml_issue/libyaml/dumper_fuzzer+0x41e4dd)
0x6060000001fc is located 4 bytes to the left of 64-byte region [0x606000000200,0x606000000240)
allocated by thread T0 here:
#0 0x51e20d in malloc (/home/libyaml_issue/libyaml/dumper_fuzzer+0x51e20d)
#1 0x553ef9 in yaml_malloc /home/libyaml_issue/libyaml/src/api.c:33:12
#2 0x557132 in yaml_emitter_initialize /home/libyaml_issue/libyaml/src/api.c:368:10
#3 0x553353 in LLVMFuzzerTestOneInput /home/libyaml_issue/libyaml/dumper_fuzzer.c:226:8
#4 0x4586a1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/libyaml_issue/libyaml/dumper_fuzzer+0x4586a1)
#5 0x443e12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/libyaml_issue/libyaml/dumper_fuzzer+0x443e12)
#6 0x4498c6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/libyaml_issue/libyaml/dumper_fuzzer+0x4498c6)
#7 0x472582 in main (/home/libyaml_issue/libyaml/dumper_fuzzer+0x472582)
#8 0x7ffff7a6f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/libyaml_issue/libyaml/src/emitter.c:810:27 in yaml_emitter_emit_flow_mapping_key
Shadow bytes around the buggy address:
0x0c0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0c7fff8000: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff8010: 00 00 00 00 00 00 02 fa fa fa fa fa fd fd fd fd
0x0c0c7fff8020: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c0c7fff8030: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa[fa]
0x0c0c7fff8040: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
0x0c0c7fff8050: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff8060: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fff8070: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c7fff8080: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3430052==ABORTING```
The text was updated successfully, but these errors were encountered:
When using libfuzzer to fuzz the dumper, a heap overflow was found, this can reproduce on the lattest commit.
When trying to dereference a pointer: (*(--(stack).top)), , the status of the stack is not checked, resulting in an overflow.
Version
POC file
https://github.com/HotSpurzzZ/testcases/blob/main/libyaml/libyaml_heap_overflow
Verification steps
Compile and run the following file
https://github.com/google/oss-fuzz/blob/master/projects/libyaml/libyaml_dumper_fuzzer.c
clang -g -fsanitize=address,fuzzer -O0 -I ./src/ -Iinclude -c libyaml_dumper_fuzzer.c -o dumper_fuzzer.o
clang++ -g -fsanitize=address,fuzzer -O0 dumper_fuzzer.o -o dumper_fuzzer src/.libs/libyaml.a
AddressSanitizer output
The text was updated successfully, but these errors were encountered: