Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-7924

getnetconfig.c: endnetconfig() may leak some bytes with some input

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • rhel-9.2.0
    • libtirpc
    • rhel-sst-filesystems
    • ssg_filesystems_storage_and_HA
    • 5
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • If docs needed, set a value
    • None

      Description of problem:

      By applying libfuzzer to libtirpc, there exists some leaking input with unit tests, by checking the code, the stack var linep may be freed here, no matter ncp is NULL or not.

      http://git.linux-nfs.org/?p=steved/libtirpc.git;a=blob;f=src/getnetconfig.c;h=cfd33c24523be2f327a1ac1d3b2116556f591b99;hb=HEAD#l511

      [root@build]# ./fuzz_netconfig
      INFO: Running with entropic power schedule (0xFF, 100).
      INFO: Seed: 1938463231
      INFO: Loaded 1 modules   (100 inline 8-bit counters): 100 [0x566f00, 0x566f64),
      INFO: Loaded 1 PC tables (100 PCs): 100 [0x53c708,0x53cd48),
      INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
      INFO: A corpus is not provided, starting from an empty corpus
      #2 INITED cov: 67 ft: 68 corp: 1/1b exec/s: 0 rss: 34Mb
      #1018 NEW    cov: 69 ft: 70 corp: 2/14b lim: 14 exec/s: 0 rss: 41Mb L: 13/13 MS: 1 InsertRepeatedBytes-
      #1128 REDUCE cov: 69 ft: 70 corp: 2/13b lim: 14 exec/s: 0 rss: 42Mb L: 12/12 MS: 5 CrossOver-CrossOver-CrossOver-ChangeBinInt-CopyPart-
      #1442 NEW    cov: 69 ft: 71 corp: 3/30b lim: 17 exec/s: 0 rss: 45Mb L: 17/17 MS: 4 CopyPart-CrossOver-ShuffleBytes-InsertRepeatedBytes-
      #1516 REDUCE cov: 69 ft: 71 corp: 3/29b lim: 17 exec/s: 0 rss: 46Mb L: 16/16 MS: 4 CrossOver-EraseBytes-InsertRepeatedBytes-CrossOver-
      #3154 REDUCE cov: 69 ft: 72 corp: 4/61b lim: 33 exec/s: 0 rss: 65Mb L: 32/32 MS: 3 EraseBytes-ChangeBit-InsertRepeatedBytes-

      =================================================================
      ==96286==ERROR: LeakSanitizer: detected memory leaks

      Direct leak of 2000 byte(s) in 2 object(s) allocated from:
          #0 0x4e4032 in malloc (/opt/fuzzing/build/fuzz_netconfig+0x4e4032) (BuildId: bc22722f519954441dea0a1da3ad82162abb7b04)
          #1 0x7f62da891c52 in getnetconfigent /opt/libtirpc/src/getnetconfig.c:471:18

      SUMMARY: AddressSanitizer: 2000 byte(s) leaked in 2 allocation(s).
      INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.

      MS: 3 InsertByte-InsertByte-CMP- DE: "local"-; base unit: 4f872abc50800168557a27b32bc6c547a16f3177
      0x6c,0x6f,0x63,0x61,0x6c,0x0,0xa,0x0,0xa,0x0,0x0,0xa,0x0,0x0,
      local\000\012\000\012\000\000\012\000\000
      artifact_prefix='./'; Test unit written to ./leak-9ef93f15a2aa0034c7d6b6250e536c96d112ad5b
      Base64: bG9jYWwACgAKAAAKAAA=
      [root@build]# cat ./leak-9ef93f15a2aa0034c7d6b6250e536c96d112ad5b
      local

      Version-Release number of selected component (if applicable):

      libtirpc-1.3.3-1.el9.x86_64

              stevedatrhn Steve Dickson
              rh-ee-yieli Zhi Li
              Steve Dickson Steve Dickson
              Zhi Li Zhi Li
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: