Description
Problem description
Fuzzing with the string 【"[[[[[[[[[[[[[[[[[[[[[[ "" ]"】, with the ASan library linked and the -fsanitize=address -fsanitize-recover=address options added, reports a heap buffer overflow.
==166314==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffffba003fc0 at pc 0xffffbcf5a84c bp 0xffffe8dd4e70 sp 0xffffe8dd4648
READ of size 16 at 0xffffba003fc0 thread T0
#0 0xffffbcf5a848 in __interceptor_memcpy (/usr/lib64/libasan.so.8+0x4a848)
#1 0xaaaaaaf95fb0 (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x5fb0)
#2 0xaaaaaafa0f7c (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x10f7c)
#3 0xaaaaaaf9277c (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x277c)
#4 0xffffbca7763c (/usr/lib64/libc.so.6+0x2763c)
#5 0xffffbca77724 in __libc_start_main (/usr/lib64/libc.so.6+0x27724)
#6 0xaaaaaaf928ac (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x28ac)
0xffffba003fc0 is located 0 bytes to the right of 256-byte region [0xffffba003ec0,0xffffba003fc0)
allocated by thread T0 here:
#0 0xffffbcfc4784 (/usr/lib64/libasan.so.8+0xb4784)
#1 0xaaaaaaf934f8 (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x34f8)
#2 0xaaaaaafa0f7c (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x10f7c)
#3 0xaaaaaaf9277c (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x277c)
#4 0xffffbca7763c (/usr/lib64/libc.so.6+0x2763c)
#5 0xffffbca77724 in __libc_start_main (/usr/lib64/libc.so.6+0x27724)
#6 0xaaaaaaf928ac (/ssd/xxx/sonic_github/sonic-cpp/build_neon/sonic_neon_fuzz+0x28ac)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib64/libasan.so.8+0x4a848) in __interceptor_memcpy
Shadow bytes around the buggy address:
0x200ff74007a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x200ff74007b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x200ff74007c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x200ff74007d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x200ff74007e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x200ff74007f0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
0x200ff7400800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x200ff7400810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x200ff7400820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x200ff7400830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x200ff7400840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==166314==ABORTING
Fuzz test case:
#include <iostream>
#include <string>
#include "sonic/sonic.h"  // sonic-cpp public header

// Repeatedly parses the fuzz string from the report with sonic-cpp.
// The `count` parameter is unused in the posted case.
void testfor_parse_char(const char *caseName, int count)
{
    std::cout << "start ---- " << caseName << std::endl;
    for (int i = 0; i < 30000000; i++) {
        std::string data = "[[[[[[[[[[[[[[[[[[[[[[ \"\" ]";
        sonic_json::Document doc;
        doc.Parse(data.c_str());
    }
    std::cout << "---------- End execute " << caseName << " end ----------" << std::endl;
}
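The key datum in the report is a READ of size 16 landing 0 bytes to the right of a 256-byte heap region: the signature of a block-wise (register-width) scan whose final chunk is loaded without checking how many bytes remain. The following added example is not sonic-cpp code and does not establish where in sonic-cpp the read occurs; it shows the bounded tail load such a scanner needs, cross-checked against a scalar loop. `kBlock`, `load_block_bounded` and `count_byte_blockwise` are hypothetical names chosen here.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Width of one scan block: the 16 bytes of a NEON/SSE register, matching
// the "READ of size 16" in the ASan report above.
constexpr std::size_t kBlock = 16;

// Copies one block from [p, p + remaining) into `out`. When fewer than
// kBlock bytes are left, only those bytes are copied and the rest is
// zero-filled, so the load never touches memory past the caller's buffer.
// A naive scanner that always copies kBlock bytes here is exactly what
// produces a 16-byte read at the end of an allocation.
static void load_block_bounded(const char* p, std::size_t remaining,
                               unsigned char out[kBlock]) {
  std::memset(out, 0, kBlock);
  std::memcpy(out, p, remaining < kBlock ? remaining : kBlock);
}

// Counts occurrences of `needle` in buf[0, len) one block at a time.
// Returns the count; only lanes inside the buffer are examined.
std::size_t count_byte_blockwise(const char* buf, std::size_t len,
                                 unsigned char needle) {
  std::size_t hits = 0;
  for (std::size_t off = 0; off < len; off += kBlock) {
    unsigned char block[kBlock];
    std::size_t remaining = len - off;
    std::size_t valid = remaining < kBlock ? remaining : kBlock;
    load_block_bounded(buf + off, remaining, block);
    // Scalar stand-in for the vector compare + popcount; the lane mask
    // `valid` keeps the zero padding out of the result.
    for (std::size_t i = 0; i < valid; ++i) hits += (block[i] == needle);
  }
  return hits;
}

// Scalar reference used to cross-check the block-wise result.
std::size_t count_byte_scalar(const std::string& s, unsigned char needle) {
  std::size_t hits = 0;
  for (unsigned char c : s) hits += (c == needle);
  return hits;
}

// Constructed inputs: the fuzz string from the report and a 256-byte
// buffer matching the region size in the ASan output.
const std::string kFuzzInput = "[[[[[[[[[[[[[[[[[[[[[[ \"\" ]";
const std::string kRegionSized(256, '[');
```

Running the block-wise scanner under -fsanitize=address with inputs whose length is not a multiple of 16 is the quickest regression check that the tail handling stays bounded.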