Linux x1-1 5.11.0-43-generic #47~20.04.2-Ubuntu SMP Mon Dec 13 11:06:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
poc: https://github.com/gtt1995/poc/blob/main/kamailio/148907.testcase
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2350==ERROR: AddressSanitizer: SEGV on unknown address 0x608000010000 (pc 0x7f8ec09469c3 bp 0x7ffd84505c90 sp 0x7ffd84505718 T0)
==2350==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
    #0 0x7f8ec09469c3 in libc.so.6
    #1 0x7f8ec0835209 in libc.so.6
    #2 0x7f8ec08d5f32 in libc.so.6
    #3 0x7f8ec08d63e9 in syslog
    #4 0x64a045 in parse_identityinfo /src/kamailio/src/core/parser/parse_identityinfo.c:315:3
    #5 0x64b29b in parse_identityinfo_header /src/kamailio/src/core/parser/parse_identityinfo.c:346:2
    #6 0x576467 in LLVMFuzzerTestOneInput /src/kamailio/misc/fuzz/fuzz_parse_msg.c:53:5
    #7 0x456e73 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp:0
    #8 0x45665a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) cxa_noexception.cpp:0
    #9 0x457efb in fuzzer::Fuzzer::MutateAndTestOne() cxa_noexception.cpp:0
    #10 0x4589e5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) cxa_noexception.cpp:0
    #11 0x44812d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp:0
    #12 0x471172 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #13 0x7f8ec07e20b2 in __libc_start_main
    #14 0x41fa0d in _start

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18b9c3)
==2350==ABORTING
MS: 3 ChangeBinInt-ShuffleBytes-EraseBytes-; base unit: ae3912c98bceb907c57e00fbcb572ff78ca2f12c
0x2d,0x2d,0x32,0x32,0x52,0x52,0x41,0x52,0xec,0x53,0x52,0x52,0x20,0x73,0x2d,0x34,0x38,0x39,0x31,0x36,0x9,0x48,0x48,0x48,0x1a,0xa,0x50,0x72,0x69,0x76,0x61,0x63,0x79,0x3a,0xa,0x20,0x73,0x32,0xa,0x49,0x64,0x65,0x6e,0x74,0x69,0x74,0x79,0x2d,0x49,0x6e,0x66,0x6f,0x3a,0x3c,0x3a,0x3a,0x3a,0x3a,0xff,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xea,0xa,0xa,0xff,0xff,0xff,0xff,0xff,
--22RRAR\354SRR s-48916\011HHH\032\012Privacy:\012 s2\012Identity-Info:<::::\377\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\352\012\012\377\377\377\377\377
artifact_prefix='/clusterfuzz/run_bot/clusterfuzz/bot/inputs/fuzzer-testcases/'; Test unit written to /clusterfuzz/run_bot/clusterfuzz/bot/inputs/fuzzer-testcases/crash-9886d78e9acf21b875f4e58d2d14222a4ed1e86f
Base64: LS0yMlJSQVLsU1JSIHMtNDg5MTYJSEhIGgpQcml2YWN5OgogczIKSWRlbnRpdHktSW5mbzo8Ojo6Ov/q6urq6urq6urq6urq6urq6urq6urq6goK//////8=
stat::number_of_executed_units: 14639
stat::average_exec_per_sec: 1219
stat::new_units_added: 1293
stat::slowest_unit_time_sec: 0
stat::peak_rss_mb: 142
INFO: exiting: 77 time: 85s
+----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+
==2350==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
    #0 0x7f8ec09469c3 (/lib/x86_64-linux-gnu/libc.so.6+0x18b9c3)
    #1 0x7f8ec0835209 (/lib/x86_64-linux-gnu/libc.so.6+0x7a209)
    #2 0x7f8ec08d5f32 (/lib/x86_64-linux-gnu/libc.so.6+0x11af32)
    #3 0x7f8ec08d63e9 (/lib/x86_64-linux-gnu/libc.so.6+0x11b3e9)
    #4 0x64a045 (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x64a045)
    #5 0x64b29b (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x64b29b)
    #6 0x576467 (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x576467)
    #7 0x456e73 (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x456e73)
    #8 0x45665a (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x45665a)
    #9 0x457efb (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x457efb)
    #10 0x4589e5 (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x4589e5)
    #11 0x44812d (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x44812d)
    #12 0x471172 (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x471172)
    #13 0x7f8ec07e20b2 (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #14 0x41fa0d (/clusterfuzz/run_bot/clusterfuzz/bot/builds/kamailio_libfuzzer_asan/custom/fuzz_parse_msg+0x41fa0d)
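To turn the ClusterFuzz report above into a local reproducer, here is an added Python helper. It is not part of this issue, of Kamailio, or of the fuzz harness; it decodes the Base64 test unit that libFuzzer printed, names the file the way libFuzzer does (crash- followed by the SHA-1 of the unit, so the name should match the artifact path in the report), writes it to disk, and splits the SIP-style message so the malformed Identity-Info value is visible. The framing it assumes (bare LF line endings, SP/HTAB-folded continuation lines, header block ended by an empty line) is taken from the bytes in the report; the function names and the unterminated-URI check are my own, not Kamailio's parser.

```python
# Added example for this issue report; not Kamailio or libFuzzer code.
import base64
import hashlib
import os

# Base64 of the crashing unit, copied verbatim from the libFuzzer output above.
UNIT_B64 = ("LS0yMlJSQVLsU1JSIHMtNDg5MTYJSEhIGgpQcml2YWN5OgogczIKSWRlbnRpdHktSW5mbzo8Ojo6"
            "Ov/q6urq6urq6urq6urq6urq6urq6urq6goK//////8=")
# Artifact name from the report; libFuzzer names crash files "crash-" + SHA-1(unit).
REPORTED_ARTIFACT = "crash-9886d78e9acf21b875f4e58d2d14222a4ed1e86f"


def decode_unit(b64=UNIT_B64):
    """Recover the raw fuzzer input from the Base64 line of a libFuzzer report."""
    return base64.b64decode(b64)


def artifact_name(unit):
    """Name libFuzzer would give this unit when writing a crash artifact."""
    return "crash-" + hashlib.sha1(unit).hexdigest()


def split_message(unit):
    """Split a SIP-style message into (first line, [(name, value)], body).

    Accepts bare LF as well as CRLF line endings (this unit uses bare LF),
    treats lines starting with SP/HTAB as folded continuations of the
    previous header (RFC 3261 LWS), and ends the header block at the first
    empty line. Everything stays bytes: the unit is not valid UTF-8.
    """
    data = unit.replace(b"\r\n", b"\n")
    head, _, body = data.partition(b"\n\n")
    lines = head.split(b"\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, (value + b" " + line.strip()).strip())
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def unterminated_uri_headers(headers):
    """Names of headers whose value opens an angle-bracketed URI but never closes it.

    Identity-Info (RFC 4474) carries LAQUOT absoluteURI RAQUOT; a value with no
    closing '>' is the kind of input a parser must reject without reading past
    the end of the header. This check is illustrative, not Kamailio's logic.
    """
    return [name for name, value in headers
            if value.startswith(b"<") and b">" not in value]


def write_reproducer(directory="."):
    """Write the unit to disk under libFuzzer's artifact name and return the path."""
    unit = decode_unit()
    path = os.path.join(directory, artifact_name(unit))
    with open(path, "wb") as fh:
        fh.write(unit)
    return path


if __name__ == "__main__":
    unit = decode_unit()
    print("unit size:", len(unit))
    print("artifact name matches report:", artifact_name(unit) == REPORTED_ARTIFACT)
    first, headers, body = split_message(unit)
    print("first line:", first)
    for name, value in headers:
        print("header:", name, "=", value)
    print("body:", body)
    print("headers with unterminated <uri>:", unterminated_uri_headers(headers))
    print("wrote", write_reproducer())
```

Running the script writes the crash file next to it; passing that file as the only argument to the ASan libFuzzer binary (fuzz_parse_msg, built from misc/fuzz/fuzz_parse_msg.c) runs just that input and exits, which is the quickest way to check whether a given kamailio revision still reaches the syslog call in parse_identityinfo.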
Thanks for the report, can you provide the kamailio version where this bug was found? There have been several fixes recently.
For the record, this is from the fuzzer code, which is set up differently from the usual kamailio runtime.
Anyhow, I tried to reproduce with master and it doesn't happen. As mentioned above, it could be something already fixed.
If you can reproduce it with current master, provide the required troubleshooting details from issue template, like full kamailio version, operating system and kernel version, ...
Closed #2993.