Menu

#42 Heap Out-Of-Bounds Memory Access (122031871)

v1.0 (example)
open
nobody
None
5
2018-12-26
2018-12-26
Google-Autofuzz
No

Hello InChI team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
InChI (tested with revision v1.04, September 2011).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

Instructions:
unzip artifacts_122031871.zip
docker build --build-arg SANITIZER=address --tag=autofuzz-InChI-122031871 autofuzz_122031871
docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_122031871/poc-f7c37f50ca60834accc17f270de8fe64c1f2768eebe6c48d24b9f457f0b623d6_min:/tmp/poc autofuzz-InChI-122031871 "" /tmp/poc
docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_122031871/poc-f7c37f50ca60834accc17f270de8fe64c1f2768eebe6c48d24b9f457f0b623d6_min:/tmp/poc -it autofuzz-InChI-122031871

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

INFO: Seed: 1034086209
INFO: Loaded 0 modules (0 guards): 
/fuzzing/fuzzer: Running 1 inputs 500 time(s) each.
Running: /tmp/poc-f7c37f50ca60834accc17f270de8fe64c1f2768eebe6c48d24b9f457f0b623d6
=================================================================
==6==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001178 at pc 0x000000610b3a bp 0x7ffe9582cc80 sp 0x7ffe9582cc78
READ of size 2 at 0x602000001178 thread T0
    #0 0x610b39 in CheckNextSymmNeighborsAndBonds(tagAtom*, unsigned short, unsigned short, unsigned short, unsigned short, unsigned short*, unsigned short*, unsigned short*, unsigned short*, unsigned short*, unsigned short const*, unsigned short const*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimap2.c:1595:10
    #1 0x611289 in CreateCheckSymmPaths(tagAtom*, unsigned short, unsigned short, unsigned short, unsigned short, unsigned short*, unsigned short*, unsigned short*, unsigned short*, unsigned short*, unsigned short**, unsigned short**, unsigned short const*, unsigned short const*, unsigned short*, unsigned short*, int*, int) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimap2.c:1758:26
    #2 0x611351 in CreateCheckSymmPaths(tagAtom*, unsigned short, unsigned short, unsigned short, unsigned short, unsigned short*, unsigned short*, unsigned short*, unsigned short*, unsigned short*, unsigned short**, unsigned short**, unsigned short const*, unsigned short const*, unsigned short*, unsigned short*, int*, int) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimap2.c:1766:30
    #3 0x61586a in RemoveCalculatedNonStereoCenterParities(tagAtom*, int, int, unsigned short**, unsigned short**, unsigned short*, unsigned short**, unsigned short*, unsigned short const*, unsigned short*, unsigned short*, unsigned short*, unsigned short**, unsigned short**, unsigned short**, unsigned short*, unsigned short*, tagCanonStat*, int) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimap2.c:2743:38
    #4 0x6167d4 in RemoveCalculatedNonStereo /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimap2.c:2875:15
    #5 0x61f979 in map_stereo_atoms4 /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimap4.c:1608:22
    #6 0x61eae3 in map_stereo_atoms4 /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimap4.c:1289:27
    #7 0x61eae3 in map_stereo_atoms4 /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimap4.c:1289:27
    #8 0x6176b8 in map_stereo_bonds4 /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimap4.c:931:15
    #9 0x5cc620 in Canon_INChI3(int, int, tagAtom*, tagCanonStat*, unsigned long, int) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichicano.c:1589:17
    #10 0x6042e5 in Create_INChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimake.c:3331:19
    #11 0x6fe754 in MakeOneInChIOutOfStrFromINChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr1.c:4411:14
    #12 0x6fd78a in MakeOneInChIOutOfStrFromINChI2 /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr1.c:4262:11
    #13 0x6c4a9f in NormalizeAndCompare /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr4.c:1073:11
    #14 0x6ce154 in RunBnsRestore1 /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr4.c:2562:11
    #15 0x6cf560 in RestoreAtomMakeBNS /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr4.c:2770:11
    #16 0x6cfd48 in OneInChI2Atom /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr4.c:2840:11
    #17 0x67e7fc in InChI2Atom /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr7.c:131:11
    #18 0x681407 in AllInchiToStructure /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr7.c:787:23
    #19 0x659c40 in ReadWriteInChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:929:23
    #20 0x543f6e in GetStructFromINCHI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/inchi_dll.c:2293:16
    #21 0x518759 in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/inchi_fuzzer.cc:27:3
    #22 0x523ede in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x523ede)
    #23 0x51903e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/fuzzer+0x51903e)
    #24 0x51d547 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/fuzzer+0x51d547)
    #25 0x518d5b in main (/fuzzing/fuzzer+0x518d5b)
    #26 0x7f34406852e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #27 0x41ff89 in _start (/fuzzing/fuzzer+0x41ff89)

0x602000001178 is located 0 bytes to the right of 8-byte region [0x602000001170,0x602000001178)
allocated by thread T0 here:
    #0 0x4de108 in __interceptor_malloc (/fuzzing/fuzzer+0x4de108)
    #1 0x68f0f9 in BreakAllTies /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichisort.c:546:37
    #2 0x61c572 in map_stereo_atoms4 /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimap4.c:1568:17
    #3 0x61eae3 in map_stereo_atoms4 /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimap4.c:1289:27
    #4 0x61eae3 in map_stereo_atoms4 /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimap4.c:1289:27
    #5 0x6176b8 in map_stereo_bonds4 /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimap4.c:931:15
    #6 0x5cc620 in Canon_INChI3(int, int, tagAtom*, tagCanonStat*, unsigned long, int) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichicano.c:1589:17
    #7 0x6042e5 in Create_INChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimake.c:3331:19
    #8 0x6fe754 in MakeOneInChIOutOfStrFromINChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr1.c:4411:14
    #9 0x6fd78a in MakeOneInChIOutOfStrFromINChI2 /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr1.c:4262:11
    #10 0x6c4a9f in NormalizeAndCompare /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr4.c:1073:11
    #11 0x6ce154 in RunBnsRestore1 /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr4.c:2562:11
    #12 0x6cf560 in RestoreAtomMakeBNS /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr4.c:2770:11
    #13 0x6cfd48 in OneInChI2Atom /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr4.c:2840:11
    #14 0x67e7fc in InChI2Atom /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr7.c:131:11
    #15 0x681407 in AllInchiToStructure /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichirvr7.c:787:23
    #16 0x659c40 in ReadWriteInChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:929:23
    #17 0x543f6e in GetStructFromINCHI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/inchi_dll.c:2293:16
    #18 0x518759 in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/inchi_fuzzer.cc:27:3
    #19 0x523ede in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x523ede)

SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichimap2.c:1595:10 in CheckNextSymmNeighborsAndBonds(tagAtom*, unsigned short, unsigned short, unsigned short, unsigned short, unsigned short*, unsigned short*, unsigned short*, unsigned short*, unsigned short*, unsigned short const*, unsigned short const*)
Shadow bytes around the buggy address:
  0x0c047fff81d0: fa fa fd fd fa fa fd fd fa fa 00 04 fa fa 00 fa
  0x0c047fff81e0: fa fa 00 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff81f0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8200: fa fa 04 fa fa fa 04 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8210: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa fd fa
=>0x0c047fff8220: fa fa 00 fa fa fa 00 02 fa fa 00 fa fa fa 00[fa]
  0x0c047fff8230: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8240: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa fa fa
  0x0c047fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6==ABORTING

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

1 Attachments
artifacts_122031871.zip

Discussion

Log in to post a comment.

MongoDB Logo MongoDB