These are four ASAN reports that presumably belong to the same bug. The bugs were found while testing ngtcp2, but I believe they originate in wolfssl.
=================================================================
==374867==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x52900001d200 at pc 0x7ffff7814197 bp 0x7ffffffebfc0 sp 0x7ffffffebfb8
WRITE of size 1 at 0x52900001d200 thread T0
#0 0x7ffff7814196 in add_rec_header wolfssl/src/quic.c:186:17
#1 0x7ffff7814196 in quic_record_transfer wolfssl/src/quic.c:204:19
#2 0x7ffff7814196 in wolfSSL_quic_receive wolfssl/src/quic.c:776:17
#3 0x7ffff73294b8 in wolfSSLReceive wolfssl/src/internal.c:10300:16
#4 0x7ffff73294b8 in GetInputData wolfssl/src/internal.c:20452:18
#5 0x7ffff730f1c3 in ProcessReplyEx wolfssl/src/internal.c:20931:28
#6 0x7ffff7529a76 in wolfSSL_accept wolfssl/src/ssl.c:13321:36
#7 0x7ffff77e9c11 in wolfSSL_read_early_data wolfssl/src/tls13.c:14388:15
#8 0x7ffff780bac4 in wolfSSL_quic_do_handshake wolfssl/src/quic.c:609:23
#9 0x555555830146 in ngtcp2_crypto_read_write_crypto_data crypto/wolfssl/wolfssl.c:331:10
#10 0x55555583f1d5 in ngtcp2_crypto_recv_crypto_data_cb crypto/shared.c:1438:7
#11 0x7ffff7d00676 in conn_call_recv_crypto_data lib/ngtcp2_conn.c:144:8
#12 0x7ffff7d00676 in conn_recv_crypto lib/ngtcp2_conn.c:6918:10
#13 0x7ffff7ce5ecb in conn_recv_handshake_pkt lib/ngtcp2_conn.c:6571:12
#14 0x7ffff7cd943b in conn_recv_handshake_cpkt lib/ngtcp2_conn.c:6662:9
#15 0x7ffff7c4db61 in conn_read_handshake lib/ngtcp2_conn.c:9810:13
#16 0x7ffff7c4b29b in ngtcp2_conn_read_pkt_versioned lib/ngtcp2_conn.c:9987:13
#17 0x555555737e15 in Handler::feed_data(Endpoint const&, ngtcp2::Address const&, sockaddr const*, unsigned int, ngtcp2_pkt_info const*, unsigned char const*, unsigned long) examples/server.cc:1620:17
#18 0x55555573929d in Handler::on_read(Endpoint const&, ngtcp2::Address const&, sockaddr const*, unsigned int, ngtcp2_pkt_info const*, unsigned char const*, unsigned long) examples/server.cc:1653:17
#19 0x55555575b465 in Server::read_pkt(Endpoint&, ngtcp2::Address const&, sockaddr const*, unsigned int, ngtcp2_pkt_info const*, unsigned char const*, unsigned long) examples/server.cc:2667:20
#20 0x555555758bb7 in Server::on_read(Endpoint&) examples/server.cc:2504:9
#21 0x7ffff6ac0772 in ev_invoke_pending ??:0:0
#22 0x7ffff6ac4040 in ev_run ??:0:0
#23 0x555555772131 in main examples/server.cc:3887:3
#24 0x7ffff63c5a8f in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#25 0x7ffff63c5b48 in __libc_start_main ./csu/../csu/libc-start.c:360:3
#26 0x5555555938a4 in _start ??:0:0
0x52900001d200 is located 0 bytes after 16384-byte region [0x529000019200,0x52900001d200)
allocated by thread T0 here:
#0 0x5555556803e7 in __interceptor_malloc _asan_rtl_:3
#1 0x7ffff7288df1 in GrowInputBuffer wolfssl/src/internal.c:10649:18
SUMMARY: AddressSanitizer: heap-buffer-overflow (wolfssl/src/.libs/libwolfssl.so.42+0xd47196)
Shadow bytes around the buggy address:
0x52900001cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x52900001d000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x52900001d080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x52900001d100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x52900001d180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x52900001d200:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x52900001d280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x52900001d300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x52900001d380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x52900001d400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x52900001d480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==374867==ABORTING
=================================================================
==1803740==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x52900001d200 at pc 0x7ffff78141a7 bp 0x7ffffffebfc0 sp 0x7ffffffebfb8
WRITE of size 1 at 0x52900001d200 thread T0
#0 0x7ffff78141a6 in c16toa wolfssl/./wolfcrypt/src/misc.c:457:10
#1 0x7ffff78141a6 in add_rec_header wolfssl/src/quic.c:187:5
#2 0x7ffff78141a6 in quic_record_transfer wolfssl/src/quic.c:204:19
#3 0x7ffff78141a6 in wolfSSL_quic_receive wolfssl/src/quic.c:776:17
#4 0x7ffff73294b8 in wolfSSLReceive wolfssl/src/internal.c:10300:16
#5 0x7ffff73294b8 in GetInputData wolfssl/src/internal.c:20452:18
#6 0x7ffff730f1c3 in ProcessReplyEx wolfssl/src/internal.c:20931:28
#7 0x7ffff7529a76 in wolfSSL_accept wolfssl/src/ssl.c:13321:36
#8 0x7ffff77e9c11 in wolfSSL_read_early_data wolfssl/src/tls13.c:14388:15
#9 0x7ffff780bac4 in wolfSSL_quic_do_handshake wolfssl/src/quic.c:609:23
#10 0x555555830146 in ngtcp2_crypto_read_write_crypto_data crypto/wolfssl/wolfssl.c:331:10
#11 0x55555583f1d5 in ngtcp2_crypto_recv_crypto_data_cb crypto/shared.c:1438:7
#12 0x7ffff7d0129b in conn_call_recv_crypto_data lib/ngtcp2_conn.c:144:8
#13 0x7ffff7d0129b in conn_emit_pending_crypto_data lib/ngtcp2_conn.c:5696:10
#14 0x7ffff7d0129b in conn_recv_crypto lib/ngtcp2_conn.c:6924:10
#15 0x7ffff7ce5ecb in conn_recv_handshake_pkt lib/ngtcp2_conn.c:6571:12
#16 0x7ffff7cd943b in conn_recv_handshake_cpkt lib/ngtcp2_conn.c:6662:9
#17 0x7ffff7c4db61 in conn_read_handshake lib/ngtcp2_conn.c:9810:13
#18 0x7ffff7c4b29b in ngtcp2_conn_read_pkt_versioned lib/ngtcp2_conn.c:9987:13
#19 0x555555737e15 in Handler::feed_data(Endpoint const&, ngtcp2::Address const&, sockaddr const*, unsigned int, ngtcp2_pkt_info const*, unsigned char const*, unsigned long) examples/server.cc:1620:17
#20 0x55555573929d in Handler::on_read(Endpoint const&, ngtcp2::Address const&, sockaddr const*, unsigned int, ngtcp2_pkt_info const*, unsigned char const*, unsigned long) examples/server.cc:1653:17
#21 0x55555575b465 in Server::read_pkt(Endpoint&, ngtcp2::Address const&, sockaddr const*, unsigned int, ngtcp2_pkt_info const*, unsigned char const*, unsigned long) examples/server.cc:2667:20
#22 0x555555758bb7 in Server::on_read(Endpoint&) examples/server.cc:2504:9
#23 0x7ffff6ac0772 in ev_invoke_pending ??:0:0
#24 0x7ffff6ac4040 in ev_run ??:0:0
#25 0x555555772131 in main examples/server.cc:3887:3
#26 0x7ffff63c5a8f in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#27 0x7ffff63c5b48 in __libc_start_main ./csu/../csu/libc-start.c:360:3
#28 0x5555555938a4 in _start ??:0:0
0x52900001d200 is located 0 bytes after 16384-byte region [0x529000019200,0x52900001d200)
allocated by thread T0 here:
#0 0x5555556803e7 in __interceptor_malloc _asan_rtl_:3
#1 0x7ffff7288df1 in GrowInputBuffer wolfssl/src/internal.c:10649:18
SUMMARY: AddressSanitizer: heap-buffer-overflow (wolfssl/src/.libs/libwolfssl.so.42+0xd471a6)
==1803740==ABORTING
=================================================================
==4186026==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x52900001d200 at pc 0x7ffff781418f bp 0x7ffffffebfc0 sp 0x7ffffffebfb8
WRITE of size 1 at 0x52900001d200 thread T0
#0 0x7ffff781418e in add_rec_header wolfssl/src/quic.c:185:17
#1 0x7ffff781418e in quic_record_transfer wolfssl/src/quic.c:204:19
#2 0x7ffff781418e in wolfSSL_quic_receive wolfssl/src/quic.c:776:17
#3 0x7ffff73294b8 in wolfSSLReceive wolfssl/src/internal.c:10300:16
#4 0x7ffff73294b8 in GetInputData wolfssl/src/internal.c:20452:18
#5 0x7ffff730f1c3 in ProcessReplyEx wolfssl/src/internal.c:20931:28
#6 0x7ffff7529a76 in wolfSSL_accept wolfssl/src/ssl.c:13321:36
#7 0x7ffff77e9c11 in wolfSSL_read_early_data wolfssl/src/tls13.c:14388:15
#8 0x7ffff780bac4 in wolfSSL_quic_do_handshake wolfssl/src/quic.c:609:23
#9 0x555555830146 in ngtcp2_crypto_read_write_crypto_data crypto/wolfssl/wolfssl.c:331:10
#10 0x55555583f1d5 in ngtcp2_crypto_recv_crypto_data_cb crypto/shared.c:1438:7
#11 0x7ffff7d00676 in conn_call_recv_crypto_data lib/ngtcp2_conn.c:144:8
#12 0x7ffff7d00676 in conn_recv_crypto lib/ngtcp2_conn.c:6918:10
#13 0x7ffff7ce5ecb in conn_recv_handshake_pkt lib/ngtcp2_conn.c:6571:12
#14 0x7ffff7cd943b in conn_recv_handshake_cpkt lib/ngtcp2_conn.c:6662:9
#15 0x7ffff7c4db61 in conn_read_handshake lib/ngtcp2_conn.c:9810:13
#16 0x7ffff7c4b29b in ngtcp2_conn_read_pkt_versioned lib/ngtcp2_conn.c:9987:13
#17 0x555555737e15 in Handler::feed_data(Endpoint const&, ngtcp2::Address const&, sockaddr const*, unsigned int, ngtcp2_pkt_info const*, unsigned char const*, unsigned long) examples/server.cc:1620:17
#18 0x55555573929d in Handler::on_read(Endpoint const&, ngtcp2::Address const&, sockaddr const*, unsigned int, ngtcp2_pkt_info const*, unsigned char const*, unsigned long) examples/server.cc:1653:17
#19 0x55555575b465 in Server::read_pkt(Endpoint&, ngtcp2::Address const&, sockaddr const*, unsigned int, ngtcp2_pkt_info const*, unsigned char const*, unsigned long) examples/server.cc:2667:20
#20 0x555555758bb7 in Server::on_read(Endpoint&) examples/server.cc:2504:9
#21 0x7ffff6ac0772 in ev_invoke_pending ??:0:0
#22 0x7ffff6ac4040 in ev_run ??:0:0
#23 0x555555772131 in main examples/server.cc:3887:3
#24 0x7ffff63c5a8f in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#25 0x7ffff63c5b48 in __libc_start_main ./csu/../csu/libc-start.c:360:3
#26 0x5555555938a4 in _start ??:0:0
0x52900001d200 is located 0 bytes after 16384-byte region [0x529000019200,0x52900001d200)
allocated by thread T0 here:
#0 0x5555556803e7 in __interceptor_malloc _asan_rtl_:3
#1 0x7ffff7288df1 in GrowInputBuffer wolfssl/src/internal.c:10649:18
SUMMARY: AddressSanitizer: heap-buffer-overflow (wolfssl/src/.libs/libwolfssl.so.42+0xd4718e)
==4186026==ABORTING
=================================================================
==2815840==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x52900001d200 at pc 0x7ffff781419f bp 0x7ffffffebfc0 sp 0x7ffffffebfb8
WRITE of size 1 at 0x52900001d200 thread T0
#0 0x7ffff781419e in c16toa wolfssl/./wolfcrypt/src/misc.c:456:10
#1 0x7ffff781419e in add_rec_header wolfssl/src/quic.c:187:5
#2 0x7ffff781419e in quic_record_transfer wolfssl/src/quic.c:204:19
#3 0x7ffff781419e in wolfSSL_quic_receive wolfssl/src/quic.c:776:17
#4 0x7ffff73294b8 in wolfSSLReceive wolfssl/src/internal.c:10300:16
#5 0x7ffff73294b8 in GetInputData wolfssl/src/internal.c:20452:18
#6 0x7ffff730f1c3 in ProcessReplyEx wolfssl/src/internal.c:20931:28
#7 0x7ffff7529a76 in wolfSSL_accept wolfssl/src/ssl.c:13321:36
#8 0x7ffff77e9c11 in wolfSSL_read_early_data wolfssl/src/tls13.c:14388:15
#9 0x7ffff780bac4 in wolfSSL_quic_do_handshake wolfssl/src/quic.c:609:23
#10 0x555555830146 in ngtcp2_crypto_read_write_crypto_data crypto/wolfssl/wolfssl.c:331:10
#11 0x55555583f1d5 in ngtcp2_crypto_recv_crypto_data_cb crypto/shared.c:1438:7
#12 0x7ffff7d0129b in conn_call_recv_crypto_data lib/ngtcp2_conn.c:144:8
#13 0x7ffff7d0129b in conn_emit_pending_crypto_data lib/ngtcp2_conn.c:5696:10
#14 0x7ffff7d0129b in conn_recv_crypto lib/ngtcp2_conn.c:6924:10
#15 0x7ffff7ce5ecb in conn_recv_handshake_pkt lib/ngtcp2_conn.c:6571:12
#16 0x7ffff7cd943b in conn_recv_handshake_cpkt lib/ngtcp2_conn.c:6662:9
#17 0x7ffff7c4db61 in conn_read_handshake lib/ngtcp2_conn.c:9810:13
#18 0x7ffff7c4b29b in ngtcp2_conn_read_pkt_versioned lib/ngtcp2_conn.c:9987:13
#19 0x555555737e15 in Handler::feed_data(Endpoint const&, ngtcp2::Address const&, sockaddr const*, unsigned int, ngtcp2_pkt_info const*, unsigned char const*, unsigned long) examples/server.cc:1620:17
#20 0x55555573929d in Handler::on_read(Endpoint const&, ngtcp2::Address const&, sockaddr const*, unsigned int, ngtcp2_pkt_info const*, unsigned char const*, unsigned long) examples/server.cc:1653:17
#21 0x55555575b465 in Server::read_pkt(Endpoint&, ngtcp2::Address const&, sockaddr const*, unsigned int, ngtcp2_pkt_info const*, unsigned char const*, unsigned long) examples/server.cc:2667:20
#22 0x555555758bb7 in Server::on_read(Endpoint&) examples/server.cc:2504:9
#23 0x7ffff6ac0772 in ev_invoke_pending ??:0:0
#24 0x7ffff6ac4040 in ev_run ??:0:0
#25 0x555555772131 in main examples/server.cc:3887:3
#26 0x7ffff63c5a8f in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#27 0x7ffff63c5b48 in __libc_start_main ./csu/../csu/libc-start.c:360:3
#28 0x5555555938a4 in _start ??:0:0
0x52900001d200 is located 0 bytes after 16384-byte region [0x529000019200,0x52900001d200)
allocated by thread T0 here:
#0 0x5555556803e7 in __interceptor_malloc _asan_rtl_:3
#1 0x7ffff7288df1 in GrowInputBuffer wolfssl/src/internal.c:10649:18
SUMMARY: AddressSanitizer: heap-buffer-overflow (wolfssl/src/.libs/libwolfssl.so.42+0xd4719e)
Reproduction steps
Unfortunately, I cannot provide any reproduction instructions right now since the testing setup is quite involved. If you are unable to identify the root cause and need further assistance, please reach out, and I will do my best to provide additional information.
Relevant log output
No response
Version
5.7.0