
stack-buffer-overflow in void FerretCOT<T>::read_pre_data128_from_file #89

Open
merlinhuahua opened this issue Apr 3, 2024 · 0 comments

Comments


merlinhuahua commented Apr 3, 2024

Description

stack-buffer-overflow in void FerretCOT<T>::read_pre_data128_from_file

emp-ot/emp-ot/ferret/ferret_cot.hpp:199 emp::FerretCOT<emp::NetIO>::read_pre_data128_from_file


Version

commit: eb0daf2a7a88c44b419f6d1276dc19e66f80776f

Replay

Add the following configuration in CMakeLists.txt

set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -lrt -fsanitize=address -g -fprofile-arcs -ftest-coverage")

Recompile

make clean
cmake .
make

Run the test in the emp-ot directory

./run ./bin/test_ot logn

ASAN

==94164==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcaefaca64 at pc 0x7fdd438a87cf bp 0x7ffcaefac9a0 sp 0x7ffcaefac148
WRITE of size 8 at 0x7ffcaefaca64 thread T0
    #0 0x7fdd438a87ce in __interceptor_fread ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1046
    #1 0x564e0ec8f6f7 in fread /usr/include/x86_64-linux-gnu/bits/stdio2.h:297
    #2 0x564e0ec8f6f7 in emp::FileIO::recv_data_internal(void*, int) /usr/local/include/emp-tool/io/file_io_channel.h:50
    #3 0x564e0ecbbc34 in emp::IOChannel<emp::FileIO>::recv_data(void*, unsigned long) /usr/local/include/emp-tool/io/io_channel.h:19
    #4 0x564e0ecbbc34 in emp::FerretCOT<emp::NetIO>::read_pre_data128_from_file(void*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/zw/emp-ot/emp-ot/ferret/ferret_cot.hpp:199
    #5 0x564e0ece908f in emp::FerretCOT<emp::NetIO>::setup(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/zw/emp-ot/emp-ot/ferret/ferret_cot.hpp:114
    #6 0x564e0eced696 in emp::FerretCOT<emp::NetIO>::FerretCOT(int, int, emp::NetIO**, bool, bool, emp::PrimalLPNParameter, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/zw/emp-ot/emp-ot/ferret/ferret_cot.hpp:24
    #7 0x564e0ec79cfd in main /home/zw/emp-ot/test/ot.cpp:33
    #8 0x7fdd42d33082 in __libc_start_main ../csu/libc-start.c:308
    #9 0x564e0ec7b07d in _start (/home/zw/emp-ot/bin/test_ot+0x3607d)

Address 0x7ffcaefaca64 is located in stack of thread T0 at offset 36 in frame
    #0 0x564e0ecbb9bf in emp::FerretCOT<emp::NetIO>::read_pre_data128_from_file(void*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/zw/emp-ot/emp-ot/ferret/ferret_cot.hpp:196

  This frame has 6 object(s):
    [32, 36) 'in_party' (line 198) <== Memory access at offset 36 overflows this variable
    [48, 56) 'nin' (line 203)
    [80, 88) 'tin' (line 203)
    [112, 120) 'kin' (line 203)
    [144, 160) 'delta' (line 201)
    [176, 216) 'fio' (line 197)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1046 in __interceptor_fread
Shadow bytes around the buggy address:
  0x100015ded8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100015ded900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100015ded910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100015ded920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100015ded930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100015ded940: 00 00 00 00 00 00 00 00 f1 f1 f1 f1[04]f2 00 f2
  0x100015ded950: f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 00 f2 f2 00 00
  0x100015ded960: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x100015ded970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100015ded980: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 01 f2 01 f2
  0x100015ded990: f8 f2 f8 f2 f8 f2 f2 f2 f8 f2 f2 f2 00 00 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==94164==ABORTING

==94168==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe1879bc14 at pc 0x7f741bcc97cf bp 0x7ffe1879bb50 sp 0x7ffe1879b2f8
WRITE of size 8 at 0x7ffe1879bc14 thread T0
    #0 0x7f741bcc97ce in __interceptor_fread ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1046
    #1 0x55fbc1f376f7 in fread /usr/include/x86_64-linux-gnu/bits/stdio2.h:297
    #2 0x55fbc1f376f7 in emp::FileIO::recv_data_internal(void*, int) /usr/local/include/emp-tool/io/file_io_channel.h:50
    #3 0x55fbc1f63c34 in emp::IOChannel<emp::FileIO>::recv_data(void*, unsigned long) /usr/local/include/emp-tool/io/io_channel.h:19
    #4 0x55fbc1f63c34 in emp::FerretCOT<emp::NetIO>::read_pre_data128_from_file(void*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/zw/emp-ot/emp-ot/ferret/ferret_cot.hpp:199
    #5 0x55fbc1f9108f in emp::FerretCOT<emp::NetIO>::setup(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/zw/emp-ot/emp-ot/ferret/ferret_cot.hpp:114
    #6 0x55fbc1f943aa in emp::FerretCOT<emp::NetIO>::setup(long long __vector(2), std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/zw/emp-ot/emp-ot/ferret/ferret_cot.hpp:86
    #7 0x55fbc1f95b42 in emp::FerretCOT<emp::NetIO>::FerretCOT(int, int, emp::NetIO**, bool, bool, emp::PrimalLPNParameter, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/zw/emp-ot/emp-ot/ferret/ferret_cot.hpp:23
    #8 0x55fbc1f21cfd in main /home/zw/emp-ot/test/ot.cpp:33
    #9 0x7f741b154082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x55fbc1f2307d in _start (/home/zw/emp-ot/bin/test_ot+0x3607d)

Address 0x7ffe1879bc14 is located in stack of thread T0 at offset 36 in frame
    #0 0x55fbc1f639bf in emp::FerretCOT<emp::NetIO>::read_pre_data128_from_file(void*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/zw/emp-ot/emp-ot/ferret/ferret_cot.hpp:196

  This frame has 6 object(s):
    [32, 36) 'in_party' (line 198) <== Memory access at offset 36 overflows this variable
    [48, 56) 'nin' (line 203)
    [80, 88) 'tin' (line 203)
    [112, 120) 'kin' (line 203)
    [144, 160) 'delta' (line 201)
    [176, 216) 'fio' (line 197)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1046 in __interceptor_fread
Shadow bytes around the buggy address:
  0x1000430eb730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000430eb740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000430eb750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000430eb760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000430eb770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
=>0x1000430eb780: f1 f1[04]f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2
  0x1000430eb790: 00 00 f2 f2 00 00 00 00 00 f3 f3 f3 f3 f3 00 00
  0x1000430eb7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000430eb7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x1000430eb7c0: f1 f1 01 f2 01 f2 f8 f2 f8 f2 f8 f2 f2 f2 f8 f2
  0x1000430eb7d0: f2 f2 00 00 f2 f2 00 00 00 00 00 00 00 00 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==94168==ABORTING

Environment

Description: Ubuntu 20.04.6 LTS
gcc (Ubuntu 10.5.0-1ubuntu1~20.04) 10.5.0

Credit

Wen Zeng Fudan University DSGLAB

@merlinhuahua merlinhuahua changed the title stack-buffer-overflow in void FerretCOT<T>::write_pre_data128_to_file stack-buffer-overflow in void FerretCOT<T>::read_pre_data128_from_file Apr 3, 2024
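Editor's note on the report above. The ASan frame listing is the whole story: an 8-byte WRITE lands on 'in_party', a 4-byte object at [32, 36) declared on line 198, and the write is issued by the recv_data call on line 199, so the read length and the destination width disagree by four bytes. The C++ below is an added example, not emp-ot's code, that puts that pattern next to a reader where the length is derived from the destination, short reads are treated as errors, and the party id and parameters are validated before use. The PreHeader layout, the function names, and the sample values are assumptions made for illustration and are not emp-ot's on-disk format.

```cpp
#include <cstdint>
#include <cstdio>

// Header layout assumed for this example: a party id followed by three
// int64 parameters. Constructed for illustration; not emp-ot's real format.
struct PreHeader {
    int64_t party;
    int64_t n;
    int64_t t;
    int64_t k;
};

// Write each field at its declared width.
static bool write_header(FILE* f, const PreHeader& h) {
    return std::fwrite(&h.party, 1, sizeof(h.party), f) == sizeof(h.party) &&
           std::fwrite(&h.n, 1, sizeof(h.n), f) == sizeof(h.n) &&
           std::fwrite(&h.t, 1, sizeof(h.t), f) == sizeof(h.t) &&
           std::fwrite(&h.k, 1, sizeof(h.k), f) == sizeof(h.k);
}

// BUGGY reader: the destination is a 4-byte int but the requested length is
// sizeof(int64_t), so fread writes 4 bytes past the end of in_party. This is
// the shape ASan flagged above (an 8-byte WRITE into a [32, 36) stack object).
// Kept only to show the pattern; nothing below calls it.
int read_party_buggy(FILE* f) {
    int in_party;
    std::fread(&in_party, 1, sizeof(int64_t), f);
    return in_party;
}

// Read exactly sizeof(T) bytes into out. The length comes from the destination,
// so the two cannot disagree, and a short read is an error, not a half-filled local.
template <typename T>
static bool read_exact(FILE* f, T& out) {
    return std::fread(&out, 1, sizeof(T), f) == sizeof(T);
}

// FIXED reader: width-matched locals, short reads rejected, party id and
// parameters validated before anything downstream trusts them.
static bool read_header_checked(FILE* f, int64_t expected_party,
                                const PreHeader& expected, PreHeader& out) {
    if (!read_exact(f, out.party) || out.party != expected_party) return false;
    if (!read_exact(f, out.n) || !read_exact(f, out.t) || !read_exact(f, out.k))
        return false;
    return out.n == expected.n && out.t == expected.t && out.k == expected.k;
}

// Temporary file holding the first len bytes of bytes, rewound for reading.
// PreHeader is four int64 fields with no padding, so its raw bytes match the
// field-by-field layout written by write_header.
static FILE* file_from_bytes(const void* bytes, size_t len) {
    FILE* f = std::tmpfile();
    if (f == nullptr) return nullptr;
    if (std::fwrite(bytes, 1, len, f) != len) { std::fclose(f); return nullptr; }
    std::rewind(f);
    return f;
}

// Constructed sample parameters used by the demos below.
static const PreHeader kSample{1, 1024, 16, 128};

// Well-formed file: the checked reader accepts it and returns the fields.
bool demo_valid_header() {
    FILE* f = std::tmpfile();
    if (f == nullptr || !write_header(f, kSample)) return false;
    std::rewind(f);
    PreHeader got{};
    bool ok = read_header_checked(f, 1, kSample, got) && got.n == 1024 && got.k == 128;
    std::fclose(f);
    return ok;
}

// Truncated file: only 4 bytes of the party field exist. The checked reader
// fails the short read instead of returning garbage.
bool demo_truncated_rejected() {
    FILE* f = file_from_bytes(&kSample, 4);
    if (f == nullptr) return false;
    PreHeader got{};
    bool rejected = !read_header_checked(f, 1, kSample, got);
    std::fclose(f);
    return rejected;
}

// Party id 2 stored, party 1 expected: rejected before the parameters are read.
bool demo_wrong_party_rejected() {
    PreHeader other = kSample;
    other.party = 2;
    FILE* f = file_from_bytes(&other, sizeof(other));
    if (f == nullptr) return false;
    PreHeader got{};
    bool rejected = !read_header_checked(f, 1, kSample, got);
    std::fclose(f);
    return rejected;
}

int main() {
    std::printf("valid: %d truncated-rejected: %d wrong-party-rejected: %d\n",
                demo_valid_header(), demo_truncated_rejected(), demo_wrong_party_rejected());
    return 0;
}
```

Build the example with -fsanitize=address as the report's Replay section does; read_party_buggy is left uncalled because calling it reproduces exactly the stack-buffer-overflow above, while the three demos exercise the checked reader on a good file, a truncated file, and a file carrying the other party's id.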