Description:
Hello, I've found a heap-buffer-overflow while fuzzing the network_writefilter harness
Repro steps:
Run the fuzzing harness with crash_file
Call Stack:
==3155470==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621001788d00 at pc 0x000001799cc9 bp 0x7ffded62d110 sp 0x7ffded62c8d8
READ of size 4024 at 0x621001788d00 thread T0
#0 0x1799cc8 in __interceptor_strlen /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:389:5
#1 0x44c94e8 in length /usr/local/bin/../include/c++/v1/__string:355:14
#2 0x44c94e8 in basic_string<std::nullptr_t> /usr/local/bin/../include/c++/v1/string:793:19
#3 0x44c94e8 in Envoy::Extensions::NetworkFilters::MongoProxy::Bson::BufferHelper::removeString(Envoy::Buffer::Instance&) /proc/self/cwd/source/extensions/filters/network/mongo_proxy/bson_impl.cc:101:15
#4 0x44d12ab in Envoy::Extensions::NetworkFilters::MongoProxy::Bson::DocumentImpl::fromBuffer(Envoy::Buffer::Instance&) /proc/self/cwd/source/extensions/filters/network/mongo_proxy/bson_impl.cc:410:27
#5 0x44a4281 in Envoy::Extensions::NetworkFilters::MongoProxy::Bson::DocumentImpl::create(Envoy::Buffer::Instance&) /proc/self/cwd/./source/extensions/filters/network/mongo_proxy/bson_impl.h:187:14
#6 0x44aeea6 in Envoy::Extensions::NetworkFilters::MongoProxy::CommandMessageImpl::fromBuffer(unsigned int, Envoy::Buffer::Instance&) /proc/self/cwd/source/extensions/filters/network/mongo_proxy/codec_impl.cc:241:30
#7 0x44b869b in Envoy::Extensions::NetworkFilters::MongoProxy::DecoderImpl::decode(Envoy::Buffer::Instance&) /proc/self/cwd/source/extensions/filters/network/mongo_proxy/codec_impl.cc:411:14
#8 0x44bb339 in Envoy::Extensions::NetworkFilters::MongoProxy::DecoderImpl::onData(Envoy::Buffer::Instance&) /proc/self/cwd/source/extensions/filters/network/mongo_proxy/codec_impl.cc:433:31
#9 0x44980cf in Envoy::Extensions::NetworkFilters::MongoProxy::ProxyFilter::doDecode(Envoy::Buffer::Instance&) /proc/self/cwd/source/extensions/filters/network/mongo_proxy/proxy.cc:339:15
#10 0x449903a in Envoy::Extensions::NetworkFilters::MongoProxy::ProxyFilter::onWrite(Envoy::Buffer::Instance&, bool) /proc/self/cwd/source/extensions/filters/network/mongo_proxy/proxy.cc:386:3
#11 0x191d581 in Envoy::Extensions::NetworkFilters::UberWriteFilterFuzzer::fuzz(envoy::config::listener::v3::Filter const&, google::protobuf::RepeatedPtrField<test::extensions::filters::network::WriteAction> const&) /proc/self/cwd/test/extensions/filters/network/common/fuzz/uber_writefilter.cc:99:22
#12 0x18405d3 in TestOneProtoInput /proc/self/cwd/test/extensions/filters/network/common/fuzz/network_writefilter_fuzz_test.cc:49:12
#13 0x18405d3 in LLVMFuzzerTestOneInput /proc/self/cwd/test/extensions/filters/network/common/fuzz/network_writefilter_fuzz_test.cc:13:1
#14 0x1713bd3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#15 0x17133ba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
#16 0x1714a89 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19
#17 0x1715755 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5
#18 0x1703e6f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
#19 0x172e112 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#20 0x7f9715259082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#21 0x16f48ad in _start (/harness/network_writefilter_fuzz_test+0x16f48ad)
0x621001788d00 is located 0 bytes to the right of 4096-byte region [0x621001787d00,0x621001788d00)
allocated by thread T0 here:
#0 0x1804f46 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x18a1c14 in operator new(unsigned long) (/harness/network_writefilter_fuzz_test+0x18a1c14)
#2 0x4d73994 in Envoy::Buffer::OwnedImpl::addImpl(void const*, unsigned long) /proc/self/cwd/source/common/buffer/buffer_impl.cc:31:28
#3 0x4d7626f in Envoy::Buffer::OwnedImpl::add(void const*, unsigned long) /proc/self/cwd/source/common/buffer/buffer_impl.cc:53:56
#4 0x4d770f6 in Envoy::Buffer::OwnedImpl::add(Envoy::Buffer::Instance const&) /proc/self/cwd/source/common/buffer/buffer_impl.cc:65:5
#5 0x449902f in Envoy::Extensions::NetworkFilters::MongoProxy::ProxyFilter::onWrite(Envoy::Buffer::Instance&, bool) /proc/self/cwd/source/extensions/filters/network/mongo_proxy/proxy.cc:385:17
#6 0x191d581 in Envoy::Extensions::NetworkFilters::UberWriteFilterFuzzer::fuzz(envoy::config::listener::v3::Filter const&, google::protobuf::RepeatedPtrField<test::extensions::filters::network::WriteAction> const&) /proc/self/cwd/test/extensions/filters/network/common/fuzz/uber_writefilter.cc:99:22
#7 0x18405d3 in TestOneProtoInput /proc/self/cwd/test/extensions/filters/network/common/fuzz/network_writefilter_fuzz_test.cc:49:12
#8 0x18405d3 in LLVMFuzzerTestOneInput /proc/self/cwd/test/extensions/filters/network/common/fuzz/network_writefilter_fuzz_test.cc:13:1
#9 0x1713bd3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#10 0x17133ba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
#11 0x1714a89 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19
#12 0x1715755 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5
#13 0x1703e6f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
#14 0x172e112 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#15 0x7f9715259082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:389:5 in __interceptor_strlen
Shadow bytes around the buggy address:
0x0c42802e9150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42802e9160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42802e9170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42802e9180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42802e9190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c42802e91a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c42802e91b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c42802e91c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c42802e91d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c42802e91e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c42802e91f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3155470==ABORTING
MS: 5 Custom-Custom-CustomCrossOver-CopyPart-Custom-; base unit: 4e27d543f2ead188503681a92e8a49c7a8a06e85
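The trace shows strlen() being reached from a std::string constructor inside BufferHelper::removeString (bson_impl.cc:101), reading 4024 bytes past the end of a 4096-byte region that ProxyFilter::onWrite had copied from the write buffer. The shape is an unbounded scan for a NUL terminator over bytes that are not guaranteed to contain one. The following is an added example, not Envoy's code, contrasting that shape with a bounded read that searches only the bytes the buffer owns and rejects an unterminated string; RawBuffer, removeStringBounded and parseCStrings are constructed names.

```cpp
#include <cstddef>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

// Constructed stand-in for a network buffer slice: raw bytes with no guarantee
// of a trailing NUL, like data copied straight from the wire.
struct RawBuffer {
  std::vector<char> data;
};

// Unsafe shape (what the ASan trace reports): std::string's const char*
// constructor calls strlen(), which keeps scanning past the allocation whenever
// the input carries no NUL inside the buffer. Shown only to document the bug class.
std::string removeStringUnbounded(const RawBuffer& buf) {
  return std::string(buf.data.data());
}

// Bounded alternative: look for the terminator only within the bytes we own and
// report failure when it is absent, so the caller can reject the message.
std::optional<std::string> removeStringBounded(const RawBuffer& buf, size_t& offset) {
  if (offset >= buf.data.size()) return std::nullopt;
  const char* start = buf.data.data() + offset;
  const size_t remaining = buf.data.size() - offset;
  const void* nul = std::memchr(start, '\0', remaining);
  if (nul == nullptr) return std::nullopt;  // malformed: no terminator in bounds
  const size_t len = static_cast<const char*>(nul) - start;
  offset += len + 1;  // consume the string and its NUL
  return std::string(start, len);
}

// Parse every cstring in the buffer; nullopt if any string is unterminated.
std::optional<std::vector<std::string>> parseCStrings(const RawBuffer& buf) {
  std::vector<std::string> out;
  size_t offset = 0;
  while (offset < buf.data.size()) {
    auto s = removeStringBounded(buf, offset);
    if (!s) return std::nullopt;
    out.push_back(*s);
  }
  return out;
}

// Constructed inputs: one well-formed pair of cstrings, one with no NUL at all.
const RawBuffer kTerminated{{'a', 'b', 'c', '\0', 'd', 'e', '\0'}};
const RawBuffer kUnterminated{{'x', 'y', 'z'}};
```

With the unterminated input, removeStringUnbounded would read until it happens to find a zero byte beyond the vector's storage, which is exactly the read ASan reports; removeStringBounded returns nullopt instead.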
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.
Title: network_writefilter: Heap-Buffer-Overflow