FPREncodePerfSessions causes heap-buffer overflow #8849

Closed
shieldh opened this issue Oct 21, 2021 · 0 comments · Fixed by #8872
shieldh commented Oct 21, 2021

[REQUIRED] Step 1: Describe your environment

  • Xcode version: 12.5.1
  • Firebase SDK version: 8.7.0
  • Installation method: CocoaPods
  • Firebase Component: Performance

[REQUIRED] Step 2: Describe the problem

Steps to reproduce:

While running an app that includes Firebase Performance with the Address Sanitizer on, a heap-buffer-overflow was reported in FPREncodePerfSessions() (FPRNanoPbUtils.m:224).

FPREncodePerfSessions() is allocating an array of size 0 and then sets a value for the first element of this array.
I believe that line 226:
perfSessions[perfSessionIndex].session_verbosity_count = 1;
should be moved up to line 221, just before:
perfSessions[perfSessionIndex].session_verbosity = calloc(perfSessions[perfSessionIndex].session_verbosity_count, sizeof(firebase_perf_v1_SessionVerbosity));

What follows is a full copy of the console log:

2021-10-21 23:02:49.681735+0200 Runner[384:9452] 
2021-10-21 23:02:49.681785+0200 Runner[384:9452] Thread T1 created by T0 here:
2021-10-21 23:02:49.681846+0200 Runner[384:9452]     <empty stack>
2021-10-21 23:02:49.682064+0200 Runner[384:9452] 
2021-10-21 23:02:49.682203+0200 Runner[384:9452] SUMMARY: AddressSanitizer: heap-buffer-overflow (/private/var/containers/Bundle/Application/A73A6C74-6EC4-4778-9796-85F93E8084F1/Runner.app/Frameworks/FirebasePerformance.framework/FirebasePerformance:arm64+0x45eb8) in __FPREncodePerfSessions_block_invoke+0x77c
==384==ABORTING
Warning: hit breakpoint while running function, skipping commands and conditions to prevent recursion.
AddressSanitizer report breakpoint hit. Use 'thread info -s' to get extended information about the report.
(lldb) thread info -s
thread #2: tid = 0x24ec, 0x0000000100c10b10 libclang_rt.asan_ios_dynamic.dylib`__asan::AsanDie(), queue = 'com.google.perf.FPREventsQueue', stop reason = Heap buffer overflow

{
  "access_size": 4,
  "access_type": 1,
  "address": 6082886288,
  "description": "heap-buffer-overflow",
  "instrumentation_class": "AddressSanitizer",
  "pc": 4371455676,
  "stop_type": "fatal_error"
}
(lldb)

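As an added illustration (not code from the issue or from the Firebase SDK), the two orderings described in the report, run on a stand-in for the nanopb-generated session struct. The type and field names here are assumptions, and the explicit bounds check stands in for the check ASan performed at runtime for the reporter:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-ins for the generated firebase_perf_v1_* types. */
typedef struct { int32_t which_verbosity; } SessionVerbosity;
typedef struct {
    size_t session_verbosity_count;
    SessionVerbosity *session_verbosity;
} PerfSession;

/* Bounds-checked element write: refuses any index the count does not cover. */
static bool set_verbosity(PerfSession *s, size_t idx, int32_t v) {
    if (s->session_verbosity == NULL || idx >= s->session_verbosity_count) return false;
    s->session_verbosity[idx].which_verbosity = v;
    return true;
}

/* Ordering from the report: calloc runs while count is still 0, so the
 * allocation is empty and the write to element 0 is out of bounds. */
static bool encode_session_reported(PerfSession *s, int32_t v) {
    s->session_verbosity = calloc(s->session_verbosity_count, sizeof(SessionVerbosity));
    bool ok = set_verbosity(s, 0, v);   /* rejected: nothing was allocated */
    s->session_verbosity_count = 1;     /* too late: count now overstates the allocation */
    return ok;
}

/* Proposed ordering: set the count first, size the allocation from it,
 * then write. Allocation failure leaves count at 0 so nothing overstates it. */
static bool encode_session_fixed(PerfSession *s, int32_t v) {
    s->session_verbosity_count = 1;
    s->session_verbosity = calloc(s->session_verbosity_count, sizeof(SessionVerbosity));
    if (s->session_verbosity == NULL) { s->session_verbosity_count = 0; return false; }
    return set_verbosity(s, 0, v);
}

/* Runs one ordering on a zero-initialised session and returns the stored
 * value, or -1 if the write was rejected as out of bounds. */
static int32_t run_ordering(bool (*encode)(PerfSession *, int32_t)) {
    PerfSession s = {0};
    int32_t result = encode(&s, 7) ? s.session_verbosity[0].which_verbosity : -1;
    free(s.session_verbosity);   /* free() accepts NULL and zero-length blocks alike */
    return result;
}
```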