Bug 1652634 - There is a memory exhaustion vulnerability at libxsmm_sparse_csc_reader src/generator_spgemm_csc_reader.c:123 in libxsmm that will cause a DoS attack.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: libxsmm
Version: rawhide
Hardware: All
OS: All
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Dave Love
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-11-22 13:43 UTC by shuitao gan
Modified: 2018-11-22 15:37 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-22 15:37:17 UTC
Type: Bug
Embargoed:


Attachments
../../libxsmm-master/bin/libxsmm_gemm_generator sparse b a 10 10 10 1 1 1 1 1 1 0 wsm nopf SP POC2 (24 bytes, text/plain)
2018-11-22 13:43 UTC, shuitao gan

Description shuitao gan 2018-11-22 13:43:42 UTC
Created attachment 1507970 [details]
../../libxsmm-master/bin/libxsmm_gemm_generator  sparse b a 10 10 10 1 1 1 1 1 1 0 wsm nopf SP POC2

version: libxsmm release-1.10
summary: 

There is a memory exhaustion vulnerability at libxsmm_sparse_csc_reader src/generator_spgemm_csc_reader.c:123 in libxsmm that will cause a DoS attack.

Description:

The asan debug is as follows:
$ ../../libxsmm-master/bin/libxsmm_gemm_generator  sparse b a 10 10 10 1 1 1 1 1 1 0 wsm nopf SP POC2
Killed


The asan debug is as follows:

$./libxsmm_gemm_generator_asan sparse b a 10 10 10 1 1 1 1 1 1 0 wsm nopf SP POC2

==52205==ERROR: AddressSanitizer failed to allocate 0x12c8c6000 (5042364416) bytes of LargeMmapAllocator (errno: 12)
==52205==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0x7f2cb774f9c1  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa09c1)
    #1 0x7f2cb7754973 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa5973)
    #2 0x7f2cb775c981  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xad981)
    #3 0x7f2cb76d206c  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x2306c)
    #4 0x7f2cb7747977 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98977)
    #5 0x443fc9 in libxsmm_sparse_csc_reader src/generator_spgemm_csc_reader.c:123
    #6 0x405751 in libxsmm_generator_spgemm src/generator_spgemm.c:279
    #7 0x40225a in main src/libxsmm_generator_gemm_driver.c:318
    #8 0x7f2cb70e7a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #9 0x402ea8 in _start (/home/company/real_sanitize/poc_check/libxsmm/libxsmm_gemm_generator_asan+0x402ea8)
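The failing malloc above sits in the CSC reader, so its size is derived from whatever the input file claims. As an added example (not libxsmm's code), the following C routine shows the kind of pre-allocation check such a reader can make: it parses an assumed Matrix Market style "rows cols nnz" size line, computes the bytes the three CSC arrays would need with overflow-checked arithmetic, and refuses requests above a caller-supplied cap instead of passing them to malloc. The array layout (nnz doubles, nnz unsigned row indices, cols+1 unsigned column pointers), the cap and all sample size lines are assumptions constructed for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for the pre-allocation size check. */
enum { CSC_SIZE_OK = 0, CSC_SIZE_MALFORMED = -1,
       CSC_SIZE_OVERFLOW = -2, CSC_SIZE_TOO_LARGE = -3 };

/* Assumed cap: 256 MiB is ample for a generator input; a larger request is far
 * more likely to come from a corrupt or hostile file than a real matrix. */
#define CSC_ALLOC_CAP_BYTES ((size_t)256 * 1024 * 1024)

/* Bytes needed for the assumed CSC layout: nnz doubles for values, nnz unsigned
 * row indices and cols+1 unsigned column pointers. Every product and sum is
 * checked against SIZE_MAX first, so a huge nnz cannot wrap the request into a
 * small number whose buffer would later be overrun. */
static int csc_bytes_needed(unsigned long long cols, unsigned long long nnz,
                            size_t *out) {
    const size_t idx = sizeof(unsigned int), val = sizeof(double);
    if (nnz > SIZE_MAX / val || nnz > SIZE_MAX / idx) return CSC_SIZE_OVERFLOW;
    if (cols > SIZE_MAX / idx - 1) return CSC_SIZE_OVERFLOW;
    size_t values = (size_t)nnz * val, rowidx = (size_t)nnz * idx;
    size_t colptr = ((size_t)cols + 1) * idx;
    if (values > SIZE_MAX - rowidx) return CSC_SIZE_OVERFLOW;
    size_t total = values + rowidx;
    if (colptr > SIZE_MAX - total) return CSC_SIZE_OVERFLOW;
    *out = total + colptr;
    return CSC_SIZE_OK;
}

/* Validates a "rows cols nnz" size line before any allocation: the fields must
 * parse, rows and cols must be non-zero, nnz must not exceed rows*cols, and the
 * byte count must fit in size_t and stay within cap. *bytes is filled whenever
 * the arithmetic succeeds, so a caller can log the size of a rejected request. */
int csc_check_size_line(const char *line, size_t cap, size_t *bytes) {
    unsigned long long rows, cols, nnz;
    if (sscanf(line, "%llu %llu %llu", &rows, &cols, &nnz) != 3) return CSC_SIZE_MALFORMED;
    if (rows == 0 || cols == 0) return CSC_SIZE_MALFORMED;
    /* If rows*cols would overflow it certainly exceeds nnz, so skip the compare. */
    if (cols <= ULLONG_MAX / rows && nnz > rows * cols) return CSC_SIZE_MALFORMED;
    int rc = csc_bytes_needed(cols, nnz, bytes);
    if (rc != CSC_SIZE_OK) return rc;
    return (*bytes > cap) ? CSC_SIZE_TOO_LARGE : CSC_SIZE_OK;
}
```

A constructed size line of "1000000 1000000 419863701" yields exactly the 5042364416 bytes the sanitizer reported under this assumed layout and is rejected as too large before malloc is ever reached.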

Comment 1 Dave Love 2018-11-22 15:37:17 UTC
Exhausting memory in a development program can't be a DoS attack regardless of whether this is something in Fedora.

