bug-recutils
From: wcventure
Subject: [bug-recutils] Double free and Invalid free in rec_comment_destroy function in rec-comment.c
Date: Wed, 27 Mar 2019 16:09:31 +0800 (GMT+08:00)

Hi there, 

Our fuzzer found some double free and invalid free issues in the rec_comment_destroy function in rec-comment.c, in the recent release version. A crafted rec file can cause segmentation faults, and I have confirmed them with AddressSanitizer too.

Please use "./recfix $POC" to reproduce the bug.

For the double free, ASAN dumps the backtrace as follows:

==86921==ERROR: AddressSanitizer: attempting double-free on 0x602000001630 in thread T0:
    #0 0x4dc1d0 in __interceptor_free.localalias.0 /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68
    #1 0x7fcdc0077a9a in rec_comment_destroy /home/wencheng/FuzzingObject/recutils-1.8/src/rec-comment.c:49:3
    #2 0x7fcdc008374a in rec_rset_comment_disp_fn /home/wencheng/FuzzingObject/recutils-1.8/src/rec-rset.c:1031:3
    #3 0x7fcdc0066e88 in rec_mset_elem_destroy /home/wencheng/FuzzingObject/recutils-1.8/src/rec-mset.c:905:11
    #4 0x7fcdc0066e88 in rec_mset_elem_dispose_fn /home/wencheng/FuzzingObject/recutils-1.8/src/rec-mset.c:814
    #5 0x7fcdc011084d in gl_array_list_free /home/wencheng/FuzzingObject/recutils-1.8/lib/gl_array_list.c:436:17
    #6 0x7fcdc00671e5 in gl_list_free /home/wencheng/FuzzingObject/recutils-1.8/src/../lib/gl_list.h:760:3
    #7 0x7fcdc00671e5 in rec_mset_destroy /home/wencheng/FuzzingObject/recutils-1.8/src/rec-mset.c:152
    #8 0x7fcdc00832d4 in rec_rset_destroy /home/wencheng/FuzzingObject/recutils-1.8/src/rec-rset.c:263:7
    #9 0x7fcdc00a5538 in rec_parse_rset /home/wencheng/FuzzingObject/recutils-1.8/src/rec-parser.c:612:7
    #10 0x515d85 in recutl_parse_db_from_file /home/wencheng/FuzzingObject/recutils-1.8/utils/recutl.c:246:10
    #11 0x516b00 in recutl_read_db_from_file /home/wencheng/FuzzingObject/recutils-1.8/utils/recutl.c:376:8
    #12 0x51a167 in recfix_do_check /home/wencheng/FuzzingObject/recutils-1.8/utils/recfix.c:362:8
    #13 0x51a167 in main /home/wencheng/FuzzingObject/recutils-1.8/utils/recfix.c:548
    #14 0x7fcdbee5d82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #15 0x41c478 in _start (/home/wencheng/FuzzingObject/recutils-1.8/build/bin/recfix+0x41c478)

0x602000001630 is located 0 bytes inside of 1-byte region [0x602000001630,0x602000001631)
freed by thread T0 here:
    #0 0x4dc1d0 in __interceptor_free.localalias.0 /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68
    #1 0x7fcdc0077a9a in rec_comment_destroy /home/wencheng/FuzzingObject/recutils-1.8/src/rec-comment.c:49:3

previously allocated by thread T0 here:
    #0 0x439040 in __strdup /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_interceptors.cc:423
    #1 0x7fcdc007799f in rec_comment_new /home/wencheng/FuzzingObject/recutils-1.8/src/rec-comment.c:43:10
    #2 0x7fcdc00a4c29 in rec_parse_rset /home/wencheng/FuzzingObject/recutils-1.8/src/rec-parser.c:549:11
    #3 0x515d85 in recutl_parse_db_from_file /home/wencheng/FuzzingObject/recutils-1.8/utils/recutl.c:246:10
    #4 0x516b00 in recutl_read_db_from_file /home/wencheng/FuzzingObject/recutils-1.8/utils/recutl.c:376:8
    #5 0x7fcdbee5d82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: double-free /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68 in __interceptor_free.localalias.0
==86921==ABORTING
Aborted


For the invalid free, ASAN dumps the backtrace as follows:

==106947==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000421d33 bp 0x7ffdb3f5f8e0 sp 0x7ffdb3f5f890 T0)
==106947==The signal is caused by a READ memory access.
==106947==Hint: address points to the zero page.
    #0 0x421d32 in bool __sanitizer::atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t volatile*, __sanitizer::atomic_uint8_t::Type*, __sanitizer::atomic_uint8_t::Type, __sanitizer::memory_order) /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81
    #1 0x421d32 in __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_allocator.cc:540
    #2 0x421d32 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_allocator.cc:617
    #3 0x421d32 in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_allocator.cc:847
    #4 0x4dc1aa in __interceptor_free.localalias.0 /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71
    #5 0x7f2659701a9a in rec_comment_destroy /home/wencheng/FuzzingObject/recutils-1.8/src/rec-comment.c:49:3
    #6 0x7f265970d74a in rec_rset_comment_disp_fn /home/wencheng/FuzzingObject/recutils-1.8/src/rec-rset.c:1031:3
    #7 0x7f26596f0e88 in rec_mset_elem_destroy /home/wencheng/FuzzingObject/recutils-1.8/src/rec-mset.c:905:11
    #8 0x7f26596f0e88 in rec_mset_elem_dispose_fn /home/wencheng/FuzzingObject/recutils-1.8/src/rec-mset.c:814
    #9 0x7f265979a84d in gl_array_list_free /home/wencheng/FuzzingObject/recutils-1.8/lib/gl_array_list.c:436:17
    #10 0x7f26596f11e5 in gl_list_free /home/wencheng/FuzzingObject/recutils-1.8/src/../lib/gl_list.h:760:3
    #11 0x7f26596f11e5 in rec_mset_destroy /home/wencheng/FuzzingObject/recutils-1.8/src/rec-mset.c:152
    #12 0x7f265970d2d4 in rec_rset_destroy /home/wencheng/FuzzingObject/recutils-1.8/src/rec-rset.c:263:7
    #13 0x7f265972f538 in rec_parse_rset /home/wencheng/FuzzingObject/recutils-1.8/src/rec-parser.c:612:7
    #14 0x515d85 in recutl_parse_db_from_file /home/wencheng/FuzzingObject/recutils-1.8/utils/recutl.c:246:10
    #15 0x516b00 in recutl_read_db_from_file /home/wencheng/FuzzingObject/recutils-1.8/utils/recutl.c:376:8
    #16 0x51a167 in recfix_do_check /home/wencheng/FuzzingObject/recutils-1.8/utils/recfix.c:362:8
    #17 0x51a167 in main /home/wencheng/FuzzingObject/recutils-1.8/utils/recfix.c:548
    #18 0x7f26584e782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #19 0x41c478 in _start (/home/wencheng/FuzzingObject/recutils-1.8/build/bin/recfix+0x41c478)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in bool __sanitizer::atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t volatile*, __sanitizer::atomic_uint8_t::Type*, __sanitizer::atomic_uint8_t::Type, __sanitizer::memory_order)
==106947==ABORTING
Aborted

Attachment: POC.zip
Description: Zip compressed data

