gnugo-devel

[gnugo-devel] [patch] fix use after free bug in mkpat


From: Hanno Böck
Subject: [gnugo-devel] [patch] fix use after free bug in mkpat
Date: Fri, 24 Jun 2016 23:17:19 +0200

Hi,

There is a use after free bug in the mkpat tool which is used during
compilation of gnu go.

This is the code in dfa.c:
  gpout->states[state].att = union_att(gpout, gpleft,
                gpleft->states[l].att, gpright, gpright->states[r].att);

The problem is that union_att calls realloc on gpout->states. Therefore
at the time the value is returned the gpout->states variable is no
longer valid and may point to unallocated memory.
The fix is to store the output of union_att into a temporary variable
and then set gpout->states[state].att to that. See attached patch.

Use after free bugs are often security issues, but in this case I don't
think this is the case, as this tool is only used during compilation
and probably not meant to be used on any untrusted input. Anyway, I'd
still consider this a bug that should be fixed, as it might cause
random compilation failures.

This bug was detected with address sanitizer (can be enabled by adding
"-fsanitize=address" to CFLAGS with gcc or clang). I'll paste the stack
trace from address sanitizer below.


==23183==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f7a0b8e372c 
at pc 0x418c9c bp 0x7ffcd3afa430 sp 0x7ffcd3afa428
WRITE of size 4 at 0x7f7a0b8e372c thread T0
    #0 0x418c9b in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:682
    #1 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #2 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #3 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #4 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #5 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #6 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #7 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #8 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #9 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #10 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #11 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #12 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #13 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #14 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #15 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #16 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #17 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #18 0x419455 in sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:741
    #19 0x41ab6f in dfa_finalize /mnt/ram/gnugo-3.9.1/patterns/dfa.c:958
    #20 0x4133bb in main /mnt/ram/gnugo-3.9.1/patterns/mkpat.c:2941
    #21 0x7f7a0e67078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #22 0x401ae8 in _start (/mnt/ram/gnugo-3.9.1/patterns/mkpat+0x401ae8)

0x7f7a0b8e372c is located 69420 bytes inside of 405000-byte region 
[0x7f7a0b8d2800,0x7f7a0b935608)
freed by thread T0 here:
    #0 0x7f7a0ef97c66 in __interceptor_realloc 
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x54c66)
    #1 0x415c97 in resize_dfa /mnt/ram/gnugo-3.9.1/patterns/dfa.c:258
    #2 0x41497b in union_att /mnt/ram/gnugo-3.9.1/patterns/dfa.c:125
    #3 0x418c62 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:682
    #4 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #5 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #6 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #7 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #8 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #9 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #10 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #11 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #12 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #13 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #14 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #15 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #16 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #17 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #18 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #19 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #20 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #21 0x419455 in sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:741
    #22 0x41ab6f in dfa_finalize /mnt/ram/gnugo-3.9.1/patterns/dfa.c:958
    #23 0x4133bb in main /mnt/ram/gnugo-3.9.1/patterns/mkpat.c:2941
    #24 0x7f7a0e67078f in __libc_start_main (/lib64/libc.so.6+0x2078f)

previously allocated by thread T0 here:
    #0 0x7f7a0ef97c66 in __interceptor_realloc 
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x54c66)
    #1 0x415c97 in resize_dfa /mnt/ram/gnugo-3.9.1/patterns/dfa.c:258
    #2 0x41903e in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:699
    #3 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #4 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #5 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #6 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #7 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #8 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #9 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #10 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #11 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #12 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #13 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #14 0x419455 in sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:741
    #15 0x41add7 in dfa_add_string /mnt/ram/gnugo-3.9.1/patterns/dfa.c:998
    #16 0x402b7f in write_to_dfa /mnt/ram/gnugo-3.9.1/patterns/mkpat.c:704
    #17 0x412ba7 in main /mnt/ram/gnugo-3.9.1/patterns/mkpat.c:2825
    #18 0x7f7a0e67078f in __libc_start_main (/lib64/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-use-after-free 
/mnt/ram/gnugo-3.9.1/patterns/dfa.c:682 do_sync_product


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: address@hidden
GPG: BBB51E42

Attachment: gnugo-3.9.1-uaf.diff
Description: Text Data

Attachment: pgpu2mctgrNEY.pgp
Description: OpenPGP digital signature
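
The pattern the report describes, as an added example that is not code from the report or from gnugo: a growable state table, a function that may reallocate it, and the assignment `table->states[i].att = f(table)` written both in the original order and with the temporary the patch introduces. The struct layout, the growth policy, what union_att computes and the input values are assumptions made for this example. Rather than writing through the stale address (undefined behaviour), the buggy variant records the address it would have written to and reports whether the table moved out from under it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the state table in gnugo's dfa.c.  The names
 * follow the report; the layout, growth policy and what union_att computes
 * are assumptions for this example. */
typedef struct { int att; } state_t;   /* att: the field written at dfa.c:682 */
typedef struct { state_t *states; size_t count, cap; } dfa_t;

static int dfa_init(dfa_t *d, size_t cap)
{
    d->states = calloc(cap, sizeof *d->states);
    d->count = 0;
    d->cap = cap;
    return d->states ? 0 : -1;
}

static void dfa_free(dfa_t *d)
{
    free(d->states);
    d->states = NULL;
}

/* Grow the table, as resize_dfa does with realloc.  A realloc may or may not
 * move the block, which is why the original bug is intermittent; allocating
 * the new block while the old one is still live forces a move every time. */
static int resize_dfa(dfa_t *d, size_t need)
{
    size_t ncap = d->cap ? d->cap : 1;
    state_t *n;
    if (need <= d->cap) return 0;
    while (ncap < need) ncap *= 2;
    n = calloc(ncap, sizeof *n);
    if (!n) return -1;
    memcpy(n, d->states, d->count * sizeof *n);
    free(d->states);   /* every pointer into the old block is now dangling */
    d->states = n;
    d->cap = ncap;
    return 0;
}

/* Stand-in for union_att: it creates a new entry, here by appending a state,
 * so it may resize the table.  Returns the new index, or -1 on failure. */
static int union_att(dfa_t *d, int att_left, int att_right)
{
    if (resize_dfa(d, d->count + 1) != 0) return -1;
    d->states[d->count].att = att_left | att_right;
    return (int)d->count++;
}

/* The original statement
 *     gpout->states[state].att = union_att(gpout, ...);
 * has unsequenced operands (C11 6.5.16p3): the compiler may compute
 * &gpout->states[state] before the call, and that address then lies in
 * the block the call freed (the WRITE in the ASan trace).  This function
 * uses that order explicitly but checks the address instead of writing
 * through it.  Returns 1 for a would-be use after free, 0 otherwise. */
static int assign_buggy_order(dfa_t *d, size_t state, int l, int r)
{
    uintptr_t dest = (uintptr_t)&d->states[state];   /* lvalue first */
    int att = union_att(d, d->states[l].att, d->states[r].att);
    if (att < 0) return -1;
    if (dest != (uintptr_t)&d->states[state]) return 1;
    d->states[state].att = att;
    return 0;
}

/* The fix from the report: let the call finish, then index the table again
 * through the (possibly updated) states pointer. */
static int assign_fixed(dfa_t *d, size_t state, int l, int r)
{
    int att = union_att(d, d->states[l].att, d->states[r].att);
    if (att < 0) return -1;
    d->states[state].att = att;
    return 0;
}

/* Run one variant on a constructed, full two-state table so the call inside
 * the assignment must grow it.  Buggy order: returns 1 (address went stale).
 * Fixed order: returns the index of the new entry, 2. */
static int run_demo(int use_fix)
{
    dfa_t d; int rc;
    if (dfa_init(&d, 2) != 0) return -1;
    d.states[0].att = 1; d.states[1].att = 2; d.count = 2;
    rc = use_fix ? assign_fixed(&d, 0, 0, 1) : assign_buggy_order(&d, 0, 0, 1);
    if (use_fix && rc == 0) rc = d.states[0].att;
    dfa_free(&d);
    return rc;
}
```

If assign_buggy_order is changed to write through dest unconditionally and the file is built with the `-fsanitize=address` flag the report mentions, AddressSanitizer reports heap-use-after-free at that line, with the free inside resize_dfa, the same shape as the trace above. The same hazard applies to any `container[i].field = f(&container)` where f can reallocate the container; the temporary variable is the reliable fix because it sequences the call before the index expression.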

