[Lynx-dev] use-after-free bug in cookie handling

From: Thorsten Glaser
Subject: [Lynx-dev] use-after-free bug in cookie handling
Date: Thu, 13 Aug 2015 22:56:47 +0000 (UTC)

Hi again,

I disabled the fatal signal handler because I recently got a lot
of core dumps and wanted to get rid of them.

#0  scan_cookie_sublist (hostname=0xa6c88b20 "",
    path=0xa8c2c9c0 "/s/8396246/15", port=443, sublist=0x9d0c6e50, header=0x0, 
    at /usr/src/gnu/usr.bin/lynx/src/LYCookie.c:726
726             co = (cookie *) hl->object;
(gdb) print hl
$1 = (HTList *) 0xdfdfdfdf
(gdb) bt
#0  scan_cookie_sublist (hostname=0xa6c88b20 "",
    path=0xa8c2c9c0 "/s/8396246/15", port=443, sublist=0x9d0c6e50, header=0x0, 
    at /usr/src/gnu/usr.bin/lynx/src/LYCookie.c:726
#1  0x1c079cfb in LYAddCookieHeader (hostname=0xa6c88b20 "",
    path=0xa8c2c9c0 "/s/8396246/15", port=443, secure=1)
    at /usr/src/gnu/usr.bin/lynx/src/LYCookie.c:1886
#2  0x1c08fb41 in HTLoadHTTP (arg=0xa8c08b40 
    anAnchor=0xa1869d00, format_out=0xab102290, sink=0x0)
    at /usr/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTP.c:1360
#3  0x1c08d214 in HTLoad (addr=0xa9954b40 
    anchor=0xa1869d00, format_out=0xab102290, sink=0x0)
    at /usr/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTAccess.c:706
#4  0x1c08d695 in HTLoadDocument (
    full_address=0xa9954b40 "";,
    anchor=0xa1869d00, format_out=0xab102290, sink=0x0)
    at /usr/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTAccess.c:939
#5  0x1c08dc9d in HTLoadAbsolute (docaddr=0xcfbf9254)
    at /usr/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTAccess.c:1121
#6  0x1c025331 in getfile (doc=0x3c063000, target=0x2f8f8690)
    at /usr/src/gnu/usr.bin/lynx/src/LYGetFile.c:806
#7  0x1c03291f in mainloop () at /usr/src/gnu/usr.bin/lynx/src/LYMainLoop.c:5842
#8  0x1c027a4d in main (argc=1, argv=0xcfbf9710)
    at /usr/src/gnu/usr.bin/lynx/src/LYMain.c:2248

From man malloc:

     J       "Junk". Fill some junk into the area allocated. Currently junk is
             bytes of 0xd0 when allocating; this is pronounced "Duh". :-)
             Freed chunks are filled with 0xdf.

So this is a classical use-after-free.

Interestingly enough… “where does this come from?”

(gdb) print sublist
$2 = (HTList *) 0x9d0c6e50
(gdb) print *sublist
$3 = {object = 0x0, next = 0xa75cd480}
(gdb) print *sublist->next
$4 = {object = 0x9c548b80, next = 0xab1027c0}
(gdb) print *sublist->next->next
$5 = {object = 0x9da46840, next = 0x0}

This looks like the classical “object removed from list, free’d,
then used to continue traversing the list” bug. And, indeed, there
is a call to HTList_removeObject() in the loop!

I believe I’m seeing those crashes more often because more of
the servers expire their cookies earlier now.

“The final straw, to be honest, was probably my amazement at the volume of
petty, peevish whingeing certain of your peers are prone to dish out on
d-devel, telling each other how to talk more like a pretty princess, as though
they were performing some kind of public service.” (someone to me, privately)
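An added illustration of the list-traversal pattern the post describes, written for this note and not taken from Lynx: a minimal HTList-style list (dummy head with object == NULL, then one node per cookie, as in the gdb dump) and a scan that drops expired cookies by saving the successor before HTList_removeObject() can free the current node. The cookie struct, make_cookie() and demo() are simplifications assumed here.

```c
#include <stdlib.h>

/* Minimal HTList model (assumed here, not Lynx's code): a dummy head
 * node with object == NULL, followed by one node per cookie. */
typedef struct HTList_ { void *object; struct HTList_ *next; } HTList;
typedef struct { long expires; } cookie;   /* only what the scan needs */

static void HTList_addObject(HTList *head, void *obj) {
    HTList *n = calloc(1, sizeof(HTList));
    n->object = obj; n->next = head->next; head->next = n;
}

/* Unlink and free the node holding obj; obj itself stays the caller's. */
static void HTList_removeObject(HTList *head, void *obj) {
    for (HTList *p = head; p->next; p = p->next)
        if (p->next->object == obj) {
            HTList *dead = p->next; p->next = dead->next; free(dead); return;
        }
}

/* Buggy shape: remove the expired cookie (which frees hl), then read
 * hl->next from the freed node; with junked frees that read is the
 * 0xdfdfdfdf seen above. Fix: save the successor before anything can
 * free hl. Returns how many cookies remain in the list. */
static int scan_cookie_sublist(HTList *sublist, long now) {
    int kept = 0;
    for (HTList *hl = sublist->next, *next; hl; hl = next) {
        next = hl->next;                      /* read before any free */
        cookie *co = (cookie *) hl->object;
        if (co->expires < now) {
            HTList_removeObject(sublist, co); /* frees hl; never touched again */
            free(co);
        } else kept++;
    }
    return kept;
}

static cookie *make_cookie(long e) { cookie *c = calloc(1, sizeof *c); c->expires = e; return c; }

/* Constructed sample: cookies expiring at 50, 500 and 10, scanned at
 * `now`; returns the survivor count and frees everything afterwards. */
static int demo(long now) {
    HTList head = { NULL, NULL };
    HTList_addObject(&head, make_cookie(50));
    HTList_addObject(&head, make_cookie(500));
    HTList_addObject(&head, make_cookie(10));
    int kept = scan_cookie_sublist(&head, now);
    while (head.next) {                       /* release the survivors */
        cookie *co = head.next->object;
        HTList_removeObject(&head, co); free(co);
    }
    return kept;
}
```

Run under a junk-filling malloc (the `J` option quoted above) or ASan: the saved-successor version is clean, whereas reading `hl->next` after the removal is exactly the crash in the backtrace.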

