From: wcventure
Subject: [bug-cflow] [Bug report] Use-after-free in reference function in /src/parser.c in cflow 1.6
Date: Mon, 1 Apr 2019 14:10:02 +0800 (CST)
Hi there,
I have found a use-after-free problem in the reference function in /src/parser.c in cflow 1.6, the latest release version. This bug can also be reproduced in cflow 1.5. A crafted input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.
Here are the POC files. Please use "./cflow $POC" to reproduce the bug.
The ASAN dumps the stack trace as follows:
=================================================================
==61274==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0000078b0 at pc 0x0000005534f9 bp 0x7fffd7c405b0 sp 0x7fffd7c405a8
READ of size 8 at 0x60e0000078b0 thread T0
#0 0x5534f8 in reference /cflow-1.6/src/parser.c:1298:34
#1 0x5534f8 in _expression_ /cflow-1.6/src/parser.c:621
#2 0x55d012 in func_body /cflow-1.6/src/parser.c:1051:9
#3 0x54ea79 in parse_declaration /cflow-1.6/src/parser.c:578:4
#4 0x54de68 in yyparse /cflow-1.6/src/parser.c:528:9
#5 0x53b254 in main /cflow-1.6/src/main.c:812:7
#6 0x7f2ee8ad982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#7 0x41a978 in _start (/cflow-1.6/build/bin/cflow+0x41a978)
0x60e0000078b0 is located 144 bytes inside of 152-byte region [0x60e000007820,0x60e0000078b8)
freed by thread T0 here:
#0 0x4da6d0 in __interceptor_free.localalias.0 /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68
#1 0x538e68 in linked_list_destroy /cflow-1.6/src/linked-list.c:87:7
previously allocated by thread T0 here:
#0 0x4da8a0 in __interceptor_malloc /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
#1 0x5bdc80 in xmalloc /cflow-1.6/gnu/xmalloc.c:43:13
SUMMARY: AddressSanitizer: heap-use-after-free /cflow-1.6/src/parser.c:1298:34 in reference
Shadow bytes around the buggy address:
0x0c1c7fff8ec0: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1c7fff8ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c1c7fff8ee0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c7fff8ef0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c1c7fff8f00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1c7fff8f10: fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa
0x0c1c7fff8f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff8f30: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1c7fff8f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c1c7fff8f50: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c7fff8f60: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==61274==ABORTING
Aborted
If you have any questions, please let me know.
POC.zip
Description: Zip compressed data
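A trace like the one above is what a fuzzing harness produces by the hundred, and the first triage step is to parse it and bucket duplicates by the faulting stack inside the project rather than by sanitizer-interceptor or libc frames. The following Python is an added example written for this page, not code from the reporter or from the cflow project. It embeds an excerpt of the ASan output quoted above as its sample input (shadow-byte dump omitted); the function names, the `/cflow-1.6/` prefix used to keep only project frames, and the three-frame signature depth are my own choices.

```python
"""Added triage helper: parse an AddressSanitizer report into structured
data and derive a deduplication key from the project's own stack frames."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Stock ASan line shapes for memory-access reports (heap/stack bugs).
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")

@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line[:col]" or "(module+offset)"

    def file_line(self) -> str:
        """Strip the column so a signature survives small edits to the line."""
        m = re.match(r"^(.*?):(\d+)(?::\d+)?$", self.location)
        return f"{m.group(1)}:{m.group(2)}" if m else self.location

@dataclass
class AsanReport:
    bug_kind: str                      # e.g. heap-use-after-free
    address: str
    access: Optional[str] = None       # READ or WRITE
    size: Optional[int] = None
    offset: Optional[int] = None       # bytes into the freed region
    region_size: Optional[int] = None
    access_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

def parse_asan_report(text: str) -> AsanReport:
    """One pass over the report; each frame line is attributed to the stack
    section (access, free, alloc) whose header was seen most recently."""
    report, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if report is None:
            m = ERROR_RE.search(line)
            if m:
                report = AsanReport(bug_kind=m.group(1), address=m.group(2))
                current = report.access_stack
            continue
        if line.startswith("SUMMARY:"):
            break
        if m := ACCESS_RE.match(line):
            report.access, report.size = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            report.offset, report.region_size = int(m.group(1)), int(m.group(2))
        elif line.startswith("freed by thread"):
            current = report.free_stack
        elif line.startswith("previously allocated by thread"):
            current = report.alloc_stack
        elif m := FRAME_RE.match(line):
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return report

def crash_signature(report: AsanReport, project_prefix: str, depth: int = 3) -> str:
    """Bug kind plus the top `depth` frames of the faulting access that live
    under project_prefix; interceptor and libc frames are skipped so reports
    that differ only outside the project land in the same bucket."""
    frames = [f for f in report.access_stack if f.location.startswith(project_prefix)]
    parts = [f"{f.function}@{f.file_line()[len(project_prefix):]}" for f in frames[:depth]]
    return "|".join([report.bug_kind] + parts)

# Sample input: an excerpt of the ASan output quoted in the report above,
# with the shadow-byte dump omitted because the parser does not need it.
SAMPLE_REPORT = """\
==61274==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0000078b0 at pc 0x0000005534f9 bp 0x7fffd7c405b0 sp 0x7fffd7c405a8
READ of size 8 at 0x60e0000078b0 thread T0
    #0 0x5534f8 in reference /cflow-1.6/src/parser.c:1298:34
    #1 0x5534f8 in _expression_ /cflow-1.6/src/parser.c:621
    #2 0x55d012 in func_body /cflow-1.6/src/parser.c:1051:9
    #3 0x54ea79 in parse_declaration /cflow-1.6/src/parser.c:578:4
    #4 0x54de68 in yyparse /cflow-1.6/src/parser.c:528:9
    #5 0x53b254 in main /cflow-1.6/src/main.c:812:7
    #6 0x7f2ee8ad982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x41a978 in _start (/cflow-1.6/build/bin/cflow+0x41a978)
0x60e0000078b0 is located 144 bytes inside of 152-byte region [0x60e000007820,0x60e0000078b8)
freed by thread T0 here:
    #0 0x4da6d0 in __interceptor_free.localalias.0 /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68
    #1 0x538e68 in linked_list_destroy /cflow-1.6/src/linked-list.c:87:7
previously allocated by thread T0 here:
    #0 0x4da8a0 in __interceptor_malloc /home/wencheng/Documents/llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x5bdc80 in xmalloc /cflow-1.6/gnu/xmalloc.c:43:13
SUMMARY: AddressSanitizer: heap-use-after-free /cflow-1.6/src/parser.c:1298:34 in reference
"""

if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(crash_signature(rep, "/cflow-1.6/"))
    print(f"freed via {rep.free_stack[-1].function}, allocated via {rep.alloc_stack[-1].function}")
```

For this trace the signature comes out as `heap-use-after-free|reference@src/parser.c:1298|_expression_@src/parser.c:621|func_body@src/parser.c:1051`, and the free and allocation stacks point at `linked_list_destroy` and `xmalloc`, which is the pair a maintainer would look at first: the node freed by the list teardown is still reachable from the parser state that `reference` reads. Columns are dropped from the key on purpose, since they change with unrelated edits to the same line; the `offset`/`region_size` fields (144 of 152 bytes here) are kept because an access near the end of a freed object often distinguishes a stale pointer to a struct field from a dangling list link.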