help-libtasn1

Re: Potential double free in asn1_delete_structure2


From: Nikos Mavrogiannopoulos
Subject: Re: Potential double free in asn1_delete_structure2
Date: Wed, 29 Mar 2017 16:35:48 +0200

Could you please provide a reproducer? The easiest way to create it would
be to follow the decoding-invalid-pkcs7 lines in tests/.

On Wed, Mar 29, 2017 at 3:39 PM, Brandon Perry
<address@hidden> wrote:
> Hi, while fuzzing another piece of software (FreeTDS), I came across a crash 
> that was in libtasn1, not the software I was fuzzing. It looks like a double 
> free.
>
>
> Faulting Frame:
>    None @ 0x00007ffff512e22a: in /usr/lib/x86_64-linux-gnu/libtasn1.so.6.5.1
> Disassembly:
> Stack Head (13 entries):
>    __GI_raise                @ 0x00007ffff6530428: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
>    __GI_abort                @ 0x00007ffff653202a: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
>    __libc_message            @ 0x00007ffff65727ea: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
>    malloc_printerr           @ 0x00007ffff657b477: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
>    _int_free                 @ 0x00007ffff657b477: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
>    __GI___libc_free          @ 0x00007ffff657e98c: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
>    None                      @ 0x00007ffff512e22a: in /usr/lib/x86_64-linux-gnu/libtasn1.so.6.5.1
>    asn1_delete_structure2    @ 0x00007ffff512f418: in /usr/lib/x86_64-linux-gnu/libtasn1.so.6.5.1
>    None                      @ 0x00007ffff720e27c: in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.6.2
>    _dl_fini                  @ 0x00007ffff7de7c17: in /lib/x86_64-linux-gnu/ld-2.23.so
>    __run_exit_handlers       @ 0x00007ffff6534ff8: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
>    __GI_exit                 @ 0x00007ffff6535045: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
>    main                      @ 0x00000000004070bd: in /root/freetds/build/src/apps/tsql
> Registers:
> rax=0x0000000000000000 rbx=0x0000000000000067 rcx=0x00007ffff6530428 rdx=0x0000000000000006
> rsi=0x0000000000003221 rdi=0x0000000000003221 rbp=0x00007fffffffdb30 rsp=0x00007fffffffd798
>  r8=0x0000000000000004  r9=0x0000000000000000 r10=0x0000000000000008 r11=0x0000000000000206
> r12=0x0000000000000067 r13=0x00007fffffffd948 r14=0x00007fffffffd948 r15=0x0000000000000002
> rip=0x00007ffff6530428 efl=0x0000000000000206  cs=0x0000000000000033  ss=0x000000000000002b
>  ds=0x0000000000000000  es=0x0000000000000000  fs=0x0000000000000000  gs=0x0000000000000000
>
>
> Since this is potentially security sensitive, how can I get the details to 
> the proper person/people?


