[bug-cflow] heap-use-after-free in reference
From: GwanYeong Kim
Subject: [bug-cflow] heap-use-after-free in reference
Date: Sun, 3 Dec 2017 09:40:19 +0900
Hello.
I found a heap-use-after-free bug in cflow.
Please confirm.
Thanks.
Version: cflow (GNU cflow) 1.5
OS: Ubuntu 16.04.2 32bit
Steps to reproduce:
1. Download the PoC files.
2. Execute the following command:
   ./cflow $FILE
---CRASH SUMMARY---
Faulting Frame:
data_in_list @ 0x0000000008057fd0: in /home/karas/cflow/src/cflow
Disassembly:
Stack Head (8 entries):
data_in_list @ 0x0000000008057fd0: in /home/karas/cflow/src/cflow
reference @ 0x0000000008067299: in /home/karas/cflow/src/cflow
_expression_ @ 0x0000000008067299: in /home/karas/cflow/src/cflow
func_body @ 0x000000000806a8e1: in /home/karas/cflow/src/cflow
parse_function_declaratio @ 0x000000000806fcd8: in /home/karas/cflow/src/cflow
parse_declaration @ 0x000000000806991d: in /home/karas/cflow/src/cflow
yyparse @ 0x0000000008070ceb: in /home/karas/cflow/src/cflow
main @ 0x000000000804a1a5: in /home/karas/cflow/src/cflow
Registers:
eax=0x0000000000005160 ecx=0x0000000000000000 edx=0x00000000080db978 ebx=0x0000000000000000
esp=0x00000000bffff0bc ebp=0x00000000080db978 esi=0x00000000080d8df0 edi=0x0000000000000004
eip=0x0000000008057fd0 efl=0x0000000000010206 cs=0x0000000000000073 ss=0x000000000000007b
ds=0x000000000000007b es=0x000000000000007b fs=0x0000000000000000 gs=0x0000000000000033
---END SUMMARY---
```
=================================================================
==17350==ERROR: AddressSanitizer: heap-use-after-free on address 0xb4a01070 at pc 0x08077f45 bp 0xbff5d638 sp 0xbff5d628
READ of size 4 at 0xb4a01070 thread T0
#0 0x8077f44 in reference /home/karas/cflow/src/parser.c:1275
#1 0x8077f44 in _expression_ /home/karas/cflow/src/parser.c:601
#2 0x807b8ab in func_body /home/karas/cflow/src/parser.c:1029
#3 0x807a633 in parse_declaration /home/karas/cflow/src/parser.c:558
#4 0x808445b in yyparse /home/karas/cflow/src/parser.c:508
#5 0x804acc4 in main /home/karas/cflow/src/main.c:792
#6 0xb703f636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#7 0x804b7d5 (/home/karas/cflow/src/cflow+0x804b7d5)
0xb4a01070 is located 80 bytes inside of 84-byte region [0xb4a01020,0xb4a01074)
freed by thread T0 here:
#0 0xb7273a84 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x96a84)
#1 0x806406f in linked_list_destroy /home/karas/cflow/src/linked-list.c:87
previously allocated by thread T0 here:
#0 0xb7273dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
#1 0x80c0dbd in xmalloc /home/karas/cflow/gnu/xmalloc.c:43
SUMMARY: AddressSanitizer: heap-use-after-free /home/karas/cflow/src/parser.c:1275 reference
Shadow bytes around the buggy address:
0x369401b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369401c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369401d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369401e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369401f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 04 fa
=>0x36940200: fa fa fa fa fd fd fd fd fd fd fd fd fd fd[fd]fa
0x36940210: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x36940220: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 04 fa
0x36940230: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 04 fa
0x36940240: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 04 fa
0x36940250: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==17350==ABORTING
```
Attachment: reference_crash (binary data)
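Added example, not part of the report above and not cflow's own src/linked-list.c or src/parser.c: a self-contained C program that reproduces the shape the ASan trace shows (a node freed in a list-destroy routine, then read through a pointer cached elsewhere) next to the corrected ordering. The struct and function names are assumptions chosen to mirror the trace, not cflow's real identifiers. The buggy path is compiled only with -DDEMO_UAF so the file runs safely by default; built with -fsanitize=address and that define, it produces a "heap-use-after-free ... READ of size 4" report of the same kind.

```c
#include <stdio.h>
#include <stdlib.h>

/* Illustrative list, NOT cflow's linked-list.c. */
struct node {
    struct node *next;
    int data;
};

struct list {
    struct node *head;
    size_t count;
};

/* Push to the front and return the node so a caller can cache it;
 * that cached pointer is what becomes dangling below. */
static struct node *list_push(struct list *l, int value)
{
    struct node *n = malloc(sizeof *n);
    if (!n)
        abort();
    n->data = value;
    n->next = l->head;
    l->head = n;
    l->count++;
    return n;
}

/* Free every node. Any pointer into the list held elsewhere is now stale. */
static void list_destroy(struct list *l)
{
    struct node *n = l->head;
    while (n) {
        struct node *next = n->next;
        free(n);
        n = next;
    }
    l->head = NULL;
    l->count = 0;
}

/* Hypothetical parser state (assumption): owns a list and caches a node pointer. */
struct parser_state {
    struct list symbols;
    struct node *last_ref;   /* may outlive the list it points into */
};

static void parser_init(struct parser_state *ps)
{
    ps->symbols.head = NULL;
    ps->symbols.count = 0;
    list_push(&ps->symbols, 7);
    ps->last_ref = list_push(&ps->symbols, 42);
}

#ifdef DEMO_UAF
/* The defect pattern. Compiled out by default because it reads freed memory.
 * Build: cc -g -O1 -fsanitize=address -DDEMO_UAF uaf_demo.c && ./a.out */
static int buggy_reference(struct parser_state *ps)
{
    list_destroy(&ps->symbols);   /* frees the node last_ref points to */
    return ps->last_ref->data;    /* heap-use-after-free READ of size 4 */
}
#endif

/* Fixed ordering: copy the needed value out, invalidate the cached pointer,
 * and only then destroy the list. Returns 0 on success, -1 if no live ref. */
static int fixed_reference(struct parser_state *ps, int *out)
{
    if (!ps->last_ref)
        return -1;
    *out = ps->last_ref->data;
    ps->last_ref = NULL;          /* invalidate before freeing */
    list_destroy(&ps->symbols);
    return 0;
}

/* First lookup through the fixed path yields the cached node's value. */
int demo_fixed_value(void)
{
    struct parser_state ps;
    int v = 0;
    parser_init(&ps);
    if (fixed_reference(&ps, &v) != 0)
        return -1;
    return v;
}

/* A second lookup finds the reference already invalidated (-1)
 * instead of reading freed memory. */
int demo_second_lookup(void)
{
    struct parser_state ps;
    int v = 0;
    parser_init(&ps);
    fixed_reference(&ps, &v);
    return fixed_reference(&ps, &v);
}

int main(void)
{
    printf("fixed_reference -> %d, second lookup -> %d\n",
           demo_fixed_value(), demo_second_lookup());
#ifdef DEMO_UAF
    {
        struct parser_state ps;
        parser_init(&ps);
        printf("buggy_reference -> %d\n", buggy_reference(&ps));
    }
#endif
    return 0;
}
```

The point of the fixed ordering is the same check a reviewer would look for in the real code: whoever calls the list-destroy routine must also clear (or stop using) every pointer into that list, or the destroy must happen after the last read.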