help-libtasn1
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Potential double free in asn1_delete_structure2

From: Brandon Perry
Subject: Re: Potential double free in asn1_delete_structure2
Date: Wed, 29 Mar 2017 09:42:47 -0500

On Mar 29, 2017, at 9:35 AM, Nikos Mavrogiannopoulos <address@hidden> wrote:

Could you please provide a reproducer? The easiest to create it would
be following decoding-invalid-pkcs7 lines in tests/

Let me see what I can do. It is easy to reproduce with FreeTDS, though.


You then use the preeny desock.so to force the FreeTDS binary tsql to read data from stdin instead of network IO.

export LD_PRELOAD=~/preeny/x86_64-linux-gnu/desock.so

~/tsql  -S 127.0.0.1 -U fdsa -P fdsa < file_to_repro_crash

Perhaps you could compile FreeTDS with a debug copy of GnuTLS/libtasn1 to make it easier to track down? I can also work on a reproducible test case in the mean time, but I am not sure at all how long this could take.

Do you want the file that reproduces the crash to be sent here on the list or separately?


On Wed, Mar 29, 2017 at 3:39 PM, Brandon Perry
<address@hidden> wrote:
Hi, while fuzzing another piece of software (FreeTDS), I came across a crash that was in libtasn1, not the software I was fuzzing. It looks like a double free.


Faulting Frame:
  None @ 0x00007ffff512e22a: in /usr/lib/x86_64-linux-gnu/libtasn1.so.6.5.1
Disassembly:
Stack Head (13 entries):
  __GI_raise                @ 0x00007ffff6530428: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
  __GI_abort                @ 0x00007ffff653202a: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
  __libc_message            @ 0x00007ffff65727ea: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
  malloc_printerr           @ 0x00007ffff657b477: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
  _int_free                 @ 0x00007ffff657b477: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
  __GI___libc_free          @ 0x00007ffff657e98c: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
  None                      @ 0x00007ffff512e22a: in /usr/lib/x86_64-linux-gnu/libtasn1.so.6.5.1
  asn1_delete_structure2    @ 0x00007ffff512f418: in /usr/lib/x86_64-linux-gnu/libtasn1.so.6.5.1
  None                      @ 0x00007ffff720e27c: in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.6.2
  _dl_fini                  @ 0x00007ffff7de7c17: in /lib/x86_64-linux-gnu/ld-2.23.so
  __run_exit_handlers       @ 0x00007ffff6534ff8: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
  __GI_exit                 @ 0x00007ffff6535045: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
  main                      @ 0x00000000004070bd: in /root/freetds/build/src/apps/tsql
Registers:
rax=0x0000000000000000 rbx=0x0000000000000067 rcx=0x00007ffff6530428 rdx=0x0000000000000006
rsi=0x0000000000003221 rdi=0x0000000000003221 rbp=0x00007fffffffdb30 rsp=0x00007fffffffd798
r8=0x0000000000000004  r9=0x0000000000000000 r10=0x0000000000000008 r11=0x0000000000000206
r12=0x0000000000000067 r13=0x00007fffffffd948 r14=0x00007fffffffd948 r15=0x0000000000000002
rip=0x00007ffff6530428 efl=0x0000000000000206  cs=0x0000000000000033  ss=0x000000000000002b
ds=0x0000000000000000  es=0x0000000000000000  fs=0x0000000000000000  gs=0x0000000000000000


Since this is potentially security sensitive, how can I get the details to the proper person/people?

Attachment: signature.asc
Description: Message signed with OpenPGP

reply via email to
[Prev in Thread] Current Thread [Next in Thread]