bug-cflow

Bug Report for cflow


From: 1360434810
Subject: Bug Report for cflow
Date: Thu, 20 Oct 2022 11:25:32 +0800

Hi, developers of cflow:
When I tested cflow, I found bugs. I have provided all the POC files in the email attachment.

1. Step To Reproduce: ./cflow $POC /dev/null 

2. Environment: Ubuntu 18.04 (docker) and cflow 1.7

3. BUGS
(1) BUG1
(base) ./cflow POC1 /dev/null 

=================================================================
==104844==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000008a30 at pc 0x55b47427d2f4 bp 0x7ffe07697390 sp 0x7ffe07697388
READ of size 8 at 0x60e000008a30 thread T0
    #0 0x55b47427d2f3 in reference /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1328:34
    #1 0x55b47427c774 in _expression_ /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:629:7
    #2 0x55b474280d3f in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1072:9
    #3 0x55b474280ca2 in parse_declaration /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:578:4
    #4 0x55b474280ca2 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1086:9
    #5 0x55b474280cf1 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c
    #6 0x55b474280cf1 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c
    #7 0x55b474280cf1 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c
    #8 0x55b474280cf1 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c
    #9 0x55b474280cf1 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c
    #10 0x55b474280cf1 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c
    #11 0x55b47427afc7 in yyparse /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c
    #12 0x55b474272772 in main /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/main.c:855:7
    #13 0x7f54cb9edd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 89c3cb85f9e55046776471fed05ec441581d1969)
    #14 0x7f54cb9ede3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 89c3cb85f9e55046776471fed05ec441581d1969)
    #15 0x55b4741a3514 in _start (/AFLplusplus/aflplusplus_pro/version_10_17/programs/unibench_asan/cflow+0x32514) (BuildId: 01c5c0b93d3a5898be0c681efadec989ae210f6b)

0x60e000008a30 is located 144 bytes inside of 152-byte region [0x60e0000089a0,0x60e000008a38)
freed by thread T0 here:
    #0 0x55b4742260b2 in free (/AFLplusplus/aflplusplus_pro/version_10_17/programs/unibench_asan/cflow+0xb50b2) (BuildId: 01c5c0b93d3a5898be0c681efadec989ae210f6b)
    #1 0x55b474285ddc in delete_symbol /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/symbol.c:215:4
    #2 0x55b474285ddc in delete_level_autos /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/symbol.c:273:4

previously allocated by thread T0 here:
    #0 0x55b47422635e in __interceptor_malloc (/AFLplusplus/aflplusplus_pro/version_10_17/programs/unibench_asan/cflow+0xb535e) (BuildId: 01c5c0b93d3a5898be0c681efadec989ae210f6b)
    #1 0x55b4742bad82 in xmalloc /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/gnu/xmalloc.c:55:13


(2) BUG2
(base) ./cflow POC2 /dev/null 

=================================================================
==71571==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000010ad0 at pc 0x55b1f81eb1b5 bp 0x7ffd2b65c8f0 sp 0x7ffd2b65c8e8
READ of size 8 at 0x60e000010ad0 thread T0
    #0 0x55b1f81eb1b4 in call /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1314:34
    #1 0x55b1f81ea570 in _expression_ /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:626:7
    #2 0x55b1f81eed3f in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1072:9
    #3 0x55b1f81eecf1 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c
    #4 0x55b1f81eeca2 in parse_declaration /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:578:4
    #5 0x55b1f81eeca2 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1086:9
    #6 0x55b1f81eeca2 in parse_declaration /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:578:4
    #7 0x55b1f81eeca2 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1086:9
    #8 0x55b1f81eeca2 in parse_declaration /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:578:4
    #9 0x55b1f81eeca2 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1086:9
    #10 0x55b1f81eeca2 in parse_declaration /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:578:4
    #11 0x55b1f81eeca2 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1086:9
    #12 0x55b1f81eeca2 in parse_declaration /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:578:4
    #13 0x55b1f81eeca2 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1086:9
    #14 0x55b1f81eeca2 in parse_declaration /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:578:4
    #15 0x55b1f81eeca2 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1086:9
    #16 0x55b1f81eeca2 in parse_declaration /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:578:4
    #17 0x55b1f81eeca2 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1086:9
    #18 0x55b1f81eeca2 in parse_declaration /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:578:4
    #19 0x55b1f81eeca2 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1086:9
    #20 0x55b1f81eeca2 in parse_declaration /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:578:4
    #21 0x55b1f81eeca2 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1086:9
    #22 0x55b1f81eecf1 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c
    #23 0x55b1f81eeca2 in parse_declaration /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:578:4
    #24 0x55b1f81eeca2 in func_body /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1086:9
    #25 0x55b1f81e8f9a in yyparse /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c
    #26 0x55b1f81e0772 in main /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/main.c:855:7
    #27 0x7f248fab1d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 89c3cb85f9e55046776471fed05ec441581d1969)
    #28 0x7f248fab1e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 89c3cb85f9e55046776471fed05ec441581d1969)
    #29 0x55b1f8111514 in _start (/AFLplusplus/aflplusplus_pro/version_10_17/programs/unibench_asan/cflow+0x32514) (BuildId: 01c5c0b93d3a5898be0c681efadec989ae210f6b)

0x60e000010ad0 is located 144 bytes inside of 152-byte region [0x60e000010a40,0x60e000010ad8)
freed by thread T0 here:
    #0 0x55b1f81940b2 in free (/AFLplusplus/aflplusplus_pro/version_10_17/programs/unibench_asan/cflow+0xb50b2) (BuildId: 01c5c0b93d3a5898be0c681efadec989ae210f6b)
    #1 0x55b1f81f3ddc in delete_symbol /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/symbol.c:215:4
    #2 0x55b1f81f3ddc in delete_level_autos /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/symbol.c:273:4

previously allocated by thread T0 here:
    #0 0x55b1f819435e in __interceptor_malloc (/AFLplusplus/aflplusplus_pro/version_10_17/programs/unibench_asan/cflow+0xb535e) (BuildId: 01c5c0b93d3a5898be0c681efadec989ae210f6b)
    #1 0x55b1f8228d82 in xmalloc /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/gnu/xmalloc.c:55:13

SUMMARY: AddressSanitizer: heap-use-after-free /AFLplusplus/aflplusplus_pro/version_10_17/programs_10_17/unibench/cflow-1.7/src/parser.c:1314:34 in call


1360434810
1360434810@qq.com

Attachment: cflow_POC.zip
Description: Binary data
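Both traces share one shape: a symbol allocated through xmalloc is freed by delete_level_autos when a block closes, and the parser's expression code (reference, call) later reads it. The following is an added illustration, not cflow's code and not the reporter's: it models a block-scoped symbol table in which unlinking a symbol from its scope level and freeing its memory are separate decisions, so an expression reference that outlives the block keeps the object alive. All names (Symbol, install, delete_level_autos, reference_symbol) are constructed for the example and are only loosely modelled on the function names in the trace.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a scoped symbol table; not cflow's data structures. */
typedef struct Symbol {
    char *name;
    int level;            /* block nesting level the symbol was declared at */
    int refcount;         /* table link + outstanding expression references */
    struct Symbol *next;  /* symbol table chain */
} Symbol;

static Symbol *table = NULL;

static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static Symbol *symbol_retain(Symbol *s) {
    if (s) s->refcount++;
    return s;
}

/* Memory is released only when the last holder lets go. */
static void symbol_release(Symbol *s) {
    if (s && --s->refcount == 0) {
        free(s->name);
        free(s);
    }
}

/* Declare a symbol at `level`; the table holds one reference. */
Symbol *install(const char *name, int level) {
    Symbol *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->name = dup_string(name);
    s->level = level;
    s->next = table;
    table = s;
    return symbol_retain(s);
}

Symbol *lookup(const char *name) {
    for (Symbol *s = table; s; s = s->next)
        if (strcmp(s->name, name) == 0) return s;
    return NULL;
}

/* Block exit: unlink every automatic symbol of `level` from the table.
   Each loses the table's reference, but is freed only if nothing else
   still points at it. Returns the number of symbols unlinked. */
int delete_level_autos(int level) {
    int removed = 0;
    Symbol **pp = &table;
    while (*pp) {
        Symbol *s = *pp;
        if (s->level == level) {
            *pp = s->next;
            s->next = NULL;
            symbol_release(s);
            removed++;
        } else {
            pp = &s->next;
        }
    }
    return removed;
}

/* A reference captured while parsing an expression owns its own count,
   so the pointer it stores cannot dangle after the block closes. */
typedef struct { Symbol *sym; int line; } Reference;

Reference reference_symbol(const char *name, int line) {
    Reference r = { symbol_retain(lookup(name)), line };
    return r;
}

void reference_drop(Reference *r) {
    symbol_release(r->sym);
    r->sym = NULL;
}

/* Scenario: a block-local symbol is referenced in an expression, then the
   block closes. Returns 1 when the reference is still readable afterwards
   and the symbol is gone from the table, i.e. no use-after-free. */
int scenario_reference_survives_scope_exit(void) {
    install("x", 1);
    Reference r = reference_symbol("x", 10);
    int removed = delete_level_autos(1);
    int ok = removed == 1 && r.sym != NULL &&
             strcmp(r.sym->name, "x") == 0 && lookup("x") == NULL;
    reference_drop(&r);  /* last holder: memory freed here, under ASan too */
    return ok;
}

int main(void) {
    printf("reference valid after scope exit: %s\n",
           scenario_reference_survives_scope_exit() ? "yes" : "no");
    return 0;
}
```

Built with `-fsanitize=address`, this model runs clean; a variant that freed the symbol inside delete_level_autos while a Reference still held the raw pointer would produce exactly the report shape above (READ in the expression code, "freed by" in the scope cleanup, "previously allocated" in the allocator wrapper). The design point is that the scope-exit routine must only decide table membership, never object lifetime, whenever other parser state may hold the pointer.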
