PSPP-BUG: [bug #58592] Use after free in printf_common
From: Andrea Fioraldi
Subject: PSPP-BUG: [bug #58592] Use after free in printf_common
Date: Wed, 17 Jun 2020 04:02:17 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
URL:
<https://savannah.gnu.org/bugs/?58592>
Summary: Use after free in printf_common
Project: PSPP
Submitted by: andreafioraldi
Submitted on: Wed 17 Jun 2020 08:02:15 AM UTC
Category: Syntax Parser
Severity: 5 - Average
Status: None
Assigned to: None
Open/Closed: Open
Release: None
Discussion Lock: Any
Effort: 0.00
_______________________________________________________
Details:
It seems that cmd_vector() tries to print freed memory.
./pspp -O format=txt -o /dev/null -b uaf1
=================================================================
==116286==ERROR: AddressSanitizer: heap-use-after-free on address
0x602000027070 at pc 0x00000043fd3b bp 0x7fffffffca00 sp 0x7fffffffc188
READ of size 2 at 0x602000027070 thread T0
#0 0x43fd3a in printf_common(void*, char const*, __va_list_tag*)
(/home/andreaf/real/pspp/pspp_afl+0x43fd3a)
#1 0x4415c0 in snprintf (/home/andreaf/real/pspp/pspp_afl+0x4415c0)
#2 0xc754e7 in vasnprintf /home/andreaf/real/pspp/gl/vasnprintf.c
#3 0xca88f4 in rpl_vasprintf /home/andreaf/real/pspp/gl/vasprintf.c:36:18
#4 0xc85089 in xvasprintf /home/andreaf/real/pspp/gl/xvasprintf.c:102:7
#5 0xb800ef in vmsg /home/andreaf/real/pspp/src/libpspp/message.c:58:13
#6 0xb800ef in msg /home/andreaf/real/pspp/src/libpspp/message.c:71:3
#7 0x7afaff in cmd_vector
/home/andreaf/real/pspp/src/language/dictionary/vector.c:171:9
#8 0x4d048b in do_parse_command
/home/andreaf/real/pspp/src/language/command.c:233:16
#9 0x4d048b in cmd_parse_in_state
/home/andreaf/real/pspp/src/language/command.c:148:12
#10 0x4c9df6 in main
/home/andreaf/real/pspp/src/ui/terminal/main.c:138:20
#11 0x7ffff61a5b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x421499 in _start (/home/andreaf/real/pspp/pspp_afl+0x421499)
0x602000027070 is located 0 bytes inside of 5-byte region
[0x602000027070,0x602000027075)
freed by thread T0 here:
#0 0x49995d in free (/home/andreaf/real/pspp/pspp_afl+0x49995d)
#1 0x7af092 in cmd_vector
/home/andreaf/real/pspp/src/language/dictionary/vector.c
#2 0x4d048b in do_parse_command
/home/andreaf/real/pspp/src/language/command.c:233:16
#3 0x4d048b in cmd_parse_in_state
/home/andreaf/real/pspp/src/language/command.c:148:12
#4 0x4c9df6 in main /home/andreaf/real/pspp/src/ui/terminal/main.c:138:20
#5 0x7ffff61a5b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
previously allocated by thread T0 here:
#0 0x499ef9 in realloc (/home/andreaf/real/pspp/pspp_afl+0x499ef9)
#1 0xc79352 in vasnprintf /home/andreaf/real/pspp/gl/vasnprintf.c:5579:30
#2 0xca88f4 in rpl_vasprintf /home/andreaf/real/pspp/gl/vasprintf.c:36:18
#3 0xc85089 in xvasprintf /home/andreaf/real/pspp/gl/xvasprintf.c:102:7
#4 0xc82ab2 in xasprintf /home/andreaf/real/pspp/gl/xasprintf.c:30:12
#5 0x7af016 in cmd_vector
/home/andreaf/real/pspp/src/language/dictionary/vector.c:162:32
#6 0x4d048b in do_parse_command
/home/andreaf/real/pspp/src/language/command.c:233:16
#7 0x4d048b in cmd_parse_in_state
/home/andreaf/real/pspp/src/language/command.c:148:12
#8 0x4c9df6 in main /home/andreaf/real/pspp/src/ui/terminal/main.c:138:20
#9 0x7ffff61a5b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-use-after-free
(/home/andreaf/real/pspp/pspp_afl+0x43fd3a) in printf_common(void*, char
const*, __va_list_tag*)
==116286==ABORTING
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Wed 17 Jun 2020 08:02:15 AM UTC Name: uaf1 Size: 3KiB By:
andreafioraldi
<http://savannah.gnu.org/bugs/download.php?file_id=49286>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?58592>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/