PSPP-BUG: [bug #58595] Use after free in fh_get_referent
From: Andrea Fioraldi
Subject: PSPP-BUG: [bug #58595] Use after free in fh_get_referent
Date: Wed, 17 Jun 2020 04:17:24 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
URL:
<https://savannah.gnu.org/bugs/?58595>
Summary: Use after free in fh_get_referent
Project: PSPP
Submitted by: andreafioraldi
Submitted on: Wed 17 Jun 2020 08:17:22 AM UTC
Category: Syntax Parser
Severity: 5 - Average
Status: None
Assigned to: None
Open/Closed: Open
Release: None
Discussion Lock: Any
Effort: 0.00
_______________________________________________________
Details:
This UAF seems a more severe bug than the ones that I previously reported.
./pspp -O format=txt -o /dev/null -b uaf2
=================================================================
==118050==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000000c18 at pc 0x0000009fe5e3 bp 0x7fffffffdcb0 sp 0x7fffffffdca8
READ of size 4 at 0x60b000000c18 thread T0
#0 0x9fe5e2 in fh_get_referent /home/andreaf/real/pspp/src/data/file-handle-def.c:323:18
#1 0x9fe5e2 in make_key /home/andreaf/real/pspp/src/data/file-handle-def.c:629:20
#2 0x9ff137 in fh_is_locked /home/andreaf/real/pspp/src/data/file-handle-def.c:604:3
#3 0x545b18 in cmd_begin_data /home/andreaf/real/pspp/src/language/data-io/data-reader.c:731:8
#4 0x4d048b in do_parse_command /home/andreaf/real/pspp/src/language/command.c:233:16
#5 0x4d048b in cmd_parse_in_state /home/andreaf/real/pspp/src/language/command.c:148:12
#6 0x4c9df6 in main /home/andreaf/real/pspp/src/ui/terminal/main.c:138:20
#7 0x7ffff61a5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#8 0x421499 in _start (/home/andreaf/real/pspp/pspp_afl+0x421499)
0x60b000000c18 is located 40 bytes inside of 104-byte region [0x60b000000bf0,0x60b000000c58)
freed by thread T0 here:
#0 0x49995d in free (/home/andreaf/real/pspp/pspp_afl+0x49995d)
#1 0x9f88e5 in free_handle /home/andreaf/real/pspp/src/data/file-handle-def.c:134:3
#2 0x9f88e5 in fh_unref /home/andreaf/real/pspp/src/data/file-handle-def.c:170:9
previously allocated by thread T0 here:
#0 0x499bdd in malloc (/home/andreaf/real/pspp/pspp_afl+0x499bdd)
#1 0xc8427b in xmalloc /home/andreaf/real/pspp/gl/xmalloc.c:41:13
#2 0xc8427b in xzalloc /home/andreaf/real/pspp/gl/xmalloc.c:86:18
#3 0x7ffff61a5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-use-after-free /home/andreaf/real/pspp/src/data/file-handle-def.c:323:18 in fh_get_referent
Shadow bytes around the buggy address:
0x0c167fff8130: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
0x0c167fff8140: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x0c167fff8150: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c167fff8160: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c167fff8170: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fd fd
=>0x0c167fff8180: fd fd fd[fd]fd fd fd fd fd fd fd fa fa fa fa fa
0x0c167fff8190: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c167fff81a0: 00 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
0x0c167fff81b0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c167fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
0x0c167fff81d0: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==118050==ABORTING
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Wed 17 Jun 2020 08:17:22 AM UTC  Name: uaf2  Size: 4KiB  By: andreafioraldi
<http://savannah.gnu.org/bugs/download.php?file_id=49289>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?58595>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/