PSPP-BUG: [bug #58598] Use after free in read in dict_get_encoding
From: Andrea Fioraldi
Subject: PSPP-BUG: [bug #58598] Use after free in read in dict_get_encoding
Date: Wed, 17 Jun 2020 04:46:54 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
URL:
<https://savannah.gnu.org/bugs/?58598>
Summary: Use after free in read in dict_get_encoding
Project: PSPP
Submitted by: andreafioraldi
Submitted on: Wed 17 Jun 2020 08:46:52 AM UTC
Category: Syntax Parser
Severity: 5 - Average
Status: None
Assigned to: None
Open/Closed: Open
Release: None
Discussion Lock: Any
Effort: 0.00
_______________________________________________________
Details:
./pspp -O format=txt -o /dev/null -b uaf3
=================================================================
==121469==ERROR: AddressSanitizer: heap-use-after-free on address
0x612000000420 at pc 0x0000009dc963 bp 0x7fffffffd620 sp 0x7fffffffd618
READ of size 8 at 0x612000000420 thread T0
#0 0x9dc962 in dict_get_encoding
/home/andreaf/real/pspp/src/data/dictionary.c:101:13
#1 0x53a303 in parse_fixed
/home/andreaf/real/pspp/src/language/data-io/data-parser.c:521:33
#2 0x53a303 in data_parser_parse
/home/andreaf/real/pspp/src/language/data-io/data-parser.c:396:14
#3 0x53efeb in data_parser_casereader_read
/home/andreaf/real/pspp/src/language/data-io/data-parser.c:808:7
#4 0x9a3a5b in casereader_read
/home/andreaf/real/pspp/src/data/casereader.c:71:11
#5 0xc860cd in buffer_case
/home/andreaf/real/pspp/src/data/casereader-shim.c:88:9
#6 0xc860cd in casereader_shim_read
/home/andreaf/real/pspp/src/data/casereader-shim.c:111:10
#7 0x9a837f in random_reader_read
/home/andreaf/real/pspp/src/data/casereader.c:513:21
#8 0x9a3a5b in casereader_read
/home/andreaf/real/pspp/src/data/casereader.c:71:11
#9 0x9da9e5 in proc_casereader_read
/home/andreaf/real/pspp/src/data/dataset.c:522:11
#10 0x9a3a5b in casereader_read
/home/andreaf/real/pspp/src/data/casereader.c:71:11
#11 0xc860cd in buffer_case
/home/andreaf/real/pspp/src/data/casereader-shim.c:88:9
#12 0xc860cd in casereader_shim_read
/home/andreaf/real/pspp/src/data/casereader-shim.c:111:10
#13 0x9a4fed in casereader_peek
/home/andreaf/real/pspp/src/data/casereader.c:157:11
#14 0x9a4fed in casereader_is_empty
/home/andreaf/real/pspp/src/data/casereader.c:180:25
#15 0x99238a in casegrouper_get_next_group
/home/andreaf/real/pspp/src/data/casegrouper.c:115:16
#16 0x6400ea in list_execute
/home/andreaf/real/pspp/src/language/data-io/list.c:86:10
#17 0x6400ea in cmd_list
/home/andreaf/real/pspp/src/language/data-io/list.c:253:10
#18 0x4d048b in do_parse_command
/home/andreaf/real/pspp/src/language/command.c:233:16
#19 0x4d048b in cmd_parse_in_state
/home/andreaf/real/pspp/src/language/command.c:148:12
#20 0x4c9df6 in main
/home/andreaf/real/pspp/src/ui/terminal/main.c:138:20
#21 0x7ffff61a5b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#22 0x421499 in _start (/home/andreaf/real/pspp/pspp_afl+0x421499)
0x612000000420 is located 224 bytes inside of 264-byte region
[0x612000000340,0x612000000448)
freed by thread T0 here:
#0 0x49995d in free (/home/andreaf/real/pspp/pspp_afl+0x49995d)
#1 0x9e6331 in _dict_destroy
/home/andreaf/real/pspp/src/data/dictionary.c:313:3
#2 0x9e6331 in dict_unref
/home/andreaf/real/pspp/src/data/dictionary.c:324:5
previously allocated by thread T0 here:
#0 0x499bdd in malloc (/home/andreaf/real/pspp/pspp_afl+0x499bdd)
#1 0xc8427b in xmalloc /home/andreaf/real/pspp/gl/xmalloc.c:41:13
#2 0xc8427b in xzalloc /home/andreaf/real/pspp/gl/xmalloc.c:86:18
#3 0x4d048b in do_parse_command
/home/andreaf/real/pspp/src/language/command.c:233:16
#4 0x4d048b in cmd_parse_in_state
/home/andreaf/real/pspp/src/language/command.c:148:12
#5 0x4c9df6 in main /home/andreaf/real/pspp/src/ui/terminal/main.c:138:20
#6 0x7ffff61a5b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-use-after-free
/home/andreaf/real/pspp/src/data/dictionary.c:101:13 in dict_get_encoding
==121469==ABORTING
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Wed 17 Jun 2020 08:46:52 AM UTC Name: uaf3 Size: 3KiB By:
andreafioraldi
<http://savannah.gnu.org/bugs/download.php?file_id=49293>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?58598>