Potential double free in asn1_delete_structure2
From: Brandon Perry
Subject: Potential double free in asn1_delete_structure2
Date: Wed, 29 Mar 2017 08:39:38 -0500
Hi, while fuzzing another piece of software (FreeTDS), I came across a crash
that was in libtasn1, not the software I was fuzzing. It looks like a double
free.
Faulting Frame:
None @ 0x00007ffff512e22a: in /usr/lib/x86_64-linux-gnu/libtasn1.so.6.5.1
Disassembly:
Stack Head (13 entries):
__GI_raise @ 0x00007ffff6530428: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
__GI_abort @ 0x00007ffff653202a: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
__libc_message @ 0x00007ffff65727ea: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
malloc_printerr @ 0x00007ffff657b477: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
_int_free @ 0x00007ffff657b477: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
__GI___libc_free @ 0x00007ffff657e98c: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
None @ 0x00007ffff512e22a: in /usr/lib/x86_64-linux-gnu/libtasn1.so.6.5.1
asn1_delete_structure2 @ 0x00007ffff512f418: in /usr/lib/x86_64-linux-gnu/libtasn1.so.6.5.1
None @ 0x00007ffff720e27c: in /usr/lib/x86_64-linux-gnu/libgnutls.so.30.6.2
_dl_fini @ 0x00007ffff7de7c17: in /lib/x86_64-linux-gnu/ld-2.23.so
__run_exit_handlers @ 0x00007ffff6534ff8: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
__GI_exit @ 0x00007ffff6535045: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
main @ 0x00000000004070bd: in /root/freetds/build/src/apps/tsql
Registers:
rax=0x0000000000000000 rbx=0x0000000000000067 rcx=0x00007ffff6530428 rdx=0x0000000000000006
rsi=0x0000000000003221 rdi=0x0000000000003221 rbp=0x00007fffffffdb30 rsp=0x00007fffffffd798
r8=0x0000000000000004 r9=0x0000000000000000 r10=0x0000000000000008 r11=0x0000000000000206
r12=0x0000000000000067 r13=0x00007fffffffd948 r14=0x00007fffffffd948 r15=0x0000000000000002
rip=0x00007ffff6530428 efl=0x0000000000000206 cs=0x0000000000000033 ss=0x000000000000002b
ds=0x0000000000000000 es=0x0000000000000000 fs=0x0000000000000000 gs=0x0000000000000000
Since this is potentially security sensitive, how can I get the details to the
proper person/people?