files

double-free-poc-1
heap-buffer-overflow-poc-5
memory-leak-poc-3
null-pointer-dereference-poc-2
null-pointer-dereference-poc-4
readme.md

target

GNU Recutils is a set of tools and libraries to access human-editable, plain text databases called recfiles. The data is stored as a sequence of records, each record containing an arbitrary number of named fields. The five issues below are triggered in the recutils 1.8 command-line tools (rec2csv and csv2rec) by the input files in this directory; each one is shown with the plain crash, the AddressSanitizer report from the ASan build (fast/bin) and a gdb backtrace from the debug build (debug/bin).

version

1.8

others

These bugs were reported by fish@360TeamSeri0us. Please send an email to teamSeri0us360@gmail.com if you have any questions.

details

  1. Double free in rec_mset_elem_destroy() (src/rec-mset.c:905). The 16-byte chunk that is freed twice is a comment string allocated by strdup() in rec_comment_new() (src/rec-comment.c:43) during rec_parse_rset(). Both frees come from the same site, the mset element dispose callback run by gl_array_list_free() when rec_parse_rset() destroys the record set it was building (src/rec-parser.c:612), which suggests the same comment is reachable from two mset elements. Without ASan the same input trips glibc's "double free or corruption (fasttop)" check and aborts. A double free of a heap chunk is a heap-corruption primitive rather than only a crash, which makes this the most serious of the five issues.

fish@ubuntu:~/Desktop/dumb/archive/recutils-1.8$ ./debug/bin/rec2csv data/double-free-poc-1
double free or corruption (fasttop)
Aborted (core dumped)

asan report

=================================================================
==6397==ERROR: AddressSanitizer: attempting double-free on 0x602000009df0 in thread T0:
    #0 0x4cdb78 in __interceptor_free.localalias.0 (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdb78)
    #1 0x7f31ac47c7c0 in rec_mset_elem_destroy /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:905:11
    #2 0x7f31ac47c7c0 in rec_mset_elem_dispose_fn /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:814
    #3 0x7f31ac4eb213 in gl_array_list_free /home/fish/Desktop/dumb/archive/recutils-1.8/lib/gl_array_list.c:436:17
    #4 0x7f31ac47ca18 in gl_list_free /home/fish/Desktop/dumb/archive/recutils-1.8/src/../lib/gl_list.h:760:3
    #5 0x7f31ac47ca18 in rec_mset_destroy /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:152
    #6 0x7f31ac48cb9a in rec_rset_destroy /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-rset.c:263:7
    #7 0x7f31ac4a6208 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:612:7
    #8 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #9 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
    #10 0x509204 in main /home/fish/Desktop/dumb/archive/recutils-1.8/utils/rec2csv.c:342:8
    #11 0x7f31ab314b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41e759 in _start (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x41e759)

0x602000009df0 is located 0 bytes inside of 16-byte region [0x602000009df0,0x602000009e00)
freed by thread T0 here:
    #0 0x4cdb78 in __interceptor_free.localalias.0 (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdb78)
    #1 0x7f31ac47c7c0 in rec_mset_elem_destroy /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:905:11
    #2 0x7f31ac47c7c0 in rec_mset_elem_dispose_fn /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:814

previously allocated by thread T0 here:
    #0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
    #1 0x7f31ac485c79 in rec_comment_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-comment.c:43:10
    #2 0x7f31ac4a5fd2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:549:11
    #3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

SUMMARY: AddressSanitizer: double-free (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdb78) in __interceptor_free.localalias.0
==6397==ABORTING

gdb debug info

fish@ubuntu:~/Desktop/dumb/archive/recutils-1.8$ gdb -q --args ./debug/bin/rec2csv data/double-free-poc-1 

gef➤  bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff727a801 in __GI_abort () at abort.c:79
#2  0x00007ffff72c3897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff73f0b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff72ca90a in malloc_printerr (str=str@entry=0x7ffff73f2828 "double free or corruption (fasttop)") at malloc.c:5350
#4  0x00007ffff72d2004 in _int_free (have_lock=0x0, p=0x55555577c300, av=0x7ffff7625c40 <main_arena>) at malloc.c:4230
#5  __GI___libc_free (mem=0x55555577c310) at malloc.c:3124
#6  0x00007ffff7b76792 in rec_comment_destroy (comment=0x55555577c310 " \302wUUU") at rec-comment.c:49
#7  0x00007ffff7b79e51 in rec_rset_comment_disp_fn (data=0x55555577c310) at rec-rset.c:1031
#8  0x00007ffff7b75a93 in rec_mset_elem_destroy (elem=0x55555579ca30) at rec-mset.c:905
#9  0x00007ffff7b75844 in rec_mset_elem_dispose_fn (e=0x55555579ca30) at rec-mset.c:814
#10 0x00007ffff7b92fc0 in gl_array_list_free (list=0x55555579aec0) at gl_array_list.c:436
#11 0x00007ffff7b958f9 in gl_list_free (list=0x55555579aec0) at gl_list.h:760
#12 0x00007ffff7b74381 in rec_mset_destroy (mset=0x55555579ade0) at rec-mset.c:152
#13 0x00007ffff7b78b4d in rec_rset_destroy (rset=0x55555579ad80) at rec-rset.c:263
#14 0x00007ffff7b7eca5 in rec_parse_rset (parser=0x55555579ad30, rset=0x7fffffffdbc0) at rec-parser.c:612
#15 0x00005555555586cf in recutl_parse_db_from_file (in=0x555555798330, file_name=0x7fffffffe19d "data/double-free-poc-1", db=0x55555577bc30) at recutl.c:246
#16 0x00005555555587fc in recutl_build_db (argc=0x2, argv=0x7fffffffdda8) at recutl.c:332
#17 0x000055555555996d in main (argc=0x2, argv=0x7fffffffdda8) at rec2csv.c:342

  2. NULL pointer dereference in rec_fex_size() (src/rec-fex.c:257). While rec_rset_set_descriptor() processes the record descriptor of the PoC file, rec_rset_update_field_props() (src/rec-rset.c:1243) calls rec_fex_size() with fex == NULL, and rec_fex_size() reads fex->num_elems unconditionally. The impact is a crash (read from address 0) of rec2csv, or of any program that feeds untrusted recfiles to librec.

fish@ubuntu:~/Desktop/dumb/archive/recutils-1.8$ ./debug/bin/rec2csv data/null-pointer-dereference-poc-2
Segmentation fault (core dumped)

asan report

ASAN:DEADLYSIGNAL
=================================================================
==6373==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fef5bfd18d2 bp 0x7ffddef54bf0 sp 0x7ffddef54890 T0)
==6373==The signal is caused by a READ memory access.
==6373==Hint: address points to the zero page.
    #0 0x7fef5bfd18d1 in rec_fex_size /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-fex.c:257:15
    #1 0x7fef5bf89df4 in rec_rset_update_field_props /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-rset.c:1243:31
    #2 0x7fef5bf88b85 in rec_rset_set_descriptor /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-rset.c:354:3
    #3 0x7fef5bfa0f02 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:578:23
    #4 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #5 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
    #6 0x509204 in main /home/fish/Desktop/dumb/archive/recutils-1.8/utils/rec2csv.c:342:8
    #7 0x7fef5ae0fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x41e759 in _start (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x41e759)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-fex.c:257:15 in rec_fex_size
==6373==ABORTING

gdb debug info

fish@ubuntu:~/Desktop/dumb/archive/recutils-1.8$ gdb -q --args ./debug/bin/rec2csv data/null-pointer-dereference-poc-2

[ source:rec-fex.c+257 ]
    252	 }
    253	 
    254	 size_t
    255	 rec_fex_size (rec_fex_t fex)
    256	 {
 →  257	   return fex->num_elems;
    258	 }
    259	 
    260	 rec_fex_elem_t
    261	 rec_fex_get (rec_fex_t fex,
    262	              size_t position)

[ threads ]
[#0] Id 1, Name: "rec2csv", stopped, reason: SIGSEGV

0x00007ffff7b8d46b in rec_fex_size (fex=0x0) at rec-fex.c:257
257	  return fex->num_elems;
gef➤  bt
#0  0x00007ffff7b8d46b in rec_fex_size (fex=0x0) at rec-fex.c:257
#1  0x00007ffff7b7a5fb in rec_rset_update_field_props (rset=0x55555579ade0) at rec-rset.c:1243
#2  0x00007ffff7b78d83 in rec_rset_set_descriptor (rset=0x55555579ade0, record=0x55555579cb90) at rec-rset.c:354
#3  0x00007ffff7b7ebce in rec_parse_rset (parser=0x55555579ad30, rset=0x7fffffffdb80) at rec-parser.c:578
#4  0x00005555555586cf in recutl_parse_db_from_file (in=0x555555798330, file_name=0x7fffffffe15d "data/null-pointer-dereference-poc-2", db=0x55555577bc30) at recutl.c:246
#5  0x00005555555587fc in recutl_build_db (argc=0x2, argv=0x7fffffffdd68) at recutl.c:332
#6  0x000055555555996d in main (argc=0x2, argv=0x7fffffffdd68) at rec2csv.c:342
gef➤  p *fex
Cannot access memory at address 0x0
  3. Memory leaks in recutils-1.8. When the parser rejects the PoC file ("expected a record" at line 56), neither librec's error path nor rec2csv releases the objects built so far, and LeakSanitizer reports 3414 bytes in 71 allocations at exit. Most of them are made inside the library (rec_parse_rset(), rec_mset_new(), rec_buf_new(), rec_record_new(), rec_field_new(), rec_type_reg_new(), ...), so a long-running program that parses many untrusted recfiles through librec would accumulate them; for the one-shot rec2csv process itself the leak is harmless. The 648-byte rec_aggregate_reg_new() allocation reported directly under __libc_start_main is made from main() and is simply never freed before exit.

fish@ubuntu:~/Desktop/dumb/archive/recutils-1.8$ ASAN_OPTIONS=detect_odr_violation=0 ./fast/bin/rec2csv  data/memory-leak-poc-3 
data/memory-leak-poc-3: 56: error: expected a record

=================================================================
==8363==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 648 byte(s) in 1 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbafa2c160a in rec_aggregate_reg_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-aggregate.c:117:9
    #2 0x7fbaf90f5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbafa2c79e7 in gl_array_nx_create_empty /home/fish/Desktop/dumb/archive/recutils-1.8/lib/gl_array_list.c:60:29

Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbafa2c0be5 in rec_buf_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-buf.c:55:9
    #2 0x7fbafa286fd2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:549:11
    #3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

Direct leak of 5 byte(s) in 1 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbafa264522 in rec_extract_type /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-utils.c:159:18
    #2 0x7fbafa272263 in rec_rset_type /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-rset.c:420:17
    #3 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

Indirect leak of 624 byte(s) in 3 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbafa25cf82 in rec_mset_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:109:9
    #2 0x7fbafa286de2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:560:15
    #3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

Indirect leak of 512 byte(s) in 1 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbafa2c0c5a in rec_buf_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-buf.c:61:19
    #2 0x7fbafa286fd2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:549:11
    #3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

Indirect leak of 256 byte(s) in 4 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbafa2c79e7 in gl_array_nx_create_empty /home/fish/Desktop/dumb/archive/recutils-1.8/lib/gl_array_list.c:60:29

Indirect leak of 208 byte(s) in 1 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbafa25cf82 in rec_mset_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:109:9
    #2 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #3 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

Indirect leak of 192 byte(s) in 6 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbafa260c6a in rec_mset_elem_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:882:9
    #2 0x7fbafa260c6a in rec_mset_insert_at /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:434

Indirect leak of 192 byte(s) in 3 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbafa268752 in rec_record_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-record.c:81:12
    #2 0x7fbafa286de2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:560:15
    #3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

Indirect leak of 192 byte(s) in 3 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbafa2675a7 in rec_field_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:103:11
    #2 0x7fbafa283dbd in rec_parse_record /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:436:7
    #3 0x7fbafa286de2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:560:15
    #4 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #5 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbafa26d490 in rec_rset_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-rset.c:169:10
    #2 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #3 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

Indirect leak of 69 byte(s) in 3 object(s) allocated from:
    #0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
    #1 0x7fbafa26b52c in rec_record_set_source /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-record.c:497:20
    #2 0x7fbafa286de2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:560:15
    #3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

Indirect leak of 69 byte(s) in 3 object(s) allocated from:
    #0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
    #1 0x7fbafa26829b in rec_field_set_source /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:236:19
    #2 0x7fbafa283dbd in rec_parse_record /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:436:7
    #3 0x7fbafa286de2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:560:15
    #4 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #5 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

Indirect leak of 57 byte(s) in 8 object(s) allocated from:
    #0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
    #1 0x7fbafa25f867 in rec_mset_register_type /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:303:26

Indirect leak of 48 byte(s) in 4 object(s) allocated from:
    #0 0x4ce155 in realloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4ce155)
    #1 0x7fbafa2c9430 in grow /home/fish/Desktop/dumb/archive/recutils-1.8/lib/gl_array_list.c:261:28
    #2 0x7fbafa2c9430 in gl_array_nx_add_last /home/fish/Desktop/dumb/archive/recutils-1.8/lib/gl_array_list.c:294

Indirect leak of 43 byte(s) in 3 object(s) allocated from:
    #0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
    #1 0x7fbafa26766b in rec_field_set_value /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:93:18
    #2 0x7fbafa26766b in rec_field_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:116

Indirect leak of 30 byte(s) in 12 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbaf915c61f in vasprintf /build/glibc-OTsEL5/glibc-2.27/libio/vasprintf.c:73

Indirect leak of 22 byte(s) in 5 object(s) allocated from:
    #0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
    #1 0x7fbafa2c1f74 in rec_aggregate_reg_add /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-aggregate.c:162:59
    #2 0x7fbafa2c1f74 in rec_aggregate_reg_add_standard /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-aggregate.c:193

Indirect leak of 16 byte(s) in 1 object(s) allocated from:
    #0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
    #1 0x7fbafa266c79 in rec_comment_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-comment.c:43:10
    #2 0x7fbafa286fd2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:549:11
    #3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

Indirect leak of 16 byte(s) in 1 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbafa2be0ba in rec_type_reg_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-types.c:707:9
    #2 0x7fbafa286f02 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:578:23
    #3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

Indirect leak of 14 byte(s) in 3 object(s) allocated from:
    #0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
    #1 0x7fbafa2675f4 in rec_field_set_name /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:78:17
    #2 0x7fbafa2675f4 in rec_field_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:109
    #3 0x7fbafa283dbd in rec_parse_record /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:436:7
    #4 0x7fbafa286de2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:560:15
    #5 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #6 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

Indirect leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x4ce155 in realloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4ce155)
    #1 0x7fbafa2c8d42 in grow /home/fish/Desktop/dumb/archive/recutils-1.8/lib/gl_array_list.c:261:28
    #2 0x7fbafa2c8d42 in gl_array_nx_add_first /home/fish/Desktop/dumb/archive/recutils-1.8/lib/gl_array_list.c:278

Indirect leak of 1 byte(s) in 1 object(s) allocated from:
    #0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
    #1 0x7fbafa26f05c in rec_rset_update_sex_constraints /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-rset.c:1091:25
    #2 0x7fbafa26f05c in rec_rset_set_descriptor /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-rset.c:356
    #3 0x7fbafa286f02 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:578:23
    #4 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
    #5 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20

SUMMARY: AddressSanitizer: 3414 byte(s) leaked in 71 allocation(s).
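
Bugs 1 and 3 are two faces of the same failure of ownership discipline on a parser's failure path: an object reachable from two owners is freed twice, an object reachable from none is leaked. The block below is an added example, not recutils code, of a parser for a subset of the recfile format described at the top of this page ("#" comment lines, "Name: value" fields, a blank line ending a record; continuation lines are not supported and comments are not stored, and the struct and function names are this example's own). Every object has exactly one owner at any moment, a local pointer is cleared the instant ownership moves into a container, and the single fail: path frees each object once. The g_live counter exists only so the cleanup can be checked: it must be back at zero after any input, valid or malformed.

```c
/* Minimal recfile-subset parser with explicit ownership and error-path cleanup.
 * Added illustration, NOT recutils code (src/rec-parser.c stores comments and
 * supports more syntax). Objects are handed to exactly one owner; the failure
 * path frees each of them once, so neither a double free nor a leak can occur. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

static long g_live = 0;     /* live heap objects; for verifying the cleanup only */
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) g_live++; return p; }
static void xfree(void *p) { if (p) { g_live--; free(p); } }
long live_objects(void) { return g_live; }

struct field  { char *name, *value; struct field *next; };
struct record { struct field *fields, *last; struct record *next; };
struct rset   { struct record *records, *last; size_t nrecords; };

/* Constructed sample input (not one of the PoC files). */
static const char SAMPLE_RECFILE[] =
    "# GNU packages\nName: recutils\nVersion: 1.8\n\nName: gcc\n";

static char *dup_range(const char *s, size_t n) { char *p = xalloc(n + 1); if (p) memcpy(p, s, n); return p; }
static void field_destroy(struct field *f) { if (f) { xfree(f->name); xfree(f->value); xfree(f); } }
static void record_destroy(struct record *r)
{
    if (!r) return;
    for (struct field *f = r->fields, *n; f; f = n) { n = f->next; field_destroy(f); }
    xfree(r);
}
void rset_destroy(struct rset *rs)
{
    if (!rs) return;
    for (struct record *r = rs->records, *n; r; r = n) { n = r->next; record_destroy(r); }
    xfree(rs);
}

/* recfile field names: [A-Za-z%][A-Za-z0-9_]* */
static int valid_name(const char *s, size_t n)
{
    if (n == 0 || !(isalpha((unsigned char)s[0]) || s[0] == '%')) return 0;
    for (size_t i = 1; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_') return 0;
    return 1;
}
/* Containers take ownership of whatever is appended to them. */
static void record_add(struct record *r, struct field *f) { if (r->last) r->last->next = f; else r->fields = f; r->last = f; }
static void rset_add(struct rset *rs, struct record *r) { if (rs->last) rs->last->next = r; else rs->records = r; rs->last = r; rs->nrecords++; }

/* Returns 0 and hands the record set to the caller, or -1 on any error with
 * *out == NULL and everything allocated so far released exactly once. */
int rset_parse(const char *text, struct rset **out)
{
    struct rset *rs = xalloc(sizeof *rs);
    struct record *cur = NULL;       /* owned here until rset_add() */
    struct field *f = NULL;          /* owned here until record_add() */
    const char *p = text;

    *out = NULL;
    if (!rs) return -1;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0) {                              /* blank line ends a record */
            if (cur) { rset_add(rs, cur); cur = NULL; }
        } else if (p[0] != '#') {                    /* '#' lines are comments */
            const char *colon = memchr(p, ':', len), *v;
            if (!colon || !valid_name(p, (size_t)(colon - p))) goto fail;
            v = colon + 1;
            if (v < p + len && *v == ' ') v++;       /* optional blank after ':' */
            if (!(f = xalloc(sizeof *f))) goto fail;
            f->name  = dup_range(p, (size_t)(colon - p));
            f->value = dup_range(v, (size_t)(p + len - v));
            if (!f->name || !f->value) goto fail;
            if (!cur && !(cur = xalloc(sizeof *cur))) goto fail;
            record_add(cur, f);
            f = NULL;                                /* ownership moved to cur */
        }
        p = eol ? eol + 1 : p + len;
    }
    if (cur) rset_add(rs, cur);
    *out = rs;
    return 0;
fail:
    field_destroy(f);        /* NULL if already owned by cur */
    record_destroy(cur);     /* NULL if already owned by rs */
    rset_destroy(rs);
    return -1;
}

/* Parse, return the record count (-1 on a parse error) and release everything. */
int record_count(const char *text)
{
    struct rset *rs;
    if (rset_parse(text, &rs) != 0) return -1;
    int n = (int)rs->nrecords;
    rset_destroy(rs);
    return n;
}
```

The lines that matter are `f = NULL` after record_add() and `cur = NULL` after rset_add(): once a container owns the object, the local must stop referring to it, so the shared fail: path can neither free it a second time nor skip it. Call record_count() on any input and check that live_objects() is zero afterwards, which is exactly the invariant the leak report for bug 3 shows broken.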


  4. NULL pointer dereference in rec_field_set_name() (src/rec-field.c:78), reached from csv2rec. field_cb() in utils/csv2rec.c:264 calls rec_field_new() with name == NULL (gdb frame #3), rec_field_set_name() passes the name straight to strdup(), and strlen() faults on address 0. The root cause is therefore in csv2rec's field callback, which passes a NULL field name for the current column; the library function merely lacks a defensive check.

fish@ubuntu:~/Desktop/dumb/archive/recutils-1.8$ ./debug/bin/csv2rec data/null-pointer-dereference-poc-4
Segmentation fault (core dumped)

asan report

ASAN:DEADLYSIGNAL
=================================================================
==8402==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8ad54655c7 bp 0x7fff9c74b850 sp 0x7fff9c74afd8 T0)
==8402==The signal is caused by a READ memory access.
==8402==Hint: address points to the zero page.
    #0 0x7f8ad54655c6  /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:92
    #1 0x46e36f in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/csv2rec+0x46e36f)
    #2 0x7f8ad646a5f4 in rec_field_set_name /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:78:17
    #3 0x7f8ad646a5f4 in rec_field_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:109
    #4 0x509aa5 in field_cb /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:264:19
    #5 0x57571d in csv_parse /home/fish/Desktop/dumb/archive/recutils-1.8/libcsv/libcsv.c:395:13
    #6 0x5090a6 in process_csv /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:374:11
    #7 0x5090a6 in main /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:395
    #8 0x7f8ad52f8b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41e3e9 in _start (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/csv2rec+0x41e3e9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:92 
==8402==ABORTING

gdb debug info

gef➤  bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:62
#1  0x00007ffff72d79ae in __GI___strdup (s=0x0) at strdup.c:41
#2  0x00007ffff7b76a12 in rec_field_set_name (field=0x5555557a1a50, name=0x0) at rec-field.c:78
#3  0x00007ffff7b76ac8 in rec_field_new (name=0x0, value=0x55555577db10 "e\350\003\"\"") at rec-field.c:109
#4  0x0000555555559195 in field_cb (s=0x55555579ba60, len=0x5, data=0x7fffffffd790) at csv2rec.c:264
#5  0x0000555555573a09 in csv_parse (p=0x7fffffffd7d0, s=0x7fffffffd830, len=0x9a, cb1=0x555555558f2c <field_cb>, cb2=0x5555555591e2 <record_cb>, data=0x7fffffffd790) at libcsv.c:395
#6  0x00005555555594ce in process_csv () at csv2rec.c:374
#7  0x000055555555959a in main (argc=0x2, argv=0x7fffffffdd78) at csv2rec.c:395

gef➤  p field->name
$1 = 0x0

  5. Heap buffer overflow (out-of-bounds read) in field_cb() (utils/csv2rec.c:264:34). The callback reads 8 bytes, one pointer, exactly at the end of a 2048-byte block that field_cb() itself grew with realloc() at utils/csv2rec.c:214. Bugs 4 and 5 fault on the same statement, so they most likely share one root cause: the per-column field-name table is indexed past the entries that were filled in (bug 4, a NULL name) or past the allocation itself (bug 5), as a CSV data row with more fields than the header row would do. Without ASan this PoC also segfaults; per the bug 4 backtrace of the same line, the value read is passed on as the field name pointer.

fish@ubuntu:~/Desktop/dumb/archive/recutils-1.8$ ./debug/bin/csv2rec data/heap-buffer-overflow-poc-5
Segmentation fault (core dumped)

asan report

=================================================================
==8780==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001f280 at pc 0x000000509c79 bp 0x7ffdc361ebd0 sp 0x7ffdc361ebc8
READ of size 8 at 0x61d00001f280 thread T0
    #0 0x509c78 in field_cb /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:264:34
    #1 0x57521e in csv_parse /home/fish/Desktop/dumb/archive/recutils-1.8/libcsv/libcsv.c:361:11
    #2 0x5090a6 in process_csv /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:374:11
    #3 0x5090a6 in main /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:395
    #4 0x7ff3e2d38b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41e3e9 in _start (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/csv2rec+0x41e3e9)

0x61d00001f280 is located 0 bytes to the right of 2048-byte region [0x61d00001ea80,0x61d00001f280)
allocated by thread T0 here:
    #0 0x4cdde5 in realloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/csv2rec+0x4cdde5)
    #1 0x509608 in field_cb /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:214:11

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:264:34 in field_cb
Shadow bytes around the buggy address:
  0x0c3a7fffbe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffbe50:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8780==ABORTING
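
Bugs 4 and 5 both surface at csv2rec.c:264, where the table of header names is indexed for the current column. The block below is an added example, not recutils code: the real field_cb(), libcsv and the rec_field/rec_record types are not reproduced. It shows the callback shape the backtraces imply, with the two checks whose absence matches the traces: refusing an empty header name before it can become a NULL or empty field name, and refusing a data row with more cells than the header before names[] is indexed. The comma/newline tokenizer is a deliberately simplified stand-in for libcsv's csv_parse() (no quoting), and struct conv, the CONV_* codes and csv_check() are this example's own names.

```c
/* Hardened column-to-field-name mapping for a CSV-to-recfile converter. Added
 * example, NOT recutils code. It mirrors the shape the traces show in
 * utils/csv2rec.c: a per-cell callback (libcsv's cb1 contract) looks up the
 * header name of the current column in a table grown with realloc() and builds
 * a field from it. The checks marked HARDENING are the ones whose absence would
 * yield bug 4 (NULL name reaching strdup) and bug 5 (pointer read past the table). */
#include <stdlib.h>
#include <string.h>

enum { CONV_OK = 0, CONV_EMPTY_HEADER_NAME, CONV_TOO_MANY_FIELDS, CONV_OOM };

struct conv {
    char **names; size_t nnames, names_cap;   /* header row: column -> name */
    char **cells; size_t ncells, cells_cap;   /* output: "Name: value" strings */
    size_t row, col;                          /* row 0 is the header */
    int err;
};

/* Constructed sample input (not one of the PoC files). */
static const char SAMPLE_CSV[] = "Name,Version\nrecutils,1.8\ngcc,9\n";

/* Append s to a realloc()-grown pointer array; the array owns s on success. */
static int push(char ***arr, size_t *n, size_t *cap, char *s)
{
    if (*n == *cap) {
        size_t ncap = *cap ? *cap * 2 : 4;
        char **tmp = realloc(*arr, ncap * sizeof *tmp);
        if (!tmp) return -1;
        *arr = tmp; *cap = ncap;
    }
    (*arr)[(*n)++] = s;
    return 0;
}
static char *dup_range(const char *s, size_t len)
{
    char *p = malloc(len + 1);
    if (p) { memcpy(p, s, len); p[len] = '\0'; }
    return p;
}
static void free_list(char **a, size_t n) { for (size_t i = 0; i < n; i++) free(a[i]); free(a); }

/* One CSV cell; in csv2rec this is where rec_field_new(name, value) is built. */
static void field_cb(const char *s, size_t len, void *data)
{
    struct conv *c = data;
    if (c->err) return;
    if (c->row == 0) {
        /* HARDENING: an empty header cell must not become a field name that
         * later reaches strdup()/rec_field_set_name() as NULL or "". */
        if (len == 0) { c->err = CONV_EMPTY_HEADER_NAME; return; }
        char *name = dup_range(s, len);
        if (!name || push(&c->names, &c->nnames, &c->names_cap, name)) {
            free(name); c->err = CONV_OOM;
        }
    } else {
        /* HARDENING: a data row with more cells than the header must not index
         * names[] past nnames (an unset slot) or past the realloc()'d block. */
        if (c->col >= c->nnames) { c->err = CONV_TOO_MANY_FIELDS; return; }
        const char *name = c->names[c->col];
        size_t nlen = strlen(name);
        char *cell = malloc(nlen + 2 + len + 1);
        if (!cell) { c->err = CONV_OOM; return; }
        memcpy(cell, name, nlen); memcpy(cell + nlen, ": ", 2);
        memcpy(cell + nlen + 2, s, len); cell[nlen + 2 + len] = '\0';
        if (push(&c->cells, &c->ncells, &c->cells_cap, cell)) { free(cell); c->err = CONV_OOM; }
    }
    c->col++;
}
/* End of a CSV row (libcsv's cb2 contract). */
static void record_cb(void *data) { struct conv *c = data; c->row++; c->col = 0; }

/* Stand-in for libcsv's csv_parse(): commas and newlines only, no quoting (a
 * simplification so the example stays self-contained). A row with fewer cells
 * than the header is accepted, since a record may legitimately omit fields. */
int csv_convert(const char *text, char ***cells, size_t *ncells)
{
    struct conv c = {0};
    for (const char *p = text; *p; ) {
        const char *eol = strchr(p, '\n');
        const char *end = eol ? eol : p + strlen(p);
        if (end > p) {
            for (const char *cell = p;; ) {
                const char *comma = memchr(cell, ',', (size_t)(end - cell));
                field_cb(cell, (size_t)((comma ? comma : end) - cell), &c);
                if (!comma) break;
                cell = comma + 1;
            }
            record_cb(&c);
        }
        p = eol ? eol + 1 : end;
    }
    free_list(c.names, c.nnames);
    if (c.err) { free_list(c.cells, c.ncells); c.cells = NULL; c.ncells = 0; }
    *cells = c.cells; *ncells = c.ncells;
    return c.err;
}

/* Convert, release, and report: cell count on success, negated CONV_* code otherwise. */
long csv_check(const char *text)
{
    char **cells; size_t n;
    int rc = csv_convert(text, &cells, &n);
    free_list(cells, n);
    return rc ? -(long)rc : (long)n;
}
```

csv_check() returns the number of cells converted, or the negated CONV_* code. The two inputs worth keeping in a regression suite for this kind of converter are exactly the shapes the PoCs exercise: a header row with an empty column name, and a data row longer than the header row.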