GNU Recutils is a set of tools and libraries to access human-editable, plain text databases called recfiles. The data is stored as a sequence of records, each record containing an arbitrary number of named fields. The picture below shows a sample database containing information about GNU packages, along with the main features provided by recutils.
This bug is reported by fish@360TeamSeri0us, please send email to teamSeri0us360@gmail.com if you have any question.
- There is a double-free problem in function rec_mset_elem_destroy() in file src/rec-mset.c.
fish@ubuntu:~/Desktop/dumb/archive/recutils-1.8$ ./debug/bin/rec2csv data/double-free-poc-1
double free or corruption (fasttop)
Aborted (core dumped)
=================================================================
==6397==ERROR: AddressSanitizer: attempting double-free on 0x602000009df0 in thread T0:
#0 0x4cdb78 in __interceptor_free.localalias.0 (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdb78)
#1 0x7f31ac47c7c0 in rec_mset_elem_destroy /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:905:11
#2 0x7f31ac47c7c0 in rec_mset_elem_dispose_fn /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:814
#3 0x7f31ac4eb213 in gl_array_list_free /home/fish/Desktop/dumb/archive/recutils-1.8/lib/gl_array_list.c:436:17
#4 0x7f31ac47ca18 in gl_list_free /home/fish/Desktop/dumb/archive/recutils-1.8/src/../lib/gl_list.h:760:3
#5 0x7f31ac47ca18 in rec_mset_destroy /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:152
#6 0x7f31ac48cb9a in rec_rset_destroy /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-rset.c:263:7
#7 0x7f31ac4a6208 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:612:7
#8 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#9 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
#10 0x509204 in main /home/fish/Desktop/dumb/archive/recutils-1.8/utils/rec2csv.c:342:8
#11 0x7f31ab314b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x41e759 in _start (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x41e759)
0x602000009df0 is located 0 bytes inside of 16-byte region [0x602000009df0,0x602000009e00)
freed by thread T0 here:
#0 0x4cdb78 in __interceptor_free.localalias.0 (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdb78)
#1 0x7f31ac47c7c0 in rec_mset_elem_destroy /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:905:11
#2 0x7f31ac47c7c0 in rec_mset_elem_dispose_fn /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:814
previously allocated by thread T0 here:
#0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
#1 0x7f31ac485c79 in rec_comment_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-comment.c:43:10
#2 0x7f31ac4a5fd2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:549:11
#3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
SUMMARY: AddressSanitizer: double-free (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdb78) in __interceptor_free.localalias.0
==6397==ABORTING
fish@ubuntu:~/Desktop/dumb/archive/recutils-1.8$ gdb -q --args ./debug/bin/rec2csv data/double-free-poc-1
gef➤ bt
#0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff727a801 in __GI_abort () at abort.c:79
#2 0x00007ffff72c3897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff73f0b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff72ca90a in malloc_printerr (str=str@entry=0x7ffff73f2828 "double free or corruption (fasttop)") at malloc.c:5350
#4 0x00007ffff72d2004 in _int_free (have_lock=0x0, p=0x55555577c300, av=0x7ffff7625c40 <main_arena>) at malloc.c:4230
#5 __GI___libc_free (mem=0x55555577c310) at malloc.c:3124
#6 0x00007ffff7b76792 in rec_comment_destroy (comment=0x55555577c310 " \302wUUU") at rec-comment.c:49
#7 0x00007ffff7b79e51 in rec_rset_comment_disp_fn (data=0x55555577c310) at rec-rset.c:1031
#8 0x00007ffff7b75a93 in rec_mset_elem_destroy (elem=0x55555579ca30) at rec-mset.c:905
#9 0x00007ffff7b75844 in rec_mset_elem_dispose_fn (e=0x55555579ca30) at rec-mset.c:814
#10 0x00007ffff7b92fc0 in gl_array_list_free (list=0x55555579aec0) at gl_array_list.c:436
#11 0x00007ffff7b958f9 in gl_list_free (list=0x55555579aec0) at gl_list.h:760
#12 0x00007ffff7b74381 in rec_mset_destroy (mset=0x55555579ade0) at rec-mset.c:152
#13 0x00007ffff7b78b4d in rec_rset_destroy (rset=0x55555579ad80) at rec-rset.c:263
#14 0x00007ffff7b7eca5 in rec_parse_rset (parser=0x55555579ad30, rset=0x7fffffffdbc0) at rec-parser.c:612
#15 0x00005555555586cf in recutl_parse_db_from_file (in=0x555555798330, file_name=0x7fffffffe19d "data/double-free-poc-1", db=0x55555577bc30) at recutl.c:246
#16 0x00005555555587fc in recutl_build_db (argc=0x2, argv=0x7fffffffdda8) at recutl.c:332
#17 0x000055555555996d in main (argc=0x2, argv=0x7fffffffdda8) at rec2csv.c:342
- There is a null-pointer-dereference problem in function rec_fex_size() in file src/rec-fex.c.
fish@ubuntu:~/Desktop/dumb/archive/recutils-1.8$ ./debug/bin/rec2csv data/null-pointer-dereference-poc-2 Segmentation fault (core dumped)
ASAN:DEADLYSIGNAL
=================================================================
==6373==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fef5bfd18d2 bp 0x7ffddef54bf0 sp 0x7ffddef54890 T0)
==6373==The signal is caused by a READ memory access.
==6373==Hint: address points to the zero page.
#0 0x7fef5bfd18d1 in rec_fex_size /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-fex.c:257:15
#1 0x7fef5bf89df4 in rec_rset_update_field_props /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-rset.c:1243:31
#2 0x7fef5bf88b85 in rec_rset_set_descriptor /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-rset.c:354:3
#3 0x7fef5bfa0f02 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:578:23
#4 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#5 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
#6 0x509204 in main /home/fish/Desktop/dumb/archive/recutils-1.8/utils/rec2csv.c:342:8
#7 0x7fef5ae0fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#8 0x41e759 in _start (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x41e759)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-fex.c:257:15 in rec_fex_size
==6373==ABORTING
fish@ubuntu:~/Desktop/dumb/archive/recutils-1.8$ gdb -q --args ./debug/bin/rec2csv data/null-pointer-dereference-poc-2
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:rec-fex.c+257 ]────
252 }
253
254 size_t
255 rec_fex_size (rec_fex_t fex)
256 {
→ 257 return fex->num_elems;
258 }
259
260 rec_fex_elem_t
261 rec_fex_get (rec_fex_t fex,
262 size_t position)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "rec2csv", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x7ffff7b8d46b → Name: rec_fex_size(fex=0x0)
[#1] 0x7ffff7b7a5fb → Name: rec_rset_update_field_props(rset=0x55555579ade0)
[#2] 0x7ffff7b78d83 → Name: rec_rset_set_descriptor(rset=0x55555579ade0, record=0x55555579cb90)
[#3] 0x7ffff7b7ebce → Name: rec_parse_rset(parser=0x55555579ad30, rset=0x7fffffffdb80)
[#4] 0x5555555586cf → Name: recutl_parse_db_from_file(in=0x555555798330, file_name=0x7fffffffe15d "data/null-pointer-dereference-poc-2", db=0x55555577bc30)
[#5] 0x5555555587fc → Name: recutl_build_db(argc=0x2, argv=0x7fffffffdd68)
[#6] 0x55555555996d → Name: main(argc=0x2, argv=0x7fffffffdd68)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x00007ffff7b8d46b in rec_fex_size (fex=0x0) at rec-fex.c:257
257 return fex->num_elems;
gef➤ bt
#0 0x00007ffff7b8d46b in rec_fex_size (fex=0x0) at rec-fex.c:257
#1 0x00007ffff7b7a5fb in rec_rset_update_field_props (rset=0x55555579ade0) at rec-rset.c:1243
#2 0x00007ffff7b78d83 in rec_rset_set_descriptor (rset=0x55555579ade0, record=0x55555579cb90) at rec-rset.c:354
#3 0x00007ffff7b7ebce in rec_parse_rset (parser=0x55555579ad30, rset=0x7fffffffdb80) at rec-parser.c:578
#4 0x00005555555586cf in recutl_parse_db_from_file (in=0x555555798330, file_name=0x7fffffffe15d "data/null-pointer-dereference-poc-2", db=0x55555577bc30) at recutl.c:246
#5 0x00005555555587fc in recutl_build_db (argc=0x2, argv=0x7fffffffdd68) at recutl.c:332
#6 0x000055555555996d in main (argc=0x2, argv=0x7fffffffdd68) at rec2csv.c:342
gef➤ p *fex
Cannot access memory at address 0x0
- There are multiple memory leak problems in recutils-1.8.
fish@ubuntu:~/Desktop/dumb/archive/recutils-1.8$ ASAN_OPTIONS=detect_odr_violation=0 ./fast/bin/rec2csv data/memory-leak-poc-3
data/memory-leak-poc-3: 56: error: expected a record
=================================================================
==8363==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 648 byte(s) in 1 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbafa2c160a in rec_aggregate_reg_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-aggregate.c:117:9
#2 0x7fbaf90f5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbafa2c79e7 in gl_array_nx_create_empty /home/fish/Desktop/dumb/archive/recutils-1.8/lib/gl_array_list.c:60:29
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbafa2c0be5 in rec_buf_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-buf.c:55:9
#2 0x7fbafa286fd2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:549:11
#3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
Direct leak of 5 byte(s) in 1 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbafa264522 in rec_extract_type /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-utils.c:159:18
#2 0x7fbafa272263 in rec_rset_type /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-rset.c:420:17
#3 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
Indirect leak of 624 byte(s) in 3 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbafa25cf82 in rec_mset_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:109:9
#2 0x7fbafa286de2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:560:15
#3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
Indirect leak of 512 byte(s) in 1 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbafa2c0c5a in rec_buf_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-buf.c:61:19
#2 0x7fbafa286fd2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:549:11
#3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
Indirect leak of 256 byte(s) in 4 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbafa2c79e7 in gl_array_nx_create_empty /home/fish/Desktop/dumb/archive/recutils-1.8/lib/gl_array_list.c:60:29
Indirect leak of 208 byte(s) in 1 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbafa25cf82 in rec_mset_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:109:9
#2 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#3 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
Indirect leak of 192 byte(s) in 6 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbafa260c6a in rec_mset_elem_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:882:9
#2 0x7fbafa260c6a in rec_mset_insert_at /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:434
Indirect leak of 192 byte(s) in 3 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbafa268752 in rec_record_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-record.c:81:12
#2 0x7fbafa286de2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:560:15
#3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
Indirect leak of 192 byte(s) in 3 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbafa2675a7 in rec_field_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:103:11
#2 0x7fbafa283dbd in rec_parse_record /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:436:7
#3 0x7fbafa286de2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:560:15
#4 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#5 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
Indirect leak of 88 byte(s) in 1 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbafa26d490 in rec_rset_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-rset.c:169:10
#2 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#3 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
Indirect leak of 69 byte(s) in 3 object(s) allocated from:
#0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
#1 0x7fbafa26b52c in rec_record_set_source /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-record.c:497:20
#2 0x7fbafa286de2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:560:15
#3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
Indirect leak of 69 byte(s) in 3 object(s) allocated from:
#0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
#1 0x7fbafa26829b in rec_field_set_source /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:236:19
#2 0x7fbafa283dbd in rec_parse_record /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:436:7
#3 0x7fbafa286de2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:560:15
#4 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#5 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
Indirect leak of 57 byte(s) in 8 object(s) allocated from:
#0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
#1 0x7fbafa25f867 in rec_mset_register_type /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-mset.c:303:26
Indirect leak of 48 byte(s) in 4 object(s) allocated from:
#0 0x4ce155 in realloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4ce155)
#1 0x7fbafa2c9430 in grow /home/fish/Desktop/dumb/archive/recutils-1.8/lib/gl_array_list.c:261:28
#2 0x7fbafa2c9430 in gl_array_nx_add_last /home/fish/Desktop/dumb/archive/recutils-1.8/lib/gl_array_list.c:294
Indirect leak of 43 byte(s) in 3 object(s) allocated from:
#0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
#1 0x7fbafa26766b in rec_field_set_value /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:93:18
#2 0x7fbafa26766b in rec_field_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:116
Indirect leak of 30 byte(s) in 12 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbaf915c61f in vasprintf /build/glibc-OTsEL5/glibc-2.27/libio/vasprintf.c:73
Indirect leak of 22 byte(s) in 5 object(s) allocated from:
#0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
#1 0x7fbafa2c1f74 in rec_aggregate_reg_add /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-aggregate.c:162:59
#2 0x7fbafa2c1f74 in rec_aggregate_reg_add_standard /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-aggregate.c:193
Indirect leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
#1 0x7fbafa266c79 in rec_comment_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-comment.c:43:10
#2 0x7fbafa286fd2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:549:11
#3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
Indirect leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbafa2be0ba in rec_type_reg_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-types.c:707:9
#2 0x7fbafa286f02 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:578:23
#3 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#4 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
Indirect leak of 14 byte(s) in 3 object(s) allocated from:
#0 0x46e820 in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x46e820)
#1 0x7fbafa2675f4 in rec_field_set_name /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:78:17
#2 0x7fbafa2675f4 in rec_field_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:109
#3 0x7fbafa283dbd in rec_parse_record /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:436:7
#4 0x7fbafa286de2 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:560:15
#5 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#6 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
Indirect leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x4ce155 in realloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4ce155)
#1 0x7fbafa2c8d42 in grow /home/fish/Desktop/dumb/archive/recutils-1.8/lib/gl_array_list.c:261:28
#2 0x7fbafa2c8d42 in gl_array_nx_add_first /home/fish/Desktop/dumb/archive/recutils-1.8/lib/gl_array_list.c:278
Indirect leak of 1 byte(s) in 1 object(s) allocated from:
#0 0x4cdd30 in __interceptor_malloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/rec2csv+0x4cdd30)
#1 0x7fbafa26f05c in rec_rset_update_sex_constraints /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-rset.c:1091:25
#2 0x7fbafa26f05c in rec_rset_set_descriptor /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-rset.c:356
#3 0x7fbafa286f02 in rec_parse_rset /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-parser.c:578:23
#4 0x506d81 in recutl_parse_db_from_file /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:246:10
#5 0x5073fe in recutl_build_db /home/fish/Desktop/dumb/archive/recutils-1.8/utils/recutl.c:332:20
SUMMARY: AddressSanitizer: 3414 byte(s) leaked in 71 allocation(s).
- There is a null-pointer-dereference problem in function rec_field_set_name() in file src/rec-field.c.
fish@ubuntu:~/Desktop/dumb/archive/recutils-1.8$ ./debug/bin/csv2rec data/null-pointer-dereference-poc-4 Segmentation fault (core dumped)
ASAN:DEADLYSIGNAL
=================================================================
==8402==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8ad54655c7 bp 0x7fff9c74b850 sp 0x7fff9c74afd8 T0)
==8402==The signal is caused by a READ memory access.
==8402==Hint: address points to the zero page.
#0 0x7f8ad54655c6 /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:92
#1 0x46e36f in strdup (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/csv2rec+0x46e36f)
#2 0x7f8ad646a5f4 in rec_field_set_name /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:78:17
#3 0x7f8ad646a5f4 in rec_field_new /home/fish/Desktop/dumb/archive/recutils-1.8/src/rec-field.c:109
#4 0x509aa5 in field_cb /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:264:19
#5 0x57571d in csv_parse /home/fish/Desktop/dumb/archive/recutils-1.8/libcsv/libcsv.c:395:13
#6 0x5090a6 in process_csv /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:374:11
#7 0x5090a6 in main /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:395
#8 0x7f8ad52f8b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#9 0x41e3e9 in _start (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/csv2rec+0x41e3e9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:92
==8402==ABORTING
gef➤ bt
#0 __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:62
#1 0x00007ffff72d79ae in __GI___strdup (s=0x0) at strdup.c:41
#2 0x00007ffff7b76a12 in rec_field_set_name (field=0x5555557a1a50, name=0x0) at rec-field.c:78
#3 0x00007ffff7b76ac8 in rec_field_new (name=0x0, value=0x55555577db10 "e\350\003\"\"") at rec-field.c:109
#4 0x0000555555559195 in field_cb (s=0x55555579ba60, len=0x5, data=0x7fffffffd790) at csv2rec.c:264
#5 0x0000555555573a09 in csv_parse (p=0x7fffffffd7d0, s=0x7fffffffd830, len=0x9a, cb1=0x555555558f2c <field_cb>, cb2=0x5555555591e2 <record_cb>, data=0x7fffffffd790) at libcsv.c:395
#6 0x00005555555594ce in process_csv () at csv2rec.c:374
#7 0x000055555555959a in main (argc=0x2, argv=0x7fffffffdd78) at csv2rec.c:395
gef➤ p field->name
$1 = 0x0
- There is a heap-buffer-overflow problem in function field_cb() in file utils/csv2rec.c.
fish@ubuntu:~/Desktop/dumb/archive/recutils-1.8$ ./debug/bin/csv2rec data/heap-buffer-overflow-poc-5 Segmentation fault (core dumped)
=================================================================
==8780==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001f280 at pc 0x000000509c79 bp 0x7ffdc361ebd0 sp 0x7ffdc361ebc8
READ of size 8 at 0x61d00001f280 thread T0
#0 0x509c78 in field_cb /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:264:34
#1 0x57521e in csv_parse /home/fish/Desktop/dumb/archive/recutils-1.8/libcsv/libcsv.c:361:11
#2 0x5090a6 in process_csv /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:374:11
#3 0x5090a6 in main /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:395
#4 0x7ff3e2d38b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#5 0x41e3e9 in _start (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/csv2rec+0x41e3e9)
0x61d00001f280 is located 0 bytes to the right of 2048-byte region [0x61d00001ea80,0x61d00001f280)
allocated by thread T0 here:
#0 0x4cdde5 in realloc (/home/fish/Desktop/dumb/archive/recutils-1.8/fast/bin/csv2rec+0x4cdde5)
#1 0x509608 in field_cb /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:214:11
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fish/Desktop/dumb/archive/recutils-1.8/utils/csv2rec.c:264:34 in field_cb
Shadow bytes around the buggy address:
0x0c3a7fffbe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffbe10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffbe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffbe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffbe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffbe50:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffbe60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffbe70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffbe80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffbe90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffbea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8780==ABORTING