
Double free via TNEFSubjectHandler #85

Closed
jasperla opened this issue Jan 30, 2021 · 1 comment · Fixed by #87

jasperla commented Jan 30, 2021

While there seem to be many checks which ought to prevent various memory corruption situations, it seems there's a double free that can still be triggered as of ecc9d87. With ASAN and some crafted input:

=================================================================
==2678633==ERROR: AddressSanitizer: attempting double-free on 0x6020000000d0 in thread T0:
    #0 0x4991ad in free (/home/kali/ytnef/ytnef/.libs/ytnef+0x4991ad)
    #1 0x7f0741856e4c in TNEFFree /home/kali/ytnef/lib/ytnef.c:979:3
    #2 0x4c934b in main /home/kali/ytnef/ytnef/main.c:146:5
    #3 0x7f07414f9d09 in __libc_start_main csu/../csu/libc-start.c:308:16
    #4 0x41f3b9 in _start (/home/kali/ytnef/ytnef/.libs/ytnef+0x41f3b9)

0x6020000000d0 is located 0 bytes inside of 2-byte region [0x6020000000d0,0x6020000000d2)
freed by thread T0 here:
    #0 0x4991ad in free (/home/kali/ytnef/ytnef/.libs/ytnef+0x4991ad)
    #1 0x7f074184d701 in TNEFSubjectHandler /home/kali/ytnef/lib/ytnef.c:306:5
    #2 0x7f07418590fb in TNEFParseFile /home/kali/ytnef/lib/ytnef.c:1075:10
    #3 0x4c958a in main /home/kali/ytnef/ytnef/main.c:140:9
    #4 0x7f07414f9d09 in __libc_start_main csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4995a2 in calloc (/home/kali/ytnef/ytnef/.libs/ytnef+0x4995a2)
    #1 0x7f074184d740 in TNEFSubjectHandler /home/kali/ytnef/lib/ytnef.c:310:24
    #2 0x7f07418590fb in TNEFParseFile /home/kali/ytnef/lib/ytnef.c:1075:10
    #3 0x4c958a in main /home/kali/ytnef/ytnef/main.c:140:9
    #4 0x7f07414f9d09 in __libc_start_main csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: double-free (/home/kali/ytnef/ytnef/.libs/ytnef+0x4991ad) in free
==2678633==ABORTING

Manually instrumenting the code shows that indeed the same memory is freed twice:

=> TNEFSubjectHandler: freeing TNEF->subect.data (1 byte(s)) at 0x559159ed65a0
ERROR: invalid alloc size 255 at ytnef.c : 309, suspected corruption (exceeded 100 bytes)
=> TNEFFree: freeing memory at 0x559159ed65a0 of 1 byte(s)
double free or corruption (fasttop)

I have attached a minimal reproducer of this crash: doublefree.zip

ohwgiles added a commit to ohwgiles/ytnef that referenced this issue Jan 31, 2021
If TNEFSubjectHandler is called multiple times, but the last time
failed due to the PREALLOCCHECK, the subject.data member will be
a freed, but invalid pointer. To prevent a double-free next time
TNEFSubjectHandler is entered, set it to zero after freeing.

Resolves: Yeraze#85
Reported-by: jasperla
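The pattern the commit message describes, as an added C example that is not ytnef's own code: a subject handler that frees the previous subject, then rejects the new one on a size check and returns before the pointer is reset, leaving a dangling pointer for the final teardown to free again. The struct layout, the MAX_SUBJECT limit standing in for PREALLOCCHECK, the tracked_alloc/tracked_free helpers (a stand-in for AddressSanitizer's double-free detection), subject_handler and replay are all assumptions of this example; the two inputs (a 2-byte subject followed by a 255-byte one, the sizes that appear in the reporter's instrumented log) are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBJECT 100   /* hypothetical limit playing the role of PREALLOCCHECK */
#define MAX_LIVE 16

typedef struct { char *data; size_t size; } Attr;
typedef struct { Attr subject; } Tnef;   /* simplified model, not ytnef's TNEFStruct */

/* Tiny free-tracker standing in for ASAN: a block is "live" between
 * tracked_alloc and the first tracked_free; a second free of the same
 * block is counted instead of being passed to libc, so the program
 * does not actually corrupt its heap while demonstrating the bug. */
static void *live[MAX_LIVE];
static int double_frees;

static void *tracked_alloc(size_t n) {
    void *p = calloc(n, 1);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;   /* pointer is not live: this is the double free */
}

/* Handler for a subject attribute. With fixed == 0 it mirrors the bug:
 * the old subject is freed, but a failed size check returns before a
 * new allocation replaces the dangling pointer. With fixed == 1 the
 * pointer is zeroed right after the free, which is the one-line fix. */
static int subject_handler(Tnef *t, const unsigned char *buf, size_t size, int fixed) {
    if (t->subject.data) {
        tracked_free(t->subject.data);
        if (fixed) t->subject.data = NULL;
    }
    if (size > MAX_SUBJECT) return -1;        /* PREALLOCCHECK-style rejection */
    t->subject.data = tracked_alloc(size + 1);
    if (!t->subject.data) return -1;
    memcpy(t->subject.data, buf, size);
    t->subject.size = size;
    return 0;
}

/* Teardown, like TNEFFree: releases whatever the struct still points at. */
static void tnef_free(Tnef *t) {
    tracked_free(t->subject.data);
    t->subject.data = NULL;
}

/* Replays the crash: a valid subject, then an oversize one, then teardown.
 * Returns how many double frees the tracker observed (1 unfixed, 0 fixed). */
int replay(int fixed) {
    Tnef t = { { NULL, 0 } };
    static const unsigned char good[] = "hi";        /* constructed 2-byte subject */
    static unsigned char big[255];                   /* constructed oversize subject */
    memset(big, 'A', sizeof big);
    memset(live, 0, sizeof live);
    double_frees = 0;

    subject_handler(&t, good, 2, fixed);             /* allocates subject.data */
    subject_handler(&t, big, sizeof big, fixed);     /* frees it, then fails the check */
    tnef_free(&t);                                   /* frees the dangling pointer again */
    return double_frees;
}

int main(void) {
    printf("unfixed: %d double free(s)\n", replay(0));
    printf("fixed:   %d double free(s)\n", replay(1));
    return 0;
}
```

The fix works because free() on NULL is a no-op, so once the handler zeroes the pointer every later path (another handler call or the final teardown) is safe regardless of whether the allocation that follows succeeded; the general rule is that any error return between a free and the reassignment of the same field must leave that field NULL.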

carnil commented Feb 10, 2021

This issue appears to have been assigned CVE-2021-3403
