heap-use-after-free with ASAN in mp42ts #937

Open
zhangteng0526 opened this issue Mar 24, 2024 · 0 comments
zhangteng0526 commented Mar 24, 2024

Dear Bento4 developers, I used AFL++ to fuzz test Bento4 and found some problems.
Here is some output from the program built with ASan:

BUG1

=================================================================
==2611989==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000010 at pc 0x0000004d43d9 bp 0x7fff45dd24e0 sp 0x7fff45dd24d8
READ of size 8 at 0x604000000010 thread T0
    #0 0x4d43d8 in AP4_SubStream::~AP4_SubStream() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ByteStream.cpp:428:17
    #1 0x4d43d8 in AP4_SubStream::~AP4_SubStream() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ByteStream.cpp:427:1
    #2 0x5840b0 in AP4_DataAtom::~AP4_DataAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/MetaData/Ap4MetaData.cpp:1454:5
    #3 0x5840b0 in AP4_DataAtom::~AP4_DataAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/MetaData/Ap4MetaData.cpp:1453:1
    #4 0x59b000 in AP4_List<AP4_Atom>::DeleteReferences() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4List.h:476:9
    #5 0x59b000 in AP4_AtomParent::~AP4_AtomParent() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:516:16
    #6 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #7 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #8 0x59b000 in AP4_List<AP4_Atom>::DeleteReferences() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4List.h:476:9
    #9 0x59b000 in AP4_AtomParent::~AP4_AtomParent() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:516:16
    #10 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #11 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #12 0x59b000 in AP4_List<AP4_Atom>::DeleteReferences() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4List.h:476:9
    #13 0x59b000 in AP4_AtomParent::~AP4_AtomParent() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:516:16
    #14 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #15 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #16 0x59b000 in AP4_List<AP4_Atom>::DeleteReferences() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4List.h:476:9
    #17 0x59b000 in AP4_AtomParent::~AP4_AtomParent() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:516:16
    #18 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #19 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #20 0x59b000 in AP4_List<AP4_Atom>::DeleteReferences() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4List.h:476:9
    #21 0x59b000 in AP4_AtomParent::~AP4_AtomParent() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:516:16
    #22 0x4df821 in AP4_File::~AP4_File() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4File.cpp:88:1
    #23 0x4df821 in AP4_File::~AP4_File() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4File.cpp:85:1
    #24 0x4c84d5 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:519:9
    #25 0x7f20b83c5082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #26 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x41c8fd)

0x604000000010 is located 0 bytes inside of 48-byte region [0x604000000010,0x604000000040)
freed by thread T0 here:
    #0 0x4c500d in operator delete(void*) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x4c500d)
    #1 0x4c842a in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:518:9
    #2 0x7f20b83c5082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4c47ad in operator new(unsigned long) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x4c47ad)
    #1 0x589178 in AP4_StdcFileByteStream::Create(AP4_FileByteStream*, char const*, AP4_FileByteStream::Mode, AP4_ByteStream*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:279:14

SUMMARY: AddressSanitizer: heap-use-after-free /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ByteStream.cpp:428:17 in AP4_SubStream::~AP4_SubStream()
Shadow bytes around the buggy address:
  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c087fff8000: fa fa[fd]fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8010: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8020: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8030: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8040: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2611989==ABORTING

BUG2

=================================================================
==3677656==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000010 at pc 0x000000598dee bp 0x7ffd22a2a640 sp 0x7ffd22a2a638
READ of size 8 at 0x604000000010 thread T0
    #0 0x598ded in AP4_UnknownAtom::~AP4_UnknownAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:408:25
    #1 0x598ded in AP4_UnknownAtom::~AP4_UnknownAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:405:1
    #2 0x59b000 in AP4_List<AP4_Atom>::DeleteReferences() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4List.h:476:9
    #3 0x59b000 in AP4_AtomParent::~AP4_AtomParent() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:516:16
    #4 0x4df821 in AP4_File::~AP4_File() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4File.cpp:88:1
    #5 0x4df821 in AP4_File::~AP4_File() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4File.cpp:85:1
    #6 0x4c84d5 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:519:9
    #7 0x7f3aff20b082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x41c8fd)

0x604000000010 is located 0 bytes inside of 48-byte region [0x604000000010,0x604000000040)
freed by thread T0 here:
    #0 0x4c500d in operator delete(void*) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x4c500d)
    #1 0x4c842a in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:518:9
    #2 0x7f3aff20b082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4c47ad in operator new(unsigned long) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x4c47ad)
    #1 0x589178 in AP4_StdcFileByteStream::Create(AP4_FileByteStream*, char const*, AP4_FileByteStream::Mode, AP4_ByteStream*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:279:14

SUMMARY: AddressSanitizer: heap-use-after-free /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:408:25 in AP4_UnknownAtom::~AP4_UnknownAtom()
Shadow bytes around the buggy address:
  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c087fff8000: fa fa[fd]fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3677656==ABORTING

BUG3

=================================================================
==3972313==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000002b18 at pc 0x0000004f35b1 bp 0x7fff7428d660 sp 0x7fff7428d658
READ of size 8 at 0x604000002b18 thread T0
    #0 0x4f35b0 in AP4_Sample::GetOffset() const /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Sample.h:99:48
    #1 0x4f35b0 in AP4_LinearReader::Advance(bool) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4LinearReader.cpp:434:54
    #2 0x4f42a2 in AP4_LinearReader::ReadNextSample(unsigned int, AP4_Sample&, AP4_DataBuffer&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4LinearReader.cpp:530:29
    #3 0x4cb0b0 in ReadSample(SampleReader&, AP4_Track&, AP4_Sample&, AP4_DataBuffer&, double&, bool&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:181:32
    #4 0x4cb0b0 in WriteSamples(AP4_Mpeg2TsWriter&, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:306:22
    #5 0x4cb0b0 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:640:14
    #6 0x7fa64720d082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x41c8fd)

0x604000002b18 is located 8 bytes inside of 48-byte region [0x604000002b10,0x604000002b40)
freed by thread T0 here:
    #0 0x4c500d in operator delete(void*) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x4c500d)
    #1 0x4f2dff in AP4_LinearReader::SampleBuffer::~SampleBuffer() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4LinearReader.h:104:26
    #2 0x4f2dff in AP4_LinearReader::Advance(bool) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4LinearReader.cpp:462:17

previously allocated by thread T0 here:
    #0 0x4c47ad in operator new(unsigned long) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x4c47ad)
    #1 0x4f2360 in AP4_LinearReader::Advance(bool) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4LinearReader.cpp:422:41

SUMMARY: AddressSanitizer: heap-use-after-free /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Sample.h:99:48 in AP4_Sample::GetOffset() const
Shadow bytes around the buggy address:
  0x0c087fff8510: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8520: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8530: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8540: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8550: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
=>0x0c087fff8560: fa fa fd[fd]fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8570: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8580: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8590: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c087fff85a0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff85b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3972313==ABORTING

Validation steps

git clone https://github.com/axiomatic-systems/Bento4
cd Bento4/
mkdir check_build && cd check_build
cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
make -j$(nproc)
./mp42ts input /dev/null

Version

Ubuntu 20.04 LTS
Bento v1.6.0-641
master, date: 2024.3.24

Crash input:

poc.zip
poc1.zip
poc2.zip
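The first two traces share one shape: the input byte stream allocated in AP4_StdcFileByteStream::Create is freed by operator delete called from main (Mp42Ts.cpp:518), and on the next line (Mp42Ts.cpp:519) the AP4_File destructor tears down atoms whose AP4_SubStream / AP4_UnknownAtom members still hold that stream and read it. The model below is an added example, not Bento4 code and not anything from this issue's author; the names FileStream, SubStream, File, Run and the Release()/AddReference() reference-counting convention are assumptions made to illustrate the defect class (deleting a shared, reference-counted object directly instead of dropping the owner's reference), and the g_live registry stands in for what ASan's shadow memory tracks, so the "bad" teardown is observed as a counted violation instead of an actual dereference of freed memory.

```cpp
// Added example: model of an ownership bug where the owner deletes a shared,
// reference-counted stream while sub-streams still reference it. Hypothetical
// types; not Bento4's code.
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

// Registry of live heap objects: a stand-in for ASan's shadow memory, so the
// model can detect a dangling reference without dereferencing freed memory.
static std::set<const void*> g_live;

struct RefCounted {
    int refs = 1;                          // creator holds the first reference
    RefCounted() { g_live.insert(this); }
    virtual ~RefCounted() { g_live.erase(this); }
    void AddReference() { ++refs; }
    void Release() { if (--refs == 0) delete this; }
};

// Plays the role of the file byte stream created by the stream factory.
struct FileStream : RefCounted {};

// Plays the role of a sub-stream: it takes a reference on its parent and
// drops it in its destructor (the read that ASan flags in the traces above).
struct SubStream : RefCounted {
    FileStream* parent;
    int* violations;                       // where the model records a UAF
    SubStream(FileStream* p, int* v) : parent(p), violations(v) { p->AddReference(); }
    ~SubStream() override {
        if (g_live.count(static_cast<const RefCounted*>(parent))) {
            parent->Release();             // parent alive: normal path
        } else {
            ++*violations;                 // parent already freed: would be a heap-use-after-free
        }
    }
};

// Plays the role of the parsed file that owns the sub-streams.
struct File {
    std::vector<SubStream*> subs;
    ~File() { for (SubStream* s : subs) s->Release(); }
};

enum class Teardown { DeleteInput, ReleaseInput };

struct Outcome {
    int violations;                        // dangling-parent uses detected
    std::size_t leaked;                    // objects still registered at the end
};

// Builds one stream with two sub-streams, then tears down in the given order.
Outcome Run(Teardown mode) {
    g_live.clear();
    int violations = 0;
    FileStream* input = new FileStream();             // like the stream factory
    File* file = new File();
    file->subs.push_back(new SubStream(input, &violations));
    file->subs.push_back(new SubStream(input, &violations));
    if (mode == Teardown::DeleteInput) {
        delete input;   // bypasses the count: the pattern in the "freed by" frames
        delete file;    // sub-stream destructors now see a freed parent
    } else {
        input->Release();   // owner drops only its own reference
        delete file;        // the last sub-stream release frees the stream
    }
    return Outcome{violations, g_live.size()};
}

int main() {
    Outcome bad = Run(Teardown::DeleteInput);
    Outcome good = Run(Teardown::ReleaseInput);
    std::printf("delete input : %d dangling uses, %zu leaked\n", bad.violations, bad.leaked);
    std::printf("release input: %d dangling uses, %zu leaked\n", good.violations, good.leaked);
    return 0;
}
```

The point of the two runs is that both end with no leaked objects, so a leak checker would not distinguish them; only the destruction order differs, and only a liveness check (ASan in the real build, the registry here) reveals that the first order reads a freed object. Reviewing the teardown in main around the two frames quoted in the traces, with the stream's lifetime tied to its last reference rather than to a bare delete, is the check this model suggests.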
