Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AddressSanitizer: 1 memory leaks of fill_buffer() #198

Closed
Clingto opened this issue May 19, 2021 · 3 comments
Closed

AddressSanitizer: 1 memory leaks of fill_buffer() #198

Clingto opened this issue May 19, 2021 · 3 comments

Comments

@Clingto
Copy link

Clingto commented May 19, 2021

System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, lrzip (latest master 465afe8)
Compile Command:

$ chmod a+x mkinstalldirs
make distclean
./autogen.sh

mkdir -p build/bin
CC="gcc -fsanitize=address -fno-omit-frame-pointer -g" CXX="g++ -fsanitize=address -fno-omit-frame-pointer -g" ./configure --enable-static-bin --disable-shared
make -j

Run Command:

$ lrzip -t $POC

POC file:
https://github.com/Clingto/POC/blob/master/MSA/lrzip/lrzip-561-fill_buffer-memory-leak

ASAN info:

Failed to decompress buffer - lzmaerr=1
Invalid data compressed len 1285 uncompressed 1285 last_head 1285
No such file or directory

=================================================================
==21958==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7fdb9148d602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42790f in fill_buffer  test/lrzip-uaf/git/build_asan/stream.c:1706
    #2 0x42790f in read_stream  test/lrzip-uaf/git/build_asan/stream.c:1799

SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).
@ckolivas
Copy link
Owner

Unable to reproduce on latest master.

@Clingto
Copy link
Author

Clingto commented Jul 23, 2022

Unable to reproduce on latest master.
It seems that I can still reproduce the issue in lrzip (master 465afe8 and the latest 7bd6253)

Decompressing...
Failed to decompress buffer - lzmaerr=1
Invalid data compressed len 1285 uncompressed 1285 last_head 1285
No such file or directory
Fatal error - exiting
Failed to decompress buffer - lzerr=-6

=================================================================
==15175==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 2 object(s) allocated from:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42978b in fill_buffer test_cve/lrzip-latest/SRC_asan/stream.c:1719
    #2 0x42978b in read_stream test_cve/lrzip-latest/SRC_asan/stream.c:1812
    #3 0x41e1d6 in unzip_literal test_cve/lrzip-latest/SRC_asan/runzip.c:162
    #4 0x41e1d6 in runzip_chunk test_cve/lrzip-latest/SRC_asan/runzip.c:325
    #5 0x41e1d6 in runzip_fdtest_cve/lrzip-latest/SRC_asan/runzip.c:387
    #6 0x40e86a in decompress_file test_cve/lrzip-latest/SRC_asan/lrzip.c:951
    #7 0x4059ac in main test_cve/lrzip-latest/SRC_asan/main.c:720
    #8 0x7ffff579e83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: 48 byte(s) leaked in 2 allocation(s).

@ffontaine
Copy link
Contributor

FYI, this issue has been assigned CVE-2021-33451

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants