Closed
Description
System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, lrzip (latest master 465afe8)
I think it is probably due to an incomplete fix of #164 (incomplete patch)
Compile Command:
$ chmod a+x mkinstalldirs
$ make distclean
$ ./autogen.sh
$ mkdir -p build/bin
$ CC="gcc -fsanitize=address -fno-omit-frame-pointer -g" CXX="g++ -fsanitize=address -fno-omit-frame-pointer -g" ./configure --enable-static-bin --disable-shared
$ make -j
Run Command:
$ lrzip -t $POC
POC file:
https://github.com/Clingto/POC/blob/master/MSA/lrzip/lrzip-602-ucompthread-UAF
https://github.com/Clingto/POC/blob/master/MSA/lrzip/uaf-110-561
https://github.com/Clingto/POC/blob/master/MSA/lrzip/uaf-147-449
ASAN info:
==17630==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b00001f200 at pc 0x000000420cbf bp 0x7f61990fdd60 sp 0x7f61990fdd50
READ of size 1 at 0x61b00001f200 thread T3
#0 0x420cbe in ucompthread test/lrzip-uaf/git/build_asan/stream.c:1538
#1 0x7f619cddf6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#2 0x7f619c27441c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
0x61b00001f200 is located 128 bytes inside of 1632-byte region [0x61b00001f180,0x61b00001f7e0)
freed by thread T0 here:
#0 0x7f619d8f12ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x41d2ca in clear_rulist test/lrzip-uaf/git/build_asan/runzip.c:255
#2 0x41d2ca in runzip_chunk test/lrzip-uaf/git/build_asan/runzip.c:383
#3 0x41d2ca in runzip_fd test/lrzip-uaf/git/build_asan/runzip.c:403
previously allocated by thread T0 here:
#0 0x7f619d8f179a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x425afd in open_stream_in test/lrzip-uaf/git/build_asan/stream.c:1083
Thread T3 created by T0 here:
#0 0x7f619d88f253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x420df4 in create_pthread test/lrzip-uaf/git/build_asan/stream.c:125
SUMMARY: AddressSanitizer: heap-use-after-free test/lrzip-uaf/git/build_asan/stream.c:1538 ucompthread
Shadow bytes around the buggy address:
0x0c367fffbdf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbe00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbe10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbe20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbe30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c367fffbe40:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fffbe50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fffbe60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fffbe70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fffbe80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fffbe90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==17630==ABORTING
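Added example (not lrzip's code and not part of the report above): a standalone C program that reproduces the thread-lifetime ordering the ASAN trace shows, namely the main thread (T0) freeing a calloc'ed per-stream block in its teardown path while the worker thread (T3) created for that stream is still reading it. The names stream_info, open_stream_sim, ucompthread_sim, teardown_unsafe and teardown_safe are hypothetical stand-ins for the lrzip functions named in the trace, the 1632-byte size is taken from the trace, and the byte pattern and checksum are constructed for the demo; nothing here claims to be the actual cause in lrzip. Build with `gcc -g -fsanitize=address -pthread` and run with the argument `unsafe` to get the same heap-use-after-free report shape; without an argument it runs the hardened ordering (join before free).

```c
/* Added example, not lrzip's code: free-before-join versus join-before-free
 * for a per-stream block shared with a worker thread.  All names below are
 * hypothetical stand-ins for the lrzip functions in the ASAN trace. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Per-stream state handed to a worker thread.  The size mirrors the
 * 1632-byte region the trace shows being calloc'ed in open_stream_in. */
struct stream_info {
    unsigned char buf[1632];
    size_t len;
    uint32_t sum;          /* written by the worker, read by the owner */
};

/* Stand-in for open_stream_in: allocates and fills the stream state with a
 * constructed byte pattern so the worker has something deterministic to read. */
static struct stream_info *open_stream_sim(void)
{
    struct stream_info *si = calloc(1, sizeof *si);
    if (!si)
        return NULL;
    si->len = sizeof si->buf;
    for (size_t i = 0; i < si->len; i++)
        si->buf[i] = (unsigned char)(i * 7);
    return si;
}

/* Stand-in for ucompthread: reads every byte of the stream (the READ of size 1
 * at stream.c:1538 in the trace).  The sleep widens the race window so the
 * owner's free() reliably lands before the read when the ordering is wrong. */
static void *ucompthread_sim(void *arg)
{
    struct stream_info *si = arg;
    usleep(20000);
    uint32_t s = 0;
    for (size_t i = 0; i < si->len; i++)
        s = s * 31 + si->buf[i];
    si->sum = s;
    return NULL;
}

/* Wrong ordering, matching the trace: the owner frees the stream state (as
 * clear_rulist does from runzip_chunk) while the worker it created is still
 * running.  Under ASAN this produces a heap-use-after-free in ucompthread_sim. */
static int teardown_unsafe(struct stream_info *si, pthread_t tid)
{
    free(si);                  /* T0 frees the block ... */
    pthread_join(tid, NULL);   /* ... while T3 is still inside the worker */
    return 0;
}

/* Correct ordering: every teardown path, including error returns, must join
 * (or otherwise wait for) the worker before freeing what it shares. */
static int teardown_safe(struct stream_info *si, pthread_t tid, uint32_t *sum_out)
{
    pthread_join(tid, NULL);
    *sum_out = si->sum;
    free(si);
    return 0;
}

/* Runs one stream through a worker.  safe != 0 joins before freeing and
 * returns the worker's checksum in *sum_out; returns -1 on setup failure. */
static int run_stream(int safe, uint32_t *sum_out)
{
    struct stream_info *si = open_stream_sim();
    if (!si)
        return -1;
    pthread_t tid;
    if (pthread_create(&tid, NULL, ucompthread_sim, si) != 0) {
        free(si);
        return -1;
    }
    if (safe)
        return teardown_safe(si, tid, sum_out);
    return teardown_unsafe(si, tid);
}

/* Same checksum computed without threads, for checking the safe path. */
static uint32_t expected_sum(void)
{
    uint32_t s = 0;
    for (size_t i = 0; i < 1632; i++)
        s = s * 31 + (unsigned char)(i * 7);
    return s;
}

int main(int argc, char **argv)
{
    int safe = !(argc > 1 && strcmp(argv[1], "unsafe") == 0);
    uint32_t sum = 0;
    if (run_stream(safe, &sum) != 0) {
        perror("run_stream");
        return 1;
    }
    if (safe)
        printf("joined before free: sum=%08x expected=%08x\n", sum, expected_sum());
    else
        printf("freed before join: finished, but the worker read freed memory\n");
    return 0;
}
```

The fix direction this illustrates is the one the trace points at: the owner thread's teardown must not free state that an outstanding worker still references, so any early-exit path in the chunk loop has to join or cancel the threads it spawned first. Joining after free, as teardown_unsafe does, does not help; the read has already happened on freed memory by the time the join returns.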