
Heap use after free detected #125

Open
fCorleone opened this Issue Jul 24, 2018 · 0 comments

fCorleone commented Jul 24, 2018

When I ran the program pattern, an issue occurred; it's a heap use-after-free issue.
Details:

=================================================================
==16823==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000002219 at pc 0x7f115cdc32d5 bp 0x7ffc43fae170 sp 0x7ffc43fad918
READ of size 16 at 0x619000002219 thread T0
    #0 0x7f115cdc32d4  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x472d4)
    #1 0x41f8f4 in _pbcM_sp_query src/map.c:391
    #2 0x417e53 in _pbcP_get_message src/proto.c:21
    #3 0x4131fa in pbc_pattern_new src/pattern.c:1070
    #4 0x402b8a in main ../test/pattern.c:149
    #5 0x7f115c9d282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x401678 in _start (/home/mfc_fuzz/pbc/build/pattern+0x401678)

0x619000002219 is located 921 bytes inside of 1032-byte region [0x619000001e80,0x619000002288)
freed by thread T0 here:
    #0 0x7f115ce142ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x4210d2 in _pbcM_free src/alloc.c:14
    #2 0x42151e in _pbcH_delete src/alloc.c:55
    #3 0x4268b3 in pbc_rmessage_delete src/rmessage.c:333
    #4 0x41778f in pbc_register src/register.c:337
    #5 0x402b43 in main ../test/pattern.c:145
    #6 0x7f115c9d282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f115ce14602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42102e in _pbcM_malloc src/alloc.c:8
    #2 0x4216dc in _pbcH_alloc src/alloc.c:70
    #3 0x4227ff in read_string src/rmessage.c:53
    #4 0x4237b7 in read_value src/rmessage.c:140
    #5 0x425da7 in _pbc_rmessage_new src/rmessage.c:297
    #6 0x424b6f in push_value_array src/rmessage.c:228
    #7 0x425ba2 in _pbc_rmessage_new src/rmessage.c:290
    #8 0x424b6f in push_value_array src/rmessage.c:228
    #9 0x425ba2 in _pbc_rmessage_new src/rmessage.c:290
    #10 0x424b6f in push_value_array src/rmessage.c:228
    #11 0x425ba2 in _pbc_rmessage_new src/rmessage.c:290
    #12 0x4265a6 in pbc_rmessage_new src/rmessage.c:319
    #13 0x41734e in pbc_register src/register.c:307
    #14 0x402b43 in main ../test/pattern.c:145
    #15 0x7f115c9d282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c327fff83f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8410: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c327fff8440: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8450: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==16823==ABORTING

The command line I used is just: ./pattern testcase.
The testcase of this issue has been put at: https://github.com/fCorleone/fuzz_programs/blob/master/pbc/testcase3
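The report above carries the three facts a triager needs (the faulting access, the free site, the allocation site) plus region geometry and the shadow byte, but they are spread over eighty lines. The following is an added example, not code from the pbc project or from the issue author: a small parser that pulls those facts out of the ASan text, cross-checks them (the access address must equal the region base plus the reported offset, the region length must match, and the bracketed shadow byte must decode to "Freed heap region" in the legend), and names the public pbc call on each side of the lifetime so the alloc -> free -> use sequence is visible at a glance. The sample input is an excerpt of the report quoted in the issue; the only assumption is the standard layout of an AddressSanitizer report.

```python
"""Triage helper for an AddressSanitizer heap-use-after-free report (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: an excerpt of the ASan report posted in the issue above
# (some intermediate allocation frames dropped; the parser does not need them).
ASAN_REPORT = """\
==16823==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000002219 at pc 0x7f115cdc32d5 bp 0x7ffc43fae170 sp 0x7ffc43fad918
READ of size 16 at 0x619000002219 thread T0
    #0 0x7f115cdc32d4  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x472d4)
    #1 0x41f8f4 in _pbcM_sp_query src/map.c:391
    #2 0x417e53 in _pbcP_get_message src/proto.c:21
    #3 0x4131fa in pbc_pattern_new src/pattern.c:1070
    #4 0x402b8a in main ../test/pattern.c:149
    #5 0x7f115c9d282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

0x619000002219 is located 921 bytes inside of 1032-byte region [0x619000001e80,0x619000002288)
freed by thread T0 here:
    #0 0x7f115ce142ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x4210d2 in _pbcM_free src/alloc.c:14
    #2 0x42151e in _pbcH_delete src/alloc.c:55
    #3 0x4268b3 in pbc_rmessage_delete src/rmessage.c:333
    #4 0x41778f in pbc_register src/register.c:337
    #5 0x402b43 in main ../test/pattern.c:145

previously allocated by thread T0 here:
    #0 0x7f115ce14602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42102e in _pbcM_malloc src/alloc.c:8
    #2 0x4216dc in _pbcH_alloc src/alloc.c:70
    #3 0x4227ff in read_string src/rmessage.c:53
    #12 0x4265a6 in pbc_rmessage_new src/rmessage.c:319
    #13 0x41734e in pbc_register src/register.c:307
    #14 0x402b43 in main ../test/pattern.c:145

Shadow bytes around the buggy address:
=>0x0c327fff8440: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8450: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Heap left redzone:       fa
  Freed heap region:       fd
==16823==ABORTING
"""

@dataclass
class Frame:
    index: int
    func: Optional[str]
    where: str  # "file:line" for symbolised project code, "(module+offset)" otherwise

    @property
    def in_project(self) -> bool:
        return self.func is not None and not self.where.startswith("(")

@dataclass
class Report:
    kind: str = ""
    address: int = 0
    access: str = ""
    size: int = 0
    offset: int = -1
    region_size: int = 0
    region: tuple = (0, 0)
    stacks: dict = field(default_factory=lambda: {"access": [], "free": [], "alloc": []})
    shadow_byte: str = ""
    legend: dict = field(default_factory=dict)

FRAME = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+(?:in\s+(\S+)\s+)?(\S+)\s*$")
ERROR = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at")
REGION = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
CURSOR = re.compile(r"^=>.*\[([0-9a-f]{2})\]")
LEGEND = re.compile(r"^\s+([A-Za-z][^:]*):\s+([0-9a-f]{2}(?:\s+[0-9a-f]{2})*)\s*$")

def parse(text: str) -> Report:
    r = Report()
    section = None      # which stack ("access"/"free"/"alloc") frame lines belong to
    in_legend = False   # everything after "Shadow byte legend" is the code table
    for line in text.splitlines():
        if in_legend:
            if (m := LEGEND.match(line)):
                for code in m.group(2).split():
                    r.legend[code] = m.group(1).strip()
            continue
        if (m := ERROR.search(line)):
            r.kind, r.address = m.group(1), int(m.group(2), 16)
        elif (m := ACCESS.match(line)):
            r.access, r.size, section = m.group(1), int(m.group(2)), "access"
        elif (m := REGION.search(line)):
            r.offset, r.region_size = int(m.group(1)), int(m.group(2))
            r.region = (int(m.group(3), 16), int(m.group(4), 16))
        elif line.startswith("freed by"):
            section = "free"
        elif line.startswith("previously allocated by"):
            section = "alloc"
        elif (m := CURSOR.match(line)):
            r.shadow_byte = m.group(1)
        elif line.startswith("Shadow byte legend"):
            in_legend = True
        elif (m := FRAME.match(line)) and section:
            r.stacks[section].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return r

def api_entry(frames) -> Optional[Frame]:
    """Outermost library frame directly below main(): the public call the bug surfaces through."""
    project = [f for f in frames if f.in_project]
    for i, f in enumerate(project):
        if f.func == "main":
            return project[i - 1] if i > 0 else None
    return project[-1] if project else None

def triage(text: str) -> dict:
    r = parse(text)
    lo, hi = r.region
    use = next((f for f in r.stacks["access"] if f.in_project), None)
    return {
        "kind": r.kind,
        "access": f"{r.access} {r.size}",
        "offset_consistent": lo + r.offset == r.address,   # base + offset == faulting address
        "region_consistent": hi - lo == r.region_size,      # [lo,hi) really spans the stated size
        "shadow_class": r.legend.get(r.shadow_byte, "unknown"),
        "use_site": use.where if use else None,
        "use_api": (api_entry(r.stacks["access"]) or Frame(0, None, "")).func,
        "free_api": (api_entry(r.stacks["free"]) or Frame(0, None, "")).func,
        "alloc_api": (api_entry(r.stacks["alloc"]) or Frame(0, None, "")).func,
    }

if __name__ == "__main__":
    for k, v in triage(ASAN_REPORT).items():
        print(f"{k:>20}: {v}")
```

On this report the two consistency checks pass, the cursor byte decodes to a freed heap region, and the entry points line up as allocation and free both inside `pbc_register` (the message is built by `pbc_rmessage_new` and torn down by `pbc_rmessage_delete` before that call returns) with the read happening later from `pbc_pattern_new` via `_pbcP_get_message`, which is the lifetime mismatch a fix has to address.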
