Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
GitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
doh: memory leak in conjunction with proxy use #4463
I am running a modified version of the existing TLV http fuzzer (available here: https://github.com/pauldreik/curl-fuzzer/tree/paul/localfuzz_public0/intree_fuzzer/src/networkfuzzers).
The fuzzer sets the following options:
The fuzzer (server) replies with the following garbage (the snipped tail is probably irrelevant):
and I get a leak report at the bottom of the message.
This reproduces well (tested two different machines, several times).
To reproduce, build the fuzzers according to https://github.com/pauldreik/curl-fuzzer/tree/paul/localfuzz_public0/intree_fuzzer#building and run (the provoking file is base64 encoded in the bottom of this report)
The test case file (läcka):
I got blocked by this when trying to get the fuzzers running again. Here is a smaller testcase, as displayed by (a modified version of) read_corpus.py:
Here is the base64 encoded data:
Any modification of the following makes it not reproduce:
I guess it is not a coincidence that 127.0.1.127 is also set in https://github.com/pauldreik/curl-fuzzer/blob/c602bc13788fa88b7f93933b4e996aa1045c9dfd/curl_fuzzer.cc#L161
Any modification of the following, still reproduces the leak:
Hopefully that can assist in explaining this. I tried to understand where to clean up the doh structure, but I failed. I guess all this is related to to some reuse, and the old doh data structure is not cleared before settting a new one. Or something along those lines.
I need to pass on sanitize options to my linker as well so I had to do this patch (I'll submit a fix for the leak in a minute):
diff --git a/intree_fuzzer/scripts/build.sh b/intree_fuzzer/scripts/build.sh index 871986f..fba2e02 100755 --- a/intree_fuzzer/scripts/build.sh +++ b/intree_fuzzer/scripts/build.sh @@ -73,11 +73,11 @@ case $tcname in ;; clang6-asan-ubsan) export CC=clang-6.0 CXX=clang++-6.0 CFLAGS="-fsanitize=address,undefined" CXXFLAGS="-fsanitize=address,undefined" ;; clang7-asan-ubsan) - export CC=clang-7 CXX=clang++-7 CFLAGS="-fsanitize=address,undefined" CXXFLAGS="-fsanitize=address,undefined" + export CC=clang-7 CXX=clang++-7 CFLAGS="-fsanitize=address,undefined" CXXFLAGS="-fsanitize=address,undefined" LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=undefined,integer" ;; clang8-asan-ubsan) export CC=clang-8 CXX=clang++-8 CFLAGS="-fsanitize=address,undefined" CXXFLAGS="-fsanitize=address,undefined" ;; clang7-asan-ubsan-O3)
Thanks for the fix! It fixes the leak, but unfortunately it introduces a use after free. Here is the use after free test case base64 encoded:
Hmm your build script change looks obviously needed, how can the build have worked for me? I use Debian Buster, were you use Debian testing for this test?
... or risk DoH memory leaks. Reported-by: Paul Dreik Fixes #4463