Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] double free in _dwarf_exec_frame_instr #132

Closed
kdsjZh opened this issue Aug 27, 2022 · 1 comment
Closed

[BUG] double free in _dwarf_exec_frame_instr #132

kdsjZh opened this issue Aug 27, 2022 · 1 comment

Comments

@kdsjZh
Copy link

kdsjZh commented Aug 27, 2022

Hello, I was testing my fuzzer and found a double free in dwarfdump, _dwarf_exec_frame_instr bug. A double free will be triggered when parsing a crafted file, when running ./dwarfdump -vv -a $POC, as shown in the attachment

Environment

Ubuntu 22.04
gcc 11.2.0
libdwarf latest commit 271cc04

step to reproduce

export CC="gcc -fsanitize=address -g"
./autogen.sh && ./configure --disable-shared && make -j8
./src/bin/dwarfdump/dwarfdump -vv -a $POC

ASan Output

=================================================================
==4097834==ERROR: AddressSanitizer: attempting double-free on 0x60c000000a00 in thread T0:
    #0 0x7fe56d032517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x55c03cd25761 in _dwarf_exec_frame_instr /validate/libdwarf-code/src/lib/libdwarf/dwarf_frame.c:1501
    #2 0x55c03cd2c801 in dwarf_expand_frame_instructions /validate/libdwarf-code/src/lib/libdwarf/dwarf_frame.c:2547
    #3 0x55c03ccd8db4 in print_one_fde /validate/libdwarf-code/src/bin/dwarfdump/print_frames.c:1356
    #4 0x55c03ccd8db4 in print_all_fdes /validate/libdwarf-code/src/bin/dwarfdump/print_frames.c:2147
    #5 0x55c03ccd8db4 in print_frames /validate/libdwarf-code/src/bin/dwarfdump/print_frames.c:2367
    #6 0x55c03cc8db9a in process_one_file /validate/libdwarf-code/src/bin/dwarfdump/dwarfdump.c:1176
    #7 0x55c03cc782a4 in main /validate/libdwarf-code/src/bin/dwarfdump/dwarfdump.c:503
    #8 0x7fe56cd63d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x7fe56cd63e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #10 0x55c03cc798c4 in _start (/validate/libdwarf-code/src/bin/dwarfdump/dwarfdump+0x618c4)

0x60c000000a00 is located 0 bytes inside of 128-byte region [0x60c000000a00,0x60c000000a80)
freed by thread T0 here:
    #0 0x7fe56d032517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x55c03cd257b3 in _dwarf_free_dfi_list /validate/libdwarf-code/src/lib/libdwarf/dwarf_frame.c:225
    #2 0x55c03cd257b3 in _dwarf_exec_frame_instr /validate/libdwarf-code/src/lib/libdwarf/dwarf_frame.c:1501

previously allocated by thread T0 here:
    #0 0x7fe56d032a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x55c03cd21dc2 in _dwarf_exec_frame_instr /validate/libdwarf-code/src/lib/libdwarf/dwarf_frame.c:447

SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 in __interceptor_free
==4097834==ABORTING

POC

poc.zip

Credit

Han Zheng (NCNIPC of China, Hexhive)
@davea42
Copy link
Owner

davea42 commented Aug 29, 2022

Yes, you are corrrect.
Thanks for the report and the fuzzed object file inside poc.zip.
I assigned this libdwarf vulnerability DW202208-001 and have
pushed the one-line (important) fix to github.
Closing this because it is fixed.
Thanks again for the report.

@davea42 davea42 closed this as completed Aug 29, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@davea42 @kdsjZh