Heap Use-After-Free Notification when compiling with ASAN on Ubuntu 16 GCC 5.4 #15

Closed
ghost opened this issue May 17, 2019 · 5 comments

@ghost
commented May 17, 2019

Steps to reproduce:

Compile GoHTTP Server (GCC and ASAN flags/LIBS).

screen -S server
cd GoHTTP
./GoHTTP
CTRL-A, D (Detach from session)
screen -S Request
curl 127.0.0.1:$runningport/hi.html
CTRL-A, D
Screen -R server

Dump:
==9215==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000009dc0 at pc 0x7ff1c4d5620b bp 0x7ffe6d5acce0 sp 0x7ffe6d5ac488
READ of size 2 at 0x611000009dc0 thread T0
#0 0x7ff1c4d5620a in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7020a)
#1 0x401d9c in sendHeader (/root/GoHttp/GoHTTP+0x401d9c)
#2 0x4032bc in handleHttpGET (/root/GoHttp/GoHTTP+0x4032bc)
#3 0x4035b7 in receive (/root/GoHttp/GoHTTP+0x4035b7)
#4 0x4037da in handle (/root/GoHttp/GoHTTP+0x4037da)
#5 0x403881 in acceptConnection (/root/GoHttp/GoHTTP+0x403881)
#6 0x4038db in start (/root/GoHttp/GoHTTP+0x4038db)
#7 0x40406d in main (/root/GoHttp/GoHTTP+0x40406d)
#8 0x7ff1c3c2f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x401808 in _start (/root/GoHttp/GoHTTP+0x401808)

0x611000009dc0 is located 0 bytes inside of 200-byte region [0x611000009dc0,0x611000009e88)
freed by thread T0 here:
#0 0x7ff1c4d7e2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x40289d in checkMime (/root/GoHttp/GoHTTP+0x40289d)
#2 0x4030f2 in handleHttpGET (/root/GoHttp/GoHTTP+0x4030f2)
#3 0x4035b7 in receive (/root/GoHttp/GoHTTP+0x4035b7)
#4 0x4037da in handle (/root/GoHttp/GoHTTP+0x4037da)
#5 0x403881 in acceptConnection (/root/GoHttp/GoHTTP+0x403881)
#6 0x4038db in start (/root/GoHttp/GoHTTP+0x4038db)
#7 0x40406d in main (/root/GoHttp/GoHTTP+0x40406d)
#8 0x7ff1c3c2f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
#0 0x7ff1c4d7e602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x402f3a in handleHttpGET (/root/GoHttp/GoHTTP+0x402f3a)
#2 0x4035b7 in receive (/root/GoHttp/GoHTTP+0x4035b7)
#3 0x4037da in handle (/root/GoHttp/GoHTTP+0x4037da)
#4 0x403881 in acceptConnection (/root/GoHttp/GoHTTP+0x403881)
#5 0x4038db in start (/root/GoHttp/GoHTTP+0x4038db)
#6 0x40406d in main (/root/GoHttp/GoHTTP+0x40406d)
#7 0x7ff1c3c2f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 __interceptor_strlen
Shadow bytes around the buggy address:
0x0c227fff9360: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fff9370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff9380: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff93a0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x0c227fff93b0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
0x0c227fff93c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff93d0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff93e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

uname -ar
Linux 4.4.0-148-generic #174-Ubuntu SMP Tue May 7 12:20:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@:~/GoHttp# cat httpd.conf
wwwroot /home/frw/public_html/
port 4000
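The three stack traces above describe one ownership bug: handleHttpGET mallocs a 200-byte buffer, checkMime frees it, and sendHeader then calls strlen() on the dangling pointer. The following is an added example, not GoHTTP's code and not part of the original report: it reconstructs that call shape with the function names from the trace, puts the buggy callee-frees version next to a fixed borrow-only version, and keeps allocation and free in the same function. All bodies, the MIME table and the assumption that the freed buffer is the request path are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical reconstruction of the pattern in the ASan report:
 * handleHttpGET mallocs a buffer, checkMime frees it, and sendHeader
 * later reads it with strlen(). Function names come from the trace;
 * every body here is an assumption, and the freed buffer is assumed
 * to be the resolved file path.
 */

/* Constructed MIME lookup keyed on the file extension. */
static const char *mime_from_ext(const char *path) {
    const char *dot = strrchr(path, '.');
    if (dot == NULL) return "application/octet-stream";
    if (strcmp(dot, ".html") == 0) return "text/html";
    if (strcmp(dot, ".css") == 0)  return "text/css";
    if (strcmp(dot, ".png") == 0)  return "image/png";
    return "application/octet-stream";
}

/* BUGGY shape: the callee frees a buffer it does not own. The caller
 * still holds `path`, so every later read of it (the strlen() in
 * sendHeader) is a heap-use-after-free. Shown for contrast only; it is
 * never called below. */
const char *checkMime_buggy(char *path) {
    const char *mime = mime_from_ext(path);
    free(path);            /* ownership violation: the allocator should free */
    return mime;
}

/* FIXED shape: the callee only borrows the string. Taking `const char *`
 * also makes an accidental free(path) a compiler diagnostic (discarded
 * const qualifier) instead of a runtime UAF. */
const char *checkMime_fixed(const char *path) {
    return mime_from_ext(path);
}

/* Formats a response header into a caller-supplied buffer. `path` is
 * read here, after checkMime has returned, which is the read ASan
 * flagged. Returns the snprintf result (bytes needed, or -1). */
int sendHeader(char *out, size_t outlen, const char *path, const char *mime) {
    size_t plen = strlen(path);             /* the read that faulted in the report */
    const char *base = path;                /* basename for Content-Disposition */
    for (size_t i = 0; i < plen; i++)
        if (path[i] == '/') base = path + i + 1;
    return snprintf(out, outlen,
                    "HTTP/1.1 200 OK\r\n"
                    "Content-Type: %s\r\n"
                    "Content-Disposition: inline; filename=\"%s\"\r\n\r\n",
                    mime, base);
}

/* Fixed GET handler: the function that mallocs is the function that
 * frees, and it frees once, after the last use. Returns a heap string
 * the caller must free(), or NULL on allocation failure. */
char *handleHttpGET_fixed(const char *wwwroot, const char *uri) {
    size_t n = strlen(wwwroot) + strlen(uri) + 1;
    char *path = malloc(n);
    if (path == NULL) return NULL;
    snprintf(path, n, "%s%s", wwwroot, uri);

    const char *mime = checkMime_fixed(path);   /* borrows; path stays valid */

    char *hdr = malloc(512);
    if (hdr == NULL) { free(path); return NULL; }
    if (sendHeader(hdr, 512, path, mime) < 0) { free(hdr); hdr = NULL; }

    free(path);                                  /* single owner, single free, after last use */
    return hdr;
}

int main(void) {
    /* Constructed input mirroring the report: wwwroot from httpd.conf, GET /hi.html. */
    char *hdr = handleHttpGET_fixed("/home/frw/public_html", "/hi.html");
    if (hdr == NULL) return 1;
    fputs(hdr, stdout);
    free(hdr);
    return 0;
}
```

Build the example (or the original server) with `gcc -g -fno-omit-frame-pointer -fsanitize=address`; the `-g` is what turns the `??:0` in the report's SUMMARY line into file:line locations. In the shadow-byte dump, `fd` marks freed heap memory and `fa` the heap redzones, so the bracketed `[fd]` at the arrow confirms the read landed inside an already-freed 200-byte chunk rather than past its end.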

@fekberg

Owner

commented May 20, 2019

FYI this project isn't maintained. I only wrote it as a part of a university course years ago.

Don't use the code for anything but playing around.

@ghost

Author

commented May 20, 2019

Totally understand. It got some attention (30+ forks) and I was curious what other projects it may have been integrated into.

@fekberg

Owner

commented May 20, 2019

That's very true! I haven't kept an eye on it. Thanks for submitting the issues!

@ghost

Author

commented May 24, 2019

Closing.

@ghost ghost closed this May 24, 2019

@johnsec

commented May 29, 2019

$ ./protect_your_reto
Segmentation Fault (core dumped)