AddressSanitizer: multiple double-free in box_code_base.c #1090

hongxuchen · 2018-07-01T12:42:06Z

We found with our fuzzer multiple double-free errors when gpac bceb03f is compiled with address sanitizer. These crashes can be triggered with ./MP4Box -diso $POC.

gdb backtrace is like:

Undefined command: "".  Try "help".
�[33m[iso file] Box "vmhd" is invalid in container mdia
�[0m�[33m[iso file] Unknown box type u...
�[0m�[33m[iso file] Box "dref" is invalid in container mdia
�[0m�[33m[iso file] extra box hdlr found in mdia, deleting
�[0m�[33m[iso file] Unknown box type 
�[0m=================================================================
==11007==ERROR: AddressSanitizer: attempting double-free on 0x603000000580 in thread T0:
    #0 0x4e4670  (/home/hongxu/FOT/gpac/install/bin/MP4Box+0x4e4670)
    #1 0x7ffff7620844  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x4f844)
    #2 0x7ffff77b3e1f  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x1e2e1f)
    #3 0x7ffff77f2736  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221736)
    #4 0x7ffff77f2c2e  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221c2e)
    #5 0x7ffff77f2770  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221770)
    #6 0x7ffff77f2cf0  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221cf0)
    #7 0x7ffff77f2c86  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221c86)
    #8 0x7ffff77c59db  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x1f49db)
    #9 0x7ffff77f2b8a  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221b8a)
    #10 0x7ffff77f2412  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221412)
    #11 0x7ffff77f2ccf  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221ccf)
    #12 0x7ffff77f2c86  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221c86)
    #13 0x7ffff77ba4d3  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x1e94d3)
    #14 0x7ffff77f2b8a  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221b8a)
    #15 0x7ffff77f2412  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221412)
    #16 0x7ffff77f1d77  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x220d77)
    #17 0x7ffff77fac68  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x229c68)
    #18 0x7ffff77fc25a  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x22b25a)
    #19 0x7ffff77fec66  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x22dc66)
    #20 0x52cac6  (/home/hongxu/FOT/gpac/install/bin/MP4Box+0x52cac6)
    #21 0x5326a1  (/home/hongxu/FOT/gpac/install/bin/MP4Box+0x5326a1)
    #22 0x7ffff6620b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #23 0x424989  (/home/hongxu/FOT/gpac/install/bin/MP4Box+0x424989)

0x603000000580 is located 0 bytes inside of 20-byte region [0x603000000580,0x603000000594)
freed by thread T0 here:
    #0 0x4e4670  (/home/hongxu/FOT/gpac/install/bin/MP4Box+0x4e4670)
    #1 0x7ffff7620844  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x4f844)
    #2 0x7ffff77b3e1f  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x1e2e1f)
    #3 0x7ffff77f2736  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221736)
    #4 0x7ffff77b7b57  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x1e6b57)
    #5 0x7ffff77f2f92  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221f92)
    #6 0x7ffff77f2c86  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221c86)
    #7 0x7ffff77b7c73  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x1e6c73)
    #8 0x7ffff77f2b8a  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221b8a)
    #9 0x7ffff77f2412  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221412)
    #10 0x7ffff77f2ccf  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221ccf)
    #11 0x7ffff77f2c86  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221c86)
    #12 0x7ffff77c59db  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x1f49db)
    #13 0x7ffff77f2b8a  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221b8a)
    #14 0x7ffff77f2412  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221412)
    #15 0x7ffff77f2ccf  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221ccf)
    #16 0x7ffff77f2c86  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221c86)
    #17 0x7ffff77ba4d3  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x1e94d3)
    #18 0x7ffff77f2b8a  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221b8a)
    #19 0x7ffff77f2412  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221412)
    #20 0x7ffff77f1d77  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x220d77)
    #21 0x7ffff77fac68  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x229c68)
    #22 0x7ffff77fc25a  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x22b25a)
    #23 0x7ffff77fec66  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x22dc66)
    #24 0x52cac6  (/home/hongxu/FOT/gpac/install/bin/MP4Box+0x52cac6)
    #25 0x5326a1  (/home/hongxu/FOT/gpac/install/bin/MP4Box+0x5326a1)
    #26 0x7ffff6620b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x4e4840  (/home/hongxu/FOT/gpac/install/bin/MP4Box+0x4e4840)
    #1 0x7ffff76207c4  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x4f7c4)
    #2 0x7ffff77b3f3a  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x1e2f3a)
    #3 0x7ffff77f2b8a  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221b8a)
    #4 0x7ffff77f2412  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221412)
    #5 0x7ffff77f2ccf  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221ccf)
    #6 0x7ffff77f2c86  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221c86)
    #7 0x7ffff77b7c73  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x1e6c73)
    #8 0x7ffff77f2b8a  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221b8a)
    #9 0x7ffff77f2412  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221412)
    #10 0x7ffff77f2ccf  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221ccf)
    #11 0x7ffff77f2c86  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221c86)
    #12 0x7ffff77c59db  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x1f49db)
    #13 0x7ffff77f2b8a  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221b8a)
    #14 0x7ffff77f2412  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221412)
    #15 0x7ffff77f2ccf  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221ccf)
    #16 0x7ffff77f2c86  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221c86)
    #17 0x7ffff77ba4d3  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x1e94d3)
    #18 0x7ffff77f2b8a  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221b8a)
    #19 0x7ffff77f2412  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x221412)
    #20 0x7ffff77f1d77  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x220d77)
    #21 0x7ffff77fac68  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x229c68)
    #22 0x7ffff77fc25a  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x22b25a)
    #23 0x7ffff77fec66  (/home/hongxu/FOT/gpac/install/bin/../lib/libgpac.so.7+0x22dc66)
    #24 0x52cac6  (/home/hongxu/FOT/gpac/install/bin/MP4Box+0x52cac6)
    #25 0x5326a1  (/home/hongxu/FOT/gpac/install/bin/MP4Box+0x5326a1)
    #26 0x7ffff6620b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: double-free (/home/hongxu/FOT/gpac/install/bin/MP4Box+0x4e4670) 
==11007==ABORTING
51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

Starting program: /home/hongxu/FOT/gpac/install/bin/MP4Box -diso ALL/gpac-bceb03f/crashes/df_box_code_base.c:1618_1.mp4
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff663f801 in __GI_abort () at abort.c:79
#2  0x000000000050debb in __sanitizer::Abort() ()
#3  0x000000000050b1e8 in __sanitizer::Die() ()
#4  0x00000000004ea7ec in __asan::ReportDoubleFree(unsigned long, __sanitizer::BufferedStackTrace*) ()
#5  0x000000000043018d in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) ()
#6  0x00000000004e464b in free ()
#7  0x00007ffff7620845 in gf_free (ptr=0x603000000580) at utils/alloc.c:165
#8  0x00007ffff77b3e20 in hdlr_del (s=0x6070000005d0) at isomedia/box_code_base.c:1618
#9  0x00007ffff77f2737 in gf_isom_box_del (a=0x6070000005d0) at isomedia/box_funcs.c:1329
#10 0x00007ffff77f2c2f in gf_isom_box_array_del (other_boxes=0x602000000290) at isomedia/box_funcs.c:254
#11 0x00007ffff77f2771 in gf_isom_box_del (a=0x6070000003a0) at isomedia/box_funcs.c:1337
#12 0x00007ffff77f2cf1 in gf_isom_box_array_read_ex (parent=0x60f000000040, bs=0x6070000001e0, add_box=0x7ffff77c5300 <trak_AddBox>, parent_type=0x0) at isomedia/box_funcs.c:1243
#13 0x00007ffff77f2c87 in gf_isom_box_array_read (parent=0x60f000000040, bs=0x6070000001e0, add_box=0x7ffff77c5300 <trak_AddBox>) at isomedia/box_funcs.c:262
#14 0x00007ffff77c59dc in trak_Read (s=0x60f000000040, bs=0x6070000001e0) at isomedia/box_code_base.c:7041
#15 0x00007ffff77f2b8b in gf_isom_box_read (a=0x60f000000040, bs=0x6070000001e0) at isomedia/box_funcs.c:1349
#16 0x00007ffff77f2413 in gf_isom_box_parse_ex (outBox=0x7ffffffefbb0, bs=0x6070000001e0, parent_type=0x0, is_root_box=GF_FALSE) at isomedia/box_funcs.c:199
#17 0x00007ffff77f2cd0 in gf_isom_box_array_read_ex (parent=0x608000000020, bs=0x6070000001e0, add_box=0x7ffff77b9fd0 <moov_AddBox>, parent_type=0x0) at isomedia/box_funcs.c:1241
#18 0x00007ffff77f2c87 in gf_isom_box_array_read (parent=0x608000000020, bs=0x6070000001e0, add_box=0x7ffff77b9fd0 <moov_AddBox>) at isomedia/box_funcs.c:262
#19 0x00007ffff77ba4d4 in moov_Read (s=0x608000000020, bs=0x6070000001e0) at isomedia/box_code_base.c:3750
#20 0x00007ffff77f2b8b in gf_isom_box_read (a=0x608000000020, bs=0x6070000001e0) at isomedia/box_funcs.c:1349
#21 0x00007ffff77f2413 in gf_isom_box_parse_ex (outBox=0x7ffffffefe18, bs=0x6070000001e0, parent_type=0x0, is_root_box=GF_TRUE) at isomedia/box_funcs.c:199
#22 0x00007ffff77f1d78 in gf_isom_parse_root_box (outBox=0x7ffffffefe18, bs=0x6070000001e0, bytesExpected=0x7ffffffefe70, progressive_mode=GF_FALSE) at isomedia/box_funcs.c:42
#23 0x00007ffff77fac69 in gf_isom_parse_movie_boxes (mov=0x611000000040, bytesMissing=0x7ffffffefe70, progressive_mode=GF_FALSE) at isomedia/isom_intern.c:206
#24 0x00007ffff77fc25b in gf_isom_open_file (fileName=0x7fffffffc9c0 "ALL/gpac-bceb03f/crashes/df_box_code_base.c:1618_1.mp4", OpenMode=0x0, tmp_dir=0x0) at isomedia/isom_intern.c:615
#25 0x00007ffff77fec67 in gf_isom_open (fileName=0x7fffffffc9c0 "ALL/gpac-bceb03f/crashes/df_box_code_base.c:1618_1.mp4", OpenMode=0x0, tmp_dir=0x0) at isomedia/isom_read.c:414
#26 0x000000000052cac7 in mp4boxMain (argc=0x3, argv=0x7fffffffc438) at main.c:4339
#27 0x00000000005326a2 in main (argc=0x3, argv=0x7fffffffc438) at main.c:5489

A nullity check inside gf_free may work but I'm not sure whether that's your preferred way.

The text was updated successfully, but these errors were encountered:

aureliendavid · 2018-07-02T15:34:38Z

This one is trickier than the others.

It's the same issue as #1077

Unfortunately there are no easy solutions. A nullity check wouldn't be enough because we only nullify a copy of the pointer so the check would fail. Fixing this would require changing the signature of a massive amount of functions, which is not great.

We'll have to take some time to think of a proper solution for this one.

aureliendavid · 2018-07-06T17:24:11Z

as a reminder for future reference:

most of these come from the use of ERROR_ON_DUPLICATED_BOX

another case, reported in #1104 with this file : https://github.com/ntu-sec/pocs/blob/master/gpac-776dd7b6c/crashes/read_box_code_meta.c:854_1.txt comes from gf_isom_box_add_for_dump_mode when we add to other_boxes boxes that are added elsewhere (in meta -> item_refs for example) and then trying to delete both leads to double free

applies to #1090, #1077, #1080, #1166

aureliendavid · 2019-06-24T09:26:55Z

this should now (finally) be fixed as of 10c1f03 (the actual fix is in e762660)

reopen if needed

aureliendavid added a commit that referenced this issue Jul 5, 2018

prevent segfault on incomplete box (#1103) but problem #1090 persists

776dd7b

aureliendavid mentioned this issue Jul 5, 2018

AddressSanitizer: invalid WRITE at descriptors.c:537 #1103

Closed

aureliendavid mentioned this issue Jul 6, 2018

AddressSanitizer: multiple invalid READ/WRITE errors #1104

Closed

Marsman1996 mentioned this issue Dec 17, 2018

AddressSanitizer: heap-buffer-overflow in audio_sample_entry_AddBox() at box_code_base.c:3934 #1180

Closed

aureliendavid added a commit that referenced this issue Jun 24, 2019

fix for duplicated boxes in dump mode

e762660

applies to #1090, #1077, #1080, #1166

aureliendavid added a commit that referenced this issue Jun 24, 2019

fix memleak when manually creating stbl (#1090)

2a2dd52

aureliendavid closed this as completed Jun 24, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AddressSanitizer: multiple double-free in box_code_base.c #1090

AddressSanitizer: multiple double-free in box_code_base.c #1090

hongxuchen commented Jul 1, 2018 •

edited

aureliendavid commented Jul 2, 2018

aureliendavid commented Jul 6, 2018

aureliendavid commented Jun 24, 2019

AddressSanitizer: multiple double-free in box_code_base.c #1090

AddressSanitizer: multiple double-free in box_code_base.c #1090

Comments

hongxuchen commented Jul 1, 2018 • edited

aureliendavid commented Jul 2, 2018

aureliendavid commented Jul 6, 2018

aureliendavid commented Jun 24, 2019

hongxuchen commented Jul 1, 2018 •

edited