
Potentially security-sensitive crashes, best way to get them to you? #235

Closed
brandonprry opened this issue May 22, 2016 · 1 comment

@brandonprry

commented May 22, 2016

Hello,

I have been fuzzing libical for a while, and I have a handful of use-after-frees (might all be the same root bug) I would like to provide, but these are potentially security-sensitive and not appropriate for a GitHub comment.

An example asan trace (tested against 1.0, 1.0.1?, and master from 20 minutes ago):

=================================================================
==19414==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e8f5 at pc 0x7fc4d2ffc649 bp 0x7ffda2a4b8c0 sp 0x7ffda2a4b038
READ of size 1 at 0x60200000e8f5 thread T0
    #0 0x7fc4d2ffc648  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x60648)
    #1 0x7fc4d2ffd5a5 in __interceptor_vsnprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x615a5)
    #2 0x7fc4d2ffd811 in snprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x61811)
    #3 0x7fc4d2d6fb30 in icalreqstattype_as_string_r (/root/libical_asan/build/lib/libical.so.2+0x4fb30)
    #4 0x7fc4d2d7247b in icalvalue_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x5247b)
    #5 0x7fc4d2d6108c in icalproperty_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x4108c)
    #6 0x7fc4d2d57132 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x37132)
    #7 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #8 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #9 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #10 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #11 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #12 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #13 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #14 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #15 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #16 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #17 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #18 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #19 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #20 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #21 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #22 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #23 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #24 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #25 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #26 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #27 0x7fc4d2d56fd1 in icalcomponent_as_ical_string (/root/libical_asan/build/lib/libical.so.2+0x36fd1)
    #28 0x400cd4 in main (/root/libical_asan/build/src/test/parser+0x400cd4)
    #29 0x7fc4d2976a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #30 0x400ae8 in _start (/root/libical_asan/build/src/test/parser+0x400ae8)

0x60200000e8f5 is located 5 bytes inside of 6-byte region [0x60200000e8f0,0x60200000e8f6)
freed by thread T0 here:
    #0 0x7fc4d30346aa in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x986aa)
    #1 0x7fc4d2d5c667 in icalmemory_free_buffer (/root/libical_asan/build/lib/libical.so.2+0x3c667)
    #2 0x7fc4d2d600d7 in icalparser_add_line (/root/libical_asan/build/lib/libical.so.2+0x400d7)
    #3 0x400cbd in main (/root/libical_asan/build/src/test/parser+0x400cbd)
    #4 0x7fc4d2976a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x7fc4d30349aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
    #1 0x7fc4d2d5c5d3 in icalmemory_new_buffer (/root/libical_asan/build/lib/libical.so.2+0x3c5d3)
    #2 0x7fc4d2d5e44c in make_segment (/root/libical_asan/build/lib/libical.so.2+0x3e44c)
    #3 0x7fc4d2d5e82d in icalparser_get_value (/root/libical_asan/build/lib/libical.so.2+0x3e82d)
    #4 0x7fc4d2d5feb6 in icalparser_add_line (/root/libical_asan/build/lib/libical.so.2+0x3feb6)
    #5 0x400cbd in main (/root/libical_asan/build/src/test/parser+0x400cbd)
    #6 0x7fc4d2976a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c047fff9cc0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9cd0: fa fa 00 06 fa fa fd fd fa fa 00 05 fa fa fd fd
  0x0c047fff9ce0: fa fa 00 06 fa fa fd fd fa fa fd fd fa fa 00 00
  0x0c047fff9cf0: fa fa fd fd fa fa 00 03 fa fa fd fd fa fa 00 03
  0x0c047fff9d00: fa fa fd fd fa fa 00 fa fa fa 00 07 fa fa fd fd
=>0x0c047fff9d10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa[fd]fa
  0x0c047fff9d20: fa fa fd fd fa fa 03 fa fa fa fd fa fa fa fd fd
  0x0c047fff9d30: fa fa 05 fa fa fa fd fa fa fa fd fd fa fa 02 fa
  0x0c047fff9d40: fa fa fd fa fa fa 06 fa fa fa fd fd fa fa fd fa
  0x0c047fff9d50: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9d60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==19414==ABORTING

What's the best way to get the test cases that reproduce the issues to you? My email is bperry.volatile@gmail.com if you would like to hit me up directly at your convenience.
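The report above has a recognisable shape: a buffer is allocated while parsing a value (`make_segment` via `icalparser_get_value`), freed by the parser itself (`icalparser_add_line` → `icalmemory_free_buffer`), and then read again through `snprintf` when the component is serialised back to text. That is the classic ownership mistake of keeping a pointer into a transient line buffer instead of copying the value out. The C program below is an added example written for this page, not libical's code and not the reporter's test case; the `struct reqstat` layout, the `code;description` value and the function names are all assumptions. It puts the unsafe pattern (compiled only with `-DDEMO_UAF`, so that AddressSanitizer reports it) beside the fixed one, and is the kind of minimal reproducer a maintainer would want alongside the fuzzer input.

```c
/* Added example, not libical code: a hypothetical "code;description" value
   parser that either aliases the transient line buffer (unsafe) or owns
   copies of the parsed fields (safe). Field and function names are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct reqstat {
    const char *code;  /* unsafe variant: points INTO the caller's line buffer */
    const char *desc;
    int owns;          /* 1 when code/desc are heap copies owned by the struct */
};

/* Heap copy of [s, s+n) plus terminator; portable stand-in for strndup. */
static char *dup_range(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (!p) return NULL;
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

/* SAFE: copy out of the transient buffer so the value's lifetime no longer
   depends on the parser's line buffer. */
static struct reqstat parse_safe(const char *line) {
    struct reqstat r = {0};
    const char *semi = strchr(line, ';');
    size_t codelen = semi ? (size_t)(semi - line) : strlen(line);
    r.code = dup_range(line, codelen);
    r.desc = semi ? dup_range(semi + 1, strlen(semi + 1)) : dup_range("", 0);
    r.owns = 1;
    return r;
}

static void reqstat_free(struct reqstat *r) {
    if (r->owns) { free((char *)r->code); free((char *)r->desc); }
    r->code = r->desc = NULL;
}

/* Serialisation step: the report's READ happens inside this snprintf.
   Returns -1 if a field is missing (allocation failure in parse_safe). */
static int reqstat_format(const struct reqstat *r, char *out, size_t n) {
    if (!r->code || !r->desc) return -1;
    return snprintf(out, n, "%s;%s", r->code, r->desc);
}

/* Parse a constructed line, free the line buffer FIRST, then format: the
   order that crashes the unsafe variant. Returns snprintf's length. */
static int demo_safe(char *out, size_t n) {
    const char sample[] = "2.0;Success";             /* constructed input */
    char *line = dup_range(sample, strlen(sample));  /* parser's transient buffer */
    struct reqstat r = parse_safe(line);
    free(line);                                      /* buffer gone, value survives */
    int len = reqstat_format(&r, out, n);
    reqstat_free(&r);
    return len;
}

#ifdef DEMO_UAF
/* UNSAFE: the returned fields alias 'line'; once the caller frees it, every
   later read is a heap-use-after-free. */
static struct reqstat parse_unsafe(char *line) {
    struct reqstat r = {0};
    char *semi = strchr(line, ';');
    if (semi) *semi = '\0';
    r.code = line;
    r.desc = semi ? semi + 1 : "";
    r.owns = 0;
    return r;
}

/* Built with -fsanitize=address -g -DDEMO_UAF this yields a report of the
   same shape as the one above: free in the parser, READ in snprintf. */
static int demo_unsafe(char *out, size_t n) {
    const char sample[] = "2.0;Success";
    char *line = dup_range(sample, strlen(sample));
    struct reqstat r = parse_unsafe(line);
    free(line);                                      /* r.code / r.desc now dangle */
    return reqstat_format(&r, out, n);               /* ASan: heap-use-after-free */
}
#endif

int main(void) {
    char out[64];
    int len = demo_safe(out, sizeof out);
    printf("safe: %s (%d bytes)\n", out, len);
#ifdef DEMO_UAF
    demo_unsafe(out, sizeof out);
#endif
    return 0;
}
```

One triage note on the trace as posted: the frames show only module+offset and the summary line reads `??:0 ??`, which means the build had no debug info or ASan could not find a symbolizer. Building the library and harness with `-g` and making sure `llvm-symbolizer` is on the PATH (or pointed to by `ASAN_SYMBOLIZER_PATH`) turns those frames into file:line locations, which is what lets a maintainer tell whether the handful of crashes really share one root cause.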

@brandonprry

This comment has been minimized.


commented May 25, 2016
