
Potentially security-sensitive crashes, best way to get them to you? #235

Closed
@brandonprry


Hello,

I have been fuzzing libical for a while, and I have a handful of use-after-frees (might all be the same root bug) that I would like to provide, but these are potentially security-sensitive and not appropriate for a GitHub comment.

An example ASan trace (tested against 1.0, 1.0.1?, and master from 20 minutes ago):

=================================================================
==19414==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e8f5 at pc 0x7fc4d2ffc649 bp 0x7ffda2a4b8c0 sp 0x7ffda2a4b038
READ of size 1 at 0x60200000e8f5 thread T0
    #0 0x7fc4d2ffc648  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x60648)
    #1 0x7fc4d2ffd5a5 in __interceptor_vsnprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x615a5)
    #2 0x7fc4d2ffd811 in snprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x61811)
    #3 0x7fc4d2d6fb30 in icalreqstattype_as_string_r (/root/libical_asan/build/lib/libical.so.2+0x4fb30)
    #4 0x7fc4d2d7247b in icalvalue_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x5247b)
    #5 0x7fc4d2d6108c in icalproperty_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x4108c)
    #6 0x7fc4d2d57132 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x37132)
    #7 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #8 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #9 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #10 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #11 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #12 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #13 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #14 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #15 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #16 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #17 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #18 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #19 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #20 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #21 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #22 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #23 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #24 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #25 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #26 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #27 0x7fc4d2d56fd1 in icalcomponent_as_ical_string (/root/libical_asan/build/lib/libical.so.2+0x36fd1)
    #28 0x400cd4 in main (/root/libical_asan/build/src/test/parser+0x400cd4)
    #29 0x7fc4d2976a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #30 0x400ae8 in _start (/root/libical_asan/build/src/test/parser+0x400ae8)

0x60200000e8f5 is located 5 bytes inside of 6-byte region [0x60200000e8f0,0x60200000e8f6)
freed by thread T0 here:
    #0 0x7fc4d30346aa in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x986aa)
    #1 0x7fc4d2d5c667 in icalmemory_free_buffer (/root/libical_asan/build/lib/libical.so.2+0x3c667)
    #2 0x7fc4d2d600d7 in icalparser_add_line (/root/libical_asan/build/lib/libical.so.2+0x400d7)
    #3 0x400cbd in main (/root/libical_asan/build/src/test/parser+0x400cbd)
    #4 0x7fc4d2976a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x7fc4d30349aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
    #1 0x7fc4d2d5c5d3 in icalmemory_new_buffer (/root/libical_asan/build/lib/libical.so.2+0x3c5d3)
    #2 0x7fc4d2d5e44c in make_segment (/root/libical_asan/build/lib/libical.so.2+0x3e44c)
    #3 0x7fc4d2d5e82d in icalparser_get_value (/root/libical_asan/build/lib/libical.so.2+0x3e82d)
    #4 0x7fc4d2d5feb6 in icalparser_add_line (/root/libical_asan/build/lib/libical.so.2+0x3feb6)
    #5 0x400cbd in main (/root/libical_asan/build/src/test/parser+0x400cbd)
    #6 0x7fc4d2976a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c047fff9cc0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9cd0: fa fa 00 06 fa fa fd fd fa fa 00 05 fa fa fd fd
  0x0c047fff9ce0: fa fa 00 06 fa fa fd fd fa fa fd fd fa fa 00 00
  0x0c047fff9cf0: fa fa fd fd fa fa 00 03 fa fa fd fd fa fa 00 03
  0x0c047fff9d00: fa fa fd fd fa fa 00 fa fa fa 00 07 fa fa fd fd
=>0x0c047fff9d10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa[fd]fa
  0x0c047fff9d20: fa fa fd fd fa fa 03 fa fa fa fd fa fa fa fd fd
  0x0c047fff9d30: fa fa 05 fa fa fa fd fa fa fa fd fd fa fa 02 fa
  0x0c047fff9d40: fa fa fd fa fa fa 06 fa fa fa fd fd fa fa fd fa
  0x0c047fff9d50: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9d60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==19414==ABORTING

What's the best way to get the test cases to reproduce the issues to you? My email is bperry.volatile@gmail.com if you would like to hit me up directly at your convenience.
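An added triage helper, not code from this issue or from the libical project: it parses an ASan heap-use-after-free report shaped like the one above, pulls out the bug class and the access/free/allocation stacks, and derives a stack-based signature so a pile of fuzz crashes can be bucketed into distinct root bugs before they are reported. The function names, the module filter and the trimmed sample report (constructed from the trace above) are all my own assumptions.

```python
import hashlib
import re

# Constructed sample: the ASan report from this issue, trimmed to a few frames per stack.
SAMPLE_REPORT = """\
==19414==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e8f5 at pc 0x7fc4d2ffc649 bp 0x7ffda2a4b8c0 sp 0x7ffda2a4b038
READ of size 1 at 0x60200000e8f5 thread T0
    #0 0x7fc4d2ffc648  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x60648)
    #3 0x7fc4d2d6fb30 in icalreqstattype_as_string_r (/root/libical_asan/build/lib/libical.so.2+0x4fb30)
    #4 0x7fc4d2d7247b in icalvalue_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x5247b)
    #28 0x400cd4 in main (/root/libical_asan/build/src/test/parser+0x400cd4)

freed by thread T0 here:
    #0 0x7fc4d30346aa in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x986aa)
    #1 0x7fc4d2d5c667 in icalmemory_free_buffer (/root/libical_asan/build/lib/libical.so.2+0x3c667)
    #2 0x7fc4d2d600d7 in icalparser_add_line (/root/libical_asan/build/lib/libical.so.2+0x400d7)

previously allocated by thread T0 here:
    #1 0x7fc4d2d5c5d3 in icalmemory_new_buffer (/root/libical_asan/build/lib/libical.so.2+0x3c5d3)
    #2 0x7fc4d2d5e44c in make_segment (/root/libical_asan/build/lib/libical.so.2+0x3e44c)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+(?:\s+in\s+(?P<func>\S+))?\s+\((?P<module>[^)+]+)")
SECTIONS = (("READ of", "access"), ("WRITE of", "access"), ("freed by", "free"), ("previously allocated", "alloc"))

def parse_asan_report(text):
    """Return the bug class, faulting address and the access/free/alloc stacks as (func, module) frames."""
    head = HEADER_RE.search(text)
    if head is None:
        return None  # not a sanitizer report (plain crash, timeout, clean run)
    report = {"kind": head["kind"], "addr": head["addr"], "access": [], "free": [], "alloc": []}
    current = None
    for line in text.splitlines():
        current = next((key for prefix, key in SECTIONS if line.startswith(prefix)), current)
        frame = FRAME_RE.match(line)
        if frame and current:
            report[current].append((frame["func"] or "?", frame["module"]))
    return report

def crash_signature(report, depth=3, skip=("libasan", "libc.so")):
    """Dedup key: bug class plus the top `depth` in-target frames of each stack, ignoring ASan/libc frames."""
    parts = [report["kind"]]
    for stack in ("access", "free", "alloc"):
        frames = [func for func, module in report[stack] if not any(s in module for s in skip)]
        parts.append(",".join(frames[:depth]))
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]
```

Two reports that differ only in pid and heap addresses yield the same signature, so grouping a crash corpus by `crash_signature` collapses it to the distinct root bugs worth sending to the maintainers.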
