Closed
Hello,
I have been fuzzing libical for a while, and I have a handful of use-after-frees (they might all be the same root bug) that I would like to provide, but these are potentially security-sensitive and not appropriate for a GitHub comment.
An example asan trace (tested against 1.0, 1.0.1?, and master from 20 minutes ago):
=================================================================
==19414==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e8f5 at pc 0x7fc4d2ffc649 bp 0x7ffda2a4b8c0 sp 0x7ffda2a4b038
READ of size 1 at 0x60200000e8f5 thread T0
#0 0x7fc4d2ffc648 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x60648)
#1 0x7fc4d2ffd5a5 in __interceptor_vsnprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x615a5)
#2 0x7fc4d2ffd811 in snprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x61811)
#3 0x7fc4d2d6fb30 in icalreqstattype_as_string_r (/root/libical_asan/build/lib/libical.so.2+0x4fb30)
#4 0x7fc4d2d7247b in icalvalue_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x5247b)
#5 0x7fc4d2d6108c in icalproperty_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x4108c)
#6 0x7fc4d2d57132 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x37132)
#7 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#8 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#9 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#10 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#11 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#12 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#13 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#14 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#15 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#16 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#17 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#18 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#19 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#20 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#21 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#22 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#23 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#24 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#25 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#26 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
#27 0x7fc4d2d56fd1 in icalcomponent_as_ical_string (/root/libical_asan/build/lib/libical.so.2+0x36fd1)
#28 0x400cd4 in main (/root/libical_asan/build/src/test/parser+0x400cd4)
#29 0x7fc4d2976a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
#30 0x400ae8 in _start (/root/libical_asan/build/src/test/parser+0x400ae8)
0x60200000e8f5 is located 5 bytes inside of 6-byte region [0x60200000e8f0,0x60200000e8f6)
freed by thread T0 here:
#0 0x7fc4d30346aa in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x986aa)
#1 0x7fc4d2d5c667 in icalmemory_free_buffer (/root/libical_asan/build/lib/libical.so.2+0x3c667)
#2 0x7fc4d2d600d7 in icalparser_add_line (/root/libical_asan/build/lib/libical.so.2+0x400d7)
#3 0x400cbd in main (/root/libical_asan/build/src/test/parser+0x400cbd)
#4 0x7fc4d2976a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
previously allocated by thread T0 here:
#0 0x7fc4d30349aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
#1 0x7fc4d2d5c5d3 in icalmemory_new_buffer (/root/libical_asan/build/lib/libical.so.2+0x3c5d3)
#2 0x7fc4d2d5e44c in make_segment (/root/libical_asan/build/lib/libical.so.2+0x3e44c)
#3 0x7fc4d2d5e82d in icalparser_get_value (/root/libical_asan/build/lib/libical.so.2+0x3e82d)
#4 0x7fc4d2d5feb6 in icalparser_add_line (/root/libical_asan/build/lib/libical.so.2+0x3feb6)
#5 0x400cbd in main (/root/libical_asan/build/src/test/parser+0x400cbd)
#6 0x7fc4d2976a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
0x0c047fff9cc0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9cd0: fa fa 00 06 fa fa fd fd fa fa 00 05 fa fa fd fd
0x0c047fff9ce0: fa fa 00 06 fa fa fd fd fa fa fd fd fa fa 00 00
0x0c047fff9cf0: fa fa fd fd fa fa 00 03 fa fa fd fd fa fa 00 03
0x0c047fff9d00: fa fa fd fd fa fa 00 fa fa fa 00 07 fa fa fd fd
=>0x0c047fff9d10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa[fd]fa
0x0c047fff9d20: fa fa fd fd fa fa 03 fa fa fa fd fa fa fa fd fd
0x0c047fff9d30: fa fa 05 fa fa fa fd fa fa fa fd fd fa fa 02 fa
0x0c047fff9d40: fa fa fd fa fa fa 06 fa fa fa fd fd fa fa fd fa
0x0c047fff9d50: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==19414==ABORTING
What's the best way to get the test cases that reproduce the issues to you? My email is bperry.volatile@gmail.com if you would like to hit me up directly at your convenience.
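As a triage aid for reports like the one above (an added example, not code from this issue or from libical): a small Python parser that splits an AddressSanitizer report into its access, free and allocation stacks, keeps only the frames that fall inside the project's own module, and derives a deduplication key from the first in-project frames of the access stack, collapsing the run of recursive icalcomponent_as_ical_string_r frames so the recursion does not consume the whole key. That kind of key is how one decides whether a batch of fuzzer crashes is "all the same root bug". The embedded sample is the trace from this report with most of the repeated recursion frames elided; the "libical.so" module hint and the three-frame key depth are assumptions.

```python
"""Parse an AddressSanitizer report and derive a crash-dedup key (added example)."""
import hashlib
import re
from dataclasses import dataclass, field

# Frame lines: "#3 0x7fc4d2d6fb30 in icalreqstattype_as_string_r (/path/libical.so.2+0x4fb30)".
# Sanitizer-internal frames may lack the "in <symbol>" part, so it is optional.
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x[0-9a-f]+(?:\s+in\s+(?P<func>\S+))?\s+\((?P<module>[^)]+)\)")
HEADER_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)")


@dataclass
class AsanReport:
    kind: str = ""
    address: str = ""
    access: str = ""  # "READ" or "WRITE"
    size: int = 0
    access_stack: list = field(default_factory=list)  # [(func, module), ...]
    free_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)


def parse_asan(text):
    """Walk the report line by line; a non-frame line terminates the current stack."""
    rep = AsanReport()
    current = None  # the stack list frames are currently appended to
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rep.kind, rep.address = m.group("kind"), m.group("addr")
            continue
        m = ACCESS_RE.match(line)
        if m:
            rep.access, rep.size = m.group("op"), int(m.group("size"))
            current = rep.access_stack
            continue
        if line.startswith("freed by thread"):
            current = rep.free_stack
            continue
        if line.startswith("previously allocated by thread"):
            current = rep.alloc_stack
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append((m.group("func") or "<unsymbolized>", m.group("module")))
        elif current is not None and line.strip():
            current = None  # e.g. "0x... is located ..." or "SUMMARY:" ends the stack
    return rep


def project_frames(stack, project_hint):
    """Function names of frames whose module path contains project_hint (drops libasan/libc)."""
    return [func for func, module in stack if project_hint in module]


def dedup_key(rep, project_hint, depth=3):
    """Signature = error kind + first `depth` distinct in-project access frames, plus a short hash."""
    frames = []
    for func in project_frames(rep.access_stack, project_hint):
        if frames and frames[-1] == func:
            continue  # collapse direct recursion so one function cannot fill the key
        frames.append(func)
    sig = rep.kind + "|" + "|".join(frames[:depth])
    return sig, hashlib.sha256(sig.encode()).hexdigest()[:16]


def triage_line(rep, project_hint):
    """One-line lifetime summary: where the object was used, freed and allocated."""
    use = project_frames(rep.access_stack, project_hint)
    freed = project_frames(rep.free_stack, project_hint)
    alloc = project_frames(rep.alloc_stack, project_hint)
    return (f"{rep.kind}: {rep.access} of {rep.size} byte(s) in {use[0] if use else '?'}; "
            f"freed via {' <- '.join(freed[:2]) or '?'}; "
            f"allocated via {' <- '.join(alloc[:2]) or '?'}")


# Sample input: the trace from this report, with most recursion frames elided.
SAMPLE_REPORT = """\
==19414==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e8f5 at pc 0x7fc4d2ffc649 bp 0x7ffda2a4b8c0 sp 0x7ffda2a4b038
READ of size 1 at 0x60200000e8f5 thread T0
    #0 0x7fc4d2ffc648 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x60648)
    #1 0x7fc4d2ffd5a5 in __interceptor_vsnprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x615a5)
    #2 0x7fc4d2ffd811 in snprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x61811)
    #3 0x7fc4d2d6fb30 in icalreqstattype_as_string_r (/root/libical_asan/build/lib/libical.so.2+0x4fb30)
    #4 0x7fc4d2d7247b in icalvalue_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x5247b)
    #5 0x7fc4d2d6108c in icalproperty_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x4108c)
    #6 0x7fc4d2d57132 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x37132)
    #7 0x7fc4d2d571a3 in icalcomponent_as_ical_string_r (/root/libical_asan/build/lib/libical.so.2+0x371a3)
    #27 0x7fc4d2d56fd1 in icalcomponent_as_ical_string (/root/libical_asan/build/lib/libical.so.2+0x36fd1)
    #28 0x400cd4 in main (/root/libical_asan/build/src/test/parser+0x400cd4)
0x60200000e8f5 is located 5 bytes inside of 6-byte region [0x60200000e8f0,0x60200000e8f6)
freed by thread T0 here:
    #0 0x7fc4d30346aa in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x986aa)
    #1 0x7fc4d2d5c667 in icalmemory_free_buffer (/root/libical_asan/build/lib/libical.so.2+0x3c667)
    #2 0x7fc4d2d600d7 in icalparser_add_line (/root/libical_asan/build/lib/libical.so.2+0x400d7)
    #3 0x400cbd in main (/root/libical_asan/build/src/test/parser+0x400cbd)
previously allocated by thread T0 here:
    #0 0x7fc4d30349aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
    #1 0x7fc4d2d5c5d3 in icalmemory_new_buffer (/root/libical_asan/build/lib/libical.so.2+0x3c5d3)
    #2 0x7fc4d2d5e44c in make_segment (/root/libical_asan/build/lib/libical.so.2+0x3e44c)
    #3 0x7fc4d2d5e82d in icalparser_get_value (/root/libical_asan/build/lib/libical.so.2+0x3e82d)
    #4 0x7fc4d2d5feb6 in icalparser_add_line (/root/libical_asan/build/lib/libical.so.2+0x3feb6)
    #5 0x400cbd in main (/root/libical_asan/build/src/test/parser+0x400cbd)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
"""

if __name__ == "__main__":
    report = parse_asan(SAMPLE_REPORT)
    print(triage_line(report, "libical.so"))
    print(dedup_key(report, "libical.so"))
```

Run it over every ASan log the fuzzer produced and bucket by the hash; crashes sharing a key almost certainly share a root cause, while the triage line tells you at a glance that the buffer was created by the parser's segment allocator, released in icalparser_add_line, and read again during serialization. Raising `depth` splits buckets that differ only deeper in the call chain.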