Heap Overflow / Corruption

[blindfuzzy]

*** Error in `/home/robin/Exploit-Dev/TESTS/IN/gravity/gravity': realloc(): invalid next size: 0x000000000095d190 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7052f907e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x82a5a)[0x7f7052f9ba5a]
/lib/x86_64-linux-gnu/libc.so.6(realloc+0x179)[0x7f7052f9cc89]
/home/robin/Exploit-Dev/TESTS/IN/gravity/gravity[0x436a3f]
/home/robin/Exploit-Dev/TESTS/IN/gravity/gravity[0x440fc2]
/home/robin/Exploit-Dev/TESTS/IN/gravity/gravity[0x46c3e1]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7052f39830]
/home/robin/Exploit-Dev/TESTS/IN/gravity/gravity[0x401809]
======= Memory map: ========
00400000-00479000 r-xp 00000000 fc:01 4988605                            /home/robin/Exploit-Dev/TESTS/IN/gravity/gravity
00678000-0067a000 rw-p 00078000 fc:01 4988605                            /home/robin/Exploit-Dev/TESTS/IN/gravity/gravity
0067a000-0068b000 rw-p 00000000 00:00 0 
0095d000-0099f000 rw-p 00000000 00:00 0                                  [heap]
7f704c000000-7f704c021000 rw-p 00000000 00:00 0 
7f704c021000-7f7050000000 ---p 00000000 00:00 0 
7f7052ae6000-7f7052afc000 r-xp 00000000 fc:01 6558219                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7052afc000-7f7052cfb000 ---p 00016000 fc:01 6558219                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7052cfb000-7f7052cfc000 rw-p 00015000 fc:01 6558219                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7052cfc000-7f7052d14000 r-xp 00000000 fc:01 6558251                    /lib/x86_64-linux-gnu/libpthread-2.23.so
7f7052d14000-7f7052f13000 ---p 00018000 fc:01 6558251                    /lib/x86_64-linux-gnu/libpthread-2.23.so
7f7052f13000-7f7052f14000 r--p 00017000 fc:01 6558251                    /lib/x86_64-linux-gnu/libpthread-2.23.so
7f7052f14000-7f7052f15000 rw-p 00018000 fc:01 6558251                    /lib/x86_64-linux-gnu/libpthread-2.23.so
7f7052f15000-7f7052f19000 rw-p 00000000 00:00 0 
7f7052f19000-7f70530d8000 r-xp 00000000 fc:01 6558153                    /lib/x86_64-linux-gnu/libc-2.23.so
7f70530d8000-7f70532d8000 ---p 001bf000 fc:01 6558153                    /lib/x86_64-linux-gnu/libc-2.23.so
7f70532d8000-7f70532dc000 r--p 001bf000 fc:01 6558153                    /lib/x86_64-linux-gnu/libc-2.23.so
7f70532dc000-7f70532de000 rw-p 001c3000 fc:01 6558153                    /lib/x86_64-linux-gnu/libc-2.23.so
7f70532de000-7f70532e2000 rw-p 00000000 00:00 0 
7f70532e2000-7f70532e9000 r-xp 00000000 fc:01 6558205                    /lib/x86_64-linux-gnu/librt-2.23.so
7f70532e9000-7f70534e8000 ---p 00007000 fc:01 6558205                    /lib/x86_64-linux-gnu/librt-2.23.so
7f70534e8000-7f70534e9000 r--p 00006000 fc:01 6558205                    /lib/x86_64-linux-gnu/librt-2.23.so
7f70534e9000-7f70534ea000 rw-p 00007000 fc:01 6558205                    /lib/x86_64-linux-gnu/librt-2.23.so
7f70534ea000-7f70535f2000 r-xp 00000000 fc:01 6558095                    /lib/x86_64-linux-gnu/libm-2.23.so
7f70535f2000-7f70537f1000 ---p 00108000 fc:01 6558095                    /lib/x86_64-linux-gnu/libm-2.23.so
7f70537f1000-7f70537f2000 r--p 00107000 fc:01 6558095                    /lib/x86_64-linux-gnu/libm-2.23.so
7f70537f2000-7f70537f3000 rw-p 00108000 fc:01 6558095                    /lib/x86_64-linux-gnu/libm-2.23.so
7f70537f3000-7f7053819000 r-xp 00000000 fc:01 6558163                    /lib/x86_64-linux-gnu/ld-2.23.so
7f70539e8000-7f70539ec000 rw-p 00000000 00:00 0 
7f7053a15000-7f7053a18000 rw-p 00000000 00:00 0 
7f7053a18000-7f7053a19000 r--p 00025000 fc:01 6558163                    /lib/x86_64-linux-gnu/ld-2.23.so
7f7053a19000-7f7053a1a000 rw-p 00026000 fc:01 6558163                    /lib/x86_64-linux-gnu/ld-2.23.so
7f7053a1a000-7f7053a1b000 rw-p 00000000 00:00 0 
7ffda8e74000-7ffda8e95000 rw-p 00000000 00:00 0                          [stack]
7ffda8fb5000-7ffda8fb7000 r--p 00000000 00:00 0                          [vvar]
7ffda8fb7000-7ffda8fb9000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)

Valgrind:

valgrind -q ~/Exploit-Dev/TESTS/IN/gravity/gravity '/media/robin/DC51-1B89/Gravity_dblFREE/Heapoverflows/id_000031,sig_06,src_001271,op_ext_AO,pos_221' 
==13060== Invalid write of size 8
==13060==    at 0x431E9A: gravity_vm_exec (gravity_vm.c:567)
==13060==    by 0x440FC1: gravity_vm_runmain (gravity_vm.c:1522)
==13060==    by 0x46C3E0: main (gravity.c:222)
==13060==  Address 0x5932230 is 0 bytes after a block of size 4,096 alloc'd
==13060==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13060==    by 0x45D50C: gravity_fiber_new (gravity_value.c:1045)
==13060==    by 0x42DD47: gravity_vm_new (gravity_vm.c:1275)
==13060==    by 0x46C27B: main (gravity.c:180)
==13060== 
==13060== Invalid write of size 8
==13060==    at 0x431E9E: gravity_vm_exec (gravity_vm.c:567)
==13060==    by 0x440FC1: gravity_vm_runmain (gravity_vm.c:1522)
==13060==    by 0x46C3E0: main (gravity.c:222)
==13060==  Address 0x5932238 is 8 bytes after a block of size 4,096 alloc'd
==13060==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13060==    by 0x45D50C: gravity_fiber_new (gravity_value.c:1045)
==13060==    by 0x42DD47: gravity_vm_new (gravity_vm.c:1275)
==13060==    by 0x46C27B: main (gravity.c:180)
==13060== 
==13060== Invalid write of size 8
==13060==    at 0x431EB2: gravity_vm_exec (gravity_vm.c:567)
==13060==    by 0x440FC1: gravity_vm_runmain (gravity_vm.c:1522)
==13060==    by 0x46C3E0: main (gravity.c:222)
==13060==  Address 0x5932240 is 16 bytes after a block of size 4,096 alloc'd
==13060==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13060==    by 0x45D50C: gravity_fiber_new (gravity_value.c:1045)
==13060==    by 0x42DD47: gravity_vm_new (gravity_vm.c:1275)
==13060==    by 0x46C27B: main (gravity.c:180)
==13060== 
==13060== Invalid read of size 8
==13060==    at 0x4488B6: object_isa (gravity_core.c:384)
==13060==    by 0x431F7A: gravity_vm_exec (gravity_vm.c:570)
==13060==    by 0x440FC1: gravity_vm_runmain (gravity_vm.c:1522)
==13060==    by 0x46C3E0: main (gravity.c:222)
==13060==  Address 0x5932230 is 0 bytes after a block of size 4,096 alloc'd
==13060==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13060==    by 0x45D50C: gravity_fiber_new (gravity_value.c:1045)
==13060==    by 0x42DD47: gravity_vm_new (gravity_vm.c:1275)
==13060==    by 0x46C27B: main (gravity.c:180)
==13060== 
==13060== Invalid read of size 8
==13060==    at 0x4488BA: object_isa (gravity_core.c:384)
==13060==    by 0x431F7A: gravity_vm_exec (gravity_vm.c:570)
==13060==    by 0x440FC1: gravity_vm_runmain (gravity_vm.c:1522)
==13060==    by 0x46C3E0: main (gravity.c:222)
==13060==  Address 0x5932238 is 8 bytes after a block of size 4,096 alloc'd
==13060==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13060==    by 0x45D50C: gravity_fiber_new (gravity_value.c:1045)
==13060==    by 0x42DD47: gravity_vm_new (gravity_vm.c:1275)
==13060==    by 0x46C27B: main (gravity.c:180)
==13060== 

valgrind: m_mallocfree.c:303 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 4160, hi = 93541472.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.


host stacktrace:
==13060==    at 0x38083F48: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13060==    by 0x38084064: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13060==    by 0x380841F1: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13060==    by 0x38091A9C: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13060==    by 0x3807D673: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13060==    by 0x3807BF03: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13060==    by 0x380800DA: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13060==    by 0x3807B49A: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13060==    by 0x38059401: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==13060==    by 0x802FDDE8C: ???
==13060==    by 0x802CADF2F: ???
==13060==    by 0x80200832F: ???
==13060==    by 0x452F62: object_real_load (gravity_core.c:434)
==13060==    by 0x80200832F: ???
==13060==    by 0x1BFF: ???
==13060==    by 0x12F7B: ???
==13060==    by 0x804D2FFFF: ???
==13060==    by 0x2EE8: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 13060)
==13060==    at 0x4488C4: object_isa (gravity_core.c:385)
==13060==    by 0x431F7A: gravity_vm_exec (gravity_vm.c:570)
==13060==    by 0x440FC1: gravity_vm_runmain (gravity_vm.c:1522)
==13060==    by 0x46C3E0: main (gravity.c:222)


Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.

Can provide test case if need be.

[marcobambini]

Please send me the test case. Thanks.

[blindfuzzy]

heap.txt
^
That's the test case for the heap issue.

[marcobambini]

I think to have fixed the crash with d493524
Infinite loop cannot be avoided in this case because it is due to user code.
I am not sure I am 100% satisfied by the solution. Any advice is more than welcomed.

[blindfuzzy]

Didn't fix the heap corruption. I'll take a deeper look at this though.

[marcobambini]

Fixed by c67888e
Please confirm.

[marcobambini]

Hi @blindfuzzy please pull the latest version and try again.
I just tested it on Linux 64bit using Valgrind and everything seems to works fine for me.

[blindfuzzy]

@marcobambini issue appears to be fixed at this time.