heap-use-after-free in Function mxmlWalkNext #234

Closed
fouzhe opened this issue Dec 3, 2018 · 12 comments
Labels: duplicate (This issue or pull request already exists)
@fouzhe

fouzhe commented Dec 3, 2018

I used clang 6.0 and AddressSanitizer to build mxml 2.12; this file causes a heap-use-after-free in mxmlWalkNext in mxml-search.c when executing this command:

./mxmldoc $crash

This is the ASAN information:

==2544==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000008ec0 at pc 0x7fedf0751729 bp 0x7fff65264ee0 sp 0x7fff65264ed0
READ of size 8 at 0x608000008ec0 thread T0
    #0 0x7fedf0751728 in mxmlWalkNext /home/fouzhe/my_fuzz/mxml/mxml-search.c:212
    #1 0x7fedf075180c in mxmlFindElement /home/fouzhe/my_fuzz/mxml/mxml-search.c:101
    #2 0x405074 in sort_node /home/fouzhe/my_fuzz/mxml/mxmldoc.c:3372
    #3 0x405b5d in scan_file /home/fouzhe/my_fuzz/mxml/mxmldoc.c:1981
    #4 0x402b1d in main /home/fouzhe/my_fuzz/mxml/mxmldoc.c:503
    #5 0x7fedeff5d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x402ff8 in _start (/home/fouzhe/my_fuzz/mxml/mxmldoc+0x402ff8)

0x608000008ec0 is located 32 bytes inside of 88-byte region [0x608000008ea0,0x608000008ef8)
freed by thread T0 here:
    #0 0x7fedf09f92ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x4050c1 in sort_node /home/fouzhe/my_fuzz/mxml/mxmldoc.c:3389

previously allocated by thread T0 here:
    #0 0x7fedf09f979a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x7fedf0750e50 in mxml_new /home/fouzhe/my_fuzz/mxml/mxml-node.c:844

SUMMARY: AddressSanitizer: heap-use-after-free /home/fouzhe/my_fuzz/mxml/mxml-search.c:212 mxmlWalkNext
Shadow bytes around the buggy address:
  0x0c107fff9180: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c107fff9190: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c107fff91a0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c107fff91b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff91c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c107fff91d0: fa fa fa fa fd fd fd fd[fd]fd fd fd fd fd fd fa
  0x0c107fff91e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff91f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff9200: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff9210: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff9220: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==2544==ABORTING
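As an added example (not code from Mini-XML or from the reporter), a hypothetical, simplified sibling list shows the bug class ASan reports above, a traversal that reads a node freed during the same pass, beside the usual fix of capturing the successor before the free; node_push, node_delete, remove_named_buggy, remove_named_fixed and demo_remaining are illustrative names.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified node model for illustration (not Mini-XML's
 * mxml_node_t): a doubly linked list of named sibling elements. */
typedef struct node { char name[16]; struct node *prev, *next; } node_t;

/* Push a new node at the front of the list (order is irrelevant here). */
node_t *node_push(node_t **head, const char *name) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) abort();
    strncpy(n->name, name, sizeof n->name - 1);
    n->next = *head;
    if (*head) (*head)->prev = n;
    return *head = n;
}

/* Unlink n and release it; any pointer to n is dangling afterwards. */
void node_delete(node_t **head, node_t *n) {
    if (n->prev) n->prev->next = n->next; else *head = n->next;
    if (n->next) n->next->prev = n->prev;
    free(n);
}

/* BUGGY (deliberately never called): the loop header reads n->next after
 * node_delete() freed n, the shape ASan reports above as heap-use-after-free. */
void remove_named_buggy(node_t **head, const char *name) {
    for (node_t *n = *head; n; n = n->next)
        if (strcmp(n->name, name) == 0) node_delete(head, n);
}
/* FIXED: read the successor while n is still live, then free n. */
size_t remove_named_fixed(node_t **head, const char *name) {
    size_t removed = 0;
    for (node_t *n = *head, *next; n; n = next) {
        next = n->next;
        if (strcmp(n->name, name) == 0) { node_delete(head, n); removed++; }
    }
    return removed;
}

/* Constructed input a,b,a,c,a: remove every "a" with the fixed routine and
 * return how many nodes are left (2), freeing them so ASan reports no leak. */
size_t demo_remaining(void) {
    node_t *head = NULL;
    const char *names[] = { "a", "b", "a", "c", "a" };
    size_t left = 0;
    for (size_t i = 0; i < 5; i++) node_push(&head, names[i]);
    remove_named_fixed(&head, "a");
    while (head) { left++; node_delete(&head, head); }
    return left;
}
```

Built with -g -fsanitize=address, a call to remove_named_buggy on the same input is flagged by ASan as a heap-use-after-free in the loop header, while the fixed routine runs clean.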
@michaelrsweet
Owner

@fouzhe I'm sorry, but I really don't know what to do with this. The backtrace is for mxmldoc, but the command you've provided is the unit test program. The referenced file is garbage.

@michaelrsweet michaelrsweet self-assigned this Dec 3, 2018
@fouzhe
Author

fouzhe commented Dec 3, 2018

@michaelrsweet Anyway, the bug occurs in the library!

@michaelrsweet
Owner

@fouzhe If I cannot reproduce, I cannot fix. Please provide more information or I will just have to close it...

@fouzhe
Author

fouzhe commented Dec 6, 2018

@michaelrsweet The file is OK, and you should add AddressSanitizer (export CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" before ./configure) to get the detailed information...

@fouzhe
Author

fouzhe commented Dec 6, 2018

However, just as issue #232 says, memory leaks are detected when compiling with AddressSanitizer, but you are not willing to fix them, so you should also export ASAN_OPTIONS=detect_leaks=0 to turn off the leak detection.

@hongxuchen

This seems to be a buffer-overflow-caused crash at the call of memmove during file scanning.
[screenshot: 2018-12-13-115011_1546x529_scrot]

@michaelrsweet
Owner

😔 OK, so you feed a garbage file instead of a valid C source file into mxmldoc and it crashes. What was your expectation?

There is a limit to how much bloat I will add to what is a standalone developer tool that happens to be bundled with the Mini-XML library.

@fouzhe
Author

fouzhe commented Dec 16, 2018

Ridiculous....

@fouzhe
Author

fouzhe commented Dec 16, 2018

If the library can't deal with a garbage file, the library is just garbage......

@michaelrsweet
Owner

@fouzhe This isn't the library crashing, this is the standalone developer tool that is bundled with the library crashing, based on invalid C code being passed to it. All the more reason I should just move mxmldoc to a separate project...

@michaelrsweet michaelrsweet added the duplicate This issue or pull request already exists label Jan 3, 2019
@michaelrsweet
Owner

Dupe of Issue #237, and I've just removed mxmldoc from the project.

@michaelrsweet
Owner

FWIW, changes in the codedoc project fix this issue.
