Heap Use After Free in server_example_goose and server_example_61400_25 #111

Closed
arunm2110 opened this issue Jan 15, 2019 · 2 comments

arunm2110 commented Jan 15, 2019

Hi Team,
There is a heap use-after-free in server_example_goose and server_example_61400_25.
Snip
server_example_goose.c
server_example_61400_25.c

=================================================================================
For server_example_goose

Starting server failed! Exit.

==5820==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e00000dcc8 at pc 0x00000046d043 bp 0x7fdf9f6fedc0 sp 0x7fdf9f6fedb0
READ of size 8 at 0x60e00000dcc8 thread T1
#0 0x46d042 in getState /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:115
#1 0x46dffe in IsoServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:645
#2 0x477737 in MmsServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_mms/server/mms_server.c:461
#3 0x42b30c in IedServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:668
#4 0x42adbb in singleThreadedServerThread /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:566
#5 0x50dea5 in destroyAutomaticThread /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/thread/linux/thread_linux.c:90
#6 0x7fdfa287b6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#7 0x7fdfa25b141c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x60e00000dcc8 is located 8 bytes inside of 152-byte region [0x60e00000dcc0,0x60e00000dd58)
freed by thread T0 here:
#0 0x7fdfa2b292ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x50e895 in Memory_free /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/memory/lib_memory.c:82
#2 0x46e520 in IsoServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:817
#3 0x476dc7 in MmsServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_mms/server/mms_server.c:296
#4 0x42aa3a in IedServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:505
#5 0x41765b in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/examples/server_example_goose/server_example_goose.c:82
#6 0x7fdfa24ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
#0 0x7fdfa2b2979a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x50e82e in Memory_calloc /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/memory/lib_memory.c:59
#2 0x46da7f in IsoServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:510
#3 0x475ea8 in MmsServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_mms/server/mms_server.c:55
#4 0x42a39e in IedServer_createWithConfig /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:434
#5 0x42a97d in IedServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:483
#6 0x417536 in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/examples/server_example_goose/server_example_goose.c:56
#7 0x7fdfa24ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Thread T1 created by T0 here:
#0 0x7fdfa2ac7253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x50df2e in Thread_start /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/thread/linux/thread_linux.c:101
#2 0x42af4f in IedServer_start /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:595
#3 0x4175b4 in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/examples/server_example_goose/server_example_goose.c:66
#4 0x7fdfa24ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:115 getState
Shadow bytes around the buggy address:
0x0c1c7fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1c7fff9b90: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
0x0c1c7fff9ba0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c1c7fff9bb0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff9bc0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c1c7fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff9be0: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==5820==ABORTING

===============================================================================
For server_example_61400_25
Starting server failed! Exit.

==6075==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e00000de88 at pc 0x00000047038d bp 0x7f9ae7ffedc0 sp 0x7f9ae7ffedb0
READ of size 8 at 0x60e00000de88 thread T1
#0 0x47038c in getState /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:115
#1 0x471348 in IsoServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:645
#2 0x47aa81 in MmsServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_mms/server/mms_server.c:461
#3 0x42e656 in IedServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:668
#4 0x42e105 in singleThreadedServerThread /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:566
#5 0x5111ef in destroyAutomaticThread /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/thread/linux/thread_linux.c:90
#6 0x7f9aeb1996b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#7 0x7f9aeaecf41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x60e00000de88 is located 8 bytes inside of 152-byte region [0x60e00000de80,0x60e00000df18)
freed by thread T0 here:
#0 0x7f9aeb4472ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x511bdf in Memory_free /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/memory/lib_memory.c:82
#2 0x47186a in IsoServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:817
#3 0x47a111 in MmsServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_mms/server/mms_server.c:296
#4 0x42dd84 in IedServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:505
#5 0x41aa9a in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/examples/server_example_61400_25/server_example_61400_25.c:85
#6 0x7f9aeade882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
#0 0x7f9aeb44779a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x511b78 in Memory_calloc /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/memory/lib_memory.c:59
#2 0x470dc9 in IsoServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:510
#3 0x4791f2 in MmsServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_mms/server/mms_server.c:55
#4 0x42d6e8 in IedServer_createWithConfig /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:434
#5 0x42dcc7 in IedServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:483
#6 0x41aa19 in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/examples/server_example_61400_25/server_example_61400_25.c:71
#7 0x7f9aeade882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Thread T1 created by T0 here:
#0 0x7f9aeb3e5253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x511278 in Thread_start /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/hal/thread/linux/thread_linux.c:101
#2 0x42e299 in IedServer_start /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/iec61850/server/impl/ied_server.c:595
#3 0x41aa6b in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/examples/server_example_61400_25/server_example_61400_25.c:81
#4 0x7f9aeade882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /home/rootkill3r/fuzzing/61850/libiec61850-1.3.0/src/mms/iso_server/iso_server.c:115 getState
Shadow bytes around the buggy address:
0x0c1c7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1c7fff9bd0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1c7fff9be0: fd fd fd fa fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1c7fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c1c7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==6075==ABORTING

@arunm2110 arunm2110 changed the title Heap Use After Free in server_example_goose Heap Use After Free in server_example_goose and server_example_61400_25 Jan 15, 2019
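The two ASan reports above share one shape: the main thread (T0) reaches IedServer_destroy after "Starting server failed! Exit." and frees the IsoServer object, while the server thread (T1, created in IedServer_start) is still polling that same object inside IsoServer_waitReady/getState. The following is an added example written for this page, not libiec61850 code: a minimal C model of that teardown race, with the unsafe free beside a teardown that publishes a stop state and joins the worker before freeing. All names (DemoServer, demo_*) and the "bind failed" step are invented for illustration.

```c
/* Added example, not libiec61850 code. Models the owner/worker race shown in the
 * ASan traces: a worker thread polls a heap object's state while the owner frees
 * it on a failed start. Names and the simulated failure are assumptions. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

enum { ST_IDLE = 0, ST_RUNNING = 1, ST_STOPPED = 2 };

typedef struct {
    atomic_int state;        /* read by the worker, written by the owner */
    atomic_int polls;        /* how many times the worker read state (diagnostic) */
    pthread_t  thread;
    int        thread_started;
} DemoServer;

/* Worker: like a waitReady() loop, it keeps reading s->state until the server is
 * either running or explicitly stopped. Reading s->state after free is the UAF. */
static void* demo_worker(void* arg) {
    DemoServer* s = arg;
    while (atomic_load(&s->state) == ST_IDLE) {
        atomic_fetch_add(&s->polls, 1);
        usleep(1000);
    }
    return NULL;
}

DemoServer* demo_create(void) {
    DemoServer* s = calloc(1, sizeof *s);
    if (s) atomic_store(&s->state, ST_IDLE);
    return s;
}

/* Returns 0 on success, -1 if the worker thread could not be started. */
int demo_start(DemoServer* s) {
    if (pthread_create(&s->thread, NULL, demo_worker, s) != 0) return -1;
    s->thread_started = 1;
    return 0;
}

/* BUGGY teardown: the shape the trace reports. The owner frees the object while
 * the thread started earlier may still be inside its wait loop, so the worker's
 * next atomic_load reads freed memory. Never call this; it exists only to show
 * the defect next to the fix. */
void demo_destroy_unsafe(DemoServer* s) {
    free(s);
}

/* FIXED teardown: publish a terminal state so the wait loop exits, join the
 * thread so no reader remains, and only then free. Returns the number of polls
 * the worker performed so a caller can confirm the thread actually ran. */
int demo_destroy_safe(DemoServer* s) {
    int polls;
    if (s->thread_started) {
        atomic_store(&s->state, ST_STOPPED);  /* wake the waitReady-style loop */
        pthread_join(s->thread, NULL);        /* no thread can touch s after this */
    }
    polls = atomic_load(&s->polls);
    free(s);
    return polls;
}

/* Simulates the "Starting server failed! Exit." path: start the worker, then
 * treat a later step (assumed here: binding the listening socket) as failed and
 * tear down. Returns the worker's poll count, or -1 on allocation/thread error. */
int demo_failed_start_then_destroy(void) {
    DemoServer* s = demo_create();
    if (!s) return -1;
    if (demo_start(s) != 0) { free(s); return -1; }
    usleep(5000);                       /* let the worker enter its wait loop */
    /* ...pretend the bind failed here, as the example servers did... */
    return demo_destroy_safe(s);        /* teardown with no dangling reader */
}

int main(void) {
    int polls = demo_failed_start_then_destroy();
    if (polls < 0) return 1;
    printf("worker polled %d times; teardown completed with no dangling reader\n", polls);
    return 0;
}
```

Build with `-fsanitize=address -pthread` to watch the difference: the safe path runs clean, while swapping in demo_destroy_unsafe after demo_start reproduces a heap-use-after-free report of the same form as the ones above (READ in the worker's wait loop, freed by the main thread). The general rule the fix encodes is that an object shared with a thread is owned jointly until that thread has been joined; a failed start is a teardown path and must follow the same stop-then-join-then-free order as a normal shutdown.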
@abergmann
CVE-2019-6719 was assigned to this issue.

@mzillgith (Contributor)

Hi. I cannot reproduce the issue. Maybe it has been resolved in the meantime.
