Skip to content

Heap use after free #11

Closed
Closed
@C0NSTANTINE110

Description

@C0NSTANTINE110

Tested on:

version 1.5-PRE-GIT
version 1.2a3

Command:

tcpslice -w a.txt heap.pcap
Segmentation fault

Results:

==1676569==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000000160 at pc 0x7ffff761fa7d bp 0x7fffffffd700 sp 0x7fffffffce90
WRITE of size 56 at 0x617000000160 thread T0
#0 0x7ffff761fa7c in vsnprintf (/lib/x86_64-linux-gnu/libasan.so.5+0x9fa7c)
#1 0x7ffff7620036 in __snprintf_chk (/lib/x86_64-linux-gnu/libasan.so.5+0xa0036)
#2 0x7ffff75594ee in pcap_dump_open (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x244ee)
#3 0x555555559ea4 in extract_slice tcpslice.c:882
#4 0x555555559ea4 in main tcpslice.c:312
#5 0x7ffff736a0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#6 0x55555555eadd in _start (/home/constantine/tcpslice/tcpslice+0xaadd)

0x617000000160 is located 224 bytes inside of 664-byte region [0x617000000080,0x617000000318)
freed by thread T0 here:
#0 0x7ffff768d7cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x555555559d8a in get_next_packet tcpslice.c:747
#2 0x555555559d8a in extract_slice tcpslice.c:879
#3 0x555555559d8a in main tcpslice.c:312

previously allocated by thread T0 here:
#0 0x7ffff768ddc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
#1 0x7ffff7545bea (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x10bea)
#2 0x64656e696665646d ()

SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0x9fa7c) in vsnprintf
Shadow bytes around the buggy address:
0x0c2e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e7fff8020: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
0x0c2e7fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e7fff8060: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1676569==ABORTING

PoC:

heap.pcap.zip

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions