Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

ASAN crash log

➜  fuzzer git:(master) ✗ ./clamav_fuzzer clamav-use-after-free.exe
LibClamAV Warning: cli_load: unknown extension - skipping /home/varsleak/.local/share/clamav
=================================================================
==7813==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000007c15 at pc 0x7fa99e035689 bp 0x7ffe98962520 sp 0x7ffe98962510
READ of size 4 at 0x611000007c15 thread T0
    #0 0x7fa99e035688 in wwunpack /home/varsleak/github/clamav-devel/libclamav/wwunpack.c:229
    #1 0x7fa99dff5fc8 in cli_scanpe /home/varsleak/github/clamav-devel/libclamav/pe.c:4756
    #2 0x7fa99df96a1e in magic_scandesc /home/varsleak/github/clamav-devel/libclamav/scanners.c:3159
    #3 0x7fa99df973be in cli_base_scandesc /home/varsleak/github/clamav-devel/libclamav/scanners.c:3230
    #4 0x7fa99df97516 in cli_magic_scandesc /home/varsleak/github/clamav-devel/libclamav/scanners.c:3239
    #5 0x7fa99df98b5c in scan_common /home/varsleak/github/clamav-devel/libclamav/scanners.c:3471
    #6 0x7fa99df98d2c in cl_scandesc_callback /home/varsleak/github/clamav-devel/libclamav/scanners.c:3589
    #7 0x411d36 in scanfile /home/varsleak/github/clamav-devel/clamscan/manager.c:392
    #8 0x416f60 in scanmanager /home/varsleak/github/clamav-devel/clamscan/manager.c:1203
    #9 0x40f6e4 in main /home/varsleak/github/clamav-devel/clamscan/clamscan.c:161
    #10 0x7fa99d86182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x403148 in _start (/home/varsleak/.local/bin/clamscan+0x403148)

0x611000007c15 is located 21 bytes inside of 200-byte region [0x611000007c00,0x611000007cc8)
freed by thread T0 here:
    #0 0x7fa99e8032ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x7fa99dffc98d in cli_peheader /home/varsleak/github/clamav-devel/libclamav/pe.c:5287
    #2 0x7fa99df488fa in cli_targetinfo /home/varsleak/github/clamav-devel/libclamav/matcher.c:496
    #3 0x7fa99df4d093 in cli_fmap_scandesc /home/varsleak/github/clamav-devel/libclamav/matcher.c:914
    #4 0x7fa99df8d8d2 in cli_scanraw /home/varsleak/github/clamav-devel/libclamav/scanners.c:2148
    #5 0x7fa99df960ef in magic_scandesc /home/varsleak/github/clamav-devel/libclamav/scanners.c:3091
    #6 0x7fa99df973be in cli_base_scandesc /home/varsleak/github/clamav-devel/libclamav/scanners.c:3230
    #7 0x7fa99df97516 in cli_magic_scandesc /home/varsleak/github/clamav-devel/libclamav/scanners.c:3239
    #8 0x7fa99df98b5c in scan_common /home/varsleak/github/clamav-devel/libclamav/scanners.c:3471
    #9 0x7fa99df98d2c in cl_scandesc_callback /home/varsleak/github/clamav-devel/libclamav/scanners.c:3589
    #10 0x411d36 in scanfile /home/varsleak/github/clamav-devel/clamscan/manager.c:392
    #11 0x416f60 in scanmanager /home/varsleak/github/clamav-devel/clamscan/manager.c:1203
    #12 0x40f6e4 in main /home/varsleak/github/clamav-devel/clamscan/clamscan.c:161
    #13 0x7fa99d86182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7fa99e80379a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x7fa99e36ff1d in cli_calloc /home/varsleak/github/clamav-devel/libclamav/others_common.c:217
    #2 0x7fa99dff9d7d in cli_peheader /home/varsleak/github/clamav-devel/libclamav/pe.c:5042
    #3 0x7fa99df488fa in cli_targetinfo /home/varsleak/github/clamav-devel/libclamav/matcher.c:496
    #4 0x7fa99df4d093 in cli_fmap_scandesc /home/varsleak/github/clamav-devel/libclamav/matcher.c:914
    #5 0x7fa99df8d8d2 in cli_scanraw /home/varsleak/github/clamav-devel/libclamav/scanners.c:2148
    #6 0x7fa99df960ef in magic_scandesc /home/varsleak/github/clamav-devel/libclamav/scanners.c:3091
    #7 0x7fa99df973be in cli_base_scandesc /home/varsleak/github/clamav-devel/libclamav/scanners.c:3230
    #8 0x7fa99df97516 in cli_magic_scandesc /home/varsleak/github/clamav-devel/libclamav/scanners.c:3239
    #9 0x7fa99df98b5c in scan_common /home/varsleak/github/clamav-devel/libclamav/scanners.c:3471
    #10 0x7fa99df98d2c in cl_scandesc_callback /home/varsleak/github/clamav-devel/libclamav/scanners.c:3589
    #11 0x411d36 in scanfile /home/varsleak/github/clamav-devel/clamscan/manager.c:392
    #12 0x416f60 in scanmanager /home/varsleak/github/clamav-devel/clamscan/manager.c:1203
    #13 0x40f6e4 in main /home/varsleak/github/clamav-devel/clamscan/clamscan.c:161
    #14 0x7fa99d86182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /home/varsleak/github/clamav-devel/libclamav/wwunpack.c:229 wwunpack
Shadow bytes around the buggy address:
  0x0c227fff8f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa fa
  0x0c227fff8f50: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff8f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8f70: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c227fff8f80: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8f90: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c227fff8fa0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff8fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8fc0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c227fff8fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==7813==ABORTING