bug-cflow

Heap UAF in mark_callers


From: Youngseok Choi
Subject: Heap UAF in mark_callers
Date: Wed, 08 Mar 2023 14:33:47 +0900 (KST)

Hello, cflow developers.

We are developing a new fuzzer, and it found a heap use-after-free bug in mark_callers.

Command to Reproduce
./cflow <input_file> --ta _

The input file and shell script are uploaded.

Stack Trace
==31022==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0000051d8 at pc 0x55a8a50c0913 bp 0x7ffccf8dc9e0 sp 0x7ffccf8dc9d0
READ of size 4 at 0x60e0000051d8 thread T0
    #0 0x55a8a50c0912 in mark_callers (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2d912)
    #1 0x55a8a50c0a08 in mark_callers (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2da08)
    #2 0x55a8a50c0b93 in eliminate_non_targets (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2db93)
    #3 0x55a8a50b6047 in output (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x23047)
    #4 0x55a8a50b38a0 in main (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x208a0)
    #5 0x7fdd74316c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #6 0x55a8a50a3699 in _start (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x10699)

0x60e0000051d8 is located 56 bytes inside of 152-byte region [0x60e0000051a0,0x60e000005238)
freed by thread T0 here:
    #0 0x7fdd747c47a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x55a8a50bf3e1 in delete_symbol (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2c3e1)
    #2 0x55a8a50bf4f4 in static_free (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2c4f4)
    #3 0x55a8a50b09f1 in linked_list_destroy (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1d9f1)
    #4 0x55a8a50bf57c in delete_statics (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2c57c)
    #5 0x55a8a50ae081 in yywrap (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1b081)
    #6 0x55a8a50a93a8 in yylex (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x163a8)
    #7 0x55a8a50ae0a8 in get_token (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x1b0a8)
    #8 0x55a8a50b7449 in nexttoken (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x24449)
    #9 0x55a8a50bafdb in maybe_parm_list (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x27fdb)
    #10 0x55a8a50bab21 in dirdcl (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x27b21)
    #11 0x55a8a50ba980 in dcl (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x27980)
    #12 0x55a8a50ba75b in parse_dcl (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2775b)
    #13 0x55a8a50ba047 in parse_variable_declaration (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x27047)
    #14 0x55a8a50b970b in parse_declaration (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2670b)
    #15 0x55a8a50b949e in yyparse (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2649e)
    #16 0x55a8a50b372a in main (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2072a)
    #17 0x7fdd74316c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

previously allocated by thread T0 here:
    #0 0x7fdd747c4b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x55a8a50e6c27 in xmalloc (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x53c27)
    #2 0x55a8a50be9f4 in install (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2b9f4)
    #3 0x55a8a50bf15f in install_ident (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2c15f)
    #4 0x55a8a50bc90c in get_symbol (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2990c)
    #5 0x55a8a50bbbb4 in declare (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x28bb4)
    #6 0x55a8a50ba7a3 in parse_dcl (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x277a3)
    #7 0x55a8a50ba3a6 in parse_knr_dcl (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x273a6)
    #8 0x55a8a50b9a5d in parse_function_declaration (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x26a5d)
    #9 0x55a8a50b96f8 in parse_declaration (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x266f8)
    #10 0x55a8a50b949e in yyparse (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2649e)
    #11 0x55a8a50b372a in main (/home/youngseok/power_exp/crash_analysis/final_subjects_asan/cflow-1.7/src/cflow+0x2072a)
    #12 0x7fdd74316c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)


Environment
- OS: Ubuntu 18.04.1
- gcc 7.5.0
- cflow: 1.7

Note that we configured cflow with AddressSanitizer.
CFLAGS="-fsanitize=address" ./configure
make -j

Many Thanks,
Youngseok Choi

Attachment: poc.zip
Description: Zip archive
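Added example (not cflow's source and not the reporter's PoC): a self-contained C model of the bug class the report's two stacks describe. Symbols go into a table and are cross-referenced through a callers list; the file-static ones are freed when the translation unit ends (the `delete_statics` frame under `yywrap` in the free stack), and a later pass that walks the callers of a target function (the `eliminate_non_targets` / `mark_callers` frames in the read stack) follows a reference that was never unlinked. The structures, the names `Symbol`, `Ref`, `Table`, `install`, `add_caller`, `build` and `after_cleanup`, and the three-symbol input are all constructed for the example; the fix shown, unlinking every reference to a symbol before it is freed, is one generic remedy and is not a claim about how cflow addressed this report.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model of a symbol table; not cflow's data structures. */
typedef struct symbol Symbol;
typedef struct ref { Symbol *sym; struct ref *next; } Ref;
struct symbol {
    int is_static;  /* file-scope static: dropped at end of translation unit */
    int active;     /* set by the marking pass */
    Ref *callers;   /* symbols that call this one */
};
typedef struct { Symbol *syms[16]; int n; } Table;
static Symbol *install(Table *t, int is_static) {
    Symbol *s = calloc(1, sizeof *s);
    s->is_static = is_static;
    t->syms[t->n++] = s;
    return s;
}
static void add_caller(Symbol *callee, Symbol *caller) {
    Ref *r = malloc(sizeof *r);
    r->sym = caller;
    r->next = callee->callers;
    callee->callers = r;
}
static void free_symbol(Symbol *s) {
    for (Ref *r = s->callers, *n; r; r = n) { n = r->next; free(r); }
    free(s);
}
static void destroy_table(Table *t) {
    for (int i = 0; i < t->n; i++) free_symbol(t->syms[i]);
    t->n = 0;
}

/* Buggy cleanup: frees each static symbol but leaves other symbols' Refs
   to it in place, so those Refs now dangle. */
static void delete_statics_buggy(Table *t) {
    int kept = 0;
    for (int i = 0; i < t->n; i++) {
        if (t->syms[i]->is_static) free_symbol(t->syms[i]);
        else t->syms[kept++] = t->syms[i];
    }
    t->n = kept;
}

/* Fix: before a static symbol is freed, drop every Ref that points at it. */
static void unlink_refs_to(Table *t, const Symbol *victim) {
    for (int i = 0; i < t->n; i++) {
        Ref **pp = &t->syms[i]->callers;
        while (*pp) {
            if ((*pp)->sym == victim) { Ref *dead = *pp; *pp = dead->next; free(dead); }
            else pp = &(*pp)->next;
        }
    }
}
static void delete_statics_fixed(Table *t) {
    for (int i = 0; i < t->n; i++)
        if (t->syms[i]->is_static) unlink_refs_to(t, t->syms[i]);
    delete_statics_buggy(t);  /* safe now: nothing points at the statics */
}

/* Later pass: mark a target and, recursively, everything that calls it.
   Reading r->sym->active is the use-after-free when r->sym was freed above. */
static int mark_callers(Symbol *s) {
    if (s->active) return 0;
    s->active = 1;
    int marked = 1;
    for (Ref *r = s->callers; r; r = r->next) marked += mark_callers(r->sym);
    return marked;
}

/* Constructed input: extern `target`, called by a file-static `helper` and by `main`. */
static Symbol *build(Table *t) {
    Symbol *target = install(t, 0);
    add_caller(target, install(t, 1));  /* static helper */
    add_caller(target, install(t, 0));  /* main */
    return target;
}

/* Parse -> end-of-unit cleanup -> later pass. With mark == 0 it only counts the
   Refs still attached to target (walking target's own live Ref nodes is safe even
   when one of them dangles); with mark == 1 it runs mark_callers, which with
   use_fix == 0 under -fsanitize=address yields the heap-use-after-free report. */
int after_cleanup(int use_fix, int mark) {
    Table t = {0};
    Symbol *target = build(&t);
    if (use_fix) delete_statics_fixed(&t); else delete_statics_buggy(&t);
    int n = 0;
    if (mark) n = mark_callers(target);
    else for (Ref *r = target->callers; r; r = r->next) n++;
    destroy_table(&t);
    return n;
}
int main(int argc, char **argv) {
    (void)argv;
    printf("refs after cleanup: buggy=%d fixed=%d; marked with fix=%d\n",
           after_cleanup(0, 0), after_cleanup(1, 0), after_cleanup(1, 1));
    if (argc > 1) after_cleanup(0, 1);  /* any argument: buggy cleanup, then marking */
    return 0;
}
```

Without arguments the program only takes the safe paths: the buggy cleanup leaves two Refs on the target (one of them pointing at freed memory), the fixed cleanup leaves one, and marking after the fix reaches two symbols. Build with `-fsanitize=address` and pass any argument to drive the buggy cleanup into `mark_callers`; the report then has the same shape as the one above, with the READ in `mark_callers`, the free in the cleanup routine and the allocation in `install`.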

