PSPP-BUG: [bug #58601] Use after free in read in fh_set_default_handle
From: Andrea Fioraldi
Subject: PSPP-BUG: [bug #58601] Use after free in read in fh_set_default_handle
Date: Wed, 17 Jun 2020 05:25:48 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
URL:
<https://savannah.gnu.org/bugs/?58601>
Summary: Use after free in read in fh_set_default_handle
Project: PSPP
Submitted by: andreafioraldi
Submitted on: Wed 17 Jun 2020 09:25:47 AM UTC
Category: Syntax Parser
Severity: 5 - Average
Status: None
Assigned to: None
Open/Closed: Open
Release: None
Discussion Lock: Any
Effort: 0.00
_______________________________________________________
Details:
./pspp -O format=txt -o /dev/null -b uaf4
=================================================================
==127250==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000000c18 at pc 0x0000009fb2d0 bp 0x7fffffffdc70 sp 0x7fffffffdc68
READ of size 4 at 0x60b000000c18 thread T0
    #0 0x9fb2cf in fh_set_default_handle /home/andreaf/real/pspp/src/data/file-handle-def.c:406:3
    #1 0x5313b6 in cmd_data_list /home/andreaf/real/pspp/src/language/data-io/data-list.c:265:3
    #2 0x4d048b in do_parse_command /home/andreaf/real/pspp/src/language/command.c:233:16
    #3 0x4d048b in cmd_parse_in_state /home/andreaf/real/pspp/src/language/command.c:148:12
    #4 0x4c9df6 in main /home/andreaf/real/pspp/src/ui/terminal/main.c:138:20
    #5 0x7ffff61a5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x421499 in _start (/home/andreaf/real/pspp/pspp_afl+0x421499)

0x60b000000c18 is located 40 bytes inside of 104-byte region [0x60b000000bf0,0x60b000000c58)
freed by thread T0 here:
    #0 0x49995d in free (/home/andreaf/real/pspp/pspp_afl+0x49995d)
    #1 0x9f88e5 in free_handle /home/andreaf/real/pspp/src/data/file-handle-def.c:134:3
    #2 0x9f88e5 in fh_unref /home/andreaf/real/pspp/src/data/file-handle-def.c:170:9

previously allocated by thread T0 here:
    #0 0x499bdd in malloc (/home/andreaf/real/pspp/pspp_afl+0x499bdd)
    #1 0xc8427b in xmalloc /home/andreaf/real/pspp/gl/xmalloc.c:41:13
    #2 0xc8427b in xzalloc /home/andreaf/real/pspp/gl/xmalloc.c:86:18
    #3 0x7ffff61a5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free /home/andreaf/real/pspp/src/data/file-handle-def.c:406:3 in fh_set_default_handle
==127250==ABORTING
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Wed 17 Jun 2020 09:25:47 AM UTC  Name: uaf4  Size: 5KiB  By: andreafioraldi
<http://savannah.gnu.org/bugs/download.php?file_id=49298>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?58601>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/