bug-recutils

Use After Free in rec_record_destroy() at rec-record.c:174


From: AiDai
Subject: Use After Free in rec_record_destroy() at rec-record.c:174
Date: Mon, 27 Dec 2021 23:17:01 +0800

# Use After Free in rec_record_destroy() at rec-record.c:174

## Description

A Use After Free was discovered in rec_record_destroy() at rec-record.c:174. The vulnerability causes a segmentation fault and application crash.

**version**

ea03fdaf84860488e6aa09f40cfbaeca8c02fb03

```
./recsel --version
recsel (GNU recutils) 1.8.90

Copyright (C) 2010-2020 Jose E. Marchesi.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Jose E. Marchesi.
```

**System information**

Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

## Proof of Concept

**poc**

```
base64 poc
```

**command:**

```
./recsel ./poc
```

**Result**

```
./recsel ./poc
./poc: 55: error: malloc_consolidate(): invalid chunk size
[1]    2504473 abort      ./recsel ./poc
```

**gdb**

```
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x7ffff7aa1880 ◂— 0x7ffff7aa1880
 RCX  0x7ffff7d5a18b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
 RDX  0x0
 RDI  0x2
 RSI  0x7fffffffd420 ◂— 0x0
 R8   0x0
 R9   0x7fffffffd420 ◂— 0x0
 R10  0x8
 R11  0x246
 R12  0x7fffffffd690 ◂— 0x1
 R13  0x10
 R14  0x7ffff7ffb000 ◂— 0x6c6c616d00001000
 R15  0x1
 RBP  0x7fffffffd770 ◂— 0x20 /* ' ' */
 RSP  0x7fffffffd420 ◂— 0x0
 RIP  0x7ffff7d5a18b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
─────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────
 ► 0x7ffff7d5a18b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
   0x7ffff7d5a193 <raise+211>    xor    rax, qword ptr fs:[0x28]
   0x7ffff7d5a19c <raise+220>    jne    raise+260                <raise+260>
    ↓
   0x7ffff7d5a1c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>

   0x7ffff7d5a1c9                nop    dword ptr [rax]
   0x7ffff7d5a1d0 <killpg>       endbr64
   0x7ffff7d5a1d4 <killpg+4>     test   edi, edi
   0x7ffff7d5a1d6 <killpg+6>     js     killpg+16                <killpg+16>

   0x7ffff7d5a1d8 <killpg+8>     neg    edi
   0x7ffff7d5a1da <killpg+10>    jmp    kill                <kill>

   0x7ffff7d5a1df <killpg+15>    nop
─────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────
00:0000│ rsi r9 rsp 0x7fffffffd420 ◂— 0x0
01:0008│            0x7fffffffd428 —▸ 0x7fffffffd440 —▸ 0x55555557031c ◂— 0x6f72726500007325 /* '%s' */
02:0010│            0x7fffffffd430 ◂— 0x0
03:0018│            0x7fffffffd438 ◂— 0x0
04:0020│            0x7fffffffd440 —▸ 0x55555557031c ◂— 0x6f72726500007325 /* '%s' */
05:0028│            0x7fffffffd448 —▸ 0x55555557031e ◂— 0x20726f7272650000
06:0030│            0x7fffffffd450 ◂— 0x0
07:0038│            0x7fffffffd458 ◂— 0x0
───────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────
 ► f 0   0x7ffff7d5a18b raise+203
   f 1   0x7ffff7d39859 abort+299
   f 2   0x7ffff7da43ee __libc_message+670
   f 3   0x7ffff7dac47c
   f 4   0x7ffff7dacc58
   f 5   0x7ffff7daee03 _int_malloc+531
   f 6   0x7ffff7db12d4 malloc+116
   f 7   0x7ffff7d98e84 _IO_file_doallocate+148
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7d39859 in __GI_abort () at abort.c:79
#2  0x00007ffff7da43ee in __libc_message (action="" fmt=fmt@entry=0x7ffff7ece285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7dac47c in malloc_printerr (str=str@entry=0x7ffff7ed0278 "malloc_consolidate(): invalid chunk size") at malloc.c:5347
#4  0x00007ffff7dacc58 in malloc_consolidate (av=av@entry=0x7ffff7effb80 <main_arena>) at malloc.c:4477
#5  0x00007ffff7daee03 in _int_malloc (av=av@entry=0x7ffff7effb80 <main_arena>, bytes=bytes@entry=4096) at malloc.c:3699
#6  0x00007ffff7db12d4 in __GI___libc_malloc (bytes=4096) at malloc.c:3058
#7  0x00007ffff7d98e84 in __GI__IO_file_doallocate (fp=0x55555557ead0) at filedoalloc.c:101
#8  0x00007ffff7da9050 in __GI__IO_doallocbuf (fp=fp@entry=0x55555557ead0) at libioP.h:948
#9  0x00007ffff7da7e24 in _IO_new_file_underflow (fp=0x55555557ead0) at fileops.c:486
#10 0x00007ffff7da9106 in __GI__IO_default_uflow (fp=0x55555557ead0) at libioP.h:948
#11 0x00007ffff7d9a9ec in __GI__IO_getline_info (fp=fp@entry=0x55555557ead0, buf=buf@entry=0x7fffffffdb10 "\001", n=n@entry=399, delim=delim@entry=10, extract_delim=extract_delim@entry=1, eof=eof@entry=0x0) at iogetline.c:60
#12 0x00007ffff7d9aaec in __GI__IO_getline (fp=fp@entry=0x55555557ead0, buf=buf@entry=0x7fffffffdb10 "\001", n=n@entry=399, delim=delim@entry=10, extract_delim=extract_delim@entry=1) at iogetline.c:34
#13 0x00007ffff7da5445 in __GI___fgets_unlocked (buf=buf@entry=0x7fffffffdb10 "\001", n=n@entry=400, fp=fp@entry=0x55555557ead0) at iofgets_u.c:52
#14 0x00007ffff7d4f060 in read_alias_file (fname=<optimized out>, fname_len=<optimized out>) at localealias.c:258
#15 0x00007ffff7d4f584 in _nl_expand_alias (name=name@entry=0x7fffffffddc0 "en_US.UTF-8") at localealias.c:198
#16 0x00007ffff7d4d5f8 in _nl_find_domain (dirname=dirname@entry=0x555555577960 "/home/aidai/fuzzing/recutils/test/share/locale", locale=locale@entry=0x7fffffffddc0 "en_US.UTF-8", domainname=domainname@entry=0x7fffffffdde0 "LC_MESSAGES/recutils.mo", domainbinding=domainbinding@entry=0x555555577930) at finddomain.c:123
#17 0x00007ffff7d4cd2f in __dcigettext (domainname=0x555555579b40 "recutils", domainname@entry=0x0, msgid1=0x7ffff7f4c5bc "expected a record", msgid2=msgid2@entry=0x0, plural=plural@entry=0, n=n@entry=0, category=category@entry=5) at dcigettext.c:702
#18 0x00007ffff7d4b993 in __GI___dcgettext (domainname=domainname@entry=0x0, msgid=<optimized out>, category=category@entry=5) at dcgettext.c:47
#19 0x00007ffff7f1f2ca in rec_parser_perror (parser=parser@entry=0x555555579f00, fmt=fmt@entry=0x55555557031c "%s") at rec-parser.c:574
#20 0x00005555555596c4 in recutl_parse_db_from_file (in=in@entry=0x5555555772a0, file_name=file_name@entry=0x7fffffffe4e4 "/home/aidai/fuzzing/recutils/fuckresults/fucksel/__GI_raise-__GI_abort/id:000010,sig:06,src:000002,op:arith8,pos:148,val:+25", db=db@entry=0x555555579b60) at recutl.c:285
#21 0x0000555555559816 in recutl_build_db (argc=2, argv=0x7fffffffe1e8) at recutl.c:320
#22 0x0000555555558f76 in main (argc=argc@entry=2, argv=argv@entry=0x7fffffffe1e8) at recsel.c:429
#23 0x00007ffff7d3b0b3 in __libc_start_main (main=0x555555558f40 <main>, argc=2, argv=0x7fffffffe1e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1d8) at ../csu/libc-start.c:308
#24 0x0000555555558fce in _start () at recsel.c:441
```

break rec-record.c:174

```
pwndbg> c
Continuing.

Breakpoint 1, rec_record_destroy (record=0x55555557fbe0) at rec-record.c:174
174           rec_mset_destroy (record->mset);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────
 RAX  0x0
*RBX  0xb
 RCX  0x0
*RDX  0x55555557fe00 ◂— 0x90
 RDI  0x555555577010 ◂— 0x7000300070007
 RSI  0x0
 R8   0x7
 R9   0x5555555831e0 —▸ 0x7ffff7f5d2e0 (gl_array_list_implementation) —▸ 0x7ffff7f2c040 (gl_array_nx_create_empty) ◂— endbr64
 R10  0x7ffff7f0bef6 ◂— 'rec_comment_destroy'
 R11  0x7ffff7f196c0 (rec_comment_destroy) ◂— endbr64
 R12  0x555555582450 —▸ 0x7ffff7f5d2e0 (gl_array_list_implementation) —▸ 0x7ffff7f2c040 (gl_array_nx_create_empty) ◂— endbr64
 R13  0x7ffff7f17dd0 (rec_mset_elem_dispose_fn) ◂— endbr64
 R14  0x7fffffffe010 —▸ 0x555555579fe0 —▸ 0x55555557b440 ◂— 0x0
 R15  0x55555557f030 —▸ 0x55555557ea70 ◂— 0x0
*RBP  0x55555557fbe0 —▸ 0x55555557e9e0 —▸ 0x55555557cd20 —▸ 0x55555557ce50 —▸ 0x55555557d210 ◂— ...
 RSP  0x7fffffffdf20 —▸ 0x555555580020 ◂— 0x7fff00000001
 RIP  0x7ffff7f19d18 (rec_record_destroy+40) ◂— mov    rdi, qword ptr [rbp + 0x38]
─────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────
 ► 0x7ffff7f19d18 <rec_record_destroy+40>    mov    rdi, qword ptr [rbp + 0x38]
   0x7ffff7f19d1c <rec_record_destroy+44>    call   rec_mset_destroy@plt                <rec_mset_destroy@plt>

   0x7ffff7f19d21 <rec_record_destroy+49>    mov    rdi, rbp
   0x7ffff7f19d24 <rec_record_destroy+52>    pop    rbp
   0x7ffff7f19d25 <rec_record_destroy+53>    jmp    free@plt                <free@plt>

   0x7ffff7f19d2a <rec_record_destroy+58>    nop    word ptr [rax + rax]
   0x7ffff7f19d30 <rec_record_destroy+64>    ret

   0x7ffff7f19d31                            nop    word ptr cs:[rax + rax]
   0x7ffff7f19d3c                            nop    dword ptr [rax]
   0x7ffff7f19d40 <rec_record_new>           endbr64
   0x7ffff7f19d44 <rec_record_new+4>         push   r12
─────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────
In file: /home/aidai/fuzzing/recutils/recutils/src/rec-record.c
   169   if (record)
   170     {
   171       free (record->source);
   172       free (record->location_str);
   173       free (record->char_location_str);
 ► 174       rec_mset_destroy (record->mset);
   175       free (record);
   176     }
   177 }
   178
   179 rec_record_t
─────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdf20 —▸ 0x555555580020 ◂— 0x7fff00000001
01:0008│     0x7fffffffdf28 —▸ 0x7ffff7f17db6 (rec_mset_elem_destroy+38) ◂— mov    rdi, rbp
02:0010│     0x7fffffffdf30 —▸ 0x555555583558 —▸ 0x555555580490 ◂— 0x7fff00000001
03:0018│     0x7fffffffdf38 —▸ 0x7ffff7f2c01b (gl_array_list_free+59) ◂— sub    rbx, 1
04:0020│     0x7fffffffdf40 —▸ 0x55555557e790 ◂— 0x3
05:0028│     0x7fffffffdf48 ◂— 0x3
06:0030│     0x7fffffffdf50 —▸ 0x55555557e790 ◂— 0x3
07:0038│     0x7fffffffdf58 —▸ 0x55555557e9e0 —▸ 0x55555557cd20 —▸ 0x55555557ce50 —▸ 0x55555557d210 ◂— ...
───────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────
 ► f 0   0x7ffff7f19d18 rec_record_destroy+40
   f 1   0x7ffff7f19d18 rec_record_destroy+40
   f 2   0x7ffff7f17db6 rec_mset_elem_destroy+38
   f 3   0x7ffff7f2c01b gl_array_list_free+59
   f 4   0x7ffff7f17e23 rec_mset_destroy+67
   f 5   0x7ffff7f17e23 rec_mset_destroy+67
   f 6   0x7ffff7f17e23 rec_mset_destroy+67
   f 7   0x7ffff7f1b781 rec_rset_destroy+113
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bin
tcachebins
0x20 [  7]: 0x55555557d280 —▸ 0x55555557d260 —▸ 0x55555557cec0 —▸ 0x55555557cea0 —▸ 0x55555557cf90 —▸ 0x55555557cf70 —▸ 0x555555583370 ◂— 0x0
0x30 [  7]: 0x55555557edf0 —▸ 0x55555557dc60 —▸ 0x55555557eaa0 —▸ 0x55555557e0e0 —▸ 0x555555582420 —▸ 0x5555555823f0 —▸ 0x55555557cfb0 ◂— 0x0
0x40 [  3]: 0x5555555810e0 —▸ 0x555555582c20 —▸ 0x55555557ea40 ◂— 0x0
0x50 [  7]: 0x55555557ecb0 —▸ 0x5555555824a0 —▸ 0x5555555825d0 —▸ 0x5555555826f0 —▸ 0x55555557cd20 —▸ 0x55555557ce50 —▸ 0x55555557d210 ◂— 0x0
0x60 [  2]: 0x55555557e110 —▸ 0x55555557dc90 ◂— 0x0
0x70 [  2]: 0x55555557e8b0 —▸ 0x55555557da00 ◂— 0x0
0x80 [  5]: 0x5555555804c0 —▸ 0x555555582370 —▸ 0x55555557e960 —▸ 0x555555582c80 —▸ 0x5555555822f0 ◂— 0x0
0x90 [  7]: 0x55555557f210 —▸ 0x55555557ed20 —▸ 0x555555582a10 —▸ 0x555555582780 —▸ 0x555555582620 —▸ 0x55555557d2a0 —▸ 0x55555557cee0 ◂— 0x0
0xc0 [  2]: 0x55555557e1b0 —▸ 0x55555557e270 ◂— 0x0
0xe0 [  6]: 0x55555557f7c0 —▸ 0x55555557f3c0 —▸ 0x55555557f0a0 —▸ 0x5555555828a0 —▸ 0x5555555824f0 —▸ 0x55555557cd70 ◂— 0x0
0xf0 [  1]: 0x55555557d480 ◂— 0x0
0x110 [  1]: 0x55555557d370 ◂— 0x0
0x180 [  1]: 0x55555557d570 ◂— 0x0
0x1d0 [  1]: 0x555555581120 ◂— 0x0
0x1e0 [  2]: 0x55555557ead0 —▸ 0x55555557c9d0 ◂— 0x0
0x1f0 [  7]: 0x55555557d000 —▸ 0x55555557c7b0 —▸ 0x55555557c170 —▸ 0x55555557bf60 —▸ 0x55555557b930 —▸ 0x55555557b720 —▸ 0x55555557b230 ◂— 0x0
0x230 [  2]: 0x55555557e560 —▸ 0x55555557e330 ◂— 0x0
0x310 [  1]: 0x55555557d6f0 ◂— 0x0
0x3d0 [  1]: 0x55555557dd10 ◂— 0x0
0x410 [  1]: 0x555555577500 ◂— 0x0
fastbins
0x20: 0x55555557fe20 —▸ 0x55555557fe00 —▸ 0x55555557fa00 —▸ 0x55555557fb80 —▸ 0x55555557fb60 ◂— ...
0x30: 0x55555557fba0 —▸ 0x55555557f9d0 —▸ 0x55555557f730 —▸ 0x55555557eff0 —▸ 0x55555557ef80 ◂— ...
0x40: 0x0
0x50: 0x55555557f760 —▸ 0x55555557f890 —▸ 0x55555557fa40 —▸ 0x55555557f360 —▸ 0x55555557f490 ◂— ...
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x55555557fd70 —▸ 0x55555557fad0 —▸ 0x55555557f900 —▸ 0x55555557f660 —▸ 0x55555557f4e0 ◂— ...
smallbins
empty
largebins
empty
pwndbg> c
Continuing.

Breakpoint 1, rec_record_destroy (record=0x555555580050) at rec-record.c:174
174           rec_mset_destroy (record->mset);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────
 RAX  0x0
*RBX  0xa
 RCX  0x0
*RDX  0x555555580270 ◂— 0x90
 RDI  0x555555577010 ◂— 0x7000300070007
 RSI  0x0
 R8   0x7
 R9   0x5555555831e0 —▸ 0x7ffff7f5d2e0 (gl_array_list_implementation) —▸ 0x7ffff7f2c040 (gl_array_nx_create_empty) ◂— endbr64
 R10  0x7ffff7f0bef6 ◂— 'rec_comment_destroy'
 R11  0x7ffff7f196c0 (rec_comment_destroy) ◂— endbr64
 R12  0x555555582450 —▸ 0x7ffff7f5d2e0 (gl_array_list_implementation) —▸ 0x7ffff7f2c040 (gl_array_nx_create_empty) ◂— endbr64
 R13  0x7ffff7f17dd0 (rec_mset_elem_dispose_fn) ◂— endbr64
 R14  0x7fffffffe010 —▸ 0x555555579fe0 —▸ 0x55555557b440 ◂— 0x0
 R15  0x55555557f030 —▸ 0x55555557ea70 ◂— 0x0
*RBP  0x555555580050 —▸ 0x55555557e9e0 —▸ 0x55555557cd20 —▸ 0x55555557ce50 —▸ 0x55555557d210 ◂— ...
 RSP  0x7fffffffdf20 —▸ 0x555555580490 ◂— 0x7fff00000001
 RIP  0x7ffff7f19d18 (rec_record_destroy+40) ◂— mov    rdi, qword ptr [rbp + 0x38]
─────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────
 ► 0x7ffff7f19d18 <rec_record_destroy+40>    mov    rdi, qword ptr [rbp + 0x38]
   0x7ffff7f19d1c <rec_record_destroy+44>    call   rec_mset_destroy@plt                <rec_mset_destroy@plt>

   0x7ffff7f19d21 <rec_record_destroy+49>    mov    rdi, rbp
   0x7ffff7f19d24 <rec_record_destroy+52>    pop    rbp
   0x7ffff7f19d25 <rec_record_destroy+53>    jmp    free@plt                <free@plt>

   0x7ffff7f19d2a <rec_record_destroy+58>    nop    word ptr [rax + rax]
   0x7ffff7f19d30 <rec_record_destroy+64>    ret

   0x7ffff7f19d31                            nop    word ptr cs:[rax + rax]
   0x7ffff7f19d3c                            nop    dword ptr [rax]
   0x7ffff7f19d40 <rec_record_new>           endbr64
   0x7ffff7f19d44 <rec_record_new+4>         push   r12
─────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────
In file: /home/aidai/fuzzing/recutils/recutils/src/rec-record.c
   169   if (record)
   170     {
   171       free (record->source);
   172       free (record->location_str);
   173       free (record->char_location_str);
 ► 174       rec_mset_destroy (record->mset);
   175       free (record);
   176     }
   177 }
   178
   179 rec_record_t
─────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdf20 —▸ 0x555555580490 ◂— 0x7fff00000001
01:0008│     0x7fffffffdf28 —▸ 0x7ffff7f17db6 (rec_mset_elem_destroy+38) ◂— mov    rdi, rbp
02:0010│     0x7fffffffdf30 —▸ 0x555555583560 —▸ 0x555555580980 ◂— 0x7fff00000001
03:0018│     0x7fffffffdf38 —▸ 0x7ffff7f2c01b (gl_array_list_free+59) ◂— sub    rbx, 1
04:0020│     0x7fffffffdf40 —▸ 0x55555557e790 ◂— 0x3
05:0028│     0x7fffffffdf48 ◂— 0x3
06:0030│     0x7fffffffdf50 —▸ 0x55555557e790 ◂— 0x3
07:0038│     0x7fffffffdf58 —▸ 0x55555557e9e0 —▸ 0x55555557cd20 —▸ 0x55555557ce50 —▸ 0x55555557d210 ◂— ...
───────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────
 ► f 0   0x7ffff7f19d18 rec_record_destroy+40
   f 1   0x7ffff7f19d18 rec_record_destroy+40
   f 2   0x7ffff7f17db6 rec_mset_elem_destroy+38
   f 3   0x7ffff7f2c01b gl_array_list_free+59
   f 4   0x7ffff7f17e23 rec_mset_destroy+67
   f 5   0x7ffff7f17e23 rec_mset_destroy+67
   f 6   0x7ffff7f17e23 rec_mset_destroy+67
   f 7   0x7ffff7f1b781 rec_rset_destroy+113
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bin
tcachebins
0x20 [  7]: 0x55555557d280 —▸ 0x55555557d260 —▸ 0x55555557cec0 —▸ 0x55555557cea0 —▸ 0x55555557cf90 —▸ 0x55555557cf70 —▸ 0x555555583370 ◂— 0x0
0x30 [  7]: 0x55555557edf0 —▸ 0x55555557dc60 —▸ 0x55555557eaa0 —▸ 0x55555557e0e0 —▸ 0x555555582420 —▸ 0x5555555823f0 —▸ 0x55555557cfb0 ◂— 0x0
0x40 [  3]: 0x5555555810e0 —▸ 0x555555582c20 —▸ 0x55555557ea40 ◂— 0x0
0x50 [  7]: 0x55555557ecb0 —▸ 0x5555555824a0 —▸ 0x5555555825d0 —▸ 0x5555555826f0 —▸ 0x55555557cd20 —▸ 0x55555557ce50 —▸ 0x55555557d210 ◂— 0x0
0x60 [  2]: 0x55555557e110 —▸ 0x55555557dc90 ◂— 0x0
0x70 [  2]: 0x55555557e8b0 —▸ 0x55555557da00 ◂— 0x0
0x80 [  5]: 0x5555555804c0 —▸ 0x555555582370 —▸ 0x55555557e960 —▸ 0x555555582c80 —▸ 0x5555555822f0 ◂— 0x0
0x90 [  7]: 0x55555557f210 —▸ 0x55555557ed20 —▸ 0x555555582a10 —▸ 0x555555582780 —▸ 0x555555582620 —▸ 0x55555557d2a0 —▸ 0x55555557cee0 ◂— 0x0
0xc0 [  2]: 0x55555557e1b0 —▸ 0x55555557e270 ◂— 0x0
0xe0 [  7]: 0x55555557fc30 —▸ 0x55555557f7c0 —▸ 0x55555557f3c0 —▸ 0x55555557f0a0 —▸ 0x5555555828a0 —▸ 0x5555555824f0 —▸ 0x55555557cd70 ◂— 0x0
0xf0 [  1]: 0x55555557d480 ◂— 0x0
0x110 [  1]: 0x55555557d370 ◂— 0x0
0x180 [  1]: 0x55555557d570 ◂— 0x0
0x1d0 [  1]: 0x555555581120 ◂— 0x0
0x1e0 [  2]: 0x55555557ead0 —▸ 0x55555557c9d0 ◂— 0x0
0x1f0 [  7]: 0x55555557d000 —▸ 0x55555557c7b0 —▸ 0x55555557c170 —▸ 0x55555557bf60 —▸ 0x55555557b930 —▸ 0x55555557b720 —▸ 0x55555557b230 ◂— 0x0
0x230 [  2]: 0x55555557e560 —▸ 0x55555557e330 ◂— 0x0
0x310 [  1]: 0x55555557d6f0 ◂— 0x0
0x3d0 [  1]: 0x55555557dd10 ◂— 0x0
0x410 [  1]: 0x555555577500 ◂— 0x0
fastbins
0x20: 0x555555580290 —▸ 0x555555580270 —▸ 0x55555557fe70 —▸ 0x55555557fff0 —▸ 0x55555557ffd0 ◂— ...
0x30: 0x555555580010 —▸ 0x55555557fe40 —▸ 0x55555557fba0 —▸ 0x55555557f9d0 —▸ 0x55555557f730 ◂— ...
0x40: 0x0
0x50: 0x55555557fbd0 —▸ 0x55555557fd00 —▸ 0x55555557feb0 —▸ 0x55555557f760 —▸ 0x55555557f890 ◂— ...
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all [corrupted]
FD: 0x5555555801e0 —▸ 0x55555557ff40 —▸ 0x55555557fd70 —▸ 0x55555557fad0 —▸ 0x55555557f900 ◂— ...
BK: 0x555555582b60 —▸ 0x55555557eeb0 —▸ 0x55555557f4e0 —▸ 0x55555557f660 —▸ 0x55555557f900 ◂— ...
smallbins
empty
largebins
empty
pwndbg>
```
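The breakpoint dumps above show rec_record_destroy reached through a chain of rec_mset_destroy / rec_mset_elem_destroy frames, and by the second hit the unsorted bin is already marked corrupted. A general defensive pattern for nested destroy chains of this shape, where one element may be reachable from more than one container, is explicit ownership counting. The following is an added example written for this page, not recutils code, and all of its names (elem_t, mset_t, shared_element_scenario) are hypothetical:

```c
/* Constructed model of a record/mset tear-down chain (not recutils code, names
 * hypothetical): an element held by two msets is freed once, by its last owner. */
#include <stdlib.h>
#include <string.h>
typedef struct elem elem_t;
typedef struct mset { elem_t **items; size_t n; } mset_t;
struct elem {
    int refs;          /* msets currently holding this element */
    char *source;      /* mirrors record->source in the page's snippet */
    mset_t *children;  /* nested mset, may be NULL */
};
static int frees;      /* real element deallocations, for checking */
static void elem_destroy(elem_t *e);
/* Destroy an mset: drop one reference on each element, then the set itself. */
static void mset_destroy(mset_t *m)
{
    if (!m) return;
    for (size_t i = 0; i < m->n; i++) elem_destroy(m->items[i]);
    free(m->items);
    free(m);
}

/* Same shape as rec_record_destroy on the page (fields, nested mset, then the
 * struct), but it returns early while another owner still holds the element. */
static void elem_destroy(elem_t *e)
{
    if (!e || --e->refs > 0) return;
    free(e->source);
    mset_destroy(e->children);
    free(e);
    frees++;
}

static elem_t *elem_new(const char *src)
{
    elem_t *e = calloc(1, sizeof *e);   /* refs starts at 0: nobody owns it yet */
    e->source = strcpy(malloc(strlen(src) + 1), src);
    return e;
}
static mset_t *mset_new(void) { return calloc(1, sizeof(mset_t)); }
static void mset_add(mset_t *m, elem_t *e)   /* the only place ownership is taken */
{
    m->items = realloc(m->items, (m->n + 1) * sizeof *m->items);
    m->items[m->n++] = e;
    e->refs++;
}
/* One element reachable from two msets, plus a nested child; returns the number
 * of elements actually freed, expected 2 (shared + child), each exactly once. */
int shared_element_scenario(void)
{
    frees = 0;
    mset_t *a = mset_new(), *b = mset_new();
    elem_t *shared = elem_new("shared");
    shared->children = mset_new();
    mset_add(shared->children, elem_new("child"));
    mset_add(a, shared);
    mset_add(b, shared);
    mset_destroy(a);   /* first owner lets go: shared survives */
    mset_destroy(b);   /* last owner: shared and child freed once each */
    return frees;
}
```

Building the model with `-fsanitize=address` and removing the `--e->refs > 0` guard turns the second mset_destroy into an AddressSanitizer double-free report, which is the precise diagnostic a plain glibc abort like the one above does not give.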

