From: Bruno Haible
To: bug-gnulib@gnu.org
Cc: Tim Rühsen, Paul Eggert
Subject: Re: heap-use-after-free in rpl_glob
Date: Fri, 17 Jan 2020 18:00:35 +0100
Message-ID: <6008915.UEnMCXWWPA@omega>

Hi Tim,

> The continuous fuzzer at OSS-Fuzz today reported an issue in rpl_glob.
>
> To reproduce with attached C code (on Debian unstable here, same result
> on Ubuntu 16.04.6 docker container with clang 10):
>
> export CC=gcc
> export CFLAGS="-O1 -g -fno-omit-frame-pointer -fsanitize=address
> -fsanitize-address-use-after-scope"
> # ... build gnulib ...
> $CC $CFLAGS -I. -Ilib glob_crash2.c -o glob_crash2 lib/.libs/libgnu.a
> ./glob_crash2
>
> =================================================================
> ==1671628==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x604000000013 at pc 0x55fa90a36ecd bp 0x7ffe68412980 sp 0x7ffe68412978
> READ of size 44 at 0x604000000013 thread T0
>     #0 0x55fa90a36ecc in rpl_glob /home/tim/src/wget2/lib/glob.c:868
>     #1 0x55fa90a334eb in main /home/tim/src/wget2/glob_crash2.c:35
>     #2 0x7fdafafabbba in __libc_start_main ../csu/libc-start.c:308
>     #3 0x55fa90a332f9 in _start (/home/tim/src/wget2/glob_crash2+0x22f9)
>
> 0x604000000013 is located 3 bytes inside of 48-byte region
> [0x604000000010,0x604000000040)
> freed by thread T0 here:
>     #0 0x7fdafb24c277 in __interceptor_free
> (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107277)
>     #1 0x55fa90a36e31 in rpl_glob /home/tim/src/wget2/lib/glob.c:849
>     #2 0x55fa90a334eb in main /home/tim/src/wget2/glob_crash2.c:35
>     #3 0x7fdafafabbba in __libc_start_main ../csu/libc-start.c:308
>
> previously allocated by thread T0 here:
>     #0 0x7fdafb24c628 in malloc
> (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107628)
>     #1 0x55fa90a35311 in rpl_glob /home/tim/src/wget2/lib/glob.c:565
>     #2 0x55fa90a334eb in main /home/tim/src/wget2/glob_crash2.c:35
>     #3 0x7fdafafabbba in __libc_start_main ../csu/libc-start.c:308

I can't reproduce the crashes. But the line numbers (565, 849, 868) from
the output above are clearly indicating the problem:
  - end_name is part of dirname,
  - dirname is freed,
  - after dirname is freed, the code still accesses end_name.

Can you please test this patch?

Thank you very much for this report! I expect that the fix will also need
to go into glibc.


2020-01-17  Bruno Haible

	glob: Fix use-after-free bug.
	Reported by Tim Rühsen in .
	* lib/glob.c (__glob): Delay freeing dirname until after the use of
	end_name.

diff --git a/lib/glob.c b/lib/glob.c
index a67cbb6..5b34939 100644
--- a/lib/glob.c
+++ b/lib/glob.c
@@ -843,10 +843,11 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
             {
               size_t home_len = strlen (p->pw_dir);
               size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
+              /* dirname contains end_name; we can't free it now.  */
+              char *prev_dirname =
+                (__glibc_unlikely (malloc_dirname) ? dirname : NULL);
               char *d;
 
-              if (__glibc_unlikely (malloc_dirname))
-                free (dirname);
               malloc_dirname = 0;
 
               if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
@@ -868,6 +869,8 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
               d = mempcpy (d, end_name, rest_len);
               *d = '\0';
 
+              free (prev_dirname);
+
               dirlen = home_len + rest_len;
               dirname_modified = 1;
             }
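Review bot: in the second hunk, placing `free (prev_dirname);` after `*d = '\0';` does put the free past the last read of `end_name`, which is the ordering the report calls for; however, the first hunk now resets `malloc_dirname = 0;` while `prev_dirname` still owns the old buffer, and the allocation that follows the visible `if (glob_use_alloca (alloca_used, home_len + rest_len + 1))` context lies between the two hunks. If that allocation can fail and return early, `prev_dirname` is never freed on that path. Suggest either freeing `prev_dirname` on that error exit or keeping `malloc_dirname` set until the new `dirname` is in place, so the cleanup at the function's exit still covers it.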
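As an added illustration of the ordering the patch establishes (example code written here, not Gnulib's or glibc's glob.c): the "~user/rest" expansion is modelled by the hypothetical helpers find_end_name and expand_home, where end_name points into the very buffer that is later replaced, so the old buffer may only be freed after the copy from end_name has completed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Added example (not Gnulib's or glibc's code) modelling the ordering the
   patch establishes in __glob's "~user/..." expansion.  Names expand_home
   and find_end_name are hypothetical.  */

/* Mirror how glob derives end_name: a pointer INTO dirname just past the
   first '/', or NULL when the pattern is "~user" alone.  */
const char *find_end_name (const char *dirname)
{
  const char *slash = strchr (dirname, '/');
  return slash == NULL ? NULL : slash + 1;
}

/* Replace the "~user" prefix of dirname with home.  dirname is freed here
   when malloc_dirname is nonzero, but only after the last read of end_name,
   which points into it.  The pre-fix code freed dirname before copying
   end_name: that is the heap-use-after-free ASan reported.
   Returns a fresh malloc'd string, or NULL on allocation failure.  */
char *expand_home (char *dirname, int malloc_dirname,
                   const char *end_name, const char *home)
{
  size_t home_len = strlen (home);
  size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
  /* dirname contains end_name; we can't free it now.  */
  char *prev_dirname = malloc_dirname ? dirname : NULL;

  char *out = malloc (home_len + 1 + rest_len + 1);
  if (out == NULL)
    {
      free (prev_dirname);      /* the error path must not leak it either */
      return NULL;
    }
  char *d = out;
  memcpy (d, home, home_len);
  d += home_len;
  if (end_name != NULL)
    {
      *d++ = '/';
      memcpy (d, end_name, rest_len);   /* last read through end_name */
      d += rest_len;
    }
  *d = '\0';

  free (prev_dirname);          /* safe now: end_name is no longer needed */
  return out;
}
```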