From: Tim Rühsen
Subject: Re: heap-use-after-free in rpl_glob
To: Bruno Haible, bug-gnulib@gnu.org
Cc: Paul Eggert
Date: Fri, 17 Jan 2020 20:29:50 +0100
Message-ID: <6dea4cb8-10b6-91de-b9cc-33e18c42123f@gmx.de>
In-Reply-To: <6008915.UEnMCXWWPA@omega>
References: <6008915.UEnMCXWWPA@omega>
List-Id: Gnulib discussion list

Hi Bruno,

I can confirm that your patch doesn't trigger asan any more. Thank you!

Regards, Tim

On 17.01.20 18:00, Bruno Haible wrote:
> Hi Tim,
> 
>> The continuous fuzzer at OSS-Fuzz today reported an issue in rpl_glob.
>>
>> To reproduce with attached C code (on Debian unstable here, same result
>> on Ubuntu 16.04.6 docker container with clang 10):
>>
>> export CC=gcc
>> export CFLAGS="-O1 -g -fno-omit-frame-pointer -fsanitize=address
>> -fsanitize-address-use-after-scope"
>> # ... build gnulib ...
>> $CC $CFLAGS -I. -Ilib glob_crash2.c -o glob_crash2 lib/.libs/libgnu.a
>> ./glob_crash2
>>
>> =================================================================
>> ==1671628==ERROR: AddressSanitizer: heap-use-after-free on address
>> 0x604000000013 at pc 0x55fa90a36ecd bp 0x7ffe68412980 sp 0x7ffe68412978
>> READ of size 44 at 0x604000000013 thread T0
>>     #0 0x55fa90a36ecc in rpl_glob /home/tim/src/wget2/lib/glob.c:868
>>     #1 0x55fa90a334eb in main /home/tim/src/wget2/glob_crash2.c:35
>>     #2 0x7fdafafabbba in __libc_start_main ../csu/libc-start.c:308
>>     #3 0x55fa90a332f9 in _start (/home/tim/src/wget2/glob_crash2+0x22f9)
>>
>> 0x604000000013 is located 3 bytes inside of 48-byte region
>> [0x604000000010,0x604000000040)
>> freed by thread T0 here:
>>     #0 0x7fdafb24c277 in __interceptor_free
>> (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107277)
>>     #1 0x55fa90a36e31 in rpl_glob /home/tim/src/wget2/lib/glob.c:849
>>     #2 0x55fa90a334eb in main /home/tim/src/wget2/glob_crash2.c:35
>>     #3 0x7fdafafabbba in __libc_start_main ../csu/libc-start.c:308
>>
>> previously allocated by thread T0 here:
>>     #0 0x7fdafb24c628 in malloc
>> (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107628)
>>     #1 0x55fa90a35311 in rpl_glob /home/tim/src/wget2/lib/glob.c:565
>>     #2 0x55fa90a334eb in main /home/tim/src/wget2/glob_crash2.c:35
>>     #3 0x7fdafafabbba in __libc_start_main ../csu/libc-start.c:308
> 
> I can't reproduce the crashes. But the line numbers (565, 849, 868)
> from the output above are clearly indicating the problem:
> - end_name is part of dirname,
> - dirname is freed,
> - after dirname is freed, the code still accesses end_name.
> 
> Can you please test this patch?
> 
> Thank you very much for this report! I expect that the fix will also need
> to go into glibc.
> 
> 
> 2020-01-17  Bruno Haible
> 
>         glob: Fix use-after-free bug.
>         Reported by Tim Rühsen in
>         .
>         * lib/glob.c (__glob): Delay freeing dirname until after the use of
>         end_name.
> 
> diff --git a/lib/glob.c b/lib/glob.c
> index a67cbb6..5b34939 100644
> --- a/lib/glob.c
> +++ b/lib/glob.c
> @@ -843,10 +843,11 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
>                  {
>                    size_t home_len = strlen (p->pw_dir);
>                    size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
> +                  /* dirname contains end_name; we can't free it now.  */
> +                  char *prev_dirname =
> +                    (__glibc_unlikely (malloc_dirname) ? dirname : NULL);
>                    char *d;
>  
> -                  if (__glibc_unlikely (malloc_dirname))
> -                    free (dirname);
>                    malloc_dirname = 0;
>  
>                    if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
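Review bot: this hunk drops the early free (dirname) and still clears malloc_dirname, but the matching free (prev_dirname) only happens in the next hunk; any early return between the two, for example if the non-alloca allocation of d that follows the visible glob_use_alloca check fails, would now leak prev_dirname where the old code had already freed it, so that error path is worth checking and, if needed, a free (prev_dirname) added before the return. Minor style point: __glibc_unlikely around the condition of a ternary is unusual in this file, where it is used on if-branches; plain (malloc_dirname ? dirname : NULL) reads more clearly.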
> @@ -868,6 +869,8 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
>                    d = mempcpy (d, end_name, rest_len);
>                    *d = '\0';
>  
> +                  free (prev_dirname);
> +
>                    dirlen = home_len + rest_len;
>                    dirname_modified = 1;
>                  }
> 
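Review bot: after free (prev_dirname) here, end_name (a pointer into the freed buffer) is dangling for the rest of __glob; the two lines that follow in the hunk only touch dirlen and dirname_modified, but a comment at the free saying that end_name must not be read past this point would keep the same bug from coming back in a later edit. No NULL guard is needed: free (NULL) is well-defined, which is what makes the prev_dirname = NULL case from the first hunk work.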
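As an added illustration of the ordering Bruno describes above (end_name is a pointer into dirname, so dirname must outlive the last read through end_name), here is a small C model of the "~user/rest" expansion step. This is example code written for this page, not gnulib's glob.c and not code from either author; the function names make_dirname, expand_home_buggy and expand_home_fixed, the ownership convention (the expansion consumes dirname) and the constructed inputs are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not gnulib's code: 'dirname' is a heap buffer such as
   "~tim/src/wget2" and 'end_name' points INTO that buffer, at the first '/'
   after the user name (NULL for a bare "~tim").  */

/* Build the aliased pair the way the glob code has it.  */
char *
make_dirname (const char *pattern, const char **end_name)
{
  size_t n = strlen (pattern);
  char *dirname = malloc (n + 1);
  if (dirname == NULL)
    {
      *end_name = NULL;
      return NULL;
    }
  memcpy (dirname, pattern, n + 1);
  *end_name = strchr (dirname + 1, '/');   /* points inside dirname */
  return dirname;
}

/* Wrong ordering, the shape of the reported bug: the buffer end_name points
   into is freed before the tail is copied, so the second memcpy reads freed
   memory.  Kept only to show the ordering; not called by main or the
   checks below (build with -fsanitize=address and call it to see the
   report class from the thread).  */
char *
expand_home_buggy (char *dirname, const char *end_name, const char *home)
{
  size_t home_len = strlen (home);
  size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
  char *d = malloc (home_len + rest_len + 1);
  if (d == NULL)
    return NULL;

  free (dirname);                               /* end_name now dangles */

  memcpy (d, home, home_len);
  if (rest_len)
    memcpy (d + home_len, end_name, rest_len);  /* heap-use-after-free */
  d[home_len + rest_len] = '\0';
  return d;
}

/* Corrected ordering, following the patch's approach: keep the old buffer,
   finish every read through end_name, and free only then.  */
char *
expand_home_fixed (char *dirname, const char *end_name, const char *home)
{
  size_t home_len = strlen (home);
  size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
  char *prev_dirname = dirname;  /* dirname contains end_name; can't free yet */
  char *d = malloc (home_len + rest_len + 1);
  if (d == NULL)
    {
      free (prev_dirname);       /* the deferred free must not become a leak */
      return NULL;
    }

  memcpy (d, home, home_len);
  if (rest_len)
    memcpy (d + home_len, end_name, rest_len);  /* last read through end_name */
  d[home_len + rest_len] = '\0';

  free (prev_dirname);           /* only after the last use of end_name */
  return d;
}

/* Runs the fixed expansion over two constructed inputs; returns 1 if both
   results are as expected, 0 otherwise.  */
int
check_expansion (void)
{
  const char *end_name;
  char *dirname, *out;
  int ok = 1;

  dirname = make_dirname ("~tim/src/wget2", &end_name);
  out = expand_home_fixed (dirname, end_name, "/home/tim");
  ok = ok && out != NULL && strcmp (out, "/home/tim/src/wget2") == 0;
  free (out);

  dirname = make_dirname ("~tim", &end_name);   /* no tail: end_name == NULL */
  out = expand_home_fixed (dirname, end_name, "/home/tim");
  ok = ok && out != NULL && strcmp (out, "/home/tim") == 0;
  free (out);

  return ok;
}

int
main (void)
{
  printf ("expansion %s\n", check_expansion () ? "ok" : "FAILED");
  return 0;
}
```

The fixed variant also frees on the allocation-failure path, which is the one place where deferring a free can quietly turn into a leak; building with the same -fsanitize=address flags quoted in the report and calling the buggy variant instead shows ASan's heap-use-after-free read at the second memcpy.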