bug-gnulib@gnu.org mirror (unofficial)
From: "Tim Rühsen" <tim.ruehsen@gmx.de>
To: bug-gnulib@gnu.org
Subject: heap-use-after-free in rpl_glob
Date: Fri, 17 Jan 2020 16:50:44 +0100
Message-ID: <fa7000b5-13f3-a88b-3fd8-9d97730fe460@gmx.de>


[-- Attachment #1.1.1: Type: text/plain, Size: 3498 bytes --]

Hi,

I recently updated wget2 to gnulib commit
a7903da07d3d18c23314aa0815adbb4058fd7cec.

The continuous fuzzer at OSS-Fuzz today reported an issue in rpl_glob.

To reproduce with attached C code (on Debian unstable here, same result
on Ubuntu 16.04.6 docker container with clang 10):

export CC=gcc
export CFLAGS="-O1 -g -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope"
# ... build gnulib ...
$CC $CFLAGS -I. -Ilib glob_crash2.c -o glob_crash2 lib/.libs/libgnu.a
./glob_crash2

=================================================================
==1671628==ERROR: AddressSanitizer: heap-use-after-free on address
0x604000000013 at pc 0x55fa90a36ecd bp 0x7ffe68412980 sp 0x7ffe68412978
READ of size 44 at 0x604000000013 thread T0
    #0 0x55fa90a36ecc in rpl_glob /home/tim/src/wget2/lib/glob.c:868
    #1 0x55fa90a334eb in main /home/tim/src/wget2/glob_crash2.c:35
    #2 0x7fdafafabbba in __libc_start_main ../csu/libc-start.c:308
    #3 0x55fa90a332f9 in _start (/home/tim/src/wget2/glob_crash2+0x22f9)

0x604000000013 is located 3 bytes inside of 48-byte region
[0x604000000010,0x604000000040)
freed by thread T0 here:
    #0 0x7fdafb24c277 in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107277)
    #1 0x55fa90a36e31 in rpl_glob /home/tim/src/wget2/lib/glob.c:849
    #2 0x55fa90a334eb in main /home/tim/src/wget2/glob_crash2.c:35
    #3 0x7fdafafabbba in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7fdafb24c628 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107628)
    #1 0x55fa90a35311 in rpl_glob /home/tim/src/wget2/lib/glob.c:565
    #2 0x55fa90a334eb in main /home/tim/src/wget2/glob_crash2.c:35
    #3 0x7fdafafabbba in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free
/home/tim/src/wget2/lib/glob.c:868 in rpl_glob
Shadow bytes around the buggy address:
  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c087fff8000: fa fa[fd]fd fd fd fd fd fa fa 00 00 00 00 00 01
  0x0c087fff8010: fa fa 00 00 00 00 00 01 fa fa 00 00 00 00 06 fa
  0x0c087fff8020: fa fa 00 00 00 00 06 fa fa fa 00 00 00 00 02 fa
  0x0c087fff8030: fa fa 00 00 00 00 02 fa fa fa 00 00 00 00 00 fa
  0x0c087fff8040: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff8050: fa fa 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1671628==ABORTING


Maybe someone who knows glob better than me could have a look. It seems
to be a regression.

Regards, Tim

[-- Attachment #1.1.2: glob_crash2.c --]
[-- Type: text/x-csrc, Size: 1443 bytes --]

/*
 * Created 17.01.2019 by Tim Rühsen
 *
 * Call glob() using data from fuzzer crash file
 *
 * Build and execute with instrumented gnulib (amend -I paths as needed):
 *
 * clang build (spills out WRITE heap buffer overflow)
 * export CC=clang-6.0
 * export CFLAGS="-O1 -g -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope"
 * $CC $CFLAGS -I. -Ilib glob_crash2.c -o glob_crash2 lib/.libs/libgnu.a
 * ./glob_crash2
 *
 * gcc build (spills out READ heap buffer overflow):
 * export CC=gcc
 * export CFLAGS="-O1 -g -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope"
 * $CC $CFLAGS -I. -Ilib glob_crash2.c -o glob_crash2 lib/.libs/libgnu.a
 * ./glob_crash2
 */

#include <stdio.h>
#include <glob.h>

int main(int argc, char **argv)
{
	/* Raw bytes from the OSS-Fuzz crash file, with an explicit trailing NUL
	 * so that glob() sees a terminated C string. */
	static const unsigned char data[] = {
		0x7e,0x6c,0x70,0x2f,0x83,0x6d,0x65,0x1d,0x75,0xef,0xcc,0xf0,0x74,0x1b,0x03,0x02,0x43,
		0x94,0x05,0x33,0x83,0x1a,0xd4,0x4c,0x9f,0xbb,0x62,0xe6,0xb5,0x99,0x75,0x9f,0x26,0x69,
		0xc0,0x49,0xb0,0x4b,0x38,0xe8,0x74,0x0c,0xc2,0xd1,0x81,0x46,0x77,0x2f,0x89,0xf1,0xc8,
		0x73,0xb3,0x8f,0xf7,0x60,0x63,0xba,0xa5,0x59,0xaa,0xd1,0xa8,0xfc,0xf8,0x20,0xd8,0x12,
		0x58,0x61,0x12,0xc6,0x21,0x5b,0xf5,0x93,0x5a,0x7c,0x79,0x34,0xa5,0x01, 0x00
	};

	(void) argc;
	(void) argv;

	glob_t pglob = { .gl_pathc = 0 };
	if (glob((const char *) data, GLOB_MARK | GLOB_TILDE, NULL, &pglob) == 0)
		globfree(&pglob);

	return 0;
}

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
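The reproducer above hard-codes one crash input as a byte array. The harness below is an added example (not part of Tim's report, nor gnulib's or wget2's code) that generalises it: it loads any OSS-Fuzz crash artifact from a file, turns the raw fuzzer bytes into a properly NUL-terminated pattern (the posted array has to append 0x00 by hand for the same reason, and an input may also carry an embedded NUL), and then runs glob() with the same GLOB_MARK | GLOB_TILDE flags so the artifact can be replayed under an ASan-instrumented gnulib without editing the source. The function names, the 4 KiB size limit and the usage line are assumptions of this example.

```c
/* Added example: replay an OSS-Fuzz crash file through glob().
 * Build it exactly like glob_crash2.c against the instrumented libgnu.a. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <glob.h>

/* Copy at most 'len' raw fuzzer bytes into 'out' as a C string.
 * Fuzzer inputs are arbitrary bytes: they may lack a terminating NUL or
 * contain one in the middle. The copy stops at the first NUL and always
 * writes a terminator. Returns the resulting string length, or -1 when
 * 'out' cannot hold the pattern plus its terminator. */
long pattern_from_bytes(const unsigned char *buf, size_t len,
                        char *out, size_t outsz)
{
    size_t n = 0;

    if (outsz == 0)
        return -1;
    while (n < len && buf[n] != '\0')      /* stop at an embedded NUL */
        n++;
    if (n >= outsz)                        /* need room for the terminator */
        return -1;
    memcpy(out, buf, n);
    out[n] = '\0';
    return (long) n;
}

/* Read a crash artifact (assumed to be at most 4 KiB here) into a pattern
 * buffer. Returns the pattern length, or -1 on I/O error or overflow. */
long pattern_from_file(const char *path, char *out, size_t outsz)
{
    unsigned char raw[4096];
    FILE *f = fopen(path, "rb");
    size_t len;

    if (f == NULL)
        return -1;
    len = fread(raw, 1, sizeof raw, f);
    fclose(f);
    return pattern_from_bytes(raw, len, out, outsz);
}

/* Run one pattern with the reproducer's flags. The glob_t is zeroed first
 * and released only after a successful call, mirroring glob_crash2.c.
 * Returns glob()'s result: 0, GLOB_NOMATCH, GLOB_ABORTED or GLOB_NOSPACE. */
int run_pattern(const char *pattern)
{
    glob_t pglob;
    int rc;

    memset(&pglob, 0, sizeof pglob);
    rc = glob(pattern, GLOB_MARK | GLOB_TILDE, NULL, &pglob);
    if (rc == 0)
        globfree(&pglob);
    return rc;
}

int main(int argc, char **argv)
{
    char pattern[4096];
    long n;
    int rc;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <crash-file>\n", argv[0]);
        return 2;
    }
    n = pattern_from_file(argv[1], pattern, sizeof pattern);
    if (n < 0) {
        fprintf(stderr, "cannot load pattern from %s\n", argv[1]);
        return 2;
    }
    rc = run_pattern(pattern);
    printf("glob() returned %d for a %ld-byte pattern\n", rc, n);
    return 0;
}
```

Under AddressSanitizer a use-after-free inside rpl_glob aborts the process with the same kind of report quoted in the mail, so the printed return code is only reached for inputs that glob() survives; running the harness over a whole crash directory is a quick way to confirm a fix against every artifact the fuzzer has produced.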

Thread overview: 5+ messages
2020-01-17 15:50 Tim Rühsen [this message]
2020-01-17 17:00 ` heap-use-after-free in rpl_glob Bruno Haible
2020-01-17 19:29   ` Tim Rühsen
2020-01-17 19:52   ` Paul Eggert
2020-01-17 21:00     ` Bruno Haible
