Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Incomplete preprocessor tokens at end of file lead to heap-use-after-free #353

Open
clesmian opened this issue Jul 26, 2023 · 4 comments
Open

Comments

@clesmian
Copy link

clesmian commented Jul 26, 2023

This has been found while fuzzing c2m compiled from commit d51b45f with ASAN.

Running c2m poc.txt with an input file containing #define\ (without trailing newline) leads to a hang. Compilation with ASAN shows that it the underlying problem is a heap-use-after-free in get_next_pptoken_1. This also happens with #ifdef or #include

poc.txt

ASAN Output

a:0:0: warning -- no end of line at file end
a:1:7: no ident after #define: <EOU>
=================================================================
==2105235==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000000020 at pc 0x561d65ff8184 bp 0x7f07828fdea0 sp 0x7f07828fde90
READ of size 8 at 0x608000000020 thread T1
    #0 0x561d65ff8183 in get_next_pptoken_1 c2mir/c2mir.c:1530
    #1 0x561d660070b9 in get_next_pptoken c2mir/c2mir.c:1712
    #2 0x561d660070b9 in skip_nl c2mir/c2mir.c:2198
    #3 0x561d660070b9 in define c2mir/c2mir.c:2259
    #4 0x561d6600f7a7 in process_directive c2mir/c2mir.c:3065
    #5 0x561d6600f7a7 in processing c2mir/c2mir.c:3563
    #6 0x561d6605d4a3 in pre c2mir/c2mir.c:3801
    #7 0x561d6605d4a3 in c2mir_compile c2mir/c2mir.c:13464
    #8 0x561d66061534 in compile c2mir/c2mir-driver.c:498
    #9 0x7f0785f03608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #10 0x7f0785e28132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

0x608000000020 is located 0 bytes inside of 88-byte region [0x608000000020,0x608000000078)
freed by thread T1 here:
    #0 0x7f078618040f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x561d65ff38d3 in free_stream c2mir/c2mir.c:894
    #2 0x561d65ff38d3 in get_next_pptoken_1 c2mir/c2mir.c:1529

previously allocated by thread T1 here:
    #0 0x7f0786180808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x561d65f869c8 in new_stream c2mir/c2mir.c:905
    #2 0x561d65f869c8 in add_stream c2mir/c2mir.c:926

Thread T1 created by T0 here:
    #0 0x7f07860ad815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x561d65f73cab in init_compilers c2mir/c2mir-driver.c:540
    #2 0x561d65f73cab in main c2mir/c2mir-driver.c:656

SUMMARY: AddressSanitizer: heap-use-after-free c2mir/c2mir.c:1530 in get_next_pptoken_1
Shadow bytes around the buggy address:
  0x0c107fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff8000: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff8010: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff8020: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff8030: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 02 fa
  0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2105235==ABORTING
@vnmakarov
Copy link
Owner

Thank you for reporting this. I'll try to fix it as as soon as possible.

@vnmakarov
Copy link
Owner

I've fixed it by recent patches.

@clesmian
Copy link
Author

clesmian commented Aug 7, 2023

4ff53b1 partially fixes the issue.

This file poc2.txt still leads to a heap use-after-free.

poc2.txt:0:0: warning -- no end of line at file end
=================================================================
==631532==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000000020 at pc 0x5637c40eda59 bp 0x7f6ec6dfe040 sp 0x7f6ec6dfe030
READ of size 8 at 0x608000000020 thread T1
    #0 0x5637c40eda58 in get_next_pptoken_1 c2mir/c2mir.c:1530
    #1 0x5637c40fbf91 in get_next_pptoken c2mir/c2mir.c:1712
    #2 0x5637c40fbf91 in processing c2mir/c2mir.c:3560
    #3 0x5637c414f533 in pre c2mir/c2mir.c:3801
    #4 0x5637c414f533 in c2mir_compile c2mir/c2mir.c:13468
    #5 0x5637c4152d6a in compile c2mir/c2mir-driver.c:498
    #6 0x7f6eca3e2608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #7 0x7f6eca307132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

0x608000000020 is located 0 bytes inside of 88-byte region [0x608000000020,0x608000000078)
freed by thread T1 here:
    #0 0x7f6eca65f40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x5637c40e80ca in free_stream c2mir/c2mir.c:894
    #2 0x5637c40e80ca in get_next_pptoken_1 c2mir/c2mir.c:1529

previously allocated by thread T1 here:
    #0 0x7f6eca65f808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5637c4077b58 in new_stream c2mir/c2mir.c:905
    #2 0x5637c4077b58 in add_stream c2mir/c2mir.c:926

Thread T1 created by T0 here:
    #0 0x7f6eca58c815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x5637c40676f8 in init_compilers c2mir/c2mir-driver.c:540
    #2 0x5637c40676f8 in main c2mir/c2mir-driver.c:656

SUMMARY: AddressSanitizer: heap-use-after-free c2mir/c2mir.c:1530 in get_next_pptoken_1
Shadow bytes around the buggy address:
  0x0c107fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff8000: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff8010: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff8020: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff8030: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 02 fa
  0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==631532==ABORTING

@vnmakarov
Copy link
Owner

Sorry for the delay. I fixed this PR in my recent commit 55ec6a7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants