DESCRIPTION
A heap use after free is the use of a memory location that was allocated during program execution and then freed, for example dereferencing a pointer that has already been passed to free(). Accessing such a location has consequences that range from interrupting execution to making the machine vulnerable to malicious code execution.
==11==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020001daef0 at pc 0x558a4019f464 bp 0x7fffc6588ab0 sp 0x7fffc6588280
READ of size 3 at 0x6020001daef0 thread T0
#0 0x558a4019f463 in __interceptor_puts (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xd9463) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#1 0x558a402442fb in trigger_use_after_free() /home/runner/work/c-cpp-example/c-cpp-example/checkout-dir/src/explore_me/explore_me.cpp:49:3
#2 0x558a402442fb in ExploreComplexChecks(long, long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) /home/runner/work/c-cpp-example/c-cpp-example/checkout-dir/src/explore_me/explore_me.cpp:26:9
#3 0x558a40242719 in LLVMFuzzerTestOneInputNoReturn(unsigned char const*, unsigned long) /home/runner/work/c-cpp-example/c-cpp-example/checkout-dir/src/explore_me/complex_checks_test.cpp:25:3
#4 0x558a40242548 in LLVMFuzzerTestOneInput /home/runner/work/c-cpp-example/c-cpp-example/checkout-dir/src/explore_me/complex_checks_test.cpp:19:1
#5 0x558a40168b03 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xa2b03) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#6 0x558a40168259 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xa2259) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#7 0x558a40169a49 in fuzzer::Fuzzer::MutateAndTestOne() (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xa3a49) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#8 0x558a4016a5c5 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xa45c5) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#9 0x558a40158702 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0x92702) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#10 0x558a401823f2 in main (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xbc3f2) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#11 0x7fb5cf22814f (/lib/x86_64-linux-gnu/libc.so.6+0x2814f) (BuildId: 6a981b07a3731293c24c10a21397416d3c3d52ed)
#12 0x7fb5cf228208 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28208) (BuildId: 6a981b07a3731293c24c10a21397416d3c3d52ed)
#13 0x558a4014d144 in _start (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0x87144) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
0x6020001daef0 is located 0 bytes inside of 6-byte region [0x6020001daef0,0x6020001daef6)
freed by thread T0 here:
#0 0x558a40204ed2 in __interceptor_free (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0x13eed2) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#1 0x558a402442f3 in trigger_use_after_free() /home/runner/work/c-cpp-example/c-cpp-example/checkout-dir/src/explore_me/explore_me.cpp:48:3
#2 0x558a402442f3 in ExploreComplexChecks(long, long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) /home/runner/work/c-cpp-example/c-cpp-example/checkout-dir/src/explore_me/explore_me.cpp:26:9
#3 0x558a40242719 in LLVMFuzzerTestOneInputNoReturn(unsigned char const*, unsigned long) /home/runner/work/c-cpp-example/c-cpp-example/checkout-dir/src/explore_me/complex_checks_test.cpp:25:3
#4 0x558a40242548 in LLVMFuzzerTestOneInput /home/runner/work/c-cpp-example/c-cpp-example/checkout-dir/src/explore_me/complex_checks_test.cpp:19:1
#5 0x558a40168b03 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xa2b03) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#6 0x558a40168259 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xa2259) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#7 0x558a40169a49 in fuzzer::Fuzzer::MutateAndTestOne() (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xa3a49) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#8 0x558a4016a5c5 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xa45c5) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#9 0x558a40158702 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0x92702) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#10 0x558a401823f2 in main (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xbc3f2) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#11 0x7fb5cf22814f (/lib/x86_64-linux-gnu/libc.so.6+0x2814f) (BuildId: 6a981b07a3731293c24c10a21397416d3c3d52ed)
previously allocated by thread T0 here:
#0 0x558a4020517e in malloc (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0x13f17e) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#1 0x558a4024428d in trigger_use_after_free() /home/runner/work/c-cpp-example/c-cpp-example/checkout-dir/src/explore_me/explore_me.cpp:45:38
#2 0x558a4024428d in ExploreComplexChecks(long, long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) /home/runner/work/c-cpp-example/c-cpp-example/checkout-dir/src/explore_me/explore_me.cpp:26:9
#3 0x558a40242719 in LLVMFuzzerTestOneInputNoReturn(unsigned char const*, unsigned long) /home/runner/work/c-cpp-example/c-cpp-example/checkout-dir/src/explore_me/complex_checks_test.cpp:25:3
#4 0x558a40242548 in LLVMFuzzerTestOneInput /home/runner/work/c-cpp-example/c-cpp-example/checkout-dir/src/explore_me/complex_checks_test.cpp:19:1
#5 0x558a40168b03 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xa2b03) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#6 0x558a40168259 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xa2259) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#7 0x558a40169a49 in fuzzer::Fuzzer::MutateAndTestOne() (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xa3a49) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#8 0x558a4016a5c5 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xa45c5) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#9 0x558a40158702 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0x92702) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#10 0x558a401823f2 in main (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xbc3f2) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f)
#11 0x7fb5cf22814f (/lib/x86_64-linux-gnu/libc.so.6+0x2814f) (BuildId: 6a981b07a3731293c24c10a21397416d3c3d52ed)
SUMMARY: AddressSanitizer: heap-use-after-free (/cifuzz/libfuzzer/address+undefined/complex_checks_fuzz_test/bin/src/explore_me/complex_checks_fuzz_test+0xd9463) (BuildId: 15d92887abe303fdf1a09f36d2634bd24c87c90f) in __interceptor_puts
Shadow bytes around the buggy address:
0x0c0480033580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480033590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800335a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800335b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800335c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c04800335d0: fa fa fd fd fa fa fa fa fa fa fa fa fa fa[fd]fa
0x0c04800335e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c04800335f0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480033600: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480033610: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480033620: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==11==ABORTING
MS: 1 ChangeBit-; base unit: 13d8cd99d22b2dfbe23ab4dd6daac321c56374a0
0x48,0x65,0x79,0x2c,0x20,0x77,0x65,0x6c,0x63,0x6f,0x6d,0x65,0x20,0x74,0x6f,0x20,0x43,0x49,0x20,0x46,0x75,0x7a,0x7a,0x21,
Hey, welcome to CI Fuzz!
artifact_prefix='/tmp/libfuzzer-out-3565272225/'; Test unit written to /tmp/libfuzzer-out-3565272225/crash-65caedf1d4a69e866125573f33a835499c5aac7f
Base64: SGV5LCB3ZWxjb21lIHRvIENJIEZ1enoh
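The report above places the allocation of a 6-byte region at explore_me.cpp:45, its free at :48 and the reading puts() at :49. The following is an added illustration, not the project's source: buggy_greeting() is an assumed reconstruction of that malloc/free/puts ordering (never called, since its behaviour is undefined), and fixed_greeting() shows the corrected ordering with the pointer cleared at the point of release.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Free a heap pointer and clear the caller's variable, so any later use
   dereferences NULL (a deterministic crash in any build) instead of a
   dangling pointer into memory the allocator may already have recycled. */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)

/* Assumed reconstruction of the reported pattern (not the project's code):
   allocate 6 bytes, free them, then read them through puts().
   Kept for documentation only; it is never called. */
void buggy_greeting(void) {
    char *msg = (char *)malloc(6);      /* allocation site (explore_me.cpp:45 in the report) */
    if (msg == NULL) return;
    memcpy(msg, "Hello", 6);
    free(msg);                          /* free site (:48) */
    puts(msg);                          /* heap-use-after-free: READ of the freed region (:49) */
}

/* Hardened form: the buffer is used before it is released, and the variable
   is cleared when it is released. Returns the number of characters printed
   (0 on allocation failure) so the use-then-free ordering can be checked. */
size_t fixed_greeting(const char *text) {
    size_t len = strlen(text);
    char *msg = (char *)malloc(len + 1);
    if (msg == NULL) return 0;
    memcpy(msg, text, len + 1);
    puts(msg);                          /* use first ... */
    FREE_AND_NULL(msg);                 /* ... then release and clear */
    return len;
}

/* Returns 1 when FREE_AND_NULL left the variable NULL, i.e. a later
   dereference would fault immediately rather than read freed memory. */
int pointer_cleared_after_free(void) {
    char *p = (char *)malloc(6);
    if (p == NULL) return 0;
    FREE_AND_NULL(p);
    return p == NULL;
}

int main(void) {
    fixed_greeting("Hey, welcome to CI Fuzz!");   /* the crashing input from the report */
    return pointer_cleared_after_free() ? 0 : 1;
}
```

Compiling with `-fsanitize=address -g` (clang or gcc) is what produces a report in the format shown above; in an ASan build the reconstructed buggy_greeting() would be flagged at the puts() line.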
Detected Heap Use After Free Vulnerability in src/explore_me/explore_me.cpp:49:3
SEVERITY
8.0
CWE
Use After Free (#416)