UAF in client_close #8

Open
meme opened this issue Jul 7, 2021 · 1 comment
@meme
Contributor

meme commented Jul 7, 2021

Looks like, due to improper bookkeeping, client_close is called twice for the same client, which has already been freed, leading to a UAF.

ASan:

==33430==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000007a0
at pc 0x55d4554839b3 bp 0x7ffe3219c350 sp 0x7ffe3219c340
READ of size 4 at 0x6080000007a0 thread T0
    #0 0x55d4554839b2 in client_close /usbfluxd/usbfluxd/client.c:238
    #1 0x55d455485059 in client_notify_remote_close /usbfluxd/usbfluxd/client.c:390
    #2 0x55d4554922d8 in usbmux_remote_dispose /usbfluxd/usbfluxd/usbmux_remote.c:914
    #3 0x55d45549113a in remote_mark_dead /usbfluxd/usbfluxd/usbmux_remote.c:552
    #4 0x55d45549253d in usbmux_remote_mark_dead /usbfluxd/usbfluxd/usbmux_remote.c:933
    #5 0x55d4554956c2 in remote_process_recv /usbfluxd/usbfluxd/usbmux_remote.c:1231
    #6 0x55d4554967b6 in usbmux_remote_process /usbfluxd/usbfluxd/usbmux_remote.c:1343
    #7 0x55d455499526 in main_loop /usbfluxd/usbfluxd/main.c:159
    #8 0x55d45549a870 in main /usbfluxd/usbfluxd/main.c:477
    #9 0x7f3ed253bb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #10 0x55d45548295d in _start (/usr/local/sbin/usbfluxd+0xa95d)
0x6080000007a0 is located 0 bytes inside of 96-byte region [0x6080000007a0,0x608000000800)
freed by thread T0 here:
    #0 0x7f3ed2932f19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x55d455483c29 in client_close /usbfluxd/usbfluxd/client.c:254
    #2 0x55d45548b19d in client_process /usbfluxd/usbfluxd/client.c:1019
    #3 0x55d4554993cf in main_loop /usbfluxd/usbfluxd/main.c:156
    #4 0x55d45549a870 in main /usbfluxd/usbfluxd/main.c:477
    #5 0x7f3ed253bb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
previously allocated by thread T0 here:
    #0 0x7f3ed2933279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55d45548334c in client_accept /usbfluxd/usbfluxd/client.c:199
    #2 0x55d455499242 in main_loop /usbfluxd/usbfluxd/main.c:149
    #3 0x55d45549a870 in main /usbfluxd/usbfluxd/main.c:477
    #4 0x7f3ed253bb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
SUMMARY: AddressSanitizer: heap-use-after-free /usbfluxd/usbfluxd/client.c:238 in client_close
Shadow bytes around the buggy address:
  0x0c107fff80a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff80b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff80c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff80d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff80e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff80f0: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8100: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8110: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8120: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8130: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8140: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==33430==ABORTING
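The bookkeeping fix the report points at, written as an added illustration that is not usbfluxd's code: the client and the remote it is bridged to each hold a reference to the other, and whichever side tears down first clears the other's reference before freeing, so the second teardown path (client_notify_remote_close after the client already closed itself) finds nothing left to close. All struct and function names below are assumed for the example.

```c
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical model of the two-sided bookkeeping in the report: a client and
 * the remote it is bridged to each hold a pointer to the other. Names are
 * assumed for this example and are not usbfluxd's real structures. */
struct remote;
struct client { int fd; struct remote *remote; };
struct remote { int id; struct client *client; int dead; };

static int close_count;   /* how many times client_close_demo freed a client */

struct client *client_accept_demo(int fd, struct remote *r) {
    struct client *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->fd = fd;
    c->remote = r;
    r->client = c;          /* the remote now references this client */
    return c;
}

/* Break the remote's back-reference before freeing, so a later remote
 * teardown has no stale pointer to hand back to client_close. */
void client_close_demo(struct client *c) {
    if (!c) return;
    if (c->remote && c->remote->client == c)
        c->remote->client = NULL;
    c->remote = NULL;
    free(c);
    close_count++;
}

/* Remote teardown: only close a client that is still attached.
 * Returns 1 if it closed a client, 0 if there was none left to close. */
int usbmux_remote_dispose_demo(struct remote *r) {
    r->dead = 1;
    if (r->client) {        /* NULL when the client already closed itself */
        client_close_demo(r->client);
        return 1;
    }
    return 0;
}

/* Order from the ASan report: client_process closes the client first,
 * then the remote is marked dead and disposed. Returns 1 if no double free. */
int run_double_close_scenario(void) {
    struct remote r = { .id = 1 };
    struct client *c = client_accept_demo(7, &r);
    if (!c) return -1;
    client_close_demo(c);                               /* client_process path */
    int closed_again = usbmux_remote_dispose_demo(&r);  /* remote path: nothing to close */
    return closed_again == 0 && close_count == 1 && r.client == NULL;
}
```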
@sbingner
Collaborator

sbingner commented Apr 5, 2023

This should now be fixed in master - if you can verify

@sbingner sbingner self-assigned this Apr 5, 2023