Hi, I recently updated wget2 to gnulib commit a7903da07d3d18c23314aa0815adbb4058fd7cec.
The continuous fuzzer at OSS-Fuzz today reported an issue in rpl_glob. To reproduce with the attached C code (on Debian unstable here; same result in an Ubuntu 16.04.6 docker container with clang 10):

export CC=gcc
export CFLAGS="-O1 -g -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope"
# ... build gnulib ...
$CC $CFLAGS -I. -Ilib glob_crash2.c -o glob_crash2 lib/.libs/libgnu.a
./glob_crash2

=================================================================
==1671628==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000013 at pc 0x55fa90a36ecd bp 0x7ffe68412980 sp 0x7ffe68412978
READ of size 44 at 0x604000000013 thread T0
    #0 0x55fa90a36ecc in rpl_glob /home/tim/src/wget2/lib/glob.c:868
    #1 0x55fa90a334eb in main /home/tim/src/wget2/glob_crash2.c:35
    #2 0x7fdafafabbba in __libc_start_main ../csu/libc-start.c:308
    #3 0x55fa90a332f9 in _start (/home/tim/src/wget2/glob_crash2+0x22f9)

0x604000000013 is located 3 bytes inside of 48-byte region [0x604000000010,0x604000000040)
freed by thread T0 here:
    #0 0x7fdafb24c277 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107277)
    #1 0x55fa90a36e31 in rpl_glob /home/tim/src/wget2/lib/glob.c:849
    #2 0x55fa90a334eb in main /home/tim/src/wget2/glob_crash2.c:35
    #3 0x7fdafafabbba in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7fdafb24c628 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107628)
    #1 0x55fa90a35311 in rpl_glob /home/tim/src/wget2/lib/glob.c:565
    #2 0x55fa90a334eb in main /home/tim/src/wget2/glob_crash2.c:35
    #3 0x7fdafafabbba in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /home/tim/src/wget2/lib/glob.c:868 in rpl_glob
Shadow bytes around the buggy address:
  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c087fff8000: fa fa[fd]fd fd fd fd fd fa fa 00 00 00 00 00 01
  0x0c087fff8010: fa fa 00 00 00 00 00 01 fa fa 00 00 00 00 06 fa
  0x0c087fff8020: fa fa 00 00 00 00 06 fa fa fa 00 00 00 00 02 fa
  0x0c087fff8030: fa fa 00 00 00 00 02 fa fa fa 00 00 00 00 00 fa
  0x0c087fff8040: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff8050: fa fa 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1671628==ABORTING

Maybe someone who knows glob better than me could have a look. It seems to be a regression.

Regards, Tim
/*
 * Created 17.01.2019 by Tim Rühsen
 *
 * Reproducer: feed a fuzzer-generated crash input to glob().
 *
 * Build and run against an ASan-instrumented gnulib (adjust the -I paths
 * to your tree):
 *
 * clang build (spills out WRITE heap buffer overflow)
 *   export CC=clang-6.0
 *   export CFLAGS="-O1 -g -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope"
 *   $CC $CFLAGS -I. -Ilib glob_crash2.c -o glob_crash2 lib/.libs/libgnu.a
 *   ./glob_crash2
 *
 * gcc build (spills out READ heap buffer overflow):
 *   export CC=gcc
 *   export CFLAGS="-O1 -g -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope"
 *   $CC $CFLAGS -I. -Ilib glob_crash2.c -o glob_crash2 lib/.libs/libgnu.a
 *   ./glob_crash2
 */
#include <stdio.h>
#include <glob.h>

/*
 * Runs glob() once on the embedded crash input and releases the result.
 *
 * The command line is not consulted; the pattern is fixed so the run is
 * reproducible.  Always exits 0 — the interesting output comes from the
 * sanitizer, not from this program.
 */
int main(int argc, char **argv)
{
	(void) argc;
	(void) argv;

	/*
	 * Raw bytes from the fuzzer crash file.  The leading bytes are "~lp/",
	 * i.e. a tilde-user prefix that GLOB_TILDE will try to expand; most of
	 * the rest is non-ASCII.  A terminating 0x00 is appended explicitly so
	 * the array is a valid C string for glob().
	 */
	static const unsigned char data[] = {
		0x7e,0x6c,0x70,0x2f,0x83,0x6d,0x65,0x1d,0x75,0xef,0xcc,0xf0,0x74,0x1b,0x03,0x02,0x43,
		0x94,0x05,0x33,0x83,0x1a,0xd4,0x4c,0x9f,0xbb,0x62,0xe6,0xb5,0x99,0x75,0x9f,0x26,0x69,
		0xc0,0x49,0xb0,0x4b,0x38,0xe8,0x74,0x0c,0xc2,0xd1,0x81,0x46,0x77,0x2f,0x89,0xf1,0xc8,
		0x73,0xb3,0x8f,0xf7,0x60,0x63,0xba,0xa5,0x59,0xaa,0xd1,0xa8,0xfc,0xf8,0x20,0xd8,0x12,
		0x58,0x61,0x12,0xc6,0x21,0x5b,0xf5,0x93,0x5a,0x7c,0x79,0x34,0xa5,0x01,
		0x00
	};
	const char *pattern = (const char *) data;

	/* Designated initializer zeroes the remaining members as well. */
	glob_t pglob = { .gl_pathc = 0 };

	int rc = glob(pattern, GLOB_MARK | GLOB_TILDE, NULL, &pglob);

	/* Only a successful call leaves allocations behind for globfree(). */
	if (rc == 0) {
		globfree(&pglob);
	}

	return 0;
}