Hi,

There is a use after free bug in the mkpat tool, which is used during compilation of GNU Go.

This is the code in dfa.c:

    gpout->states[state].att = union_att(gpout, gpleft, gpleft->states[l].att,
                                         gpright, gpright->states[r].att);

The problem is that union_att calls realloc on gpout->states. Therefore at the time the value is returned the gpout->states variable is no longer valid and may point to unallocated memory. The fix is to store the output of union_att into a temporary variable and then set gpout->states[state].att to that. See attached patch.

Use after free bugs are often security issues, but in this case I don't think this is the case, as this tool is only used during compilation and probably not meant to be used on any untrusted input. Anyway, I'd still consider this a bug that should be fixed, as it might cause random compilation failures.

This bug was detected with address sanitizer (can be enabled by adding "-fsanitize=address" to CFLAGS with gcc or clang). I'll paste the stack trace from address sanitizer below.

==23183==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f7a0b8e372c at pc 0x418c9c bp 0x7ffcd3afa430 sp 0x7ffcd3afa428
WRITE of size 4 at 0x7f7a0b8e372c thread T0
    #0 0x418c9b in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:682
    #1 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #2 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #3 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #4 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #5 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #6 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #7 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #8 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #9 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #10 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #11 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #12 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #13 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #14 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #15 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #16 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #17 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #18 0x419455 in sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:741
    #19 0x41ab6f in dfa_finalize /mnt/ram/gnugo-3.9.1/patterns/dfa.c:958
    #20 0x4133bb in main /mnt/ram/gnugo-3.9.1/patterns/mkpat.c:2941
    #21 0x7f7a0e67078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #22 0x401ae8 in _start (/mnt/ram/gnugo-3.9.1/patterns/mkpat+0x401ae8)

0x7f7a0b8e372c is located 69420 bytes inside of 405000-byte region [0x7f7a0b8d2800,0x7f7a0b935608)
freed by thread T0 here:
    #0 0x7f7a0ef97c66 in __interceptor_realloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x54c66)
    #1 0x415c97 in resize_dfa /mnt/ram/gnugo-3.9.1/patterns/dfa.c:258
    #2 0x41497b in union_att /mnt/ram/gnugo-3.9.1/patterns/dfa.c:125
    #3 0x418c62 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:682
    #4 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #5 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #6 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #7 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #8 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #9 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #10 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #11 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #12 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #13 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #14 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #15 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #16 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #17 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #18 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #19 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #20 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #21 0x419455 in sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:741
    #22 0x41ab6f in dfa_finalize /mnt/ram/gnugo-3.9.1/patterns/dfa.c:958
    #23 0x4133bb in main /mnt/ram/gnugo-3.9.1/patterns/mkpat.c:2941
    #24 0x7f7a0e67078f in __libc_start_main (/lib64/libc.so.6+0x2078f)

previously allocated by thread T0 here:
    #0 0x7f7a0ef97c66 in __interceptor_realloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x54c66)
    #1 0x415c97 in resize_dfa /mnt/ram/gnugo-3.9.1/patterns/dfa.c:258
    #2 0x41903e in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:699
    #3 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #4 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #5 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #6 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #7 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #8 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #9 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #10 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #11 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #12 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #13 0x419178 in do_sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:708
    #14 0x419455 in sync_product /mnt/ram/gnugo-3.9.1/patterns/dfa.c:741
    #15 0x41add7 in dfa_add_string /mnt/ram/gnugo-3.9.1/patterns/dfa.c:998
    #16 0x402b7f in write_to_dfa /mnt/ram/gnugo-3.9.1/patterns/mkpat.c:704
    #17 0x412ba7 in main /mnt/ram/gnugo-3.9.1/patterns/mkpat.c:2825
    #18 0x7f7a0e67078f in __libc_start_main (/lib64/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-use-after-free /mnt/ram/gnugo-3.9.1/patterns/dfa.c:682 do_sync_product

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
--- gnugo-3.9.1/patterns/dfa.c 2010-12-17 13:40:10.000000000 +0100 +++ gnugo-3.9.1-1/patterns/dfa.c 2016-06-24 23:04:02.254257947 +0200 @@ -675,12 +675,14 @@ int c; int nextl, nextr; int state; + int tmp; state = gpout->last_state; /* unify the attributes of states l and r */ - gpout->states[state].att = union_att(gpout, gpleft, gpleft->states[l].att, - gpright, gpright->states[r].att); + tmp = union_att(gpout, gpleft, gpleft->states[l].att, gpright, + gpright->states[r].att); + gpout->states[state].att = tmp; /* scan each possible out-transition */ for (c = 0; c != 4; c++) {
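Review bot: the hunk fixes the ordering hazard but records nothing about why `tmp` exists; add a comment above `tmp = union_att(gpout, gpleft, gpleft->states[l].att, gpright,` stating that union_att() may realloc gpout->states (through resize_dfa, as the sanitizer trace shows), so the array must not be indexed until the call has returned. Without that note a later cleanup can fold the two statements back into the original single assignment and silently reintroduce the use-after-free. Also confirm that `int tmp` matches both union_att()'s return type and the type of the `att` field, so the temporary does not add a narrowing conversion that the direct assignment did not have.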
_______________________________________________ gnugo-devel mailing list gnugo-devel@gnu.org https://lists.gnu.org/mailman/listinfo/gnugo-devel
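As an added illustration that is not part of Hanno's report or of GNU Go's own code: a constructed miniature in C of the dfa.c situation, where the callee grows the array the caller is about to index. The names resize_dfa, union_att, state_t, dfa_t and demo only mirror the report and are assumptions; the resize always moves the buffer, as realloc under AddressSanitizer does, which is what makes the hazard deterministic here.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed miniature of the mkpat DFA structures. The names mirror the
 * report, but these definitions are assumptions, not GNU Go's own code. */
typedef struct { int att; } state_t;
typedef struct { state_t *states; int max_states; int last_state; } dfa_t;

/* Grow gp->states. Like realloc under ASan, this always moves the buffer,
 * so any pointer into the old array taken before the call is dangling. */
static void resize_dfa(dfa_t *gp, int new_max) {
  state_t *fresh = malloc((size_t)new_max * sizeof *fresh);
  if (!fresh) abort();
  memcpy(fresh, gp->states, (size_t)gp->max_states * sizeof *fresh);
  free(gp->states);
  gp->states = fresh;
  gp->max_states = new_max;
}

/* Stand-in for union_att(): claims one more state slot and grows the
 * array when full. Callers must re-index gp->states after it returns. */
static int union_att(dfa_t *gp, int left_att, int right_att) {
  if (gp->last_state + 1 >= gp->max_states)
    resize_dfa(gp, 2 * gp->max_states);
  gp->last_state++;
  return left_att | right_att;
}

/* The patched assignment: the call completes first, then the (possibly
 * new) array is indexed. In the one-line form C leaves it unsequenced
 * whether gp->states[state] is resolved before or after the call, so the
 * store may land in the freed buffer. Returns 1 when the array moved. */
static int store_union_att(dfa_t *gp, int state, int l_att, int r_att) {
  state_t *before = gp->states;
  int tmp = union_att(gp, l_att, r_att);
  gp->states[state].att = tmp;
  return gp->states != before;
}

/* Build a DFA with `capacity` slots of which `used` are occupied, merge
 * attributes into state 0 and report whether the buffer moved. *att_out
 * receives the value read back from the live array. */
int demo(int capacity, int used, int *att_out) {
  dfa_t gp;
  gp.states = calloc((size_t)capacity, sizeof *gp.states);
  if (!gp.states) abort();
  gp.max_states = capacity;
  gp.last_state = used - 1;
  int moved = store_union_att(&gp, 0, 0x5, 0xA);
  *att_out = gp.states[0].att;
  free(gp.states);
  return moved;
}
```

With the array full, demo() reports that the buffer moved during the call, which is exactly the case in which the unpatched single assignment would have written into freed memory; with spare capacity it does not move and both forms behave the same.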