Bugzilla – Bug 1257
Memory corruption in ldns_str2rdf_long_str (double free)
Last modified: 2017-04-27 00:32:32 CEST
Created attachment 394: ldns double free bug crash file

The attached sample input file crashes ldns. The input file is fuzzed with american fuzzy lop http://lcamtuf.coredump.cx/afl/. I've tested the release version because the configure script from the git repo didn't work for me.

Version: ldns version 1.7.0

How to reproduce:

# ./ldns-read-zone <attached input file>

Output (memory map/bt):

*** Error in `./ldns-read-zone': double free or corruption (fasttop): 0x00000000025d0380 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x722ab)[0x7f3356df02ab]
/usr/lib/libc.so.6(+0x7890e)[0x7f3356df690e]
/usr/lib/libc.so.6(+0x7911e)[0x7f3356df711e]
./ldns-read-zone[0x458eb6]
./ldns-read-zone[0x43a332]
./ldns-read-zone[0x44398c]
./ldns-read-zone[0x4452cb]
./ldns-read-zone[0x45f017]
./ldns-read-zone[0x4048f5]
/usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7f3356d9e511]
./ldns-read-zone[0x403dda]
======= Memory map: ========
[1] 30314 abort (core dumped) ./ldns-read-zone

gdb:

Program terminated with signal SIGABRT, Aborted.
#0  0x00007f3356db1a10 in raise () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007f3356db1a10 in raise () from /usr/lib/libc.so.6
#1  0x00007f3356db313a in abort () from /usr/lib/libc.so.6
#2  0x00007f3356df02b0 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007f3356df690e in malloc_printerr () from /usr/lib/libc.so.6
#4  0x00007f3356df711e in _int_free () from /usr/lib/libc.so.6
#5  0x0000000000458eb6 in ldns_str2rdf_long_str (rd=<optimized out>, str=<optimized out>) at ./str2host.c:1504
#6  0x000000000043a332 in ldns_rdf_new_frm_str (type=LDNS_RDF_TYPE_LONG_STR, str=0x7ffc0ea119c0 "") at ./rdata.c:352
#7  0x000000000044398c in ldns_rr_new_frm_str_internal (newrr=<optimized out>, str=<optimized out>, default_ttl=<optimized out>, origin=<optimized out>, prev=<optimized out>, question=<optimized out>) at ./rr.c:586
#8  0x00000000004452cb in ldns_rr_new_frm_fp_l (newrr=<optimized out>, fp=<optimized out>, default_ttl=<optimized out>, origin=<optimized out>, prev=<optimized out>, line_nr=0x7ffc0ea12184) at ./rr.c:663
#9  0x000000000045f017 in ldns_zone_new_frm_fp_l (z=<optimized out>, fp=0x25d0040, origin=<optimized out>, ttl=<optimized out>, c=<optimized out>, line_nr=<optimized out>) at ./zone.c:227
#10 0x00000000004048f5 in main (argc=2, argv=<optimized out>) at ldns-read-zone.c:257

valgrind:

==19183== Memcheck, a memory error detector
==19183== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==19183== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==19183== Command: ./ldns-read-zone findings/crashes/id:000022,sig:06,src:001249,op:arith8,pos:420,val:+25
==19183==
==19183== Invalid free() / delete / delete[] / realloc()
==19183==    at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==19183==    by 0x458EB5: ldns_str2rdf_long_str (str2host.c:0)
==19183==    by 0x43A331: ldns_rdf_new_frm_str (rdata.c:352)
==19183==    by 0x44398B: ldns_rr_new_frm_str_internal (rr.c:0)
==19183==    by 0x4452CA: ldns_rr_new_frm_fp_l (rr.c:0)
==19183==    by 0x45F016: ldns_zone_new_frm_fp_l (zone.c:227)
==19183==    by 0x4048F4: main (ldns-read-zone.c:257)
==19183==  Address 0x765f170 is 0 bytes after a block of size 0 free'd
==19183==    at 0x4C2C0AB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==19183==    by 0x4C2D197: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==19183==    by 0x458E21: ldns_str2rdf_long_str (str2host.c:1502)
==19183==    by 0x43A331: ldns_rdf_new_frm_str (rdata.c:352)
==19183==    by 0x44398B: ldns_rr_new_frm_str_internal (rr.c:0)
==19183==    by 0x4452CA: ldns_rr_new_frm_fp_l (rr.c:0)
==19183==    by 0x45F016: ldns_zone_new_frm_fp_l (zone.c:227)
==19183==    by 0x4048F4: main (ldns-read-zone.c:257)
==19183==  Block was alloc'd at
==19183==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==19183==    by 0x458B05: ldns_str2rdf_long_str (str2host.c:1483)
==19183==    by 0x43A331: ldns_rdf_new_frm_str (rdata.c:352)
==19183==    by 0x44398B: ldns_rr_new_frm_str_internal (rr.c:0)
==19183==    by 0x4452CA: ldns_rr_new_frm_fp_l (rr.c:0)
==19183==    by 0x45F016: ldns_zone_new_frm_fp_l (zone.c:227)
==19183==    by 0x4048F4: main (ldns-read-zone.c:257)
==19183== Syntax error, could not parse the RR's rdata at 0
==19183==
==19183== HEAP SUMMARY:
==19183==     in use at exit: 162 bytes in 6 blocks
==19183==   total heap usage: 63 allocs, 58 frees, 630,854 bytes allocated
==19183==
==19183== LEAK SUMMARY:
==19183==    definitely lost: 96 bytes in 2 blocks
==19183==    indirectly lost: 66 bytes in 4 blocks
==19183==      possibly lost: 0 bytes in 0 blocks
==19183==    still reachable: 0 bytes in 0 blocks
==19183==         suppressed: 0 bytes in 0 blocks
==19183== Rerun with --leak-check=full to see details of leaked memory
==19183==
==19183== For counts of detected and suppressed errors, rerun with: -v
==19183== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Regards,
Stephan Zeisberg
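The valgrind trace above describes a realloc-to-zero pattern: a block from malloc (str2host.c:1483) is passed to realloc (str2host.c:1502), which frees it as a size-0 block, and the stale pointer is then freed again (str2host.c:1504); frame #6 of the gdb backtrace shows the triggering rdata was the empty string. The following is an added defensive illustration of that pattern, not ldns's code: parse_quoted, parses_to and the simplified quoted-token grammar are assumptions for this example only.

```c
#include <stdlib.h>
#include <string.h>

/* Copy the text of a double-quoted token (a backslash keeps the next byte)
 * into a heap buffer shrunk to the result. Returns NULL on a malformed
 * token or allocation failure; on success the caller owns one buffer. */
char *parse_quoted(const char *str, size_t *out_len)
{
    if (str == NULL || *str != '"')
        return NULL;
    char *buf = malloc(strlen(str) + 1);  /* worst case: every byte kept */
    if (buf == NULL)
        return NULL;
    size_t n = 0;
    const char *p = str + 1;
    while (*p != '\0' && *p != '"') {
        if (*p == '\\' && p[1] != '\0')
            p++;
        buf[n++] = *p++;
    }
    if (*p != '"') {                      /* unterminated token */
        free(buf);
        return NULL;
    }
    buf[n] = '\0';
    /* Shrink to fit. For "" n is 0 (frame #6 of the report shows str=""):
     * glibc's realloc(buf, 0) frees buf and returns NULL, so a later
     * free(buf) is the double free seen above. Guards: never request
     * size 0, and leave buf untouched until realloc has succeeded. */
    char *tmp = realloc(buf, n + 1);
    if (tmp == NULL) {
        free(buf);                        /* buf is still the live block */
        return NULL;
    }
    *out_len = n;
    return tmp;                           /* buf is stale now; never free it */
}

/* Helper for checking: parse, compare, and release the buffer exactly once. */
int parses_to(const char *in, const char *expect)
{
    size_t n = 0;
    char *out = parse_quoted(in, &n);
    if (out == NULL)
        return expect == NULL;
    int ok = expect != NULL && n == strlen(expect) && strcmp(out, expect) == 0;
    free(out);
    return ok;
}
```

Running the empty-token case under valgrind or AddressSanitizer is the quickest regression check for this class of bug, since the shrink path is exactly where the size reaches zero.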
Thank you Stephan,

This is now fixed too on the develop branch:
https://git.nlnetlabs.nl/ldns/commit/?id=3bdeed02

Good luck finding more fuzzing bugs ;)

-- Willem