
heap-use-after-free in fy_node_detach_and_free when using FYPCF_PREFER_RECURSIVE and FYPCF_ALLOW_DUPLICATE_KEYS #135

Open
rivit98 opened this issue Jan 20, 2025 · 0 comments

rivit98 commented Jan 20, 2025

Hi, I found the following problem while fuzzing libfyaml.

Code version

6e52e4d8b6adb01cc2fc377fab7b7fd523364438

How to reproduce

#include <stdio.h>
#include <string.h>   /* strlen */
#include <libfyaml.h>

int main(void) {
  /* The two parser flags that together trigger the use-after-free. */
  int flags = FYPCF_PREFER_RECURSIVE | FYPCF_ALLOW_DUPLICATE_KEYS;

  struct fy_document *fyd = NULL;
  struct fy_parse_cfg cfg = {0};
  cfg.flags = flags;

  /* Minimal input: "?\n?" - two bare complex-key indicators, i.e. a mapping with duplicate (empty) keys. */
  char data[] = "\x3f\x0a\x3f\x00";
  fyd = fy_document_build_from_string(&cfg, data, strlen(data));
  fy_document_destroy(fyd);
  return 0;
}

Compile and link with fuzzer support, run, and observe the ASAN output:

==2164843==ERROR: AddressSanitizer: heap-use-after-free on address 0x50b000000488 at pc 0x58639e9f4952 bp 0x7fffe16e2a90 sp 0x7fffe16e2a88
READ of size 8 at 0x50b000000488 thread T0
    #0 0x58639e9f4951 in fy_node_detach_and_free /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:819:20
    #1 0x58639ea39969 in fy_parse_document_load_mapping /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:1716:2
    #2 0x58639ea025c8 in fy_parse_document_load_node /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:1772:9
    #3 0x58639ea01ede in fy_parse_load_document_recursive /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:1872:7
    #4 0x58639ea12cd2 in fy_document_build_internal /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:3283:8
    #5 0x58639ea00738 in fy_document_build_from_string /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:3340:9
    #6 0x58639e9bd0c1 in tc5 /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:79:9
    #7 0x58639e9bd307 in main /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:98:3
    #8 0x73dd0302a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x73dd0302a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #10 0x58639e8e34c4 in _start (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1124c4) (BuildId: 9963d534073b1d6093c85f2faaa7b183ee908935)

0x50b000000488 is located 40 bytes inside of 112-byte region [0x50b000000460,0x50b0000004d0)
freed by thread T0 here:
    #0 0x58639e97e07a in free (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1ad07a) (BuildId: 9963d534073b1d6093c85f2faaa7b183ee908935)
    #1 0x58639e9f8c37 in fy_node_free /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:810:2
    #2 0x58639e9f7c01 in fy_node_pair_free /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:686:7
    #3 0x58639ea025c8 in fy_parse_document_load_node /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:1772:9
    #4 0x58639ea01ede in fy_parse_load_document_recursive /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:1872:7
    #5 0x58639ea12cd2 in fy_document_build_internal /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:3283:8
    #6 0x58639ea00738 in fy_document_build_from_string /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:3340:9
    #7 0x58639e9bd0c1 in tc5 /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:79:9
    #8 0x58639e9bd307 in main /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:98:3
    #9 0x73dd0302a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x73dd0302a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #11 0x58639e8e34c4 in _start (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1124c4) (BuildId: 9963d534073b1d6093c85f2faaa7b183ee908935)

previously allocated by thread T0 here:
    #0 0x58639e97e313 in malloc (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1ad313) (BuildId: 9963d534073b1d6093c85f2faaa7b183ee908935)
    #1 0x58639e9f9e78 in fy_node_alloc /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:834:8

SUMMARY: AddressSanitizer: heap-use-after-free /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:819:20 in fy_node_detach_and_free
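A small triage helper, added here and not part of the issue or of libfyaml, that parses the AddressSanitizer report above into its use, free and allocation stacks and picks out the innermost frame shared by the use and free stacks, which is the call under which the node was freed and then touched again (here fy_parse_document_load_node at fy-doc.c:1772). The embedded report is an excerpt of the one quoted in the issue with the outer frames trimmed.

```python
import re

# Excerpt of the ASAN report quoted in the issue (outer frames trimmed to save space).
ASAN_REPORT = """\
==2164843==ERROR: AddressSanitizer: heap-use-after-free on address 0x50b000000488 at pc 0x58639e9f4952 bp 0x7fffe16e2a90 sp 0x7fffe16e2a88
READ of size 8 at 0x50b000000488 thread T0
    #0 0x58639e9f4951 in fy_node_detach_and_free /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:819:20
    #1 0x58639ea39969 in fy_parse_document_load_mapping /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:1716:2
    #2 0x58639ea025c8 in fy_parse_document_load_node /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:1772:9
    #3 0x58639ea01ede in fy_parse_load_document_recursive /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:1872:7

0x50b000000488 is located 40 bytes inside of 112-byte region [0x50b000000460,0x50b0000004d0)
freed by thread T0 here:
    #0 0x58639e97e07a in free (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1ad07a)
    #1 0x58639e9f8c37 in fy_node_free /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:810:2
    #2 0x58639e9f7c01 in fy_node_pair_free /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:686:7
    #3 0x58639ea025c8 in fy_parse_document_load_node /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:1772:9
    #4 0x58639ea01ede in fy_parse_load_document_recursive /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:1872:7

previously allocated by thread T0 here:
    #0 0x58639e97e313 in malloc (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1ad313)
    #1 0x58639e9f9e78 in fy_node_alloc /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:834:8
"""

# One ASAN stack frame: "#N 0xADDR in FUNCTION LOCATION"
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")

def parse_asan_report(text):
    """Return the bug kind, faulting address, access, and the three stacks as (func, location) lists."""
    head = re.search(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", text)
    acc = re.search(r"^(READ|WRITE) of size (\d+)", text, re.M)
    report = {"kind": head.group(1), "address": head.group(2),
              "access": (acc.group(1), int(acc.group(2))),
              "use": [], "freed": [], "alloc": []}
    section = "use"  # frames before "freed by" belong to the faulting access
    for line in text.splitlines():
        if line.startswith("freed by"):
            section = "freed"
        elif line.startswith("previously allocated by"):
            section = "alloc"
        elif (frame := FRAME_RE.match(line)):
            report[section].append((frame.group(2), frame.group(3)))
    return report

def first_common_frame(use, freed):
    """Innermost frame present in both stacks: the call that freed the object and later reused it."""
    freed_set = set(freed)
    return next((fr for fr in use if fr in freed_set), None)

if __name__ == "__main__":
    r = parse_asan_report(ASAN_REPORT)
    print(r["kind"], r["access"], "use site:", r["use"][0], "freed via:", r["freed"][2])
    print("free and use both happen under:", first_common_frame(r["use"], r["freed"]))
```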