gawk use-after-free in concat_exp()
From: sohu0106
Subject: gawk use-after-free in concat_exp()
Date: Wed, 24 Aug 2022 09:31:54 +0800 (CST)
I found a UAF (use-after-free) bug in concat_exp() at gawk-5.1.1/array.c:424. The
version of gawk is gawk-5.1.1. See the attachment for the PoC and NEWS.0 that
reproduce it.
ASan report is below.
/gawk-master/gawk-5.1.1/gawk -f /out/default/crashes.2022-08-22-09:08:30/id:000000,sig:06,src:004214,time:49812899,execs:10364938,op:havoc,rep:4 ./NEWS.0
=================================================================
==1727718==ERROR: AddressSanitizer: heap-use-after-free on address
0x602000002810 at pc 0x000000497eb7 bp 0x7ffd99a1bac0 sp 0x7ffd99a1b288
READ of size 1 at 0x602000002810 thread T0
#0 0x497eb6 in __asan_memcpy (/gawk-master/gawk-5.1.1/gawk+0x497eb6)
#1 0x4cde0f in concat_exp /gawk-master/gawk-5.1.1/array.c:424:3
#2 0x601acb in r_interpret /gawk-master/gawk-5.1.1/./interpret.h:899:8
#3 0x69a2fe in main /gawk-master/gawk-5.1.1/main.c:526:3
#4 0x7f9070d6f082 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#5 0x41d8ad in _start (/gawk-master/gawk-5.1.1/gawk+0x41d8ad)
0x602000002810 is located 0 bytes inside of 2-byte region
[0x602000002810,0x602000002812)
freed by thread T0 here:
#0 0x4988a2 in free (/gawk-master/gawk-5.1.1/gawk+0x4988a2)
#1 0x6aa180 in r_unref /gawk-master/gawk-5.1.1/node.c:511:3
previously allocated by thread T0 here:
#0 0x498b0d in malloc (/gawk-master/gawk-5.1.1/gawk+0x498b0d)
#1 0x6a492c in emalloc_real /gawk-master/gawk-5.1.1/./awk.h:2014:17
#2 0x6a492c in r_format_val /gawk-master/gawk-5.1.1/node.c:292:2
#3 0x640e36 in force_string_fmt /gawk-master/gawk-5.1.1/./awk.h:1931:9
#4 0x640e36 in reset_record /gawk-master/gawk-5.1.1/field.c:344:18
#5 0x69a2fe in main /gawk-master/gawk-5.1.1/main.c:526:3
#6 0x7f9070d6f082 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x24082)
SUMMARY: AddressSanitizer: heap-use-after-free
(/gawk-master/gawk-5.1.1/gawk+0x497eb6) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fff84b0: fa fa 07 fa fa fa 05 fa fa fa 02 fa fa fa 00 fa
0x0c047fff84c0: fa fa 03 fa fa fa 05 fa fa fa 03 fa fa fa 00 fa
0x0c047fff84d0: fa fa 05 fa fa fa 03 fa fa fa 03 fa fa fa 07 fa
0x0c047fff84e0: fa fa 00 01 fa fa 00 fa fa fa 00 fa fa fa 07 fa
0x0c047fff84f0: fa fa fd fa fa fa 06 fa fa fa 01 fa fa fa 02 fa
=>0x0c047fff8500: fa fa[fd]fa fa fa 00 00 fa fa 00 06 fa fa 02 fa
0x0c047fff8510: fa fa 02 fa fa fa 04 fa fa fa fa fa fa fa fa fa
0x0c047fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1727718==ABORTING
gawk_use-after-free-poc.zip
Description: Zip compressed data
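The three frames the ASan trace pins down are a string buffer allocated when the current record is set (reset_record via r_format_val), freed by the last unref (r_unref), and then read by memcpy inside concat_exp. To make that ordering concrete, here is an added example; it is not gawk's code and not the attached PoC, and whether gawk's actual control flow matches it is not established by the report above. It models a minimal refcounted string node and a "current record" that can be replaced while a concat routine still holds a raw pointer into the old buffer, beside the hardened form that holds a reference until the copy is done. Every name in it (str_node, str_new, str_ref, str_unref, reset_record, next_line, concat_unsafe, concat_safe) is this example's own.

```c
/*
 * Added example, not gawk's code and not the attached PoC: a minimal
 * refcounted string node that models the three frames in the ASan trace
 * (buffer allocated when the current record is set, freed by the last
 * unref, then read by memcpy in a concat routine). All names here are
 * this example's own, not gawk identifiers.
 *
 * To see ASan report the bad ordering:
 *   cc -g -fsanitize=address -DDEMO_UAF uaf_demo.c -o uaf_demo && ./uaf_demo
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char  *stptr;   /* heap buffer with the string bytes (no NUL) */
    size_t stlen;   /* byte length */
    int    refcnt;  /* owners; the buffer is freed when this hits 0 */
} str_node;

static str_node *str_new(const char *s, size_t len) {
    str_node *n = malloc(sizeof *n);
    n->stptr = malloc(len ? len : 1);
    memcpy(n->stptr, s, len);
    n->stlen = len;
    n->refcnt = 1;
    return n;
}

static str_node *str_ref(str_node *n) { n->refcnt++; return n; }

/* Same contract as an unref: dropping the last reference frees the bytes. */
static void str_unref(str_node *n) {
    if (--n->refcnt == 0) { free(n->stptr); free(n); }
}

/* The current input record, like $0. Resetting it releases the old node. */
static str_node *record = NULL;

static void reset_record(const char *line) {
    str_node *old = record;
    record = str_new(line, strlen(line));
    if (old) str_unref(old);
}

/* Stand-in for a side effect that can run while operands are evaluated
 * (for instance, reading the next record). Constructed for this example. */
static void next_line(void) { reset_record("x y"); }

/* Builds "<record><sep><record>", running side_effect() between the two
 * operands. Only a raw pointer to the first operand's bytes is kept, so
 * if side_effect() drops the last reference the memcpy reads freed
 * memory: heap-use-after-free in memcpy, the shape seen in the report. */
static char *concat_unsafe(char sep, void (*side_effect)(void)) {
    char  *src = record->stptr;   /* no reference taken */
    size_t len = record->stlen;
    side_effect();                /* may unref and free *src */
    size_t total = len + 1 + record->stlen + 1;
    char *out = malloc(total);
    memcpy(out, src, len);        /* use after free */
    out[len] = sep;
    memcpy(out + len + 1, record->stptr, record->stlen);
    out[total - 1] = '\0';
    return out;
}

/* Hardened form: hold a reference to each operand until the copy is done. */
static char *concat_safe(char sep, void (*side_effect)(void)) {
    str_node *first = str_ref(record);   /* keeps the bytes alive */
    side_effect();
    str_node *second = str_ref(record);
    size_t total = first->stlen + 1 + second->stlen + 1;
    char *out = malloc(total);
    memcpy(out, first->stptr, first->stlen);
    out[first->stlen] = sep;
    memcpy(out + first->stlen + 1, second->stptr, second->stlen);
    out[total - 1] = '\0';
    str_unref(first);
    str_unref(second);
    return out;
}

int main(void) {
    reset_record("a b");
    char *s = concat_safe(':', next_line);
    printf("safe: %s\n", s);      /* a b:x y */
    free(s);
#ifdef DEMO_UAF
    reset_record("a b");
    free(concat_unsafe(':', next_line));  /* ASan aborts in memcpy here */
#endif
    return 0;
}
```

The fix pattern is the same one that applies whenever a caller fetches a pointer into a refcounted object and then evaluates something that can release it: take a reference before the side effect and drop it after the last use, rather than trusting the caller's array or a global to keep the object alive.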