help-libtasn1

Re: Potential double free in asn1_delete_structure2


From: Brandon Perry
Subject: Re: Potential double free in asn1_delete_structure2
Date: Wed, 29 Mar 2017 11:34:24 -0500

> On Mar 29, 2017, at 11:27 AM, Nikos Mavrogiannopoulos <address@hidden> wrote:
> 
> On Wed, 2017-03-29 at 09:42 -0500, Brandon Perry wrote:
>>> On Mar 29, 2017, at 9:35 AM, Nikos Mavrogiannopoulos <n.mavrogianno
>>> address@hidden> wrote:
>>> 
>>> Could you please provide a reproducer? The easiest to create it
>>> would
>>> be following decoding-invalid-pkcs7 lines in tests/
>> 
>> Let me see what I can do. It is easy to reproduce with FreeTDS,
>> though.
>> 
>> Compile FreeTDS (https://github.com/FreeTDS/freetds) and preeny
>> (https://github.com/zardus/preeny)
>> 
>> You then use the preeny desock.so to force the FreeTDS binary tsql to
>> read data from stdin instead of network IO.
>> 
>> export LD_PRELOAD=~/preeny/x86_64-linux-gnu/desock.so
>> 
>> ~/tsql  -S 127.0.0.1 -U fdsa -P fdsa < file_to_repro_crash
>> 
>> Perhaps you could compile FreeTDS with a debug copy of
>> GnuTLS/libtasn1 to make it easier to track down? I can also work on a
>> reproducible test case in the meantime, but I am not sure at all how
>> long this could take.
> 
> I'd really prefer a reproducer for libtasn1 proper. There can be other
> factors that lead to a double free and a simple reproducer will make sure
> that the error is pin-pointed to libtasn1.
> 
>> Do you want the file that reproduces the crash to be sent here on the
>> list or separately?
> 
> The list is fine.
> 
>>>>   None                      @ 0x00007ffff512e22a: in
>>>> /usr/lib/x86_64-linux-gnu/libtasn1.so.6.5.1
>>>>   asn1_delete_structure2    @ 0x00007ffff512f418: in
>>>> /usr/lib/x86_64-linux-gnu/libtasn1.so.6.5.1
>>>>   None                      @ 0x00007ffff720e27c: in
>>>> /usr/lib/x86_64-linux-gnu/libgnutls.so.30.6.2
> 
> As far as I understand that's a crash on the deinitialization of
> gnutls. That's pretty weird. Have you checked with valgrind or asan
> that there is no memory corruption involved somewhere?

You’re right. I missed two single byte invalid writes. I will ensure that this
is not the root cause. If so, sorry for the confusion/time sink.

> 
> regards,
> Nikos
> 
> 
