Bug 1256 - Memory corruption in ldns_rr_new_frm_fp_l (double free)
Status: RESOLVED FIXED
Product: ldns
Classification: Unclassified
Component: library
Version: unspecified
Hardware: x86_64 Linux
Importance: P5 major
Assigned To: LDNS dev team
Depends on:
Blocks:
Reported: 2017-04-25 16:58 CEST by Stephan Zeisberg
Modified: 2017-04-27 00:30 CEST (History)

See Also:


Attachments
ldns double free bug crash file (28.43 KB, application/octet-stream)
2017-04-25 16:58 CEST, Stephan Zeisberg
Additional double free crash input files that might be helpful (2.25 KB, application/x-xz)
2017-04-25 19:00 CEST, Stephan Zeisberg
Description Stephan Zeisberg 2017-04-25 16:58:00 CEST
Created attachment 392 [details]
ldns double free bug crash file

The attached sample input file crashes ldns. The input file is fuzzed with american fuzzy lop http://lcamtuf.coredump.cx/afl/. I've tested the release version because the configure script from the git repo didn't work for me.

Version:

ldns version 1.7.0

How to reproduce:

# ./ldns-read-zone <attached input file>

Output (memory map/bt):

*** Error in `./ldns-read-zone': double free or corruption (!prev): 0x00000000018b92b0 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x722ab)[0x7f23e7e6a2ab]
/usr/lib/libc.so.6(+0x7890e)[0x7f23e7e7090e]
/usr/lib/libc.so.6(+0x7911e)[0x7f23e7e7111e]
./ldns-read-zone[0x444cbc]
./ldns-read-zone[0x45f017]
./ldns-read-zone[0x4048f5]
/usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7f23e7e18511]
./ldns-read-zone[0x403dda]
======= Memory map: ========
00400000-00478000 r-xp 00000000 fe:03 11040307                           /home/stze/Downloads/ldns-1.7.0/examples/ldns-read-zone
00677000-00678000 r--p 00077000 fe:03 11040307                           /home/stze/Downloads/ldns-1.7.0/examples/ldns-read-zone
00678000-0067d000 rw-p 00078000 fe:03 11040307                           /home/stze/Downloads/ldns-1.7.0/examples/ldns-read-zone
0067d000-0068d000 rw-p 00000000 00:00 0 
018b9000-018da000 rw-p 00000000 00:00 0                                  [heap]
7f23e0000000-7f23e0021000 rw-p 00000000 00:00 0 
7f23e0021000-7f23e4000000 ---p 00000000 00:00 0 
7f23e5eb4000-7f23e5eca000 r-xp 00000000 fe:02 306247                     /usr/lib/libgcc_s.so.1
7f23e5eca000-7f23e60c9000 ---p 00016000 fe:02 306247                     /usr/lib/libgcc_s.so.1
7f23e60c9000-7f23e60ca000 r--p 00015000 fe:02 306247                     /usr/lib/libgcc_s.so.1
7f23e60ca000-7f23e60cb000 rw-p 00016000 fe:02 306247                     /usr/lib/libgcc_s.so.1
7f23e60cb000-7f23e60df000 r-xp 00000000 fe:02 311843                     /usr/lib/libgpg-error.so.0.22.0
7f23e60df000-7f23e62de000 ---p 00014000 fe:02 311843                     /usr/lib/libgpg-error.so.0.22.0
7f23e62de000-7f23e62df000 r--p 00013000 fe:02 311843                     /usr/lib/libgpg-error.so.0.22.0
7f23e62df000-7f23e62e0000 rw-p 00014000 fe:02 311843                     /usr/lib/libgpg-error.so.0.22.0
7f23e62e0000-7f23e63e7000 r-xp 00000000 fe:02 378506                     /usr/lib/libgcrypt.so.20.1.6
7f23e63e7000-7f23e65e6000 ---p 00107000 fe:02 378506                     /usr/lib/libgcrypt.so.20.1.6
7f23e65e6000-7f23e65e8000 r--p 00106000 fe:02 378506                     /usr/lib/libgcrypt.so.20.1.6
7f23e65e8000-7f23e65ef000 rw-p 00108000 fe:02 378506                     /usr/lib/libgcrypt.so.20.1.6
7f23e65ef000-7f23e6602000 r-xp 00000000 fe:02 324730                     /usr/lib/liblz4.so.1.7.5
7f23e6602000-7f23e6801000 ---p 00013000 fe:02 324730                     /usr/lib/liblz4.so.1.7.5
7f23e6801000-7f23e6802000 r--p 00012000 fe:02 324730                     /usr/lib/liblz4.so.1.7.5
7f23e6802000-7f23e6803000 rw-p 00013000 fe:02 324730                     /usr/lib/liblz4.so.1.7.5
7f23e6803000-7f23e6828000 r-xp 00000000 fe:02 272621                     /usr/lib/liblzma.so.5.2.3
7f23e6828000-7f23e6a27000 ---p 00025000 fe:02 272621                     /usr/lib/liblzma.so.5.2.3
7f23e6a27000-7f23e6a28000 r--p 00024000 fe:02 272621                     /usr/lib/liblzma.so.5.2.3
7f23e6a28000-7f23e6a29000 rw-p 00025000 fe:02 272621                     /usr/lib/liblzma.so.5.2.3
7f23e6a29000-7f23e6a30000 r-xp 00000000 fe:02 264171                     /usr/lib/librt-2.25.so
7f23e6a30000-7f23e6c2f000 ---p 00007000 fe:02 264171                     /usr/lib/librt-2.25.so
7f23e6c2f000-7f23e6c30000 r--p 00006000 fe:02 264171                     /usr/lib/librt-2.25.so
7f23e6c30000-7f23e6c31000 rw-p 00007000 fe:02 264171                     /usr/lib/librt-2.25.so
7f23e6c31000-7f23e6c35000 r-xp 00000000 fe:02 268609                     /usr/lib/libcap.so.2.25
7f23e6c35000-7f23e6e34000 ---p 00004000 fe:02 268609                     /usr/lib/libcap.so.2.25
7f23e6e34000-7f23e6e35000 rw-p 00003000 fe:02 268609                     /usr/lib/libcap.so.2.25
7f23e6e35000-7f23e6e48000 r-xp 00000000 fe:02 264172                     /usr/lib/libresolv-2.25.so
7f23e6e48000-7f23e7047000 ---p 00013000 fe:02 264172                     /usr/lib/libresolv-2.25.so
7f23e7047000-7f23e7048000 r--p 00012000 fe:02 264172                     /usr/lib/libresolv-2.25.so
7f23e7048000-7f23e7049000 rw-p 00013000 fe:02 264172                     /usr/lib/libresolv-2.25.so
7f23e7049000-7f23e704b000 rw-p 00000000 00:00 0 
7f23e704b000-7f23e715d000 r-xp 00000000 fe:02 264174                     /usr/lib/libm-2.25.so
7f23e715d000-7f23e735c000 ---p 00112000 fe:02 264174                     /usr/lib/libm-2.25.so
7f23e735c000-7f23e735d000 r--p 00111000 fe:02 264174                     /usr/lib/libm-2.25.so
7f23e735d000-7f23e735e000 rw-p 00112000 fe:02 264174                     /usr/lib/libm-2.25.so
7f23e735e000-7f23e7377000 r-xp 00000000 fe:02 264316                     /usr/lib/libpthread-2.25.so
7f23e7377000-7f23e7576000 ---p 00019000 fe:02 264316                     /usr/lib/libpthread-2.25.so
7f23e7576000-7f23e7577000 r--p 00018000 fe:02 264316                     /usr/lib/libpthread-2.25.so
7f23e7577000-7f23e7578000 rw-p 00019000 fe:02 264316                     /usr/lib/libpthread-2.25.so
7f23e7578000-7f23e757c000 rw-p 00000000 00:00 0 
7f23e757c000-7f23e757f000 r-xp 00000000 fe:02 264175                     /usr/lib/libdl-2.25.so
7f23e757f000-7f23e777e000 ---p 00003000 fe:02 264175                     /usr/lib/libdl-2.25.so
7f23e777e000-7f23e777f000 r--p 00002000 fe:02 264175                     /usr/lib/libdl-2.25.so
7f23e777f000-7f23e7780000 rw-p 00003000 fe:02 264175                     /usr/lib/libdl-2.25.so
7f23e7780000-7f23e77ce000 r-xp 00000000 fe:02 342100                     /usr/lib/libdbus-1.so.3.14.10
7f23e77ce000-7f23e79cd000 ---p 0004e000 fe:02 342100                     /usr/lib/libdbus-1.so.3.14.10
7f23e79cd000-7f23e79ce000 r--p 0004d000 fe:02 342100                     /usr/lib/libdbus-1.so.3.14.10
7f23e79ce000-7f23e79cf000 rw-p 0004e000 fe:02 342100                     /usr/lib/libdbus-1.so.3.14.10
7f23e79cf000-7f23e79d0000 rw-p 00000000 00:00 0 
7f23e79d0000-7f23e79ef000 r-xp 00000000 fe:02 283577                     /usr/lib/libnl-3.so.200.24.0
7f23e79ef000-7f23e7bef000 ---p 0001f000 fe:02 283577                     /usr/lib/libnl-3.so.200.24.0
7f23e7bef000-7f23e7bf1000 r--p 0001f000 fe:02 283577                     /usr/lib/libnl-3.so.200.24.0
7f23e7bf1000-7f23e7bf2000 rw-p 00021000 fe:02 283577                     /usr/lib/libnl-3.so.200.24.0
7f23e7bf2000-7f23e7bf7000 r-xp 00000000 fe:02 283578                     /usr/lib/libnl-genl-3.so.200.24.0
7f23e7bf7000-7f23e7df6000 ---p 00005000 fe:02 283578                     /usr/lib/libnl-genl-3.so.200.24.0
7f23e7df6000-7f23e7df7000 r--p 00004000 fe:02 283578                     /usr/lib/libnl-genl-3.so.200.24.0
7f23e7df7000-7f23e7df8000 rw-p 00005000 fe:02 283578                     /usr/lib/libnl-genl-3.so.200.24.0
7f23e7df8000-7f23e7f93000 r-xp 00000000 fe:02 264297                     /usr/lib/libc-2.25.so
7f23e7f93000-7f23e8192000 ---p 0019b000 fe:02 264297                     /usr/lib/libc-2.25.so
7f23e8192000-7f23e8196000 r--p 0019a000 fe:02 264297                     /usr/lib/libc-2.25.so
7f23e8196000-7f23e8198000 rw-p 0019e000 fe:02 264297                     /usr/lib/libc-2.25.so
7f23e8198000-7f23e819c000 rw-p 00000000 00:00 0 
7f23e819c000-7f23e83ea000 r-xp 00000000 fe:02 311473                     /usr/lib/libcrypto.so.1.0.0
7f23e83ea000-7f23e85e9000 ---p 0024e000 fe:02 311473                     /usr/lib/libcrypto.so.1.0.0
7f23e85e9000-7f23e8605000 r--p 0024d000 fe:02 311473                     /usr/lib/libcrypto.so.1.0.0
7f23e8605000-7f23e8611000 rw-p 00269000 fe:02 311473                     /usr/lib/libcrypto.so.1.0.0
7f23e8611000-7f23e8614000 rw-p 00000000 00:00 0 
7f23e8614000-7f23e8656000 r-xp 00000000 fe:02 299407                     /usr/lib/libpcap.so.1.8.1
7f23e8656000-7f23e8855000 ---p 00042000 fe:02 299407                     /usr/lib/libpcap.so.1.8.1
7f23e8855000-7f23e8857000 r--p 00041000 fe:02 299407                     /usr/lib/libpcap.so.1.8.1
7f23e8857000-7f23e8858000 rw-p 00043000 fe:02 299407                     /usr/lib/libpcap.so.1.8.1
7f23e8858000-7f23e887b000 r-xp 00000000 fe:02 264298                     /usr/lib/ld-2.25.so
7f23e89ad000-7f23e89b4000 rw-p 00000000 00:00 0 
7f23e89b4000-7f23e8a38000 r-xp 00000000 fe:02 308884                     /usr/lib/libsystemd.so.0.17.0
7f23e8a38000-7f23e8a3b000 r--p 00083000 fe:02 308884                     /usr/lib/libsystemd.so.0.17.0
7f23e8a3b000-7f23e8a3c000 rw-p 00086000 fe:02 308884                     /usr/lib/libsystemd.so.0.17.0
7f23e8a3c000-7f23e8a41000 rw-p 00000000 00:00 0 
7f23e8a79000-7f23e8a7a000 rw-p 00000000 00:00 0 
7f23e8a7a000-7f23e8a7b000 r--p 00022000 fe:02 264298                     /usr/lib/ld-2.25.so
7f23e8a7b000-7f23e8a7c000 rw-p 00023000 fe:02 264298                     /usr/lib/ld-2.25.so
7f23e8a7c000-7f23e8a7d000 rw-p 00000000 00:00 0 
7ffd6d8e6000-7ffd6d907000 rw-p 00000000 00:00 0                          [stack]
7ffd6d94d000-7ffd6d94f000 r--p 00000000 00:00 0                          [vvar]
7ffd6d94f000-7ffd6d951000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

gdb:

Program terminated with signal SIGABRT, Aborted.
#0  0x00007f4951cc6a10 in raise () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007f4951cc6a10 in raise () from /usr/lib/libc.so.6
#1  0x00007f4951cc813a in abort () from /usr/lib/libc.so.6
#2  0x00007f4951d052b0 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007f4951d0b90e in malloc_printerr () from /usr/lib/libc.so.6
#4  0x00007f4951d0c11e in _int_free () from /usr/lib/libc.so.6
#5  0x0000000000444cbc in ldns_rr_new_frm_fp_l (newrr=<optimized out>, fp=0x741040, 
    default_ttl=0x7ffeb150b554, origin=<optimized out>, prev=<optimized out>, line_nr=0x7ffeb150b5c4)
    at ./rr.c:729
#6  0x000000000045f017 in ldns_zone_new_frm_fp_l (z=<optimized out>, fp=0x741040, 
    origin=<optimized out>, ttl=<optimized out>, c=<optimized out>, line_nr=<optimized out>)
    at ./zone.c:227
#7  0x00000000004048f5 in main (argc=2, argv=<optimized out>) at ldns-read-zone.c:257

valgrind:

==2000== Memcheck, a memory error detector
==2000== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==2000== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==2000== Command: ./ldns-read-zone findings/crashes/id:000000,sig:06,src:000657,op:havoc,rep:128
==2000== 
==2000== Invalid write of size 1
==2000==    at 0x4345E1: ldns_fget_token_l (parse.c:121)
==2000==    by 0x444C8A: ldns_rr_new_frm_fp_l (rr.c:728)
==2000==    by 0x45F016: ldns_zone_new_frm_fp_l (zone.c:227)
==2000==    by 0x4048F4: main (ldns-read-zone.c:257)
==2000==  Address 0x75c7277 is 0 bytes after a block of size 10,231 alloc'd
==2000==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2000==    by 0x444C44: ldns_rr_new_frm_fp_l (rr.c:722)
==2000==    by 0x45F016: ldns_zone_new_frm_fp_l (zone.c:227)
==2000==    by 0x4048F4: main (ldns-read-zone.c:257)
==2000== 
Syntax error, could not parse the RR at 9119
==2000== 
==2000== HEAP SUMMARY:
==2000==     in use at exit: 0 bytes in 0 blocks
==2000==   total heap usage: 8 allocs, 8 frees, 16,532 bytes allocated
==2000== 
==2000== All heap blocks were freed -- no leaks are possible
==2000== 
==2000== For counts of detected and suppressed errors, rerun with: -v
==2000== ERROR SUMMARY: 73 errors from 1 contexts (suppressed: 0 from 0)

Regards,
Stephan Zeisberg
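The valgrind trace in the report shows a one-byte write landing 0 bytes after a 10,231-byte heap block allocated in ldns_rr_new_frm_fp_l and written by the token reader ldns_fget_token_l; a terminator placed one past the end of its buffer is the classic shape of such a write, and corrupted chunk metadata is what glibc later reports as "double free or corruption (!prev)" from the free path. The following C is an added illustration, not ldns code and not the committed fix: a constructed whitespace-token reader with an off-by-one terminator beside a bounded form that rejects oversized tokens, using a canary byte so the overrun is observable without touching real heap metadata. The function names, the 8-byte limit, and the input strings are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>            /* ssize_t */

/* Constructed illustration, not ldns code: `limit` is taken as the number
 * of token characters allowed, but the terminating NUL is written at
 * buf[limit], one byte past a buffer that holds exactly `limit` bytes. */
static ssize_t read_token_offbyone(FILE *fp, char *buf, size_t limit)
{
    size_t i = 0;
    int c;
    while ((c = fgetc(fp)) != EOF && !isspace(c)) {
        if (i >= limit)
            break;                /* stop after `limit` characters ... */
        buf[i++] = (char)c;
    }
    buf[i] = '\0';                /* ... then write buf[limit] anyway */
    return (ssize_t)i;
}

/* Hardened form: `bufsize` is the full size of buf, terminator included.
 * An oversized token is rejected with -1 instead of being truncated or
 * overflowing, and no index written ever reaches bufsize. */
static ssize_t read_token_bounded(FILE *fp, char *buf, size_t bufsize)
{
    size_t i = 0;
    int c;
    if (bufsize == 0)
        return -1;
    while ((c = fgetc(fp)) != EOF && !isspace(c)) {
        if (i + 1 >= bufsize) {   /* no room for this char plus the NUL */
            buf[0] = '\0';
            return -1;
        }
        buf[i++] = (char)c;
    }
    buf[i] = '\0';
    return (ssize_t)i;
}

/* Runs the off-by-one reader on a constructed 20-character token with a
 * limit of 8. The allocation is one byte larger than the limit so the
 * overrun hits a canary byte rather than heap metadata. Returns 1 if the
 * canary was overwritten, 0 if not, -1 on setup failure. */
int offbyone_clobbers_canary(void)
{
    static const char input[] = "AAAAAAAAAAAAAAAAAAAA extra";   /* constructed */
    const size_t limit = 8;
    char *buf = malloc(limit + 1);
    if (!buf)
        return -1;
    buf[limit] = 0x5A;                        /* canary just past the "buffer" */
    FILE *fp = fmemopen((void *)input, sizeof input - 1, "r");
    if (!fp) {
        free(buf);
        return -1;
    }
    read_token_offbyone(fp, buf, limit);
    fclose(fp);
    int clobbered = (buf[limit] != 0x5A);
    free(buf);
    return clobbered;                         /* 1: the NUL landed on the canary */
}

/* Runs the bounded reader on `input` with a buffer of `bufsize` bytes and
 * leaves the token in `out` (which must hold at least bufsize bytes).
 * Returns the token length, or -1 when the token would not fit. */
ssize_t bounded_read(const char *input, size_t bufsize, char *out)
{
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    if (!fp)
        return -1;
    ssize_t n = read_token_bounded(fp, out, bufsize);
    fclose(fp);
    return n;
}

int main(void)
{
    char out[8];
    printf("off-by-one clobbers canary: %d\n", offbyone_clobbers_canary());
    printf("bounded short token: %zd (%s)\n",
           bounded_read("abc def", sizeof out, out), out);
    printf("bounded oversized token: %zd\n",
           bounded_read("AAAAAAAAAAAAAAAAAAAA", sizeof out, out));
    return 0;
}
```

The bounded variant treats the size argument as the whole buffer, terminator included, so the caller's allocation and the reader's limit cannot drift apart by one; failing loudly on an oversized token also gives the caller a syntax error to report, which is the behaviour a zone parser wants for a record it cannot hold.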
Comment 1 Stephan Zeisberg 2017-04-25 19:00:45 CEST
Created attachment 393 [details]
Additional double free crash input files that might be helpful
Comment 2 Willem Toorop 2017-04-27 00:30:29 CEST
Thank you Stephan,

A fix is committed on the develop branch:

	https://git.nlnetlabs.nl/ldns/commit/?id=c8391790

Looking forward to more bugs found with fuzzing!

-- Willem