
double free in fy_input_free when using FYPCF_RESOLVE_DOCUMENT and FYPCF_YPATH_ALIASES #134

Open
rivit98 opened this issue Jan 20, 2025 · 0 comments


rivit98 commented Jan 20, 2025

Hi, I found the following problem while fuzzing libfyaml.

Code version

6e52e4d8b6adb01cc2fc377fab7b7fd523364438

How to reproduce

#include <stdio.h>
#include <string.h>   /* strlen */
#include <libfyaml.h>

int main(void) {
  /* Both flags are needed to reach the faulty path: aliases are resolved
   * as YPath expressions while the document is being built. */
  int flags = FYPCF_RESOLVE_DOCUMENT | FYPCF_YPATH_ALIASES;

  struct fy_document *fyd = NULL;
  struct fy_parse_cfg cfg = {0};
  cfg.flags = flags;

  /* Crashing input: a newline followed by the alias "*G&" (4 bytes). */
  char data[] = "\x0a\x2a\x47\x26\x00";
  fyd = fy_document_build_from_string(&cfg, data, strlen(data));
  fy_document_destroy(fyd);
  return 0;
}

Compile & link with fuzzer support. Run and observe the ASAN output:

(null):1:3: error: bad path expression starts here c=38
*G&
  ^
<memory-@0x7bbf35b090e0-0x7bbf35b090e3>:2:2: error: invalid alias
*G&
 ^~
=================================================================
==2143547==ERROR: AddressSanitizer: attempting double-free on 0x5020000000d0 in thread T0:
    #0 0x5dff173d207a in free (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1ad07a) (BuildId: 9bf80e7e78dfc2831e5eccc59f23f83f7827d95b)
    #1 0x5dff174dcafd in fy_input_free /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-input.c:76:3
    #2 0x5dff175c4fcb in fy_input_unref /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-input.h:219:3
    #3 0x5dff175c4fcb in fy_token_clean_rl /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-token.c:51:2
    #4 0x5dff175e5f0a in fy_token_free_rl /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-token.h:188:2
    #5 0x5dff175e5f0a in fy_token_unref_rl /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-token.h:205:3
    #6 0x5dff175e5f0a in fy_token_unref /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-token.h:241:9
    #7 0x5dff175e5f0a in fy_path_expr_free /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:551:2
    #8 0x5dff175e6ca6 in fy_expr_stack_cleanup /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:615:3
    #9 0x5dff175e8f54 in fy_path_parser_cleanup /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:784:2
    #10 0x5dff17621db5 in fy_path_parser_destroy /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:3694:2
    #11 0x5dff17621db5 in fy_document_cleanup_path_expr_data /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:5230:2
    #12 0x5dff1744850a in fy_parse_document_destroy /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:346:2
    #13 0x5dff17459d40 in fy_parse_load_document_with_builder /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:1925:4
    #14 0x5dff17466b62 in fy_document_build_internal /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:3283:8
    #15 0x5dff174545c8 in fy_document_build_from_string /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:3340:9
    #16 0x5dff17410f51 in tc4 /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:66:9
    #17 0x5dff17411195 in main /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:84:3
    #18 0x7bbf37a2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x7bbf37a2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #20 0x5dff173374c4 in _start (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1124c4) (BuildId: 9bf80e7e78dfc2831e5eccc59f23f83f7827d95b)

0x5020000000d0 is located 0 bytes inside of 4-byte region [0x5020000000d0,0x5020000000d4)
freed by thread T0 here:
    #0 0x5dff173d207a in free (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1ad07a) (BuildId: 9bf80e7e78dfc2831e5eccc59f23f83f7827d95b)
    #1 0x5dff176225fa in fy_node_setup_path_expr_data /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:5314:3
    #2 0x5dff176234c7 in fy_node_alias_resolve_by_ypath_result /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:5370:7
    #3 0x5dff17623fba in fy_node_alias_resolve_by_ypath /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:5455:8
    #4 0x5dff17471058 in fy_node_follow_alias /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:2575:10
    #5 0x5dff1746c895 in fy_node_follow_aliases /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:4045:9
    #6 0x5dff17464b1d in fy_resolve_alias /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:2544:13
    #7 0x5dff17464b1d in fy_resolve_anchor_node /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:2794:10
    #8 0x5dff174596aa in fy_document_resolve /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:3032:8
    #9 0x5dff17459d29 in fy_parse_load_document_with_builder /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:1923:8
    #10 0x5dff17466b62 in fy_document_build_internal /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:3283:8
    #11 0x5dff174545c8 in fy_document_build_from_string /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:3340:9
    #12 0x5dff17410f51 in tc4 /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:66:9
    #13 0x5dff17411195 in main /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:84:3
    #14 0x7bbf37a2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x7bbf37a2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #16 0x5dff173374c4 in _start (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1124c4) (BuildId: 9bf80e7e78dfc2831e5eccc59f23f83f7827d95b)

previously allocated by thread T0 here:
    #0 0x5dff173d2313 in malloc (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1ad313) (BuildId: 9bf80e7e78dfc2831e5eccc59f23f83f7827d95b)
    #1 0x5dff176223a5 in fy_node_setup_path_expr_data /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:5281:11
    #2 0x5dff176234c7 in fy_node_alias_resolve_by_ypath_result /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:5370:7
    #3 0x5dff17623fba in fy_node_alias_resolve_by_ypath /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:5455:8
    #4 0x5dff17471058 in fy_node_follow_alias /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:2575:10
    #5 0x5dff1746c895 in fy_node_follow_aliases /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:4045:9
    #6 0x5dff17464b1d in fy_resolve_alias /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:2544:13
    #7 0x5dff17464b1d in fy_resolve_anchor_node /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:2794:10
    #8 0x5dff174596aa in fy_document_resolve /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:3032:8
    #9 0x5dff17459d29 in fy_parse_load_document_with_builder /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:1923:8
    #10 0x5dff17466b62 in fy_document_build_internal /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:3283:8
    #11 0x5dff174545c8 in fy_document_build_from_string /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:3340:9
    #12 0x5dff17410f51 in tc4 /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:66:9
    #13 0x5dff17411195 in main /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:84:3
    #14 0x7bbf37a2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x7bbf37a2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #16 0x5dff173374c4 in _start (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1124c4) (BuildId: 9bf80e7e78dfc2831e5eccc59f23f83f7827d95b)

SUMMARY: AddressSanitizer: double-free (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1ad07a) (BuildId: 9bf80e7e78dfc2831e5eccc59f23f83f7827d95b) in free
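The two stacks above show the shape of the defect: the 4-byte buffer is allocated and freed directly inside fy_node_setup_path_expr_data on the "bad path expression" error path, and then freed a second time when document destruction tears down the path parser's expression stack and the last token reference on the input drops to zero in fy_input_free. The following C program is an added illustration of that ownership pattern and is not code from the report or from libfyaml; all names (`input`, `token`, `path_parser`, `setup_path_expr_*`) are hypothetical, and the interpretation of the trace (caller frees a buffer it has already handed to a reference-counted object) is my reading, not a confirmed root cause. A tiny quarantine allocator stands in for AddressSanitizer so the second free is counted instead of corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quarantine allocator standing in for AddressSanitizer: freed blocks are parked
 * in a list rather than returned to malloc, so a second free of the same pointer
 * is detected deterministically. Constructed for this demo only. */
#define QUARANTINE 16
static void *g_quarantine[QUARANTINE];
static int g_quarantined, g_double_frees;

static void tracked_free(void *p)
{
    for (int i = 0; i < g_quarantined; i++)
        if (g_quarantine[i] == p) { g_double_frees++; return; }
    if (g_quarantined < QUARANTINE) g_quarantine[g_quarantined++] = p;
}

static void quarantine_flush(void)
{
    for (int i = 0; i < g_quarantined; i++) free(g_quarantine[i]);
    g_quarantined = 0;
}

static char *dup_cstr(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Reference-counted input that owns its text buffer (hypothetical stand-in for
 * the fy_input / fy_input_unref / fy_input_free chain seen in the trace). */
struct input { char *buf; int refs; };

static struct input *input_create(char *owned_buf)
{
    struct input *in = calloc(1, sizeof(*in));
    in->buf = owned_buf;   /* takes ownership: freed when the last reference drops */
    in->refs = 1;
    return in;
}
static struct input *input_ref(struct input *in) { in->refs++; return in; }
static void input_unref(struct input *in)
{
    if (--in->refs > 0) return;
    tracked_free(in->buf);   /* the fy_input_free step */
    free(in);
}

/* A token holds its own reference on the input it was scanned from. */
struct token { struct input *in; };
static struct token *token_create(struct input *in)
{
    struct token *t = calloc(1, sizeof(*t));
    t->in = input_ref(in);
    return t;
}
static void token_destroy(struct token *t) { input_unref(t->in); free(t); }

/* Parser state that outlives the failed setup call: its expression stack is
 * only emptied when the document is destroyed. */
struct path_parser { struct token *stack[4]; int n; };

/* Accepts "*" only; the scanned token stays on the stack either way. */
static int parse_path_expr(struct path_parser *pp, struct input *in)
{
    pp->stack[pp->n++] = token_create(in);
    return strcmp(in->buf, "*") == 0 ? 0 : -1;
}

/* Buggy: on error the caller frees the text it allocated, although ownership
 * already passed to the input. The token's reference frees it again later. */
static int setup_path_expr_buggy(struct path_parser *pp, const char *expr)
{
    char *text = dup_cstr(expr);
    struct input *in = input_create(text);
    int rc = parse_path_expr(pp, in);
    if (rc < 0)
        tracked_free(text);   /* first free */
    input_unref(in);
    return rc;
}

/* Fixed: the caller only drops the reference it holds; the buffer is freed
 * exactly once, when the last token holding the input is destroyed. */
static int setup_path_expr_fixed(struct path_parser *pp, const char *expr)
{
    struct input *in = input_create(dup_cstr(expr));
    int rc = parse_path_expr(pp, in);
    input_unref(in);
    return rc;
}

static void path_parser_cleanup(struct path_parser *pp)
{
    for (int i = 0; i < pp->n; i++) token_destroy(pp->stack[i]);   /* second free in the buggy case */
    pp->n = 0;
}

/* Runs one variant and returns how many double frees the quarantine detected. */
static int run_scenario(int (*setup)(struct path_parser *, const char *), const char *expr)
{
    struct path_parser pp = { {0}, 0 };
    g_double_frees = 0;
    setup(&pp, expr);
    path_parser_cleanup(&pp);
    quarantine_flush();
    return g_double_frees;
}

int main(void)
{
    printf("buggy: %d double free(s)\n", run_scenario(setup_path_expr_buggy, "*G&"));
    printf("fixed: %d double free(s)\n", run_scenario(setup_path_expr_fixed, "*G&"));
    return 0;
}
```

The fix is a rule rather than a patch: once a buffer has been handed to a reference-counted owner, the caller must release it only through that owner's unref, never with a direct free, regardless of which branch it is on. The same discipline is what a reviewer would check on every error path that follows an ownership transfer.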