Headline
CVE-2021-33390: Heap Use After Free in the deletestringbox() function (different than #7) (#10) · Issues · Dwight Aplevich / dpic · GitLab
dpic 2021.04.10 has a use-after-free in thedeletestringbox() function in dpic.y. A different vulnerablility than CVE-2021-32421.
Skip to content
Heap Use After Free in the deletestringbox() function (different than #7)
Hi,
While fuzzing dpic 2021.04.10 (commit: d317e406), I found a heap use-after-free in the cmpstring() function, in dpic.y:L5724.
I have already confirmed the previous issue: #7 (closed) and that is already patched but this seems to be similar but not the same with this input test file and in the same deletestringbox() function.
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"
Attaching a reproducer: heap-uaf-read-test-deletestringbox
the issue can be reproduced by running:
dpic heap-uaf-read-test-deletestringbox
=================================================================
==3692838==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000000060 at pc 0x0000005094cf bp 0x7ffdf2d88ed0 sp 0x7ffdf2d88ec8
READ of size 8 at 0x60d000000060 thread T0
#0 0x5094ce in deletestringbox /home/bsdboy/projects/again/dpic/dpic.y:5724:19
#1 0x4fce1a in yyparse /home/bsdboy/projects/again/dpic/dpic.y:2839:4
#2 0x4d69ac in main /home/bsdboy/projects/again/dpic/main.c:1813:13
#3 0x7f638b8eb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x41c3dd in _start (/home/bsdboy/projects/again/dpic/dpic+0x41c3dd)
0x60d000000060 is located 32 bytes inside of 136-byte region [0x60d000000040,0x60d0000000c8)
freed by thread T0 here:
#0 0x4973d2 in free (/home/bsdboy/projects/again/dpic/dpic+0x4973d2)
#1 0x501778 in deletetree /home/bsdboy/projects/again/dpic/dpic.y:3917:12
#2 0x50989b in deletestringbox /home/bsdboy/projects/again/dpic/dpic.y:5732:3
#3 0x4fce1a in yyparse /home/bsdboy/projects/again/dpic/dpic.y:2839:4
#4 0x4d69ac in main /home/bsdboy/projects/again/dpic/main.c:1813:13
#5 0x7f638b8eb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
previously allocated by thread T0 here:
#0 0x49763d in malloc (/home/bsdboy/projects/again/dpic/dpic+0x49763d)
#1 0x507b27 in newprim /home/bsdboy/projects/again/dpic/dpic.y:4984:13
#2 0x4deb1a in yyparse /home/bsdboy/projects/again/dpic/dpic.y:892:19
#3 0x4d69ac in main /home/bsdboy/projects/again/dpic/main.c:1813:13
#4 0x7f638b8eb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /home/bsdboy/projects/again/dpic/dpic.y:5724:19 in deletestringbox
Shadow bytes around the buggy address:
0x0c1a7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a7fff8000: fa fa fa fa fa fa fa fa fd fd fd fd[fd]fd fd fd
0x0c1a7fff8010: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c1a7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3692838==ABORTING