142 lines
7.6 KiB
Diff
142 lines
7.6 KiB
Diff
From 8eccd30f5d3ae0be17f2a75116600f5fca9c76db Mon Sep 17 00:00:00 2001
|
|
From: root <root@localhost.localdomain>
|
|
Date: Sat, 4 May 2019 16:51:52 +0800
|
|
Subject: [PATCH] bugfix for use after free about soname
|
|
|
|
==18904==ERROR: AddressSanitizer: heap-use-after-free on address 0xffffa0d00313 at pc 0xffffa3d1bc70 bp 0xffffe9c118d0 sp 0xffffe9c11948
|
|
READ of size 5 at 0xffffa0d00313 thread T0
|
|
#0 0xffffa3d1bc6f (/usr/lib64/libasan.so.4+0x50c6f)
|
|
#1 0xaaaae94e1d67 in library_get_prototype /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:198
|
|
#2 0xaaaae94e2f8f in lookup_symbol_prototype /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:243
|
|
#3 0xaaaae94e383b in lookup_symbol_prototype /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:703
|
|
#4 0xaaaae94e383b in output_right /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:644
|
|
#5 0xaaaae94e08d3 in output_right_tos /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:665
|
|
#6 0xaaaae94e1a4f in handle_breakpoint /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:703
|
|
#7 0xaaaae94e1a4f in handle_event /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:200
|
|
#8 0xaaaae94ce237 in ltrace_main /root/rpmbuild/BUILD/ltrace-0.7.91/libltrace.c:174
|
|
#9 0xaaaae94cdd1f in main /root/rpmbuild/BUILD/ltrace-0.7.91/main.c:55
|
|
#10 0xffffa38ecadf in __libc_start_main (/lib64/libc.so.6+0x20adf)
|
|
#11 0xaaaae94cdd5f (/ltrace+0x9d5f)
|
|
|
|
0xffffa0d00313 is located 3 bytes inside of 8-byte region [0xffffa0d00310,0xffffa0d00318)
|
|
freed by thread T0 here:
|
|
#0 0xffffa3d9b6c3 in free (/usr/lib64/libasan.so.4+0xd06c3)
|
|
#1 0xaaaae94d101f in private_process_destroy /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:273
|
|
#2 0xaaaae94d10ab in remove_process /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:753
|
|
#3 0xaaaae94e0d73 in handle_exit_signal /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:521
|
|
#4 0xaaaae94e0d73 in handle_event /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:142
|
|
#5 0xaaaae94ce237 in ltrace_main /root/rpmbuild/BUILD/ltrace-0.7.91/libltrace.c:174
|
|
#6 0xaaaae94cdd1f in main /root/rpmbuild/BUILD/ltrace-0.7.91/main.c:55
|
|
#7 0xffffa38ecadf in __libc_start_main (/lib64/libc.so.6+0x20adf)
|
|
#8 0xaaaae94cdd5f (/ltrace+0x9d5f)
|
|
|
|
previously allocated by thread T0 here:
|
|
#0 0xffffa3d3e34f in strdup (/usr/lib64/libasan.so.4+0x7334f)
|
|
#1 0xaaaae94cfb2b in process_bare_init /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:128
|
|
#2 0xaaaae94cfcbf in process_init /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:214
|
|
#3 0xaaaae94cfe17 in open_program /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:330
|
|
#4 0xaaaae94ce09f in ltrace_init /root/rpmbuild/BUILD/ltrace-0.7.91/libltrace.c:125
|
|
#5 0xaaaae94cdd1b in main /root/rpmbuild/BUILD/ltrace-0.7.91/main.c:47
|
|
#6 0xffffa38ecadf in __libc_start_main (/lib64/libc.so.6+0x20adf)
|
|
#7 0xaaaae94cdd5f (/ltrace+0x9d5f)
|
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib64/libasan.so.4+0x50c6f)
|
|
Shadow bytes around the buggy address:
|
|
0x200ff41a0010: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 00
|
|
0x200ff41a0020: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
|
|
0x200ff41a0030: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
|
|
0x200ff41a0040: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
|
|
0x200ff41a0050: fa fa 00 00 fa fa fd fa fa fa fd fa fa fa fd fd
|
|
=>0x200ff41a0060: fa fa[fd]fa fa fa 00 07 fa fa 06 fa fa fa 05 fa
|
|
0x200ff41a0070: fa fa 00 00 fa fa 05 fa fa fa 00 00 fa fa 00 00
|
|
0x200ff41a0080: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 01 fa
|
|
0x200ff41a0090: fa fa 00 00 fa fa 00 00 fa fa 01 fa fa fa 00 00
|
|
0x200ff41a00a0: fa fa 04 fa fa fa 04 fa fa fa 00 fa fa fa fd fd
|
|
0x200ff41a00b0: fa fa 04 fa fa fa 04 fa fa fa 00 fa fa fa 04 fa
|
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
|
Addressable: 00
|
|
Partially addressable: 01 02 03 04 05 06 07
|
|
Heap left redzone: fa
|
|
Freed heap region: fd
|
|
Stack left redzone: f1
|
|
Stack mid redzone: f2
|
|
Stack right redzone: f3
|
|
Stack after return: f5
|
|
Stack use after scope: f8
|
|
Global redzone: f9
|
|
Global init order: f6
|
|
Poisoned by user: f7
|
|
Container overflow: fc
|
|
Array cookie: ac
|
|
Intra object redzone: bb
|
|
ASan internal: fe
|
|
Left alloca redzone: ca
|
|
Right alloca redzone: cb
|
|
=================================================================
|
|
==18904==ERROR: AddressSanitizer: heap-use-after-free on address 0xffffa0d00313 at pc 0xffffa3d3fbe4 bp 0xffffe9c118c0 sp 0xffffe9c11938
|
|
READ of size 5 at 0xffffa0d00313 thread T0
|
|
#0 0xffffa3d3fbe3 (/usr/lib64/libasan.so.4+0x74be3)
|
|
#1 0xaaaae94e1db3 in memcpy /usr/include/bits/string_fortified.h:34
|
|
#2 0xaaaae94e1db3 in library_get_prototype /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:200
|
|
#3 0xaaaae94e2f8f in lookup_symbol_prototype /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:243
|
|
#4 0xaaaae94e383b in lookup_symbol_prototype /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:703
|
|
#5 0xaaaae94e383b in output_right /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:644
|
|
#6 0xaaaae94e08d3 in output_right_tos /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:665
|
|
#7 0xaaaae94e1a4f in handle_breakpoint /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:703
|
|
#8 0xaaaae94e1a4f in handle_event /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:200
|
|
#9 0xaaaae94ce237 in ltrace_main /root/rpmbuild/BUILD/ltrace-0.7.91/libltrace.c:174
|
|
#10 0xaaaae94cdd1f in main /root/rpmbuild/BUILD/ltrace-0.7.91/main.c:55
|
|
#11 0xffffa38ecadf in __libc_start_main (/lib64/libc.so.6+0x20adf)
|
|
#12 0xaaaae94cdd5f (/ltrace+0x9d5f)
|
|
|
|
0xffffa0d00313 is located 3 bytes inside of 8-byte region [0xffffa0d00310,0xffffa0d00318)
|
|
freed by thread T0 here:
|
|
#0 0xffffa3d9b6c3 in free (/usr/lib64/libasan.so.4+0xd06c3)
|
|
#1 0xaaaae94d101f in private_process_destroy /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:273
|
|
#2 0xaaaae94d10ab in remove_process /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:753
|
|
#3 0xaaaae94e0d73 in handle_exit_signal /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:521
|
|
#4 0xaaaae94e0d73 in handle_event /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:142
|
|
#5 0xaaaae94ce237 in ltrace_main /root/rpmbuild/BUILD/ltrace-0.7.91/libltrace.c:174
|
|
#6 0xaaaae94cdd1f in main /root/rpmbuild/BUILD/ltrace-0.7.91/main.c:55
|
|
#7 0xffffa38ecadf in __libc_start_main (/lib64/libc.so.6+0x20adf)
|
|
#8 0xaaaae94cdd5f (/ltrace+0x9d5f)
|
|
|
|
previously allocated by thread T0 here:
|
|
#0 0xffffa3d3e34f in strdup (/usr/lib64/libasan.so.4+0x7334f)
|
|
#1 0xaaaae94cfb2b in process_bare_init /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:128
|
|
#2 0xaaaae94cfcbf in process_init /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:214
|
|
#3 0xaaaae94cfe17 in open_program /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:330
|
|
#4 0xaaaae94ce09f in ltrace_init /root/rpmbuild/BUILD/ltrace-0.7.91/libltrace.c:125
|
|
#5 0xaaaae94cdd1b in main /root/rpmbuild/BUILD/ltrace-0.7.91/main.c:47
|
|
#6 0xffffa38ecadf in __libc_start_main (/lib64/libc.so.6+0x20adf)
|
|
#7 0xaaaae94cdd5f (/ltrace+0x9d5f)
|
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib64/libasan.so.4+0x74be3)
|
|
---
|
|
ltrace-elf.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/ltrace-elf.c b/ltrace-elf.c
|
|
index f638342..286790a 100644
|
|
--- a/ltrace-elf.c
|
|
+++ b/ltrace-elf.c
|
|
@@ -1214,12 +1214,14 @@ read_module(struct library *lib, struct process *proc,
|
|
goto fail;
|
|
library_set_soname(lib, soname, 1);
|
|
} else {
|
|
+ char *soname_str = NULL;
|
|
const char *soname = rindex(lib->pathname, '/');
|
|
if (soname != NULL)
|
|
soname += 1;
|
|
else
|
|
soname = lib->pathname;
|
|
- library_set_soname(lib, soname, 0);
|
|
+ soname_str = strdup(soname);
|
|
+ library_set_soname(lib, soname_str, 1);
|
|
}
|
|
|
|
/* XXX The double cast should be removed when
|
|
--
|
|
2.19.1
|
|
|