attempting free on address in WTF::StringImpl
Reported by cdsrc2...@gmail.com, Jul 13
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Steps to reproduce the problem:
1. write a simple libFuzzer harness to fuzz WTF::String
2. the key code in the fuzzer is
"WTF::String string(data,size)"
3. run the fuzzer
What is the expected behavior?
What went wrong?
When the input "size" is zero, the crash happened. I am not sure if this counts as a security bug.
==17746==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x00001b3aee80 in thread T0
#0 0x32f8aa2 in __interceptor_free _asan_rtl_:3
#1 0x3328536 in Release /home/lly/chrome/src/out/libfuzzer/../../third_party/blink/renderer/platform/wtf/text/string_impl.h:280:7
#2 0x3328536 in Release /home/lly/chrome/src/out/libfuzzer/../../base/memory/scoped_refptr.h:280:0
#3 0x3328536 in ~scoped_refptr /home/lly/chrome/src/out/libfuzzer/../../base/memory/scoped_refptr.h:208:0
#4 0x3328536 in ~String /home/lly/chrome/src/out/libfuzzer/../../third_party/blink/renderer/platform/wtf/text/wtf_string.h:63:0
#5 0x3328536 in LLVMFuzzerTestOneInput /home/lly/chrome/src/out/libfuzzer/../../third_party/blink/renderer/modules/webaudio/webaudiofuzzer.cc:43:0
#6 0x3352142 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/lly/chrome/src/out/libfuzzer/../../third_party/libFuzzer/src/FuzzerLoop.cpp:526:13
#7 0x3355d2c in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /home/lly/chrome/src/out/libfuzzer/../../third_party/libFuzzer/src/FuzzerLoop.cpp:710:3
#8 0x3357098 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /home/lly/chrome/src/out/libfuzzer/../../third_party/libFuzzer/src/FuzzerLoop.cpp:755:3
#9 0x333e76b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/lly/chrome/src/out/libfuzzer/../../third_party/libFuzzer/src/FuzzerDriver.cpp:758:6
#10 0x336705c in main /home/lly/chrome/src/out/libfuzzer/../../third_party/libFuzzer/src/FuzzerMain.cpp:20:10
#11 0x7f5f123d382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291:0
0x00001b3aee80 is located 0 bytes inside of global variable 'WTF::g_global_emptyStorage' defined in '../../third_party/blink/renderer/platform/wtf/text/string_impl.cc:162:1' (0x1b3aee80) of size 16
SUMMARY: AddressSanitizer: bad-free (/home/lly/chrome/src/out/libfuzzer/webaudiofuzzer+0x32f8aa2)
==17746==ABORTING
Did this work before? N/A
Chrome version: 69.0.3479.0 Channel: stable
OS Version: 16.04
Flash Version:
Jul 13
Thanks for the report. Do you know of a way that this can be exploited from web content? If so, this would be a security bug. cc'ing some WTF owners. Maybe StringImpl ought to CHECK for this case?
Jul 13
https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/wtf/text/wtf_string.cc?g=0&l=42 Maybe this should check `characters && length`? ...but this does do this check: https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/wtf/text/string_impl.cc?g=0&l=234 (which you list in comment 1). g_global_empty is refcounted, so destroying it should in theory be fine. Either g_global_empty is initialized with too low a ref count, or your fuzzer does something wrong. Is your fuzzer's code available somewhere?
Jul 16
To figure out what happened, I simplified the fuzz code. Even if there is only one line (could you please try it like this?):
WTF::String string(data,size)
or
WTF::String string("")
the crash could still happen.
Jul 16
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 16
What's your fuzzer's setup code?
Jul 17
WTF::StringImpl::InitStatics(), or WTF::Initialize(), must be called before any String operations. I guess the reporter's fuzzer misses it.
Jul 17
Does the setup code mean the code in the BUILD.gn file, or just the source code? I uploaded both: source.cc is the main source code, BUILD.gn is the gn code.
Jul 17
Sorry, I did miss the WTF::StringImpl::InitStatics() step. Once I add it in, the crash won't happen.
Oct 23
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by cdsrc2...@gmail.com, Jul 13
When constructing a WTF::String with an empty str, the constructor will return directly and not create a StringImpl object. It's OK. But when constructing a WTF::String with a non-empty string and the second parameter is 0, the constructor will construct the impl_ object by StringImpl::Create. In src/third_party/blink/renderer/platform/wtf/text/string_impl.cc:231:

    scoped_refptr<StringImpl> StringImpl::Create(const UChar* characters, unsigned length) {
      if (!characters || !length)
        return empty_;
      UChar* data;
      scoped_refptr<StringImpl> string = CreateUninitialized(length, data);
      memcpy(data, characters, length * sizeof(UChar));
      return string;
    }

If characters or length is not empty, it will return empty_, which was a global pointer. In src/third_party/blink/renderer/platform/wtf/text/string_impl.cc:165:

    StringImpl* StringImpl::empty_ = const_cast<StringImpl*>(&g_global_empty);

When the String is destroyed, ~String() will release the impl_ pointer. Crash happened.