
Issue metadata

Status: Verified
Owner: ----
Closed: Oct 2017
Cc:
Type: Bug




curl/curl_fuzzer: Direct-leak in curl_docalloc

Project Member Reported by ClusterFuzz-External, Oct 19 2017

Issue description

Detailed report: https://oss-fuzz.com/testcase?key=4976650178527232

Project: curl
Fuzzer: libFuzzer_curl_fuzzer
Fuzz target binary: curl_fuzzer
Job Type: libfuzzer_asan_curl
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  curl_docalloc
  Curl_ftp_parselist
  Curl_client_chop_write
  
Sanitizer: address (ASAN)

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_curl&range=201710180416:201710190414

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=4976650178527232

Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.

When you fix this bug, please
  * mention the fix revision(s).
  * state whether the bug was a short-lived regression or an old bug in any stable releases.
  * add any other useful information.
This information can help downstream consumers.

If you have questions for the OSS-Fuzz team, please file an issue at https://github.com/google/oss-fuzz/issues.

Comment 1 by ClusterFuzz-External, Oct 19 2017

Labels: OS-Linux

Comment 2 by cmeist...@gmail.com, Oct 19 2017

=================================================================
==7==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 168 byte(s) in 1 object(s) allocated from:
    #0 0x4df420 in calloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x5230b3 in curl_docalloc /src/curl/lib/memdebug.c:206:9
    #2 0x5fe134 in Curl_ftp_parselist /src/curl/lib/ftplistparser.c:362:27
    #3 0x56843d in Curl_client_chop_write /src/curl/lib/sendf.c:574:22
    #4 0x5a8503 in readwrite_data /src/curl/lib/transfer.c:796:26
    #5 0x5a5d3a in Curl_readwrite /src/curl/lib/transfer.c:1139:14
    #6 0x5302dd in multi_runsingle /src/curl/lib/multi.c:1896:16
    #7 0x52eac3 in curl_multi_perform /src/curl/lib/multi.c:2161:14
    #8 0x51b66f in fuzz_handle_transfer(fuzz_data*) /src/curl_fuzzer/curl_fuzzer.cc:379:5
    #9 0x51a76e in LLVMFuzzerTestOneInput /src/curl_fuzzer/curl_fuzzer.cc:89:3
    #10 0x62a230 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:465:13
    #11 0x6097a5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:273:6
    #12 0x614e54 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:689:9
    #13 0x608e48 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #14 0x7ff68d0f082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 656 byte(s) in 1 object(s) allocated from:
    #0 0x4df670 in realloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
    #1 0x52335c in curl_dorealloc /src/curl/lib/memdebug.c:294:9
    #2 0x5fe339 in Curl_ftp_parselist /src/curl/lib/ftplistparser.c:383:19
    #3 0x56843d in Curl_client_chop_write /src/curl/lib/sendf.c:574:22
    #4 0x5a8503 in readwrite_data /src/curl/lib/transfer.c:796:26
    #5 0x5a5d3a in Curl_readwrite /src/curl/lib/transfer.c:1139:14
    #6 0x5302dd in multi_runsingle /src/curl/lib/multi.c:1896:16
    #7 0x52eac3 in curl_multi_perform /src/curl/lib/multi.c:2161:14
    #8 0x51b66f in fuzz_handle_transfer(fuzz_data*) /src/curl_fuzzer/curl_fuzzer.cc:379:5
    #9 0x51a76e in LLVMFuzzerTestOneInput /src/curl_fuzzer/curl_fuzzer.cc:89:3
    #10 0x62a230 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:465:13
    #11 0x6097a5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:273:6
    #12 0x614e54 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:689:9
    #13 0x608e48 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #14 0x7ff68d0f082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)


File contents:

TLVHeader(type='CURLOPT_URL' (1), length=37, data='ftp:/               /         /      ')
TLVHeader(type='Server banner (sent on connection)' (2), length=11, data='220       \n')
TLVHeader(type='Server response 1' (17), length=9, data='200     \n')
TLVHeader(type='Server response 2' (18), length=9, data='200     \n')
TLVHeader(type='Server response 3' (19), length=9, data='200     \n')
TLVHeader(type='Server response 4' (20), length=9, data='400     \n')
TLVHeader(type='Server response 5' (21), length=50, data='227                          3,  9,  2,  0,  6,4 \n')
TLVHeader(type='Server response 6' (22), length=9, data='200     \n')
TLVHeader(type='Server response 7' (23), length=34, data='150                              \n')
TLVHeader(type='Socket 2: Server banner (sent on connection)' (31), length=623, data='t                         \xff        \xff                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              \xff                            ')
TLVHeader(type='CURLOPT_WILDCARDMATCH' (33), length=4, data='    ')

Comment 3 by ClusterFuzz-External, Oct 19 2017

Labels: ClusterFuzz-Top-Crash
Testcase 4976650178527232 is a top crash on ClusterFuzz for linux platform. Please prioritize fixing this crash.

If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new

Comment 4 by cmeist...@gmail.com, Oct 20 2017

My read of this is that the parser->file_data gets freed if the function hits PL_ERROR. Outside of that, I don't think it actually gets freed anywhere... Maybe I'm misreading the source.

Comment 5 by cmeist...@gmail.com, Oct 25 2017

https://github.com/curl/curl/pull/2013 appears to fix this.
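
As an added illustration of the pattern comments 4 and 5 discuss (example code, not curl's code and not the change in the linked PR): a hypothetical miniature list parser in C in which `file_data` is released only on the `PL_ERROR` path, so a listing that ends mid-entry leaves the in-progress object unreachable unless the parser's own cleanup frees it. All names are assumptions modelled on the stack trace, not curl's internals, and the `live` counter stands in for what LeakSanitizer reports.

```c
/* Hypothetical model of the pattern in comment 4 (not curl's code): a list parser
 * allocates a per-entry object when an entry starts and frees it only on PL_ERROR;
 * if the input ends mid-entry, cleanup must release the in-progress object. */
#include <stdlib.h>
#include <string.h>
enum { PL_OK = 0, PL_ERROR = 1 };
struct fileinfo { char name[64]; size_t len; };
struct parser {
    struct fileinfo *file_data; /* entry being built, NULL between entries */
    size_t committed;           /* entries completed by a newline */
    size_t live;                /* outstanding allocations (stand-in for LSan) */
};
static int parse_chunk(struct parser *p, const char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (!p->file_data) {                  /* a new entry starts here */
            p->file_data = calloc(1, sizeof *p->file_data);
            if (!p->file_data) return PL_ERROR;
            p->live++;
        }
        if (c == 0xff) {                      /* malformed byte: the error path frees */
            free(p->file_data); p->file_data = NULL; p->live--;
            return PL_ERROR;
        }
        if (c == '\n') {                      /* entry complete: hand off (owner frees) */
            p->committed++;
            free(p->file_data); p->file_data = NULL; p->live--;
        } else if (p->file_data->len + 1 < sizeof p->file_data->name) {
            p->file_data->name[p->file_data->len++] = (char)c;
        }
    }
    return PL_OK;
}
/* Buggy cleanup: drops the in-progress entry without freeing it. */
static size_t parser_free_leaky(struct parser *p) { p->file_data = NULL; return p->live; }
/* Hardened cleanup: always release whatever entry is still being built. */
static size_t parser_free_fixed(struct parser *p) {
    if (p->file_data) { free(p->file_data); p->file_data = NULL; p->live--; }
    return p->live;
}
/* Feed a constructed listing with no final newline; return allocations left after cleanup. */
static size_t leaked_after_cleanup(int fixed) {
    struct parser p = {0};
    const char *listing = "-rw-r--r-- 1 u g 5 Oct 19 a.txt\n-rw-r--r-- 1 u g 5 Oct 19 b.t";
    if (parse_chunk(&p, listing, strlen(listing)) != PL_OK) return (size_t)-1;
    return fixed ? parser_free_fixed(&p) : parser_free_leaky(&p);
}
```

The truncated second line is the trigger: with the buggy cleanup one allocation survives (what LSan would report as a direct leak), with the hardened cleanup none does.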

Comment 6 by ClusterFuzz-External, Oct 26 2017

ClusterFuzz has detected this issue as fixed in range 201710250414:201710260415.

Detailed report: https://oss-fuzz.com/testcase?key=4976650178527232

Project: curl
Fuzzer: libFuzzer_curl_fuzzer
Fuzz target binary: curl_fuzzer
Job Type: libfuzzer_asan_curl
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  curl_docalloc
  Curl_ftp_parselist
  Curl_client_chop_write
  
Sanitizer: address (ASAN)

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_curl&range=201710180416:201710190414
Fixed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_curl&range=201710250414:201710260415

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=4976650178527232

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by ClusterFuzz-External, Oct 26 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: New)
ClusterFuzz testcase 4976650178527232 is verified as fixed, so closing issue as verified.

If this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new

Comment 8 by sheriffbot@chromium.org, Nov 25 2017

Labels: -restrict-view-commit
This bug has been fixed for 30 days. It has been opened to the public.

- Your friendly Sheriffbot
