Describe the bug
This bug allows freeing an invalid address, which is dangerous; the pointer to be freed seems corrupted.
```
$ gdb ./davs2
(gdb) b davs2_free
Breakpoint 1 at 0x555555565b23: davs2_free. (9 locations)
(gdb) r -o ./test.yuv -i poc2
Thread 1 "davs2" hit Breakpoint 1, davs2_free (ptr=0x627000000120) at /home/arayz/arayz/work/davs2/source/common/common.h:1269
1269 free(*(((void **)ptr) - 1));
(gdb) x/20xb *(((void **)ptr) - 1)
0x627000000100: 0xbe 0xbe 0xbe 0xbe 0xbe 0xbe 0xbe 0xbe
0x627000000108: 0xbe 0xbe 0xbe 0xbe 0xbe 0xbe 0xbe 0xbe
0x627000000110: 0xbe 0xbe 0xbe 0xbe
(gdb) c
Continuing.
Thread 1 "davs2" hit Breakpoint 1, davs2_free (ptr=0x7fffcde91e60) at /home/arayz/arayz/work/davs2/source/common/common.h:1269
1269 free(*(((void **)ptr) - 1));
(gdb) x/20xb *(((void **)ptr) - 1)
0xfffffff100000000: Cannot access memory at address 0xfffffff100000000
```
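The gdb session above shows the word that `davs2_free` reads as the original malloc pointer holding 0xbe filler and then an unmapped address, and that value goes straight to `free()`. The following is an added example, not davs2's own code: an aligned-allocation wrapper in the same style (raw pointer stored just before the aligned block) that also stores a tag and range-checks the stored pointer, so a corrupted header is refused instead of freed. `guarded_malloc`, `guarded_free`, `HDR_MAGIC` and the two `demo_*` functions are hypothetical names introduced here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define ALIGN     32          /* alignment handed out to callers */
#define HDR_MAGIC 0x5A11C0DEu /* hypothetical tag, not a davs2 value */

/* Header stored immediately before each aligned block. */
typedef struct {
    void    *raw;   /* pointer returned by malloc(); what free() must receive */
    uint32_t magic; /* tag that a corrupted or foreign header will not carry */
} hdr_t;
static hdr_t *hdr_of(void *p) { return (hdr_t *)((uint8_t *)p - sizeof(hdr_t)); }

void *guarded_malloc(size_t size) {
    uint8_t *raw = malloc(size + ALIGN + sizeof(hdr_t));
    if (!raw) return NULL;
    /* first ALIGN-aligned address that leaves room for the header in front */
    uintptr_t a = ((uintptr_t)raw + sizeof(hdr_t) + ALIGN - 1) & ~(uintptr_t)(ALIGN - 1);
    hdr_of((void *)a)->raw = raw;
    hdr_of((void *)a)->magic = HDR_MAGIC;
    return (void *)a;
}

/* 0 on success; -1 (and nothing freed) if the header is not one we wrote. */
int guarded_free(void *p) {
    if (!p) return 0;
    hdr_t *h = hdr_of(p);
    if (h->magic != HDR_MAGIC) return -1;
    /* raw must lie 16..47 bytes before p; unsigned wrap also rejects raw > p */
    if ((uintptr_t)p - (uintptr_t)h->raw - sizeof(hdr_t) >= ALIGN) return -1;
    free(h->raw);
    return 0;
}

/* Normal use: 0 if the block is ALIGN-aligned and frees cleanly. */
int demo_round_trip(void) {
    void *p = guarded_malloc(64);
    return (p && (uintptr_t)p % ALIGN == 0) ? guarded_free(p) : -2;
}

/* The report's first case: 0xbe bytes where the malloc pointer should be.
 * Returns guarded_free's verdict (-1); the garbage word never reaches free(). */
int demo_corrupted_header(void) {
    void *p = guarded_malloc(100);
    if (!p) return -2;
    void *raw = hdr_of(p)->raw;             /* kept only so the demo can clean up */
    memset(hdr_of(p), 0xbe, sizeof(hdr_t)); /* simulated corruption */
    int rc = guarded_free(p);
    free(raw);
    return rc;
}
```

The tag check only catches headers that were overwritten with something other than a valid-looking tag; it does not replace an ASan build for finding the write that corrupts the header in the first place.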
To Reproduce
```sh
cd /path/to/davs2/build/linux/
./configure --enable-pic
# edit config.mak: add -fsanitize=address to CFLAGS, and -fsanitize=address -lasan to LDFLAGS
make
./davs2 -i /path/to/poc2.avs -o test.yuv
```
ASAN Crash log
```
=================================================================
==105979==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffff0fffffff0 (pc 0x7f652159ba16 bp 0xfffffff0fffffff0 sp 0x7ffdae8c08e0 T0)
==105979==The signal is caused by a WRITE memory access.
    #0 0x7f652159ba15 in bool __sanitizer::atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t volatile*, __sanitizer::atomic_uint8_t::Type*, __sanitizer::atomic_uint8_t::Type, __sanitizer::memory_order) ../../../../src/libsanitizer/sanitizer_common/sanitizer_atomic_clang.h:79
    #1 0x7f652159ba15 in __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) ../../../../src/libsanitizer/asan/asan_allocator.cc:552
    #2 0x7f652159ba15 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) ../../../../src/libsanitizer/asan/asan_allocator.cc:629
    #3 0x7f652159ba15 in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) ../../../../src/libsanitizer/asan/asan_allocator.cc:865
    #4 0x7f65216803d8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:127
    #5 0x5587417e73ff in davs2_free /home/arayz/arayz/work/davs2/source/common/common.h:1269
    #6 0x5587417e73ff in davs2_frame_destroy /home/arayz/arayz/work/davs2/source/common/frame.cc:371
    #7 0x5587417e2f69 in davs2_decoder_free_extra_buffer /home/arayz/arayz/work/davs2/source/common/decoder.cc:777
    #8 0x5587417e6431 in davs2_decoder_decoder_close /home/arayz/arayz/work/davs2/source/common/decoder.cc:1205
    #9 0x5587417dd34a in davs2_decoder_close /home/arayz/arayz/work/davs2/source/common/davs2.cc:797
    #10 0x5587417da81f in test_decoder /home/arayz/arayz/work/davs2/source/test/test.c:275
    #11 0x5587417db7bc in main /home/arayz/arayz/work/davs2/source/test/test.c:329
    #12 0x7f6521036082 in __libc_start_main ../csu/libc-start.c:308
    #13 0x5587417d652d in _start (/home/arayz/arayz/work/davs2/build/linux/davs2+0xc52d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_atomic_clang.h:79 in bool __sanitizer::atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t volatile*, __sanitizer::atomic_uint8_t::Type*, __sanitizer::atomic_uint8_t::Type, __sanitizer::memory_order)
==105979==ABORTING
```
This is a security issue.
Additional context
- OS: Ubuntu 20.04 (Desktop)
- Compiler: gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
PoC: poc2.zip