Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

possible double-free in libclamav/hashtab.c (v0.104.1) #534

Open easylyou opened 2 years ago

easylyou commented 2 years ago

Hi! We are using improved fuzzing technology with fault injection. I'm rather sure the bug is not a security issue. If you still worry about it, please point it out and I will edit immediately. Although I'm fuzzing on v0.104.1, it seems to still exist in the latest version.

Different from traditional fuzzing, fault injection can test error-handling code while errors happen under some extreme conditions (such as malloc() returning NULL when out of memory). So it is hard to reproduce without our fault injection environment. I tried to analyze the related code to find the cause but am not sure, and need your help. I'm glad to provide more details if you need them.

// in  clamav/libclamav/hashtab.c: 645
645 int cli_hashset_init(struct cli_hashset *hs, size_t initial_capacity, uint8_t load_factor)
646 {

           // hs->bitmap = NULL, if out of memory
662     hs->bitmap = cli_calloc(initial_capacity >> 5, sizeof(*hs->bitmap));
663     if (!hs->bitmap) {
               // First free here
664         free(hs->keys);

667     }
668     return 0;
669 }

// in  clamav/libclamav/hashtab.c: 697
697 void cli_hashset_destroy(struct cli_hashset *hs)
698 {

700     if (hs->mempool) {

703     } else {
               // Second free here, double free.
704         free(hs->keys);
705         free(hs->bitmap);
706     }

709 }
calloc_problem: Inappropriate ioctl for device
LibClamAV Error: cli_calloc(): Can't allocate memory (8 bytes).
LibClamAV Error: hashtab.c: Unable to allocate memory for hs->bitmap
LibClamAV Error: cli_peheader: Unable to init vinfo hashset
=================================================================
==52444==ERROR: AddressSanitizer: attempting double-free on 0x61100047e900 in thread T0:
    #0 ??:?
    #1 /home/r1/clamav/clamav-0.104.1/libclamav/hashtab.c:704
    #2 /home/r1/clamav/clamav-0.104.1/libclamav/execs.c:65
    #3 /home/r1/clamav/clamav-0.104.1/libclamav/matcher.c:546
    #4 /home/r1/clamav/clamav-0.104.1/libclamav/matcher.c:1377
    #5 /home/r1/clamav/clamav-0.104.1/libclamav/scanners.c:3397
    #6 /home/r1/clamav/clamav-0.104.1/libclamav/scanners.c:4694
    #7 /home/r1/clamav/clamav-0.104.1/libclamav/scanners.c:5311
    #8 /home/r1/clamav/clamav-0.104.1/libclamav/scanners.c:5487
    #9 /home/r1/clamav/clamav-0.104.1/clamscan/manager.c:407
    #10 /home/r1/clamav/clamav-0.104.1/clamscan/manager.c:1551
    #11 /home/r1/clamav/clamav-0.104.1/clamscan/clamscan.c:171
    #12 0x7f97d584d0b2  (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #13 ??:?

0x61100047e900 is located 0 bytes inside of 256-byte region [0x61100047e900,0x61100047ea00)
freed by thread T0 here:
    #0 ??:?
    #1 /home/r1/clamav/clamav-0.104.1/libclamav/hashtab.c:664
    #2 /home/r1/clamav/clamav-0.104.1/libclamav/pe.c:5338
    #3 /home/r1/clamav/clamav-0.104.1/libclamav/pe.c:4457
    #4 /home/r1/clamav/clamav-0.104.1/libclamav/matcher.c:533
    #5 /home/r1/clamav/clamav-0.104.1/libclamav/matcher.c:1051
    #6 /home/r1/clamav/clamav-0.104.1/libclamav/scanners.c:3397
    #7 /home/r1/clamav/clamav-0.104.1/libclamav/scanners.c:4694
    #8 /home/r1/clamav/clamav-0.104.1/libclamav/scanners.c:5311
    #9 /home/r1/clamav/clamav-0.104.1/libclamav/scanners.c:5487
    #10 /home/r1/clamav/clamav-0.104.1/clamscan/manager.c:407
    #11 /home/r1/clamav/clamav-0.104.1/clamscan/manager.c:1551
    #12 /home/r1/clamav/clamav-0.104.1/clamscan/clamscan.c:171
    #13 0x7f97d584d0b2  (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

previously allocated by thread T0 here:
    #0 ??:?
    #1 /home/r1/clamav/clamav-0.104.1/libclamav/others_common.c:197
    #2 /home/r1/clamav/clamav-0.104.1/libclamav/hashtab.c:656
    #3 /home/r1/clamav/clamav-0.104.1/libclamav/pe.c:5338
    #4 /home/r1/clamav/clamav-0.104.1/libclamav/pe.c:4457
    #5 /home/r1/clamav/clamav-0.104.1/libclamav/matcher.c:533
    #6 /home/r1/clamav/clamav-0.104.1/libclamav/matcher.c:1051
    #7 /home/r1/clamav/clamav-0.104.1/libclamav/scanners.c:3397
    #8 /home/r1/clamav/clamav-0.104.1/libclamav/scanners.c:4694
    #9 /home/r1/clamav/clamav-0.104.1/libclamav/scanners.c:5311
    #10 /home/r1/clamav/clamav-0.104.1/libclamav/scanners.c:5487
    #11 /home/r1/clamav/clamav-0.104.1/clamscan/manager.c:407
    #12 /home/r1/clamav/clamav-0.104.1/clamscan/manager.c:1551
    #13 /home/r1/clamav/clamav-0.104.1/clamscan/clamscan.c:171
    #14 0x7f97d584d0b2  (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

SUMMARY: AddressSanitizer: double-free (/home/r1/clamav/install/bin/clamscan+0x495f5d) 
==52444==ABORTING
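
The ownership pattern the report describes, as an added example that is not ClamAV's code: a toy hashset whose init frees `keys` when the `bitmap` allocation fails but leaves the dangling pointer in the struct, beside a variant that nulls the pointer so a later destroy is safe. Allocation failure is injected with a counter (the same condition the reporter's fault injector produces), and a small tracking allocator counts double frees instead of letting them reach the real heap, so the two behaviours can be compared without AddressSanitizer. All names (`toy_hashset`, `tracked_calloc`, `run_scenario`, the failing-allocation index) are assumptions for the illustration; the hashtab.c line numbers above are the only real reference.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the keys/bitmap pair owned by a hashset. */
struct toy_hashset {
    uint32_t *keys;
    uint32_t *bitmap;
    size_t capacity;
};

/* Fault injection: the Nth allocation (1-based) returns NULL; 0 disables it. */
static int fail_on_alloc = 0;
static int alloc_count = 0;

/* Double-free detection: a pointer is only freed if it is currently live. */
#define MAX_TRACK 64
static void *live[MAX_TRACK];
static int double_free_count = 0;

static void *tracked_calloc(size_t n, size_t sz) {
    alloc_count++;
    if (fail_on_alloc && alloc_count == fail_on_alloc)
        return NULL;                        /* simulated out-of-memory */
    void *p = calloc(n, sz);
    for (int i = 0; p && i < MAX_TRACK; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}

static void tracked_free(void *p) {
    if (!p) return;                         /* free(NULL) is a no-op */
    for (int i = 0; i < MAX_TRACK; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_free_count++;                    /* not live: second free of p */
}

/* Mirrors the reported pattern: keys is freed on bitmap failure, but the
 * struct keeps the stale pointer, so destroy() will free it again. */
static int hashset_init_buggy(struct toy_hashset *hs, size_t cap) {
    hs->capacity = cap;
    hs->keys = tracked_calloc(cap, sizeof(*hs->keys));
    if (!hs->keys) return -1;
    hs->bitmap = tracked_calloc(cap / 32 + 1, sizeof(*hs->bitmap));
    if (!hs->bitmap) {
        tracked_free(hs->keys);             /* first free, pointer left dangling */
        return -1;
    }
    return 0;
}

/* Defensive variant (an assumption, not ClamAV's actual fix): on failure the
 * struct is handed back fully empty, making a later destroy() harmless. */
static int hashset_init_fixed(struct toy_hashset *hs, size_t cap) {
    memset(hs, 0, sizeof(*hs));
    hs->capacity = cap;
    hs->keys = tracked_calloc(cap, sizeof(*hs->keys));
    if (!hs->keys) return -1;
    hs->bitmap = tracked_calloc(cap / 32 + 1, sizeof(*hs->bitmap));
    if (!hs->bitmap) {
        tracked_free(hs->keys);
        hs->keys = NULL;                    /* no dangling owner pointer */
        return -1;
    }
    return 0;
}

/* Destroy is written to be idempotent: it nulls what it frees. */
static void hashset_destroy(struct toy_hashset *hs) {
    tracked_free(hs->keys);
    tracked_free(hs->bitmap);
    hs->keys = NULL;
    hs->bitmap = NULL;
}

/* Inject failure of the second allocation (the bitmap), then destroy the set
 * the way a caller on the error path would. Returns the double-free count. */
static int run_scenario(int (*init)(struct toy_hashset *, size_t)) {
    struct toy_hashset hs;
    memset(&hs, 0, sizeof(hs));
    alloc_count = 0;
    double_free_count = 0;
    fail_on_alloc = 2;
    (void)init(&hs, 64);
    fail_on_alloc = 0;
    hashset_destroy(&hs);
    return double_free_count;
}

int main(void) {
    printf("buggy init: %d double free(s)\n", run_scenario(hashset_init_buggy));
    printf("fixed init: %d double free(s)\n", run_scenario(hashset_init_fixed));
    return 0;
}
```

The tracker is only a teaching aid; in a real build the same pair of calls is what AddressSanitizer reports above as "attempting double-free", with the first free in init and the second in destroy. The general rule the fixed variant follows is that an init function which fails must leave the object in the same state destroy expects for an empty object, so callers need not know which partial allocations succeeded.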

n-bes commented 1 year ago

@easylyou could you explain how to inject the error?