LibVNC / libvncserver

LibVNCServer/LibVNCClient are cross-platform C libraries that allow you to easily implement VNC server or client functionality in your program.
GNU General Public License v2.0

rfbRegisterProtocolExtension() function will trigger the heap-use-after-free defects #566

Closed Dabiaoge6 closed 1 year ago

Dabiaoge6 commented 1 year ago

testcase:

/* EASYFUZZ and fuzzInt32 come from the reporter's fuzzing framework; the body is called in a loop (easyloop). */
EASYFUZZ(QeEmLbyx){
    rfbProtocolExtension * extension_sKWcnQYh = (rfbProtocolExtension *)calloc(1, sizeof(rfbProtocolExtension));
    extension_sKWcnQYh->pseudoEncodings = (int *) fuzzInt32(0);

    rfbRegisterProtocolExtension(extension_sKWcnQYh);   /* library keeps the pointer */

    free(extension_sKWcnQYh);                            /* freed while still registered */
}

Crashlog:

==2856==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000140 at pc 0x7f73ecd57669 bp 0x7ffeae7787d0 sp 0x7ffeae7787c0 READ of size 8 at 0x607000000140 thread T0

#0 0x7f73ecd57668 in rfbRegisterProtocolExtension /cloud_proj/pr1679995373267xbruewtfxojxvgnl/libvncserver/main.c:94

#1 0x55b77f53a6ca in easyloop /dockerin/test_file.c:40
#2 0x55b77f53a40b in main /opt1/software/betafuzz/srap/wrapentry.c:108
#3 0x7f73eca6fd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
#4 0x7f73eca6fe3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
#5 0x55b77f53a464 in _start (/dockerin/clouditera+0x1464)

0x607000000140 is located 64 bytes inside of 72-byte region [0x607000000100,0x607000000148) freed by thread T0 here:

#0 0x7f73ecf41517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127

#1 0x55b77f53a6d9 in easyloop /dockerin/test_file.c:44
#2 0x55b77f53a40b in main /opt1/software/betafuzz/srap/wrapentry.c:108

previously allocated by thread T0 here:

#0 0x7f73ecf41a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154

#1 0x55b77f53a672 in easyloop /dockerin/test_file.c:18
#2 0x55b77f53a40b in main /opt1/software/betafuzz/srap/wrapentry.c:108

SUMMARY: AddressSanitizer: heap-use-after-free /cloud_proj/pr1679995373267xbruewtfxojxvgnl/libvncserver/main.c:94 in rfbRegisterProtocolExtension

bk138 commented 1 year ago

@Dabiaoge6 how to reproduce this step by step? Please post the framework you were using and the complete source of wrapentry.c.

bk138 commented 1 year ago

Tentatively closing as there's no way to repro. Please post new info here once available.
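The report's 8-byte read at offset 64 inside the 72-byte extension is consistent with the registry walking a `next` link stored in the caller's own struct, which is how LibVNCServer's rfbRegisterProtocolExtension chains extensions (rfbUnregisterProtocolExtension unlinks them). The model below is an added example, not LibVNCServer's code or the reporter's harness; the names `reg_register`, `reg_unregister`, `reg_count` and `demo_safe_lifecycle` are hypothetical and only illustrate the ownership rule the test case violates: a registered struct must stay allocated until it is unregistered.

```c
/* Model of an intrusive extension registry (added example, not LibVNCServer's
 * code). The registry does not copy the caller's struct: it links structs
 * through their own `next` field, so the caller owns the memory but must not
 * free it while it is still linked in. */
#include <stddef.h>
#include <stdlib.h>

typedef struct extension {
    int *pseudoEncodings;       /* stands in for the real callback fields */
    struct extension *next;     /* used by the registry while registered */
} extension;

static extension *head = NULL;

/* Register by linking the caller's struct in; duplicates are ignored. */
void reg_register(extension *e) {
    if (e == NULL) return;
    for (extension *p = head; p != NULL; p = p->next)  /* reads p->next: UAF if p was freed */
        if (p == e) return;
    e->next = head;
    head = e;
}

/* Unlink before the caller frees; returns 1 if e was registered, else 0. */
int reg_unregister(extension *e) {
    for (extension **pp = &head; *pp != NULL; pp = &(*pp)->next)
        if (*pp == e) { *pp = e->next; e->next = NULL; return 1; }
    return 0;
}

size_t reg_count(void) {
    size_t n = 0;
    for (extension *p = head; p != NULL; p = p->next) n++;
    return n;
}

/* Correct lifecycle, repeated as a fuzz loop would: allocate, register,
 * unregister, free. The reported harness skipped the unregister step, so the
 * next iteration's duplicate scan read `next` out of freed memory. */
size_t demo_safe_lifecycle(int rounds) {
    for (int i = 0; i < rounds; i++) {
        extension *e = calloc(1, sizeof *e);
        if (e == NULL) return (size_t)-1;
        reg_register(e);
        reg_unregister(e);      /* without this line, free() leaves a dangling link */
        free(e);
    }
    return reg_count();         /* 0: nothing left pointing at freed memory */
}
```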