Yeraze / ytnef

Yeraze's TNEF Stream Reader - for winmail.dat files
GNU General Public License v2.0

Double free via TNEFSubjectHandler #85

Closed jasperla closed 3 years ago

jasperla commented 3 years ago

While it seems there are many checks which ought to prevent various memory corruption situations, it seems there's a double free that can be triggered still as of ecc9d87. With ASAN and some crafted input:

=================================================================
==2678633==ERROR: AddressSanitizer: attempting double-free on 0x6020000000d0 in thread T0:
    #0 0x4991ad in free (/home/kali/ytnef/ytnef/.libs/ytnef+0x4991ad)
    #1 0x7f0741856e4c in TNEFFree /home/kali/ytnef/lib/ytnef.c:979:3
    #2 0x4c934b in main /home/kali/ytnef/ytnef/main.c:146:5
    #3 0x7f07414f9d09 in __libc_start_main csu/../csu/libc-start.c:308:16
    #4 0x41f3b9 in _start (/home/kali/ytnef/ytnef/.libs/ytnef+0x41f3b9)

0x6020000000d0 is located 0 bytes inside of 2-byte region [0x6020000000d0,0x6020000000d2)
freed by thread T0 here:
    #0 0x4991ad in free (/home/kali/ytnef/ytnef/.libs/ytnef+0x4991ad)
    #1 0x7f074184d701 in TNEFSubjectHandler /home/kali/ytnef/lib/ytnef.c:306:5
    #2 0x7f07418590fb in TNEFParseFile /home/kali/ytnef/lib/ytnef.c:1075:10
    #3 0x4c958a in main /home/kali/ytnef/ytnef/main.c:140:9
    #4 0x7f07414f9d09 in __libc_start_main csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4995a2 in calloc (/home/kali/ytnef/ytnef/.libs/ytnef+0x4995a2)
    #1 0x7f074184d740 in TNEFSubjectHandler /home/kali/ytnef/lib/ytnef.c:310:24
    #2 0x7f07418590fb in TNEFParseFile /home/kali/ytnef/lib/ytnef.c:1075:10
    #3 0x4c958a in main /home/kali/ytnef/ytnef/main.c:140:9
    #4 0x7f07414f9d09 in __libc_start_main csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: double-free (/home/kali/ytnef/ytnef/.libs/ytnef+0x4991ad) in free
==2678633==ABORTING

Manually instrumenting the code shows that indeed the same memory is freed twice:

=> TNEFSubjectHandler: freeing TNEF->subect.data (1 byte(s)) at 0x559159ed65a0
ERROR: invalid alloc size 255 at ytnef.c : 309, suspected corruption (exceeded 100 bytes)
=> TNEFFree: freeing memory at 0x559159ed65a0 of 1 byte(s)
double free or corruption (fasttop)

I have attached a minimal reproducer of this crash: doublefree.zip
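The trace above shows the subject buffer released inside TNEFSubjectHandler (ytnef.c:306) and released a second time by TNEFFree. The C below is an added illustration of that pattern, not ytnef's own code: the struct, the `MAX_SUBJECT` limit and the early-return check are assumptions consistent with the trace, and it contrasts a handler that frees the old buffer before validating the new one with an ordering that never leaves a stale pointer for the cleanup path.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_SUBJECT 64   /* constructed limit, stands in for a parser size check */

/* Hypothetical stand-in for the subject field of ytnef's TNEF struct. */
typedef struct { char *data; size_t size; } Buf;

static int free_count;   /* counts releases of the subject buffer */

static void release(Buf *b) { free(b->data); free_count++; }

/* Unsafe ordering (the shape the report's trace suggests): the old buffer is
   released before the new subject is validated, so an early return leaves
   b->data pointing at freed memory for the cleanup routine to free again. */
int subject_handler_unsafe(Buf *b, const char *src, size_t len) {
    if (b->data) release(b);
    if (len > MAX_SUBJECT) return -1;    /* b->data is now dangling */
    b->data = calloc(len + 1, 1);
    if (!b->data) return -1;             /* NULL here is harmless; the branch above is not */
    memcpy(b->data, src, len);
    b->size = len;
    return 0;
}

/* Hardened ordering: validate and allocate first, release the old buffer only
   once its replacement exists, so no path leaves a stale pointer behind. */
int subject_handler_safe(Buf *b, const char *src, size_t len) {
    if (len > MAX_SUBJECT) return -1;    /* old buffer untouched, owned exactly once */
    char *fresh = calloc(len + 1, 1);
    if (!fresh) return -1;
    memcpy(fresh, src, len);
    if (b->data) release(b);
    b->data = fresh;
    b->size = len;
    return 0;
}

/* Cleanup, like TNEFFree: frees whatever the struct still points at, then NULLs it. */
void buf_free(Buf *b) { if (b->data) release(b); b->data = NULL; b->size = 0; }

/* Feeds one handler a valid subject and then a rejected one; returns 1 if the
   rejected call left b->data pointing at memory that was already released. */
int leaves_dangling(int (*handler)(Buf *, const char *, size_t)) {
    Buf b = { NULL, 0 };
    char big[MAX_SUBJECT + 2];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    free_count = 0;
    handler(&b, "hi", 2);                               /* first subject, accepted */
    int rc = handler(&b, big, sizeof big - 1);           /* second subject, rejected */
    int dangling = (rc != 0 && free_count == 1 && b.data != NULL);
    if (dangling) b.data = NULL;   /* do not repeat the crash inside this demo */
    buf_free(&b);
    return dangling;
}
```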

carnil commented 3 years ago

This issue appears to have been assigned CVE-2021-3403