Closed nbars closed 5 years ago
I'm unable to reproduce this with valgrind. Which options did you use for compilation?
BTW, of course we are interested in solving this bug, but calling it an exploitable vulnerability is a bit of a stretch.. We are not getting a CVE report for this for sure.
It seems like something went wrong while minimizing this test case.
This test case only crashes if z3
is compiled with afl-clang-fast
.
LDFLAGS='-ldl -lgomp' CPPFLAGS="-g -DDEBUG" CXX=afl-clang-fast++ ./configure
Here is the not minimized test case: bug01.zip
Compiling:
LDFLAGS='-ldl -lgomp' CPPFLAGS="-g -DDEBUG" CXX=clang ./configure
Valgrind output:
./valgrind z3 bug01
==4176== Memcheck, a memory error detector
==4176== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4176== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==4176== Command: ./z3 /tmp/bug01
==4176==
==4176== Use of uninitialised value of size 8
==4176== at 0x11925C7: sexpr::display(std::ostream&) const (sexpr.cpp:204)
==4176== by 0x26452E: sexpr_cmd::set_next_arg(cmd_context&, sexpr*) (dbg_cmds.cpp:245)
==4176== by 0xAC3D53: smt2::parser::parse_next_cmd_arg() (smt2parser.cpp:2879)
==4176== by 0xAC476B: smt2::parser::parse_ext_cmd(int, int) (smt2parser.cpp:2937)
==4176== by 0xAC6172: parse_cmd (smt2parser.cpp:3026)
==4176== by 0xAC6172: smt2::parser::operator()() (smt2parser.cpp:3138)
==4176== by 0xAB330F: parse_smt2_commands(cmd_context&, std::istream&, bool, params_ref const&, char const*) (smt2parser.cpp:3187)
==4176== by 0x25557B: read_smtlib2_commands(char const*) (smtlib_frontend.cpp:95)
==4176== by 0x237598: main (main.cpp:353)
==4176==
==4176== Invalid read of size 4
==4176== at 0x11925C7: sexpr::display(std::ostream&) const (sexpr.cpp:204)
==4176== by 0x26452E: sexpr_cmd::set_next_arg(cmd_context&, sexpr*) (dbg_cmds.cpp:245)
==4176== by 0xAC3D53: smt2::parser::parse_next_cmd_arg() (smt2parser.cpp:2879)
==4176== by 0xAC476B: smt2::parser::parse_ext_cmd(int, int) (smt2parser.cpp:2937)
==4176== by 0xAC6172: parse_cmd (smt2parser.cpp:3026)
==4176== by 0xAC6172: smt2::parser::operator()() (smt2parser.cpp:3138)
==4176== by 0xAB330F: parse_smt2_commands(cmd_context&, std::istream&, bool, params_ref const&, char const*) (smt2parser.cpp:3187)
==4176== by 0x25557B: read_smtlib2_commands(char const*) (smtlib_frontend.cpp:95)
==4176== by 0x237598: main (main.cpp:353)
==4176== Address 0x100000001 is not stack'd, malloc'd or (recently) free'd
==4176==
==4176==
==4176== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==4176== Access not within mapped region at address 0x100000001
==4176== at 0x11925C7: sexpr::display(std::ostream&) const (sexpr.cpp:204)
==4176== by 0x26452E: sexpr_cmd::set_next_arg(cmd_context&, sexpr*) (dbg_cmds.cpp:245)
==4176== by 0xAC3D53: smt2::parser::parse_next_cmd_arg() (smt2parser.cpp:2879)
==4176== by 0xAC476B: smt2::parser::parse_ext_cmd(int, int) (smt2parser.cpp:2937)
==4176== by 0xAC6172: parse_cmd (smt2parser.cpp:3026)
==4176== by 0xAC6172: smt2::parser::operator()() (smt2parser.cpp:3138)
==4176== by 0xAB330F: parse_smt2_commands(cmd_context&, std::istream&, bool, params_ref const&, char const*) (smt2parser.cpp:3187)
==4176== by 0x25557B: read_smtlib2_commands(char const*) (smtlib_frontend.cpp:95)
==4176== by 0x237598: main (main.cpp:353)
==4176== If you believe this happened as a result of a stack
==4176== overflow in your program's main thread (unlikely but
==4176== possible), you can try to increase the size of the
==4176== main thread stack using the --main-stacksize= flag.
==4176== The main thread stack size used in this run was 8388608.
==4176==
==4176== HEAP SUMMARY:
==4176== in use at exit: 2,942,347 bytes in 10,825 blocks
==4176== total heap usage: 34,454 allocs, 23,629 frees, 10,591,095 bytes allocated
==4176==
==4176== LEAK SUMMARY:
==4176== definitely lost: 0 bytes in 0 blocks
==4176== indirectly lost: 0 bytes in 0 blocks
==4176== possibly lost: 2,912,587 bytes in 10,801 blocks
==4176== still reachable: 29,760 bytes in 24 blocks
==4176== suppressed: 0 bytes in 0 blocks
==4176== Rerun with --leak-check=full to see details of leaked memory
==4176==
==4176== For counts of detected and suppressed errors, rerun with: -v
==4176== Use --track-origins=yes to see where uninitialised values come from
==4176== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
the zip file looks like junk (corrupted). It does not exercise the code mentioned in the trace. Furthermore, looks like stack overflow.
Version: Z3 version 4.8.3
Description: Z3 suffers from a double-free vulnerability, that might be abused to hijack the control flow by exploiting the heap allocator.
Steps to reproduce (payload is attached): z3 [payload]
ASAN-Report
Payload: bug.zip
Credits: Tim Blazytko Cornelius Aschermann Sergej Schumilo Nils Bars