Closed bsbontchev closed 1 year ago
This was fixed in https://github.com/abedra/libvault/commit/428dca23384220ef7ebf863892de699ef239bc9d. It looks like I didn't cut another release, so i'll get 0.53.0 out but you can use the master
branch in the mean time
Thanks. I will. Can you fix the others before making a release as they are security related?
Environment: Rocky 8, curl 7.61.1, libvault-0.52.0, Vault v1.8.2 Issue: After executing a VAULT request the libvault crashes due to memory corruption.
libvault.tar.gz When executing the attached program it crashes:
With out ASAN:
Connecting to : 127.0.0.1:8222
Trying 127.0.0.1...
TCP_NODELAY set
Connected to 127.0.0.1 (127.0.0.1) port 8222 (#0)
GET /v1/sys/seal-status HTTP/1.1 Host: 127.0.0.1:8222 Accept: / X-Vault-Token: token Content-Type: application/json
< HTTP/1.1 200 OK < Cache-Control: no-store < Content-Type: application/json < Date: Tue, 11 Apr 2023 18:45:43 GMT < Content-Length: 168 <
Connection #0 to host 127.0.0.1 left intact response : {"type":"shamir","initialized":false,"sealed":true,"t":0,"n":0,"progress":0,"nonce":"","version":"1.8.2","migration":false,"recovery_seal":false,"storage_type":"file"}
malloc(): unsorted double linked list corrupted Aborted (core dumped)
With ASAN:
Connecting to : 127.0.0.1:8222
Trying 127.0.0.1...
TCP_NODELAY set
Connected to 127.0.0.1 (127.0.0.1) port 8222 (#0)
GET /v1/sys/seal-status HTTP/1.1 Host: 127.0.0.1:8222 Accept: / X-Vault-Token: token Content-Type: application/json
< HTTP/1.1 200 OK < Cache-Control: no-store < Content-Type: application/json < Date: Tue, 11 Apr 2023 18:53:41 GMT < Content-Length: 168 <
Connection #0 to host 127.0.0.1 left intact
==2255562==ERROR: AddressSanitizer: attempting double-free on 0x604000000710 in thread T0:
0 0x7ff20de717e0 in __interceptor_free (/lib64/libasan.so.5+0xef7e0)
1 0x7ff20d1fbb69 (/lib64/libcurl.so.4+0x22b69)
2 0x7ff20d1fbe1e (/lib64/libcurl.so.4+0x22e1e)
3 0x7ff20d20a2e0 in curl_easy_cleanup (/lib64/libcurl.so.4+0x312e0)
4 0x7ff20cf5c48a in Vault::HttpClient::CurlWrapper::~CurlWrapper() (libvault.so.0+0x12248a)
5 0x7ff20cf5917f in Vault::HttpClient::executeRequest(Vault::Tiny<Vault::UrlDetail, std::cxx11::basic_string<char, std::char_traits, std::allocator > > const&, Vault::Tiny<Vault::TokenDetail, std:: cxx11::basic_string<char, std::char_traits, std::allocator > > const&, Vault::Tiny<Vault::NamespaceDetail, std::cxx11::basic_string<char, std::char_traits, std::allocator > > const&, std::function<void (void)> const&, std::function<curl_slist (curl_slist*)> const&, std::function<void (std:: cxx11::basic_string<char, std::char_traits, std::allocator >)> const&) const (libvault.so.0+0x11f17f)
6 0x7ff20cf585b5 in Vault::HttpClient::get(Vault::Tiny<Vault::UrlDetail, std::cxx11::basic_string<char, std::char_traits, std::allocator > > const&, Vault::Tiny<Vault::TokenDetail, std:: cxx11::basic_string<char, std::char_traits, std::allocator > > const&, Vault::Tiny<Vault::NamespaceDetail, std::__cxx11::basic_string<char, std::char_traits, std::allocator > > const&) const (libvault.so.0+0x11e5b5)
7 0x7ff20cf5d42c in Vault::HttpConsumer::get(Vault::Client const&, Vault::Tiny<Vault::UrlDetail, std::__cxx11::basic_string<char, std::char_traits, std::allocator > > const&) (libvault.so.0+0x12342c)
8 0x7ff20cf734a3 in Vault::Sys::sealStatusabi:cxx11%20AND%20statusCategory%20in%20(%22To%20Do%22%2C%20%22In%20Progress%22)%20AND%20status%20IN%20(%22Open%22%2C%22In%20Development%22)%20ORDER%20BY%20created%20DESC) (libvault.so.0+0x1394a3)
9 0x41d76f in SecureStorage::status() src/securestorage.cpp:67
10 0x41d345 in SecureStorage::connect() src/securestorage.cpp:42
11 0x41f30e in main src/securestorage.cpp:150
12 0x7ff20c897cf2 in __libc_start_main (/lib64/libc.so.6+0x3acf2)
13 0x41c85d in _start (/root/bbontchev/test/vault/test+0x41c85d)
0x604000000710 is located 0 bytes inside of 41-byte region [0x604000000710,0x604000000739) freed by thread T0 here:
0 0x7ff20de74688 in operator delete(void*) (/lib64/libasan.so.5+0xf2688)
previously allocated by thread T0 here:
0 0x7ff20ddbdda0 in strdup (/lib64/libasan.so.5+0x3bda0)
SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.5+0xef7e0) in __interceptor_free ==2255562==ABORTING Aborted (core dumped)
Most probably the issue is due to the following code: std::string url; curl_easygetinfo(curl, CURLINFO_EFFECTIVE_URL, &url);