corellium / usbfluxd

Redirects the standard usbmuxd socket to allow connections to local and remote usbmuxd instances so remote devices appear connected locally.
GNU General Public License v2.0

UAF in client_close #8

Open meme opened 3 years ago

meme commented 3 years ago

Looks like, due to improper bookkeeping, client_close is called twice for the same client, which has already been freed, leading to a UAF.

ASan:

==33430==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000007a0
at pc 0x55d4554839b3 bp 0x7ffe3219c350 sp 0x7ffe3219c340
READ of size 4 at 0x6080000007a0 thread T0
    #0 0x55d4554839b2 in client_close /usbfluxd/usbfluxd/client.c:238
    #1 0x55d455485059 in client_notify_remote_close /usbfluxd/usbfluxd/client.c:390
    #2 0x55d4554922d8 in usbmux_remote_dispose /usbfluxd/usbfluxd/usbmux_remote.c:914
    #3 0x55d45549113a in remote_mark_dead /usbfluxd/usbfluxd/usbmux_remote.c:552
    #4 0x55d45549253d in usbmux_remote_mark_dead /usbfluxd/usbfluxd/usbmux_remote.c:933
    #5 0x55d4554956c2 in remote_process_recv /usbfluxd/usbfluxd/usbmux_remote.c:1231
    #6 0x55d4554967b6 in usbmux_remote_process /usbfluxd/usbfluxd/usbmux_remote.c:1343
    #7 0x55d455499526 in main_loop /usbfluxd/usbfluxd/main.c:159
    #8 0x55d45549a870 in main /usbfluxd/usbfluxd/main.c:477
    #9 0x7f3ed253bb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #10 0x55d45548295d in _start (/usr/local/sbin/usbfluxd+0xa95d)
0x6080000007a0 is located 0 bytes inside of 96-byte region [0x6080000007a0,0x608000000800)
freed by thread T0 here:
    #0 0x7f3ed2932f19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x55d455483c29 in client_close /usbfluxd/usbfluxd/client.c:254
    #2 0x55d45548b19d in client_process /usbfluxd/usbfluxd/client.c:1019
    #3 0x55d4554993cf in main_loop /usbfluxd/usbfluxd/main.c:156
    #4 0x55d45549a870 in main /usbfluxd/usbfluxd/main.c:477
    #5 0x7f3ed253bb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
previously allocated by thread T0 here:
    #0 0x7f3ed2933279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55d45548334c in client_accept /usbfluxd/usbfluxd/client.c:199
    #2 0x55d455499242 in main_loop /usbfluxd/usbfluxd/main.c:149
    #3 0x55d45549a870 in main /usbfluxd/usbfluxd/main.c:477
    #4 0x7f3ed253bb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
SUMMARY: AddressSanitizer: heap-use-after-free /usbfluxd/usbfluxd/client.c:238 in client_close
Shadow bytes around the buggy address:
  0x0c107fff80a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff80b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff80c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff80d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff80e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff80f0: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8100: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8110: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8120: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8130: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8140: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==33430==ABORTING
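The trace above shows client_close running first from the local socket path (client_process) and then again from the remote teardown path (usbmux_remote_dispose) on a client that was already freed, because some structure still held a pointer to it. As an added illustration that is not usbfluxd's code (the struct layout and names such as remote_detach_client, client_unlink and remote_dispose are hypothetical), the following miniature model shows the bookkeeping rule that prevents this: every structure that references a client is updated before free(), and client_close refuses any pointer that is not in the live registry instead of dereferencing it.

```c
/* Added example, not usbfluxd's code: a miniature client/remote model
 * showing teardown order that prevents a second client_close on freed
 * memory. All names and structures here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_SUBS 8

struct remote;

struct client {
    int fd;
    struct remote *remote;   /* remote this client is bound to, or NULL */
    struct client *next;     /* link in the global client list */
};

struct remote {
    int id;
    struct client *subs[MAX_SUBS]; /* clients to close when the remote dies */
    int nsubs;
};

static struct client *clients;   /* registry: every live client, nothing else */
static int rejected_closes;      /* closes refused because the pointer was not live */

static struct client *client_accept(int fd)
{
    struct client *c = calloc(1, sizeof *c);
    if (!c)
        return NULL;
    c->fd = fd;
    c->next = clients;
    clients = c;
    return c;
}

static int client_bind_remote(struct client *c, struct remote *r)
{
    if (r->nsubs >= MAX_SUBS)
        return -1;
    r->subs[r->nsubs++] = c;
    c->remote = r;
    return 0;
}

/* Drop c from the remote's subscriber array (pointer comparison only). */
static void remote_detach_client(struct remote *r, const struct client *c)
{
    for (int i = 0; i < r->nsubs; i++) {
        if (r->subs[i] == c) {
            r->subs[i] = r->subs[--r->nsubs];
            return;
        }
    }
}

/* Unlink c from the registry; returns 1 if it was a live client. */
static int client_unlink(const struct client *c)
{
    for (struct client **pp = &clients; *pp; pp = &(*pp)->next) {
        if (*pp == c) {
            *pp = (*pp)->next;
            return 1;
        }
    }
    return 0;
}

/* Tear a client down exactly once. The registry check happens before any
 * dereference, so a stale or foreign pointer is rejected rather than used. */
static int client_close(struct client *c)
{
    if (!client_unlink(c)) {
        rejected_closes++;
        return -1;
    }
    if (c->remote)   /* the bookkeeping step: no list may keep a pointer to freed memory */
        remote_detach_client(c->remote, c);
    free(c);
    return 0;
}

/* Remote died: close every subscriber. client_close shrinks subs[] itself. */
static int remote_dispose(struct remote *r)
{
    int closed = 0;
    while (r->nsubs > 0) {
        if (client_close(r->subs[r->nsubs - 1]) == 0)
            closed++;
        else
            r->nsubs--;   /* defensive: drop a stale entry without touching it */
    }
    return closed;
}

/* The sequence from the report: local close first, then the remote is marked dead. */
static int scenario_local_close_then_remote_dead(void)
{
    struct remote r = { .id = 1 };
    struct client *a = client_accept(10);
    struct client *b = client_accept(11);
    client_bind_remote(a, &r);
    client_bind_remote(b, &r);
    client_close(a);               /* client_process path: local socket hung up */
    return remote_dispose(&r);     /* closes only b, never touches a again */
}

static int closing_unregistered_pointer_is_rejected(void)
{
    struct client stale = {0};     /* valid memory that was never accepted */
    return client_close(&stale);
}

static int rejected_close_count(void) { return rejected_closes; }

int main(void)
{
    printf("remote_dispose closed %d client(s)\n", scenario_local_close_then_remote_dead());
    printf("close of unregistered pointer returned %d\n", closing_unregistered_pointer_is_rejected());
    return 0;
}
```

The point of the model is ordering, not the data structures: the local-close path detaches the client from the remote before freeing it, so the later dispose path has nothing left to close. The registry guard in client_close is defence in depth; with correct bookkeeping it should never fire, and a non-zero rejected count in a real daemon would be the signal to look for the missing detach.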
sbingner commented 1 year ago

This should now be fixed in master - if you can verify