haampie / libtree

ldd as a tree
MIT License
2.63k stars 60 forks

Segfaults when using many command-line arguments #54

Closed orbea closed 2 years ago

orbea commented 2 years ago

libtree: https://github.com/haampie/libtree/commit/7f7a39f5399142a5c91b05d637a593f7d8eb2009

Reading symbols from ./libtree...
(gdb) r /usr/lib64/jollygood/*
Starting program: /media/gittings/forks/libtree/libtree /usr/lib64/jollygood/*
/usr/lib64/jollygood/bsnes.so 
/usr/lib64/jollygood/cega.so 
/usr/lib64/jollygood/gambatte.so 
/usr/lib64/jollygood/genplus.so 
/usr/lib64/jollygood/jollycv.so 
/usr/lib64/jollygood/mednafen.so 
├── libz.so.1 [ld.so.conf]
├── libFLAC.so.8 [ld.so.conf]
│   └── libogg.so.0 [ld.so.conf]
└── libzstd.so.1 [ld.so.conf]
/usr/lib64/jollygood/mesens.so 
/usr/lib64/jollygood/mgba.so 
/usr/lib64/jollygood/nestopia.so 
/usr/lib64/jollygood/picodrive.so 
/usr/lib64/jollygood/prosystem.so 
/usr/lib64/jollygood/sameboy.so 
free(): invalid size

Program received signal SIGABRT, Aborted.
0x00007ffff7e02848 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7e02848 in raise () from /lib64/libc.so.6
#1  0x00007ffff7de9526 in abort () from /lib64/libc.so.6
#2  0x00007ffff7e48248 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff7e5066a in malloc_printerr () from /lib64/libc.so.6
#4  0x00007ffff7e5207c in _int_free () from /lib64/libc.so.6
#5  0x00007ffff7e55ce4 in free () from /lib64/libc.so.6
#6  0x00007ffff7e3d83f in fclose@@GLIBC_2.2.5 () from /lib64/libc.so.6
#7  0x0000000000402c2b in recurse (
    current_file=0x7fffffffe62a "/usr/lib64/jollygood/vecx.so", depth=0, s=0x7fffffffde78, 
    parent_bits=EITHER, reason=...) at libtree.c:1154
#8  0x00000000004019e3 in print_tree (pathc=13, pathv=0x7fffffffe120, s=0x7fffffffde78)
    at libtree.c:1460
#9  0x0000000000401945 in main (argc=14, argv=0x7fffffffe120) at libtree.c:1625

Running the library on its own does not produce a segfault.

$ ./libtree /usr/lib64/jollygood/vecx.so
/usr/lib64/jollygood/vecx.so

Although I don't think it's related, for reference the libraries are from this project.

https://gitlab.com/jgemu

haampie commented 2 years ago

Can you run with -fsanitize=address?

orbea commented 2 years ago

$ ./libtree /usr/lib64/jollygood/*
/usr/lib64/jollygood/bsnes.so 
/usr/lib64/jollygood/cega.so 
/usr/lib64/jollygood/gambatte.so 
/usr/lib64/jollygood/genplus.so 
/usr/lib64/jollygood/jollycv.so 
/usr/lib64/jollygood/mednafen.so 
├── libz.so.1 [ld.so.conf]
├── libFLAC.so.8 [ld.so.conf]
│   └── libogg.so.0 [ld.so.conf]
└── libzstd.so.1 [ld.so.conf]
/usr/lib64/jollygood/mesens.so 
/usr/lib64/jollygood/mgba.so 
/usr/lib64/jollygood/nestopia.so 
/usr/lib64/jollygood/picodrive.so 
/usr/lib64/jollygood/prosystem.so 
/usr/lib64/jollygood/sameboy.so 
=================================================================
==23028==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000140 at pc 0x0000004d3763 bp 0x7ffd378c02f0 sp 0x7ffd378c02e8
WRITE of size 8 at 0x611000000140 thread T0
    #0 0x4d3762 in visited_files_append /tmp/libtree/libtree.c:765:33
    #1 0x4ce48e in recurse /tmp/libtree/libtree.c:917:9
    #2 0x4cc86c in print_tree /tmp/libtree/libtree.c:1460:22
    #3 0x4cc4b3 in main /tmp/libtree/libtree.c:1625:12
    #4 0x7f16910e401c in __libc_start_main (/lib64/libc.so.6+0x2401c)
    #5 0x41f369 in _start /tmp/glibc-2.33/csu/../sysdeps/x86_64/start.S:120

0x611000000140 is located 0 bytes to the right of 256-byte region [0x611000000040,0x611000000140)
allocated by thread T0 here:
    #0 0x49a6fd in malloc /tmp/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x4cca90 in libtree_state_init /tmp/libtree/libtree.c:1441:22
    #2 0x4cc6de in print_tree /tmp/libtree/libtree.c:1451:5
    #3 0x4cc4b3 in main /tmp/libtree/libtree.c:1625:12
    #4 0x7f16910e401c in __libc_start_main (/lib64/libc.so.6+0x2401c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/libtree/libtree.c:765:33 in visited_files_append
==23028==ABORTING

haampie commented 2 years ago

Oof, it's missing sizeof(...) in the realloc. I was joking that I should make -fsanitize=address an actual production-level flag so nobody could blame me, telling me I should have used Rust :laughing:.
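
The bug class the maintainer names, as an added illustration that is not libtree's code: a growable array whose realloc is sized by element count instead of element count times sizeof(element), beside an append that sizes the buffer correctly and refuses a capacity whose byte size would overflow size_t. The struct and function names here are assumed, not libtree's.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical list of visited file names (not libtree's own type). */
struct visited_files { char **names; size_t n, cap; };

/* What a realloc missing sizeof(...) asks for: the element count is used as
 * the byte count, so with 8-byte pointers the buffer is 8x too small and the
 * first append past (cap / 8) elements writes past the end of the region. */
size_t buggy_grow_bytes(size_t new_cap) { return new_cap; }

/* Correct byte count; returns 0 when new_cap * sizeof(char *) would wrap,
 * so the caller can refuse to grow instead of allocating a tiny buffer. */
size_t checked_grow_bytes(size_t new_cap) {
    if (new_cap > SIZE_MAX / sizeof(char *)) return 0;
    return new_cap * sizeof(char *);
}

static char *dup_string(const char *s) {
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy) memcpy(copy, s, len);
    return copy;
}

/* Append a copy of name, doubling capacity with a correctly sized realloc.
 * Returns 0 on success, -1 on allocation failure (list left unchanged). */
int visited_files_append(struct visited_files *v, const char *name) {
    if (v->n == v->cap) {
        size_t new_cap = v->cap ? v->cap * 2 : 4;
        size_t bytes = checked_grow_bytes(new_cap);
        if (bytes == 0) return -1;
        char **p = realloc(v->names, bytes);   /* bytes, not new_cap */
        if (!p) return -1;
        v->names = p;
        v->cap = new_cap;
    }
    char *copy = dup_string(name);
    if (!copy) return -1;
    v->names[v->n++] = copy;
    return 0;
}

void visited_files_free(struct visited_files *v) {
    for (size_t i = 0; i < v->n; i++) free(v->names[i]);
    free(v->names);
    v->names = NULL;
    v->n = v->cap = 0;
}
```

Building with -fsanitize=address, as suggested above, is what turns the silent overflow of the buggy sizing into the immediate heap-buffer-overflow report seen in this thread.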

haampie commented 2 years ago

Can you try again on the master branch? I've pushed a fix. Edit: seems there's still an issue...

haampie commented 2 years ago

Another fix was pushed, now it should work ;)

orbea commented 2 years ago

All good now with commit ced2987f07dba9e3890a2c0e17f1229b9c207984.

$ ./libtree /usr/lib64/jollygood/*
/usr/lib64/jollygood/bsnes.so 
/usr/lib64/jollygood/cega.so 
/usr/lib64/jollygood/gambatte.so 
/usr/lib64/jollygood/genplus.so 
/usr/lib64/jollygood/jollycv.so 
/usr/lib64/jollygood/mednafen.so 
├── libz.so.1 [ld.so.conf]
├── libFLAC.so.8 [ld.so.conf]
│   └── libogg.so.0 [ld.so.conf]
└── libzstd.so.1 [ld.so.conf]
/usr/lib64/jollygood/mesens.so 
/usr/lib64/jollygood/mgba.so 
/usr/lib64/jollygood/nestopia.so 
/usr/lib64/jollygood/picodrive.so 
/usr/lib64/jollygood/prosystem.so 
/usr/lib64/jollygood/sameboy.so 
/usr/lib64/jollygood/vecx.so

Thanks!