libimobiledevice / libplist

A library to handle Apple Property List format in binary or XML
https://libimobiledevice.org
GNU Lesser General Public License v2.1

Memory allocation error #99

Closed zhunki closed 7 years ago

zhunki commented 7 years ago
==8466== ERROR: AddressSanitizer failed to allocate 0x7eff3000 (2130653184) bytes of LargeMmapAllocator: Cannot allocate memory
==8466== Process memory map follows:
==8466== End of process memory map.
==8466== AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:70 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0xb619a4b2 (/usr/lib/i386-linux-gnu/libasan.so.0+0x124b2)
    #1 0xb61a30dc (/usr/lib/i386-linux-gnu/libasan.so.0+0x1b0dc)
    #2 0xb61a6093 (/usr/lib/i386-linux-gnu/libasan.so.0+0x1e093)
    #3 0xb61902ed (/usr/lib/i386-linux-gnu/libasan.so.0+0x82ed)
    #4 0xb619e88b (/usr/lib/i386-linux-gnu/libasan.so.0+0x1688b)
    #5 0x80621a3 in parse_data_node /home/b/asan/libplist/src/bplist.c:408
    #6 0x80621a3 in parse_bin_node /home/b/asan/libplist/src/bplist.c:661
    #7 0x80621a3 in parse_bin_node_at_index /home/b/asan/libplist/src/bplist.c:759
    #8 0x8063780 in parse_dict_node /home/b/asan/libplist/src/bplist.c:461
    #9 0x8063780 in parse_bin_node /home/b/asan/libplist/src/bplist.c:701
    #10 0x8063780 in parse_bin_node_at_index /home/b/asan/libplist/src/bplist.c:759
    #11 0x8069760 in plist_from_bin /home/b/asan/libplist/src/bplist.c:853
    #12 0x804a324 in main /home/b/asan/libplist/tools/plistutil.c:150
    #13 0xb5fd6a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #14 0x804af35 in _start (/home/b/asan/libplist/tools/plistutil+0x804af35)

poc.txt

carnil commented 7 years ago

This is CVE-2017-6440

nikias commented 7 years ago

Should be fixed with https://github.com/libimobiledevice/libplist/commit/dccd9290745345896e3a4a73154576a599fd8b7b