Hi Team, there is a heap use-after-free in iec61850_9_2_LE_example.c.
=================================================================================
Starting server failed! Exit.
==28640==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e00000de88 at pc 0x000000470531 bp 0x7f367befedc0 sp 0x7f367befedb0
READ of size 8 at 0x60e00000de88 thread T1
#0 0x470530 in getState /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_server/iso_server.c:115
#1 0x4714ec in IsoServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_server/iso_server.c:645
#2 0x47ac25 in MmsServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_mms/server/mms_server.c:461
#3 0x42aeca in IedServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/iec61850/server/impl/ied_server.c:668
#4 0x42a979 in singleThreadedServerThread /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/iec61850/server/impl/ied_server.c:566
#5 0x511398 in destroyAutomaticThread /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/hal/thread/linux/thread_linux.c:90
#6 0x7f367f0cb6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#7 0x7f367eaf841c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
0x60e00000de88 is located 8 bytes inside of 152-byte region [0x60e00000de80,0x60e00000df18)
freed by thread T0 here:
#0 0x7f367f3792ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x511d88 in Memory_free /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/hal/memory/lib_memory.c:82
#2 0x471a0e in IsoServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_server/iso_server.c:817
#3 0x47a2b5 in MmsServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_mms/server/mms_server.c:296
#4 0x42a5f8 in IedServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/iec61850/server/impl/ied_server.c:505
#5 0x416b3a in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/examples/iec61850_9_2_LE_example/iec61850_9_2_LE_example.c:126
#6 0x7f367ea1182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7f367f37979a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x511d21 in Memory_calloc /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/hal/memory/lib_memory.c:59
#2 0x470f6d in IsoServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_server/iso_server.c:510
#3 0x479396 in MmsServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_mms/server/mms_server.c:55
#4 0x429f5c in IedServer_createWithConfig /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/iec61850/server/impl/ied_server.c:434
#5 0x42a53b in IedServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/iec61850/server/impl/ied_server.c:483
#6 0x416afc in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/examples/iec61850_9_2_LE_example/iec61850_9_2_LE_example.c:119
#7 0x7f367ea1182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Thread T1 created by T0 here:
#0 0x7f367f317253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x511421 in Thread_start /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/hal/thread/linux/thread_linux.c:101
#2 0x42ab0d in IedServer_start /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/iec61850/server/impl/ied_server.c:595
#3 0x416b11 in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/examples/iec61850_9_2_LE_example/iec61850_9_2_LE_example.c:122
#4 0x7f367ea1182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-use-after-free /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_server/iso_server.c:115 getState
Shadow bytes around the buggy address:
0x0c1c7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1c7fff9bd0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1c7fff9be0: fd fd fd fa fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1c7fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c1c7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==28640==ABORTING
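The report above shows a lifecycle ordering problem rather than a parsing bug: thread T0 (main) frees the IsoServer object inside IedServer_destroy after "Starting server failed!", while thread T1 (created by IedServer_start) is still polling that same object in getState. The following is an added, constructed C analogue of that ordering, not libiec61850 code; the Server type and the server_* functions are hypothetical names. It places the buggy teardown (free while the worker may still read the object) beside the fixed one (signal stop, join the worker, then free), and the runnable path uses only the fixed order.

```c
/* Constructed example, not libiec61850 code. Names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

enum { SRV_IDLE, SRV_RUNNING, SRV_STOPPED };

typedef struct {
    atomic_int state;       /* set by the owning thread, polled by the worker */
    atomic_long polls;      /* number of times the worker has read the state */
    pthread_t thread;
    int thread_started;
} Server;

static void short_sleep(void)
{
    struct timespec ts = { 0, 1000000 };   /* 1 ms */
    nanosleep(&ts, NULL);
}

/* Worker thread: the analogue of a server thread looping on getState().
 * Every iteration dereferences s, so s must outlive this thread. */
static void *worker(void *arg)
{
    Server *s = arg;
    while (atomic_load(&s->state) == SRV_RUNNING) {
        atomic_fetch_add(&s->polls, 1);
        short_sleep();
    }
    return NULL;
}

Server *server_create(void)
{
    Server *s = calloc(1, sizeof *s);
    if (s != NULL)
        atomic_store(&s->state, SRV_IDLE);
    return s;
}

int server_start(Server *s)
{
    atomic_store(&s->state, SRV_RUNNING);
    if (pthread_create(&s->thread, NULL, worker, s) != 0) {
        atomic_store(&s->state, SRV_STOPPED);
        return -1;
    }
    s->thread_started = 1;
    return 0;
}

/* Buggy teardown, the shape the ASan report describes: the owner frees the
 * object while the worker may still be polling it. Under ASan the worker's
 * next load of s->state is reported as a heap-use-after-free. Not called
 * in this example. */
void server_destroy_unsafe(Server *s)
{
    free(s);
}

/* Fixed teardown, step 1: tell the worker to stop and wait until it has exited.
 * Safe to call twice; the second call finds thread_started == 0. */
void server_stop(Server *s)
{
    atomic_store(&s->state, SRV_STOPPED);
    if (s->thread_started) {
        pthread_join(s->thread, NULL);
        s->thread_started = 0;
    }
}

/* Fixed teardown, step 2: free only after no other thread can touch *s. */
void server_destroy_safe(Server *s)
{
    server_stop(s);
    free(s);
}

/* create -> start -> let the worker poll -> stop -> destroy, in the safe order.
 * Returns the worker's poll count (at least 5), or -1 if setup failed. */
long run_safe_lifecycle(void)
{
    Server *s = server_create();
    if (s == NULL)
        return -1;
    if (server_start(s) != 0) {
        server_destroy_safe(s);
        return -1;
    }
    while (atomic_load(&s->polls) < 5)     /* let the worker poll a few times */
        short_sleep();
    server_stop(s);                         /* from here on only this thread touches *s */
    long polls = atomic_load(&s->polls);
    server_destroy_safe(s);
    return polls;
}

int main(void)
{
    long polls = run_safe_lifecycle();
    printf("worker polled %ld times before a clean teardown\n", polls);
    return polls < 0 ? 1 : 0;
}
```

Build with `cc -fsanitize=address -pthread example.c` and it runs clean; replacing the two `server_destroy_safe` calls in `run_safe_lifecycle` with `server_destroy_unsafe` (and dropping the preceding `server_stop`) produces a report of the same shape as the one above, with the read in the worker thread and the free in the main thread. The point carried over to the report is that the error path after a failed start has to stop and join the server thread before the IsoServer is freed, whatever the library's actual fix looks like.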