mz-automation / libiec61850

Official repository for libIEC61850, the open-source library for the IEC 61850 protocols
http://libiec61850.com/libiec61850
GNU General Public License v3.0

Heap Use After Free in iec61850_9_2_LE_example.c at v1.3.1 #107

Closed arunm2110 closed 5 years ago

arunm2110 commented 5 years ago

Hi Team, there is a heap use after free in iec61850_9_2_LE_example.c:

```
=================================================================================

Starting server failed! Exit.

==28640==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e00000de88 at pc 0x000000470531 bp 0x7f367befedc0 sp 0x7f367befedb0
READ of size 8 at 0x60e00000de88 thread T1
    #0 0x470530 in getState /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_server/iso_server.c:115
    #1 0x4714ec in IsoServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_server/iso_server.c:645
    #2 0x47ac25 in MmsServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_mms/server/mms_server.c:461
    #3 0x42aeca in IedServer_waitReady /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/iec61850/server/impl/ied_server.c:668
    #4 0x42a979 in singleThreadedServerThread /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/iec61850/server/impl/ied_server.c:566
    #5 0x511398 in destroyAutomaticThread /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/hal/thread/linux/thread_linux.c:90
    #6 0x7f367f0cb6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #7 0x7f367eaf841c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x60e00000de88 is located 8 bytes inside of 152-byte region [0x60e00000de80,0x60e00000df18)
freed by thread T0 here:
    #0 0x7f367f3792ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x511d88 in Memory_free /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/hal/memory/lib_memory.c:82
    #2 0x471a0e in IsoServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_server/iso_server.c:817
    #3 0x47a2b5 in MmsServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_mms/server/mms_server.c:296
    #4 0x42a5f8 in IedServer_destroy /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/iec61850/server/impl/ied_server.c:505
    #5 0x416b3a in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/examples/iec61850_9_2_LE_example/iec61850_9_2_LE_example.c:126
    #6 0x7f367ea1182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f367f37979a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x511d21 in Memory_calloc /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/hal/memory/lib_memory.c:59
    #2 0x470f6d in IsoServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_server/iso_server.c:510
    #3 0x479396 in MmsServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_mms/server/mms_server.c:55
    #4 0x429f5c in IedServer_createWithConfig /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/iec61850/server/impl/ied_server.c:434
    #5 0x42a53b in IedServer_create /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/iec61850/server/impl/ied_server.c:483
    #6 0x416afc in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/examples/iec61850_9_2_LE_example/iec61850_9_2_LE_example.c:119
    #7 0x7f367ea1182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Thread T1 created by T0 here:
    #0 0x7f367f317253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x511421 in Thread_start /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/hal/thread/linux/thread_linux.c:101
    #2 0x42ab0d in IedServer_start /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/iec61850/server/impl/ied_server.c:595
    #3 0x416b11 in main /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/examples/iec61850_9_2_LE_example/iec61850_9_2_LE_example.c:122
    #4 0x7f367ea1182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /home/rootkill3r/fuzzing/61850/libiec61850-1.3.1/src/mms/iso_server/iso_server.c:115 getState
Shadow bytes around the buggy address:
  0x0c1c7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1c7fff9bd0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c7fff9be0: fd fd fd fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1c7fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1c7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==28640==ABORTING
```
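The report above shows a lifecycle ordering bug: `IedServer_start` spawns the server thread (T1), the start is reported as failed, `main` calls `IedServer_destroy` (T0) and frees the `IsoServer`, while T1 is still inside `IedServer_waitReady` reading the freed object's state. The following is an added illustration, not code from the issue or from libiec61850, with hypothetical names (`Server`, `server_start`, `server_destroy`): a minimal thread that polls a heap object, the unsafe destroy that frees it while the thread is alive, and the stop/join-before-free ordering that removes the race.

```c
/* Added illustration with hypothetical names, not libiec61850 code: a server thread
 * polls a heap object its owner frees on a failed-start path; join-before-free fixes it. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <time.h>
enum { IDLE, RUNNING, STOPPING };
typedef struct { atomic_int state; pthread_t thread; bool thread_started; } Server;

/* Server loop: this read of s->state plays the role of getState() in the ASan
 * report; if the main thread has already freed s, it is a use after free. */
static void *server_thread(void *arg)
{
    Server *s = arg;
    struct timespec poll = { 0, 1000000 }; /* 1 ms */
    while (atomic_load(&s->state) == RUNNING)
        nanosleep(&poll, NULL);
    return NULL;
}

/* Spawns the thread, then reports failure ("Starting server failed!") anyway. */
bool server_start(Server *s, bool simulate_failure)
{
    atomic_store(&s->state, RUNNING);
    s->thread_started = pthread_create(&s->thread, NULL, server_thread, s) == 0;
    return s->thread_started && !simulate_failure;
}

/* Buggy ordering: frees while the thread may still be polling s->state. */
void server_destroy_unsafe(Server *s) { free(s); }

/* Safe ordering: request stop, join, then free. Returns whether join succeeded. */
bool server_destroy(Server *s)
{
    bool joined = true;
    if (s->thread_started) {
        atomic_store(&s->state, STOPPING);
        joined = pthread_join(s->thread, NULL) == 0;
    }
    free(s);
    return joined;
}
/* The report's path (create, start fails, destroy), done in the safe order. */
bool failed_start_lifecycle(void)
{
    Server *s = calloc(1, sizeof(Server));
    return s && !server_start(s, true) && server_destroy(s);
}
```

Running the unsafe variant under AddressSanitizer reproduces the same class of report as the one in this issue; the safe variant is what a failed-start path should do before releasing the object.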

mzillgith commented 5 years ago

Hi. I cannot reproduce the problem in the latest v1.3 and v1.4 branches. I guess it was solved in the meantime.