nimble-code / Modex

a model extractor, to automatically extract Spin verification models from multi-threaded C code

Double Free in yyerror() #11

Closed AiDaiP closed 2 years ago

AiDaiP commented 2 years ago

Double Free in yyerror()

Description

Another double free, again related to fclose(). Once err_cnt reaches 10, yyerror() calls fclose(yyin) on every further error (note that the "too many errors" line is printed twice in the output below), so the second call closes a stream that was already closed and freed.

The PoC was generated by my fuzzer, so it may contain some garbage.

version

9aee55a

modex -V
MODEX Version 2.11 - 3 November 2017

System information Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

poc

base64 poc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=

command

modex ./poc.c

Result

modex ./poc.c
MODEX Version 2.11 - 3 November 2017
./poc.c:2:2: error: invalid preprocessing directive #incUude
    2 | #incUude <a
      |  ^~~~~~~
./poc.c:11:13: warning: missing terminating ' character
   11 | s uct Entrry *next;
      |             ^
./poc.c:29:4: warning: missing terminating " character
   29 | }
      |    ^
./poc.c:7: Error (syntax error, unexpected DIV) before '/'
/ le
^
Error: Line 7: Illegal Character, ASCII: 003 (octal)
Error: Line 10: Illegal Character, ASCII: 004 (octal)
./poc.c:12: Warning - Unterminated char constant:
Binary file (standard input) matches
                     ^
Error: Line 19: Illegal Character, ASCII: 001 (octal)
./poc.c:26: Error (syntax error, unexpected IDENT, expecting SEMICOLON) before 'Identifier'
Binary file (standard input) matches
             ^
Error: Line 27: Illegal Character, ASCII: 031 (octal)
./poc.c:29: Unterminated string constant starting:
Binary file (standard input) matches
           ^
./poc.c:29: Error (syntax error, unexpected INVALID, expecting SEMICOLON) before 'String Constant'
Binary file (standard input) matches
           ^
./poc.c:33: Error (syntax error, unexpected SEMICOLON, expecting RPAREN) before ';'
Binary file (standard input) matches
                                     ^
./poc.c:36: Error (syntax error, unexpected IDENT, expecting SEMICOLON) before 'Identifier'
Binary file (standard input) matches
   ^
./poc.c:36: Error (syntax error, unexpected SEMICOLON, expecting RPAREN) before ';'
Binary file (standard input) matches
                          ^
./poc.c:39: Error (syntax error, unexpected ELSE) before 'else'
Binary file (standard input) matches
 ^
./poc.c:41: Error (syntax error, unexpected B_AND, expecting SEMICOLON) before '&'
Binary file (standard input) matches
           ^
./poc.c:45: Error (syntax error, unexpected SEMICOLON, expecting RPAREN or COMMA) before ';'
Binary file (standard input) matches
       ^
too many errors (10 detected)
./poc.c:50: Error (syntax error, unexpected IDENT, expecting SEMICOLON) before 'Identifier'
Binary file (standard input) matches
       ^
too many errors (11 detected)
free(): double free detected in tcache 2
[1]    1044549 abort      modex ./poc.c

gdb

pwndbg> si
0x000055555557ff39      1005                    fclose(yyin);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────[ REGISTERS ]──────────────────────────────────────
*RAX  0x5555555b96b0 —▸ 0x5555555ba8a0 ◂— 0x0
 RBX  0x55555558c110 (__libc_csu_init) ◂— endbr64
 RCX  0x0
 RDX  0x0
 RDI  0x7ffff7e5e4b0 (_IO_stdfile_2_lock) ◂— 0x0
 RSI  0x7fffffffaae0 ◂— "too many errors (11 detected)\nT, expecting SEMICOLON) before 'Identifier'\nBinary file (standard input) matches\n\ntches\n"
 R8   0x1e
 R9   0x1e
 R10  0x55555559512b ◂— ' detected)\n'
 R11  0x246
 R12  0x5555555585c0 (_start) ◂— endbr64
 R13  0x7fffffffe130 ◂— 0x2
 R14  0x0
 R15  0x0
 RBP  0x7fffffffd190 —▸ 0x7fffffffdc40 —▸ 0x7fffffffdc70 —▸ 0x7fffffffdef0 —▸ 0x7fffffffe040 ◂— ...
 RSP  0x7fffffffd180 —▸ 0x55555555acde (exit_scope+63) ◂— nop
*RIP  0x55555557ff39 (yyerror+215) ◂— mov    rdi, rax
───────────────────────────────────────[ DISASM ]────────────────────────────────────────
   0x55555557ff1e <yyerror+188>    lea    rsi, [rip + 0x151f3]
   0x55555557ff25 <yyerror+195>    mov    rdi, rax
   0x55555557ff28 <yyerror+198>    mov    eax, 0
   0x55555557ff2d <yyerror+203>    call   fprintf@plt                <fprintf@plt>

   0x55555557ff32 <yyerror+208>    mov    rax, qword ptr [rip + 0x2ef0f] <0x5555555aee48>
 ► 0x55555557ff39 <yyerror+215>    mov    rdi, rax                      <0x7ffff7e5e4b0>
   0x55555557ff3c <yyerror+218>    call   fclose@plt                <fclose@plt>

   0x55555557ff41 <yyerror+223>    mov    eax, 1
   0x55555557ff46 <yyerror+228>    jmp    yyerror+235                <yyerror+235>

   0x55555557ff48 <yyerror+230>    mov    eax, 0
   0x55555557ff4d <yyerror+235>    leave
────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────
In file: /home/aidai/model_checking/Modex/Src/lexer.l
   1000         err_cnt++;
   1001
   1002         if (preview == 0 && err_cnt >= 10)
   1003         {       fprintf(stderr,"too many errors (%d detected)\n",
   1004                         err_cnt);
 ► 1005                 fclose(yyin);
   1006                 return(1);
   1007         }
   1008         return(0);
   1009 }
   1010
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffffd180 —▸ 0x55555555acde (exit_scope+63) ◂— nop
01:0008│     0x7fffffffd188 —▸ 0x7fffffffdbb0 ◂— 'syntax error, unexpected IDENT, expecting SEMICOLON'
02:0010│ rbp 0x7fffffffd190 —▸ 0x7fffffffdc40 —▸ 0x7fffffffdc70 —▸ 0x7fffffffdef0 —▸ 0x7fffffffe040 ◂— ...
03:0018│     0x7fffffffd198 —▸ 0x555555584577 (yyparse+16004) ◂— cmp    dword ptr [rbp - 0xa74], 2
04:0020│     0x7fffffffd1a0 ◂— 0x9000
05:0028│     0x7fffffffd1a8 ◂— 0x11d0000000a /* '\n' */
06:0030│     0x7fffffffd1b0 ◂— 0x10200000000
07:0038│     0x7fffffffd1b8 ◂— 0x0
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
 ► f 0   0x55555557ff39 yyerror+215
   f 1   0x555555584577 yyparse+16004
   f 2   0x5555555732be tree_parse+54
   f 3   0x55555555f3c1 process_input+756
   f 4   0x55555555f78b main+624
   f 5   0x7ffff7c970b3 __libc_start_main+243
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
0x000055555557ff3c      1005                    fclose(yyin);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────[ REGISTERS ]──────────────────────────────────────
 RAX  0x5555555b96b0 —▸ 0x5555555ba8a0 ◂— 0x0
 RBX  0x55555558c110 (__libc_csu_init) ◂— endbr64
 RCX  0x0
 RDX  0x0
*RDI  0x5555555b96b0 —▸ 0x5555555ba8a0 ◂— 0x0
 RSI  0x7fffffffaae0 ◂— "too many errors (11 detected)\nT, expecting SEMICOLON) before 'Identifier'\nBinary file (standard input) matches\n\ntches\n"
 R8   0x1e
 R9   0x1e
 R10  0x55555559512b ◂— ' detected)\n'
 R11  0x246
 R12  0x5555555585c0 (_start) ◂— endbr64
 R13  0x7fffffffe130 ◂— 0x2
 R14  0x0
 R15  0x0
 RBP  0x7fffffffd190 —▸ 0x7fffffffdc40 —▸ 0x7fffffffdc70 —▸ 0x7fffffffdef0 —▸ 0x7fffffffe040 ◂— ...
 RSP  0x7fffffffd180 —▸ 0x55555555acde (exit_scope+63) ◂— nop
*RIP  0x55555557ff3c (yyerror+218) ◂— call   0x5555555583d0
───────────────────────────────────────[ DISASM ]────────────────────────────────────────
   0x55555557ff25 <yyerror+195>    mov    rdi, rax
   0x55555557ff28 <yyerror+198>    mov    eax, 0
   0x55555557ff2d <yyerror+203>    call   fprintf@plt                <fprintf@plt>

   0x55555557ff32 <yyerror+208>    mov    rax, qword ptr [rip + 0x2ef0f] <0x5555555aee48>
   0x55555557ff39 <yyerror+215>    mov    rdi, rax
 ► 0x55555557ff3c <yyerror+218>    call   fclose@plt                <fclose@plt>
        stream: 0x5555555b96b0 —▸ 0x5555555ba8a0 ◂— 0x0

   0x55555557ff41 <yyerror+223>    mov    eax, 1
   0x55555557ff46 <yyerror+228>    jmp    yyerror+235                <yyerror+235>

   0x55555557ff48 <yyerror+230>    mov    eax, 0
   0x55555557ff4d <yyerror+235>    leave
   0x55555557ff4e <yyerror+236>    ret
────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────
In file: /home/aidai/model_checking/Modex/Src/lexer.l
   1000         err_cnt++;
   1001
   1002         if (preview == 0 && err_cnt >= 10)
   1003         {       fprintf(stderr,"too many errors (%d detected)\n",
   1004                         err_cnt);
 ► 1005                 fclose(yyin);
   1006                 return(1);
   1007         }
   1008         return(0);
   1009 }
   1010
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffffd180 —▸ 0x55555555acde (exit_scope+63) ◂— nop
01:0008│     0x7fffffffd188 —▸ 0x7fffffffdbb0 ◂— 'syntax error, unexpected IDENT, expecting SEMICOLON'
02:0010│ rbp 0x7fffffffd190 —▸ 0x7fffffffdc40 —▸ 0x7fffffffdc70 —▸ 0x7fffffffdef0 —▸ 0x7fffffffe040 ◂— ...
03:0018│     0x7fffffffd198 —▸ 0x555555584577 (yyparse+16004) ◂— cmp    dword ptr [rbp - 0xa74], 2
04:0020│     0x7fffffffd1a0 ◂— 0x9000
05:0028│     0x7fffffffd1a8 ◂— 0x11d0000000a /* '\n' */
06:0030│     0x7fffffffd1b0 ◂— 0x10200000000
07:0038│     0x7fffffffd1b8 ◂— 0x0
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
 ► f 0   0x55555557ff3c yyerror+218
   f 1   0x555555584577 yyparse+16004
   f 2   0x5555555732be tree_parse+54
   f 3   0x55555555f3c1 process_input+756
   f 4   0x55555555f78b main+624
   f 5   0x7ffff7c970b3 __libc_start_main+243
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bin
tcachebins
0x1e0 [  2]: 0x5555555b96b0 —▸ 0x5555555ba8a0 ◂— 0x0
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
0xe00: 0x5555555b98f0 —▸ 0x7ffff7e5c1f0 (main_arena+1648) ◂— 0x5555555b98f0
nimble-code commented 2 years ago

Modex explicitly assumes that the C code it processes can be compiled error-free with a standard compiler. It really isn't meant to be used, nor can it be expected to work, on random inputs. So this too goes into the stack of somewhat interesting, but non-actionable, reports.