pantoniou / libfyaml

Fully feature complete YAML parser and emitter, supporting the latest YAML spec and passing the full YAML testsuite.
MIT License

Heap-use-after-free and dynamic-stack-buffer-overflow when calling fy_document_build_from_file() #57

Closed bladchan closed 2 years ago

bladchan commented 2 years ago

Hi,

I also found a UAF bug and a dynamic-stack-buffer-overflow bug while doing experiments for AFLAPI.

Environment: Ubuntu 20.04 + gcc 9.4.0

Harness (attached: file named as "test_fy_document_build_from_file.c"):

#include <libfyaml.h>
#include <stdio.h>

int main(int argc, char **argv) {

    if (argc != 2) return 0;

    /* Parse the file named on the command line with default parser options. */
    struct fy_document *fyd = fy_document_build_from_file(NULL, argv[1]);
    if (!fyd) {
        fprintf(stderr, "failed to build document\n");
        return 0;
    }

    fy_document_destroy(fyd);
    return 0;

}

Poc: Poc2.zip

To reproduce:

• Compile the whole project with ASAN:

CFLAGS="-fsanitize=address -g" ./bootstrap.sh
CFLAGS="-fsanitize=address -g" ./configure
make && sudo make install

• Compile the harness with ASAN:

gcc -fsanitize=address -o test_fy_document_build_from_file test_fy_document_build_from_file.c -lfyaml

• Run harness:

./test_fy_document_build_from_file ./UAF.yaml # reproduces the UAF
./test_fy_document_build_from_file ./dynamic-stack-buffer-overflow.yaml # reproduces the dynamic stack buffer overflow

About UAF, ASAN says:

UAF.yaml:3:18: error: cannot use tab for indentation of block entry
? a complex key
               :       
                 ^~~~~~~
=================================================================
==1614640==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000080 at pc 0x7f0adbbea7be bp 0x7ffed9c79870 sp 0x7ffed9c79860
READ of size 8 at 0x606000000080 thread T0
    #0 0x7f0adbbea7bd in list_del lib/fy-list.h:120
    #1 0x7f0adbbea7bd in fy_simple_key_list_del lib/fy-parse.h:79
    #2 0x7f0adbbea7bd in fy_simple_key_list_pop lib/fy-parse.h:79
    #3 0x7f0adbbea7bd in fy_simple_key_vacuum_internal lib/fy-types.c:31
    #4 0x7f0adbba6c75 in fy_parse_cleanup lib/fy-parse.c:842
    #5 0x7f0adbc2fd0e in fy_document_build_internal lib/fy-doc.c:3287
    #6 0x7f0adbc3030c in fy_document_build_from_file lib/fy-doc.c:3320
    #7 0x55bb3c28628b in main (/home/ubuntu/test/libfyaml/fuzz/test_fy_document_build_from_file+0x128b)
    #8 0x7f0adb9b2082 in __libc_start_main ../csu/libc-start.c:308
    #9 0x55bb3c28616d in _start (/home/ubuntu/test/libfyaml/fuzz/test_fy_document_build_from_file+0x116d)

0x606000000080 is located 0 bytes inside of 64-byte region [0x606000000080,0x6060000000c0)
freed by thread T0 here:
    #0 0x7f0adbdcf40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x7f0adbbea782 in fy_simple_key_vacuum_internal lib/fy-types.c:31
    #2 0x60600000007f  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7f0adbdcf808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7f0adbbea5f1 in fy_simple_key_alloc_simple_internal lib/fy-types.c:31
    #2 0x7f0adbbea5f1 in fy_simple_key_alloc_simple_internal lib/fy-types.c:31

SUMMARY: AddressSanitizer: heap-use-after-free lib/fy-list.h:120 in list_del
Shadow bytes around the buggy address:
  0x0c0c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff8000: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
=>0x0c0c7fff8010:[fd]fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c0c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1614640==ABORTING

About dynamic stack buffer overflow, ASAN says:

dynamic-stack-buffer-overflow.yaml:2:255: error: plain scalar is malformed UTF8

                                   ^
                                   ~~~~~~~~~~~~~~~~
=================================================================
==1614738==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffdf6134cd5 at pc 0x7f73f2f75f3d bp 0x7ffdf6134ad0 sp 0x7ffdf6134278
WRITE of size 1793 at 0x7ffdf6134cd5 thread T0
    #0 0x7f73f2f75f3c in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
    #1 0x7f73f2e3a93e in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
    #2 0x7f73f2e3a93e in fy_diag_error_atom_display lib/fy-diag.c:789
    #3 0x7f73f2e3c236 in fy_diag_error_token_display lib/fy-diag.c:806
    #4 0x7f73f2e3c236 in fy_diag_error_token_display lib/fy-diag.c:801
    #5 0x7f73f2e3c236 in fy_diag_vreport lib/fy-diag.c:854
    #6 0x7f73f2e3ed3f in fy_reader_diag_report lib/fy-diag.c:1243
    #7 0x7f73f2e1ec4f in fy_reader_fetch_plain_scalar_handle lib/fy-parse.c:4261
    #8 0x7f73f2e261c3 in fy_fetch_plain_scalar lib/fy-parse.c:4707
    #9 0x7f73f2e2827f in fy_fetch_tokens lib/fy-parse.c:5022
    #10 0x7f73f2e2a057 in fy_scan_peek lib/fy-parse.c:5093
    #11 0x7f73f2e2a057 in fy_scan_peek lib/fy-parse.c:5038
    #12 0x7f73f2e2f6ac in fy_parse_internal lib/fy-parse.c:5989
    #13 0x7f73f2e84bff in fy_document_builder_load_document lib/fy-docbuilder.c:529
    #14 0x7f73f2e7b6be in fy_parse_load_document_with_builder lib/fy-doc.c:1940
    #15 0x7f73f2e7bacd in fy_document_build_internal lib/fy-doc.c:3242
    #16 0x7f73f2e7c30c in fy_document_build_from_file lib/fy-doc.c:3320
    #17 0x55698ebce28b in main (/home/ubuntu/test/libfyaml/fuzz/test_fy_document_build_from_file+0x128b)
    #18 0x7f73f2bfe082 in __libc_start_main ../csu/libc-start.c:308
    #19 0x55698ebce16d in _start (/home/ubuntu/test/libfyaml/fuzz/test_fy_document_build_from_file+0x116d)

Address 0x7ffdf6134cd5 is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
Shadow bytes around the buggy address:
  0x10003ec1e940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003ec1e950: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca
  0x10003ec1e960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003ec1e970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003ec1e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10003ec1e990: 00 00 00 00 00 00 00 00 00 00[05]cb cb cb cb cb
  0x10003ec1e9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003ec1e9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10003ec1e9c0: f1 f1 04 f2 00 00 00 00 00 00 00 00 00 00 00 f2
  0x10003ec1e9d0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003ec1e9e0: 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1614738==ABORTING
pantoniou commented 2 years ago

Everything should be fixed as of a398979df30fe65abd69400b6170b938c6709004

This was surprising because valgrind could not catch those bugs. Please test and let me know if they work for you.

And please if you have more fuzzing failures I'll be happy to take a look.

I really appreciate this, it's been getting really hard to break the library lately :)

bladchan commented 2 years ago

It seems that there is still a heap-use-after-free (UAF) bug mentioned above in https://github.com/pantoniou/libfyaml/commit/a398979df30fe65abd69400b6170b938c6709004. The good news is that no more overflow bugs can be detected.

Here is the poc: UAF.zip

ASAN says:

ubuntu@ubuntu:~/test/libfyaml/fuzz$ ./test_fy_document_build_from_file ./UAF.yaml 
./UAF.yaml:3:18: error: cannot use tab for indentation of block entry
? a complex key
               :       
                 ^~~~~~~
=================================================================
==3064162==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000080 at pc 0x7ffa2d58ad11 bp 0x7ffe1311b2b0 sp 0x7ffe1311b2a0
READ of size 8 at 0x606000000080 thread T0
    #0 0x7ffa2d58ad10 in list_del lib/fy-list.h:120
    #1 0x7ffa2d58bac2 in fy_simple_key_list_del lib/fy-parse.h:79
    #2 0x7ffa2d58bcf6 in fy_simple_key_list_pop lib/fy-parse.h:79
    #3 0x7ffa2d58c8e7 in fy_simple_key_vacuum_internal lib/fy-types.c:31
    #4 0x7ffa2d58c9ad in fy_parse_simple_key_vacuum lib/fy-types.c:31
    #5 0x7ffa2d53da2b in fy_parse_cleanup lib/fy-parse.c:842
    #6 0x7ffa2d60ad05 in fy_document_build_internal lib/fy-doc.c:3287
    #7 0x7ffa2d60b453 in fy_document_build_from_file lib/fy-doc.c:3320
    #8 0x565488ffb497 in main /home/ubuntu/test/libfyaml/fuzz/test_fy_document_build_from_file.c:9
    #9 0x7ffa2d341082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x565488ffb28d in _start (/home/ubuntu/test/libfyaml/fuzz/test_fy_document_build_from_file+0x128d)

0x606000000080 is located 0 bytes inside of 64-byte region [0x606000000080,0x6060000000c0)
freed by thread T0 here:
    #0 0x7ffa2d84040f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x7ffa2d58c8db in fy_simple_key_vacuum_internal lib/fy-types.c:31
    #2 0x7ffa2d58c9ad in fy_parse_simple_key_vacuum lib/fy-types.c:31
    #3 0x7ffa2d53da2b in fy_parse_cleanup lib/fy-parse.c:842
    #4 0x7ffa2d60ad05 in fy_document_build_internal lib/fy-doc.c:3287
    #5 0x7ffa2d60b453 in fy_document_build_from_file lib/fy-doc.c:3320
    #6 0x565488ffb497 in main /home/ubuntu/test/libfyaml/fuzz/test_fy_document_build_from_file.c:9
    #7 0x7ffa2d341082 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7ffa2d840808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7ffa2d58c786 in fy_simple_key_alloc_simple_internal lib/fy-types.c:31
    #2 0x7ffa2d58c951 in fy_parse_simple_key_alloc_simple lib/fy-types.c:31
    #3 0x7ffa2d58cbbb in fy_parse_simple_key_alloc lib/fy-types.c:31
    #4 0x7ffa2d54312e in fy_save_simple_key lib/fy-parse.c:1479
    #5 0x7ffa2d543e8e in fy_save_simple_key_mark lib/fy-parse.c:1547
    #6 0x7ffa2d56c8d9 in fy_fetch_plain_scalar lib/fy-parse.c:4753
    #7 0x7ffa2d570eeb in fy_fetch_tokens lib/fy-parse.c:5022
    #8 0x7ffa2d5719d4 in fy_scan_peek lib/fy-parse.c:5093
    #9 0x7ffa2d5762d4 in fy_parse_internal lib/fy-parse.c:5524
    #10 0x7ffa2d580d5b in fy_parse_private lib/fy-parse.c:6419
    #11 0x7ffa2d63b926 in fy_document_builder_load_document lib/fy-docbuilder.c:529
    #12 0x7ffa2d5fe963 in fy_parse_load_document_with_builder lib/fy-doc.c:1940
    #13 0x7ffa2d5fed0b in fy_parse_load_document lib/fy-doc.c:1962
    #14 0x7ffa2d60a70c in fy_document_build_internal lib/fy-doc.c:3242
    #15 0x7ffa2d60b453 in fy_document_build_from_file lib/fy-doc.c:3320
    #16 0x565488ffb497 in main /home/ubuntu/test/libfyaml/fuzz/test_fy_document_build_from_file.c:9
    #17 0x7ffa2d341082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free lib/fy-list.h:120 in list_del
Shadow bytes around the buggy address:
  0x0c0c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff8000: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
=>0x0c0c7fff8010:[fd]fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c0c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3064162==ABORTING

Without ASAN instrumentation, this poc file will lead to a double-free issue, like this:

ubuntu@ubuntu:~/test/libfyaml/fuzz$ ./test_fy_document_build_from_file UAF.yaml
UAF.yaml:3:18: error: cannot use tab for indentation of block entry
? a complex key
               :       
                 ^~~~~~~
free(): double free detected in tcache 2
Aborted (core dumped)
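As an added illustration, not libfyaml code: the traces above show list_del reading a key that the vacuum routine itself has already freed, and the uninstrumented run turns the same sequence into a tcache double free. The model below, with hypothetical names and a tracked allocator standing in for free(), shows the release-while-still-linked sequence beside the unlink-then-release form a cleanup path should use.

```c
/* Added model, not libfyaml code: a tracked allocator stands in for free(),
 * so releasing a key that is still linked is counted instead of crashing. */
#include <stddef.h>

struct list_node { struct list_node *prev, *next; };
struct simple_key {
    struct list_node node;  /* intrusive link; hypothetical stand-in for fy-list.h */
    int freed;              /* tracked-allocator state: 1 once released */
};
static int double_frees;    /* detector: releases of an already-released key */

static void list_init(struct list_node *h) { h->prev = h->next = h; }
static int  list_empty(const struct list_node *h) { return h->next == h; }
static void list_add_tail(struct list_node *h, struct list_node *n) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
/* Unsafe unlink: reads n->prev/n->next even if n was released; with a real
 * free() behind it this is the 8-byte READ in list_del that ASAN reports. */
static void list_del(struct list_node *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
}
/* Safe unlink: refuse an unlinked node, poison the links after unlinking. */
static int list_del_safe(struct list_node *n) {
    if (!n->next || !n->prev) return -1;
    list_del(n);
    n->next = n->prev = NULL;
    return 0;
}
/* Tracked release: where free() would hit tcache twice, this only counts. */
static void key_release(struct simple_key *k) {
    if (k->freed) { double_frees++; return; }
    k->freed = 1;
}
#define KEY_OF(n) ((struct simple_key *)(n))   /* node is the first member */

/* Error path, unsafe: releases every key but leaves it linked in the list. */
static void drop_keys_unsafe(struct list_node *h) {
    for (struct list_node *n = h->next; n != h; n = n->next) key_release(KEY_OF(n));
}
/* Error path, safe: unlink first, then release. */
static void drop_keys_safe(struct list_node *h) {
    struct list_node *n;
    while (!list_empty(h)) { n = h->next; list_del_safe(n); key_release(KEY_OF(n)); }
}
/* Final cleanup (the fy_parse_cleanup role): pop and release whatever is left. */
static void cleanup(struct list_node *h) {
    struct list_node *n;
    while (!list_empty(h)) { n = h->next; list_del(n); key_release(KEY_OF(n)); }
}
/* Error path followed by cleanup over nkeys constructed keys (0..16); returns
 * how many double releases the tracked allocator caught (0 means correct). */
static int run_scenario(int nkeys, int safe) {
    struct list_node head;
    struct simple_key keys[16];
    if (nkeys < 0) nkeys = 0;
    if (nkeys > 16) nkeys = 16;
    list_init(&head);
    double_frees = 0;
    for (int i = 0; i < nkeys; i++) { keys[i].freed = 0; list_add_tail(&head, &keys[i].node); }
    if (safe) drop_keys_safe(&head); else drop_keys_unsafe(&head);
    cleanup(&head);
    return double_frees;
}
```

With real free() the unsafe path is exactly what ASAN flags as the READ in list_del and what glibc reports as a tcache double free; the safe path leaves nothing for the final cleanup to touch.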
pantoniou commented 2 years ago

Indeed. Fixed from 0bb4406b591ee773348aa161270a0c9596192dd2 onwards...

bladchan commented 2 years ago

Good! I reran all the test cases that triggered the UAF before against https://github.com/pantoniou/libfyaml/commit/0bb4406b591ee773348aa161270a0c9596192dd2. No more bugs were detected.