[physfs] physfs corruption (double free) in hardened version

Patrick Matthäi pmatthaei at debian.org
Sun May 1 13:35:49 EDT 2011


Package: libphysfs1
Severity: critical
Version: 2.0.2-2

Hello,

I have just uploaded a hardened version of physfs to Debian (with
fortify source, relro, pie and stack canary enabled).

I have attached a test program from a bug submitter with which physfs
crashes because glibc detects a double free, on amd64 (but not on i386).

Save it somewhere and then run:

$ rm bug
$ mkdir -p testdir/dirnumber{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20}
$ gcc bug.c -lphysfs -o bug
$ ./bug

=>
me at exez:~/build$ LC_ALL=C ./bug
*** glibc detected *** ./bug: double free or corruption (fasttop):
0x00000000015a13c0 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71ab6)[0x7fb8ffe80ab6]
/lib/libc.so.6(cfree+0x6c)[0x7fb8ffe8582c]
/usr/lib/libphysfs.so.1(PHYSFS_freeList+0x29)[0x7fb900177fd9]
./bug[0x40074b]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7fb8ffe2dc4d]
./bug[0x400649]
======= Memory map: ========
00400000-00401000 r-xp 00000000 08:31 8765828
 /home/me/build/bug
00600000-00601000 rw-p 00000000 08:31 8765828
 /home/me/build/bug
01599000-015ba000 rw-p 00000000 00:00 0
 [heap]
7fb8f8000000-7fb8f8021000 rw-p 00000000 00:00 0
7fb8f8021000-7fb8fc000000 ---p 00000000 00:00 0
7fb8ff9e2000-7fb8ff9f7000 r-xp 00000000 08:04 15343658
 /lib/libgcc_s.so.1
7fb8ff9f7000-7fb8ffbf7000 ---p 00015000 08:04 15343658
 /lib/libgcc_s.so.1
7fb8ffbf7000-7fb8ffbf8000 rw-p 00015000 08:04 15343658
 /lib/libgcc_s.so.1
7fb8ffbf8000-7fb8ffc0f000 r-xp 00000000 08:04 21389585
 /usr/lib/libz.so.1.2.3.4
7fb8ffc0f000-7fb8ffe0e000 ---p 00017000 08:04 21389585
 /usr/lib/libz.so.1.2.3.4
7fb8ffe0e000-7fb8ffe0f000 rw-p 00016000 08:04 21389585
 /usr/lib/libz.so.1.2.3.4
7fb8ffe0f000-7fb8fff67000 r-xp 00000000 08:04 15343758
 /lib/libc-2.11.2.so
7fb8fff67000-7fb900167000 ---p 00158000 08:04 15343758
 /lib/libc-2.11.2.so
7fb900167000-7fb90016b000 r--p 00158000 08:04 15343758
 /lib/libc-2.11.2.so
7fb90016b000-7fb90016c000 rw-p 0015c000 08:04 15343758
 /lib/libc-2.11.2.so
7fb90016c000-7fb900171000 rw-p 00000000 00:00 0
7fb900171000-7fb900192000 r-xp 00000000 08:04 21390125
 /usr/lib/libphysfs.so.2.0.2
7fb900192000-7fb900392000 ---p 00021000 08:04 21390125
 /usr/lib/libphysfs.so.2.0.2
7fb900392000-7fb900394000 r--p 00021000 08:04 21390125
 /usr/lib/libphysfs.so.2.0.2
7fb900394000-7fb900395000 rw-p 00023000 08:04 21390125
 /usr/lib/libphysfs.so.2.0.2
7fb900395000-7fb9003b3000 r-xp 00000000 08:04 24567820
 /lib/ld-2.11.2.so
7fb900598000-7fb90059b000 rw-p 00000000 00:00 0
7fb9005b0000-7fb9005b2000 rw-p 00000000 00:00 0
7fb9005b2000-7fb9005b3000 r--p 0001d000 08:04 24567820
 /lib/ld-2.11.2.so
7fb9005b3000-7fb9005b4000 rw-p 0001e000 08:04 24567820
 /lib/ld-2.11.2.so
7fb9005b4000-7fb9005b5000 rw-p 00000000 00:00 0
7fffbfce6000-7fffbfd07000 rw-p 00000000 00:00 0
 [stack]
7fffbfd3f000-7fffbfd40000 r-xp 00000000 00:00 0
 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
 [vsyscall]
Abgebrochen
me at exez:~/build$

<=

gdb output:

=>

me at exez:~/build$ LC_ALL=C gdb ./bug
GNU gdb (GDB) 7.2-debian
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/me/build/bug...(no debugging symbols
found)...done.
(gdb) run
Starting program: /home/me/build/bug
*** glibc detected *** /home/me/build/bug: double free or corruption
(fasttop): 0x00000000006093c0 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71ab6)[0x7ffff78caab6]
/lib/libc.so.6(cfree+0x6c)[0x7ffff78cf82c]
/usr/lib/libphysfs.so.1(PHYSFS_freeList+0x29)[0x7ffff7bc1fd9]
/home/me/build/bug[0x40074b]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7ffff7877c4d]
/home/me/build/bug[0x400649]
======= Memory map: ========
00400000-00401000 r-xp 00000000 08:31 8765828
 /home/me/build/bug
00600000-00601000 rw-p 00000000 08:31 8765828
 /home/me/build/bug
00601000-00622000 rw-p 00000000 00:00 0
 [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0
7ffff742c000-7ffff7441000 r-xp 00000000 08:04 15343658
 /lib/libgcc_s.so.1
7ffff7441000-7ffff7641000 ---p 00015000 08:04 15343658
 /lib/libgcc_s.so.1
7ffff7641000-7ffff7642000 rw-p 00015000 08:04 15343658
 /lib/libgcc_s.so.1
7ffff7642000-7ffff7659000 r-xp 00000000 08:04 21389585
 /usr/lib/libz.so.1.2.3.4
7ffff7659000-7ffff7858000 ---p 00017000 08:04 21389585
 /usr/lib/libz.so.1.2.3.4
7ffff7858000-7ffff7859000 rw-p 00016000 08:04 21389585
 /usr/lib/libz.so.1.2.3.4
7ffff7859000-7ffff79b1000 r-xp 00000000 08:04 15343758
 /lib/libc-2.11.2.so
7ffff79b1000-7ffff7bb1000 ---p 00158000 08:04 15343758
 /lib/libc-2.11.2.so
7ffff7bb1000-7ffff7bb5000 r--p 00158000 08:04 15343758
 /lib/libc-2.11.2.so
7ffff7bb5000-7ffff7bb6000 rw-p 0015c000 08:04 15343758
 /lib/libc-2.11.2.so
7ffff7bb6000-7ffff7bbb000 rw-p 00000000 00:00 0
7ffff7bbb000-7ffff7bdc000 r-xp 00000000 08:04 21390125
 /usr/lib/libphysfs.so.2.0.2
7ffff7bdc000-7ffff7ddc000 ---p 00021000 08:04 21390125
 /usr/lib/libphysfs.so.2.0.2
7ffff7ddc000-7ffff7dde000 r--p 00021000 08:04 21390125
 /usr/lib/libphysfs.so.2.0.2
7ffff7dde000-7ffff7ddf000 rw-p 00023000 08:04 21390125
 /usr/lib/libphysfs.so.2.0.2
7ffff7ddf000-7ffff7dfd000 r-xp 00000000 08:04 24567820
 /lib/ld-2.11.2.so
7ffff7fe1000-7ffff7fe4000 rw-p 00000000 00:00 0
7ffff7ff9000-7ffff7ffb000 rw-p 00000000 00:00 0
7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0
 [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 0001d000 08:04 24567820
 /lib/ld-2.11.2.so
7ffff7ffd000-7ffff7ffe000 rw-p 0001e000 08:04 24567820
 /lib/ld-2.11.2.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0
 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
 [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff788b165 in raise () from /lib/libc.so.6
(gdb) bt
#0  0x00007ffff788b165 in raise () from /lib/libc.so.6
#1  0x00007ffff788df70 in abort () from /lib/libc.so.6
#2  0x00007ffff78c125b in ?? () from /lib/libc.so.6
#3  0x00007ffff78caab6 in ?? () from /lib/libc.so.6
#4  0x00007ffff78cf82c in free () from /lib/libc.so.6
#5  0x00007ffff7bc1fd9 in PHYSFS_freeList (list=0x609750) at
/tmp/buildd/libphysfs-2.0.2/physfs.c:872
#6  0x000000000040074b in main ()
(gdb)

<=

-- 
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatthaei at debian.org
        patrick at linux-dev.org

Comment:
Always if we think we are right,
we were maybe wrong.
*/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bug.c
Type: text/x-csrc
Size: 205 bytes
Desc: not available
URL: <http://icculus.org/pipermail/physfs/attachments/20110501/1cc6b641/attachment.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://icculus.org/pipermail/physfs/attachments/20110501/1cc6b641/attachment.pgp>

