[physfs] physfs corruption (double free) in hardened version

Christoph Nelles evilazrael at evilazrael.de
Tue May 3 16:19:57 EDT 2011


Hi,

I just ran the test against a slightly older version. I had no problem.
Three remarks:
1) recompile with debug info
2) use valgrind
3) add a PHYSFS_deinit() to clean up.


On 01.05.2011 19:35, Patrick Matthäi wrote:
> Package: libphysfs1
> Severity: critical
> Version: 2.0.2-2
>
> Hello,
>
> I have just uploaded a hardened version of physfs to Debian (with
> fortify source, relro, pie and stack canary enabled).
>
> I have attached a test program from a bug submitter, with which physfs
> crashes, because of a double free exception, on amd64 (but not on i386).
>
> Save it somewhere and then run:
>
> $ rm bug
> $ mkdir -p testdir/dirnumber{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20}
> $ gcc bug.c -lphysfs -o bug
> $ ./bug
>
> =>
> me at exez:~/build$ LC_ALL=C ./bug
> *** glibc detected *** ./bug: double free or corruption (fasttop):
> 0x00000000015a13c0 ***
> ======= Backtrace: =========
> /lib/libc.so.6(+0x71ab6)[0x7fb8ffe80ab6]
> /lib/libc.so.6(cfree+0x6c)[0x7fb8ffe8582c]
> /usr/lib/libphysfs.so.1(PHYSFS_freeList+0x29)[0x7fb900177fd9]
> ./bug[0x40074b]
> /lib/libc.so.6(__libc_start_main+0xfd)[0x7fb8ffe2dc4d]
> ./bug[0x400649]
> ======= Memory map: ========
> 00400000-00401000 r-xp 00000000 08:31 8765828
>  /home/me/build/bug
> 00600000-00601000 rw-p 00000000 08:31 8765828
>  /home/me/build/bug
> 01599000-015ba000 rw-p 00000000 00:00 0
>  [heap]
> 7fb8f8000000-7fb8f8021000 rw-p 00000000 00:00 0
> 7fb8f8021000-7fb8fc000000 ---p 00000000 00:00 0
> 7fb8ff9e2000-7fb8ff9f7000 r-xp 00000000 08:04 15343658
>  /lib/libgcc_s.so.1
> 7fb8ff9f7000-7fb8ffbf7000 ---p 00015000 08:04 15343658
>  /lib/libgcc_s.so.1
> 7fb8ffbf7000-7fb8ffbf8000 rw-p 00015000 08:04 15343658
>  /lib/libgcc_s.so.1
> 7fb8ffbf8000-7fb8ffc0f000 r-xp 00000000 08:04 21389585
>  /usr/lib/libz.so.1.2.3.4
> 7fb8ffc0f000-7fb8ffe0e000 ---p 00017000 08:04 21389585
>  /usr/lib/libz.so.1.2.3.4
> 7fb8ffe0e000-7fb8ffe0f000 rw-p 00016000 08:04 21389585
>  /usr/lib/libz.so.1.2.3.4
> 7fb8ffe0f000-7fb8fff67000 r-xp 00000000 08:04 15343758
>  /lib/libc-2.11.2.so
> 7fb8fff67000-7fb900167000 ---p 00158000 08:04 15343758
>  /lib/libc-2.11.2.so
> 7fb900167000-7fb90016b000 r--p 00158000 08:04 15343758
>  /lib/libc-2.11.2.so
> 7fb90016b000-7fb90016c000 rw-p 0015c000 08:04 15343758
>  /lib/libc-2.11.2.so
> 7fb90016c000-7fb900171000 rw-p 00000000 00:00 0
> 7fb900171000-7fb900192000 r-xp 00000000 08:04 21390125
>  /usr/lib/libphysfs.so.2.0.2
> 7fb900192000-7fb900392000 ---p 00021000 08:04 21390125
>  /usr/lib/libphysfs.so.2.0.2
> 7fb900392000-7fb900394000 r--p 00021000 08:04 21390125
>  /usr/lib/libphysfs.so.2.0.2
> 7fb900394000-7fb900395000 rw-p 00023000 08:04 21390125
>  /usr/lib/libphysfs.so.2.0.2
> 7fb900395000-7fb9003b3000 r-xp 00000000 08:04 24567820
>  /lib/ld-2.11.2.so
> 7fb900598000-7fb90059b000 rw-p 00000000 00:00 0
> 7fb9005b0000-7fb9005b2000 rw-p 00000000 00:00 0
> 7fb9005b2000-7fb9005b3000 r--p 0001d000 08:04 24567820
>  /lib/ld-2.11.2.so
> 7fb9005b3000-7fb9005b4000 rw-p 0001e000 08:04 24567820
>  /lib/ld-2.11.2.so
> 7fb9005b4000-7fb9005b5000 rw-p 00000000 00:00 0
> 7fffbfce6000-7fffbfd07000 rw-p 00000000 00:00 0
>  [stack]
> 7fffbfd3f000-7fffbfd40000 r-xp 00000000 00:00 0
>  [vdso]
> ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
>  [vsyscall]
> Abgebrochen
> me at exez:~/build$
>
> <=
>
> gdb output:
>
> =>
>
> me at exez:~/build$ LC_ALL=C gdb ./bug
> GNU gdb (GDB) 7.2-debian
> Copyright (C) 2010 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>...
> Reading symbols from /home/me/build/bug...(no debugging symbols
> found)...done.
> (gdb) run
> Starting program: /home/me/build/bug
> *** glibc detected *** /home/me/build/bug: double free or corruption
> (fasttop): 0x00000000006093c0 ***
> ======= Backtrace: =========
> /lib/libc.so.6(+0x71ab6)[0x7ffff78caab6]
> /lib/libc.so.6(cfree+0x6c)[0x7ffff78cf82c]
> /usr/lib/libphysfs.so.1(PHYSFS_freeList+0x29)[0x7ffff7bc1fd9]
> /home/me/build/bug[0x40074b]
> /lib/libc.so.6(__libc_start_main+0xfd)[0x7ffff7877c4d]
> /home/me/build/bug[0x400649]
> ======= Memory map: ========
> 00400000-00401000 r-xp 00000000 08:31 8765828
>  /home/me/build/bug
> 00600000-00601000 rw-p 00000000 08:31 8765828
>  /home/me/build/bug
> 00601000-00622000 rw-p 00000000 00:00 0
>  [heap]
> 7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0
> 7ffff0021000-7ffff4000000 ---p 00000000 00:00 0
> 7ffff742c000-7ffff7441000 r-xp 00000000 08:04 15343658
>  /lib/libgcc_s.so.1
> 7ffff7441000-7ffff7641000 ---p 00015000 08:04 15343658
>  /lib/libgcc_s.so.1
> 7ffff7641000-7ffff7642000 rw-p 00015000 08:04 15343658
>  /lib/libgcc_s.so.1
> 7ffff7642000-7ffff7659000 r-xp 00000000 08:04 21389585
>  /usr/lib/libz.so.1.2.3.4
> 7ffff7659000-7ffff7858000 ---p 00017000 08:04 21389585
>  /usr/lib/libz.so.1.2.3.4
> 7ffff7858000-7ffff7859000 rw-p 00016000 08:04 21389585
>  /usr/lib/libz.so.1.2.3.4
> 7ffff7859000-7ffff79b1000 r-xp 00000000 08:04 15343758
>  /lib/libc-2.11.2.so
> 7ffff79b1000-7ffff7bb1000 ---p 00158000 08:04 15343758
>  /lib/libc-2.11.2.so
> 7ffff7bb1000-7ffff7bb5000 r--p 00158000 08:04 15343758
>  /lib/libc-2.11.2.so
> 7ffff7bb5000-7ffff7bb6000 rw-p 0015c000 08:04 15343758
>  /lib/libc-2.11.2.so
> 7ffff7bb6000-7ffff7bbb000 rw-p 00000000 00:00 0
> 7ffff7bbb000-7ffff7bdc000 r-xp 00000000 08:04 21390125
>  /usr/lib/libphysfs.so.2.0.2
> 7ffff7bdc000-7ffff7ddc000 ---p 00021000 08:04 21390125
>  /usr/lib/libphysfs.so.2.0.2
> 7ffff7ddc000-7ffff7dde000 r--p 00021000 08:04 21390125
>  /usr/lib/libphysfs.so.2.0.2
> 7ffff7dde000-7ffff7ddf000 rw-p 00023000 08:04 21390125
>  /usr/lib/libphysfs.so.2.0.2
> 7ffff7ddf000-7ffff7dfd000 r-xp 00000000 08:04 24567820
>  /lib/ld-2.11.2.so
> 7ffff7fe1000-7ffff7fe4000 rw-p 00000000 00:00 0
> 7ffff7ff9000-7ffff7ffb000 rw-p 00000000 00:00 0
> 7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0
>  [vdso]
> 7ffff7ffc000-7ffff7ffd000 r--p 0001d000 08:04 24567820
>  /lib/ld-2.11.2.so
> 7ffff7ffd000-7ffff7ffe000 rw-p 0001e000 08:04 24567820
>  /lib/ld-2.11.2.so
> 7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
> 7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0
>  [stack]
> ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
>  [vsyscall]
>
> Program received signal SIGABRT, Aborted.
> 0x00007ffff788b165 in raise () from /lib/libc.so.6
> (gdb) bt
> #0  0x00007ffff788b165 in raise () from /lib/libc.so.6
> #1  0x00007ffff788df70 in abort () from /lib/libc.so.6
> #2  0x00007ffff78c125b in ?? () from /lib/libc.so.6
> #3  0x00007ffff78caab6 in ?? () from /lib/libc.so.6
> #4  0x00007ffff78cf82c in free () from /lib/libc.so.6
> #5  0x00007ffff7bc1fd9 in PHYSFS_freeList (list=0x609750) at
> /tmp/buildd/libphysfs-2.0.2/physfs.c:872
> #6  0x000000000040074b in main ()
> (gdb)
>
> <=
>
>
>
> _______________________________________________
> physfs mailing list
> physfs at icculus.org
> http://icculus.org/mailman/listinfo/physfs


-- 
Christoph Nelles

E-Mail    : evilazrael at evilazrael.de
Jabber    : eazrael at evilazrael.net      ICQ       : 78819723

PGP-Key   : ID 0x424FB55B on subkeys.pgp.net
            or http://evilazrael.net/pgp.txt
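Christoph's three remarks come down to one lifecycle discipline for the lists PHYSFS_enumerateFiles hands back: release each list exactly once with PHYSFS_freeList, then tear the library down with PHYSFS_deinit(), and when that goes wrong, let debug info and valgrind point at the offending line. The reporter's bug.c did not survive in the archive, so the following is an added, self-contained C example (neither the physfs sources nor the original test program) that mirrors the PHYSFS_freeList contract with hypothetical make_list/free_list/free_list_once helpers and shows the pointer-nulling wrapper that turns a second release into a no-op instead of the "double free or corruption (fasttop)" abort quoted above:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: duplicate a C string on the heap (avoids relying on
 * strdup being declared under strict -std=c99). */
static char *dup_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy != NULL)
        memcpy(copy, s, len);
    return copy;
}

/* Constructed stand-in for a PHYSFS_enumerateFiles-style result: a
 * NULL-terminated array of heap-allocated strings. Not physfs code. */
static char **make_list(const char *const *names, size_t count)
{
    char **list = calloc(count + 1, sizeof(*list));
    if (list == NULL)
        return NULL;
    for (size_t i = 0; i < count; i++) {
        list[i] = dup_string(names[i]);
        if (list[i] == NULL) {
            /* partial failure: release what was allocated so far */
            for (size_t j = 0; j < i; j++)
                free(list[j]);
            free(list);
            return NULL;
        }
    }
    list[count] = NULL;
    return list;
}

/* Mirrors the PHYSFS_freeList contract: free every entry, then the array.
 * Calling this twice on the same pointer is exactly the double free that
 * glibc's heap checks reported in the backtrace above. */
static void free_list(void *list)
{
    char **p = list;
    if (p == NULL)
        return;
    for (size_t i = 0; p[i] != NULL; i++)
        free(p[i]);
    free(p);
}

/* Hardened wrapper: takes the address of the caller's pointer, frees the
 * list exactly once and nulls the pointer so any later call is a no-op. */
static void free_list_once(char ***listp)
{
    if (listp == NULL || *listp == NULL)
        return;
    free_list(*listp);
    *listp = NULL;
}

/* Count entries in a NULL-terminated list; NULL list counts as empty. */
static size_t count_entries(char *const *list)
{
    size_t n = 0;
    if (list == NULL)
        return 0;
    while (list[n] != NULL)
        n++;
    return n;
}

/* Walks the safe lifecycle: enumerate, use, release once, release again
 * (harmless). Returns the entry count, or -1 if anything went wrong. */
static long demo_lifecycle(void)
{
    /* constructed sample names, echoing the testdir layout in the report */
    static const char *const names[] = { "dirnumber1", "dirnumber2", "dirnumber3" };
    char **list = make_list(names, 3);
    if (list == NULL)
        return -1;
    size_t n = count_entries(list);
    free_list_once(&list);   /* first release: actually frees */
    free_list_once(&list);   /* second release: no-op, pointer is NULL */
    if (list != NULL)
        return -1;
    return (long)n;
}

int main(void)
{
    long n = demo_lifecycle();
    printf("entries=%ld, second release was a no-op\n", n);
    return n < 0;
}
```

Replace the second free_list_once call with a bare free_list(list) and build with `gcc -g -O0`, then run under `valgrind --leak-check=full`, and valgrind reports an invalid free with the file and line of both the first and the second free; that is the extra information remarks 1) and 2) above would have produced for bug.c, where the stripped build only gave `PHYSFS_freeList+0x29` and an unresolved frame in main.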



