https://bugs.freedesktop.org/show_bug.cgi?id=81992
Priority: medium
Bug ID: 81992
Assignee: mesa-dev@lists.freedesktop.org
Summary: mapi_stub->name points to caller memory, leads to heap-use-after-free bug
Severity: normal
Classification: Unclassified
OS: All
Reporter: comicfan...@gmail.com
Hardware: Other
Status: NEW
Version: git
Component: GLX
Product: Mesa

Seems that mapi_stub->name just references the caller memory instead of copying it.

Code path:

    glXGetProcAddressARB -> _glapi_get_proc_address -> _glapi_get_stub -> stub_find_dynamic -> stub_add_dynamic ->

        stub->name = (const void *) name;    --> references the caller memory

When stub_find_dynamic runs:

    for (i = 0; i < count; i++) {
       if (strcmp(name, (const char *) dynamic_stubs[i].name) == 0) {    ---> accesses caller memory
          stub = &dynamic_stubs[i];
          break;
       }
    }

If the extension name is allocated at runtime and freed by the caller, this bug fires:

    #include <stdlib.h>
    #include <string.h>
    #include <GL/glx.h>

    int main(void)
    {
        char *p = (char *) malloc(24);          /* 23 characters + NUL */
        p[23] = '\0';
        strcpy(p, "glFramebufferTextureEXT");
        glXGetProcAddressARB((const GLubyte *) p);   /* stub stores the pointer p */
        free(p);
        glXGetProcAddressARB((const GLubyte *) "glFramebufferTextureEXT");   /* strcmp reads freed p */
        return 0;
    }

clang reports here:

    ==2640==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000c3a2 at pc 0x000000424971 bp 0x7fff00068ab0 sp 0x7fff00068268
    READ of size 1 at 0x60300000c3a2 thread T0
        #0 0x424970 in strcmp /run/media/wangxinyu/ubuntu-12-root/home/wangxinyu/llvmgit/clang_fedora/../projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:172
        #1 0x31f4e1225f in stub_find_dynamic (/lib64/libglapi.so.0+0x31f4e1225f)
        #2 0x31f4e120cd in _glapi_get_proc_address (/lib64/libglapi.so.0+0x31f4e120cd)
        #3 0x31f5e1a718 in glXGetProcAddress (/lib64/libGL.so.1+0x31f5e1a718)
        #4 0x4a0906 in initialize() (/home/wangxinyu/glut/a.out+0x4a0906)
        #5 0x4a0f9c in main (/home/wangxinyu/glut/a.out+0x4a0f9c)
    0x60300000c3a2 is located 2 bytes inside of 24-byte region [0x60300000c3a0,0x60300000c3b8)
    freed by thread T0 here:
        #0 0x48323b in free /run/media/wangxinyu/ubuntu-12-root/home/wangxinyu/llvmgit/clang_fedora/../projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30
        #1 0x4a08f7 in initialize() (/home/wangxinyu/glut/a.out+0x4a08f7)
        #2 0x4a0f9c in main (/home/wangxinyu/glut/a.out+0x4a0f9c)
    previously allocated by thread T0 here:
        #0 0x4834bb in __interceptor_malloc /run/media/wangxinyu/ubuntu-12-root/home/wangxinyu/llvmgit/clang_fedora/../projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
        #1 0x4a078b in initialize() (/home/wangxinyu/glut/a.out+0x4a078b)
        #2 0x4a0f9c in main (/home/wangxinyu/glut/a.out+0x4a0f9c)
        #3 0x31e9621d64 in __libc_start_main (/lib64/libc.so.6+0x31e9621d64)
    SUMMARY: AddressSanitizer: heap-use-after-free /run/media/wangxinyu/ubuntu-12-root/home/wangxinyu/llvmgit/clang_fedora/../projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:172 strcmp
    Shadow bytes around the buggy address:
      0x0c067fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff9850: fa fa fa fa fa fa 00 00 00 06 fa fa 00 00 00 05
      0x0c067fff9860: fa fa 00 00 00 07 fa fa 00 00 00 07 fa fa 00 00
    =>0x0c067fff9870: 06 fa fa fa[fd]fd fd fa fa fa fd fd fd fd fa fa
      0x0c067fff9880: fd fd fd fa fa fa 00 00 00 fa fa fa fd fd fd fd
      0x0c067fff9890: fa fa fd fd fd fa fa fa 00 00 00 00 fa fa fd fd
      0x0c067fff98a0: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
      0x0c067fff98b0: fd fd fd fa fa fa 00 00 00 fa fa fa fd fd fd fd
      0x0c067fff98c0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:     fa
      Heap right redzone:    fb
      Freed heap region:     fd
      Stack left redzone:    f1
      Stack mid redzone:     f2
      Stack right redzone:   f3
      Stack partial redzone: f4
      Stack after return:    f5
      Stack use after scope: f8
      Global redzone:        f9
      Global init order:     f6
      Poisoned by user:      f7
      Container overflow:    fc
      ASan internal:         fe
    ==2640==ABORTING
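The ownership fix the report points at, as an added example that is not Mesa's code: a simplified stub table (names, MAX_STUBS and lookup_after_caller_free are assumptions) whose stub_add_dynamic copies the name instead of aliasing the caller's buffer, so the report's register-free-lookup sequence no longer touches freed memory.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Simplified model of a dynamic stub table; layout and names are
 * illustrative, not Mesa's own code. */
#define MAX_STUBS 16

struct stub {
    char *name;   /* owned by the table, never a caller pointer */
    int slot;
};

static struct stub dynamic_stubs[MAX_STUBS];
static int dynamic_count;

/* The report's defect was `stub->name = name;` here: every later strcmp()
 * in stub_find_dynamic() then read memory the caller may have freed.
 * Copying the name gives the entry a lifetime independent of the caller. */
static struct stub *stub_add_dynamic(const char *name)
{
    if (dynamic_count >= MAX_STUBS) return NULL;
    char *copy = strdup(name);
    if (copy == NULL) return NULL;
    struct stub *s = &dynamic_stubs[dynamic_count];
    s->name = copy;
    s->slot = dynamic_count++;
    return s;
}

static struct stub *stub_find_dynamic(const char *name)
{
    for (int i = 0; i < dynamic_count; i++)
        if (strcmp(name, dynamic_stubs[i].name) == 0)
            return &dynamic_stubs[i];
    return NULL;
}

/* Same sequence as the reproducer: register through a heap buffer, free
 * that buffer, then look the name up again.  Returns the slot or -1. */
int lookup_after_caller_free(void)
{
    for (int i = 0; i < dynamic_count; i++) free(dynamic_stubs[i].name);
    dynamic_count = 0;
    char *p = strdup("glFramebufferTextureEXT");  /* caller-owned buffer */
    if (p == NULL || stub_add_dynamic(p) == NULL) return -1;
    free(p);   /* safe: the table holds its own copy */
    struct stub *s = stub_find_dynamic("glFramebufferTextureEXT");
    return s ? s->slot : -1;
}
```

Built with -fsanitize=address, the copying version stays silent where the aliasing version produced the strcmp heap-use-after-free shown above.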