oss-sec mailing list archives
CVE-2016-9584: heap use-after-free on libical
From: Agustin Mista <mista.agustin () gmail com>
Date: Thu, 15 Dec 2016 14:38:19 +0000
We found a heap use-after-free in a recent revision of libical (f3688b444f820cecf51b1539b0856a392c0fdb0f), using a specially crafted ics file. This bug looks particularly dangerous since it allows reading a big chunk of the heap memory. The AddressSanitizer report is as follows:

==14573==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700001e394 at pc 0x00000044478e bp 0x7fffffffc4a0 sp 0x7fffffffbc28
READ of size 62 at 0x60700001e394 thread T0
    #0 0x44478d (/home/agustin/Code/libical/build/src/test/parser+0x44478d)
    #1 0x444eb3 (/home/agustin/Code/libical/build/src/test/parser+0x444eb3)
    #2 0x4461f0 (/home/agustin/Code/libical/build/src/test/parser+0x4461f0)
    #3 0x7ffff7b519e8 (/home/agustin/Code/libical/build/lib/libical.so.2+0x19a9e8)
    #4 0x7ffff7b5a40f (/home/agustin/Code/libical/build/lib/libical.so.2+0x1a340f)
    #5 0x7ffff7add113 (/home/agustin/Code/libical/build/lib/libical.so.2+0x126113)
    #6 0x7ffff7a978ec (/home/agustin/Code/libical/build/lib/libical.so.2+0xe08ec)
    #7 0x7ffff7a97b4a (/home/agustin/Code/libical/build/lib/libical.so.2+0xe0b4a)
    #8 0x7ffff7a96f11 (/home/agustin/Code/libical/build/lib/libical.so.2+0xdff11)
    #9 0x4b8db7 (/home/agustin/Code/libical/build/src/test/parser+0x4b8db7)
    #10 0x7ffff61baf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #11 0x4b829c (/home/agustin/Code/libical/build/src/test/parser+0x4b829c)

0x60700001e394 is located 4 bytes inside of 66-byte region [0x60700001e390,0x60700001e3d2)
freed by thread T0 here:
    #0 0x49a99b (/home/agustin/Code/libical/build/src/test/parser+0x49a99b)
    #1 0x7ffff7abab48 (/home/agustin/Code/libical/build/lib/libical.so.2+0x103b48)
    #2 0x7ffff7ad0da1 (/home/agustin/Code/libical/build/lib/libical.so.2+0x119da1)
    #3 0x4b8cde (/home/agustin/Code/libical/build/src/test/parser+0x4b8cde)
    #4 0x7ffff61baf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

previously allocated by thread T0 here:
    #0 0x49ac1b (/home/agustin/Code/libical/build/src/test/parser+0x49ac1b)
    #1 0x7ffff7aba55a (/home/agustin/Code/libical/build/lib/libical.so.2+0x10355a)
    #2 0x7ffff7ad7777 (/home/agustin/Code/libical/build/lib/libical.so.2+0x120777)
    #3 0x7ffff7ad808a (/home/agustin/Code/libical/build/lib/libical.so.2+0x12108a)
    #4 0x7ffff7ad0220 (/home/agustin/Code/libical/build/lib/libical.so.2+0x119220)
    #5 0x4b8cde (/home/agustin/Code/libical/build/src/test/parser+0x4b8cde)
    #6 0x7ffff61baf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c0e7fffbc20: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0e7fffbc30: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fffbc40: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fffbc50: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c0e7fffbc60: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
=>0x0c0e7fffbc70: fa fa[fd]fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0e7fffbc80: fd fd fd fd fd fd fd fd fd fd fa fa fa fa 00 00
  0x0c0e7fffbc90: 00 00 00 00 00 00 03 fa fa fa fa fa fd fd fd fd
  0x0c0e7fffbca0: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fffbcb0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fffbcc0: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd

And the backtrace is available here:

#0  0x00007ffff61cfc37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff61d3028 in __GI_abort () at abort.c:89
#2  0x00000000004b1356 in __sanitizer::Abort() ()
#3  0x00000000004a2037 in __asan::AsanDie() ()
#4  0x00000000004a8a6f in __sanitizer::Die() ()
#5  0x00000000004a06cb in __asan::ScopedInErrorReport::~ScopedInErrorReport() ()
#6  0x00000000004a0211 in __asan_report_error ()
#7  0x00000000004447a9 in printf_common(void*, char const*, __va_list_tag*) ()
#8  0x0000000000444eb4 in vsnprintf ()
#9  0x00000000004461f1 in snprintf ()
#10 0x00007ffff7b519e9 in icalreqstattype_as_string_r (stat=...) at /home/agustin/Code/libical/src/libical/icaltypes.c:171
#11 0x00007ffff7b5a410 in icalvalue_as_ical_string_r (value=0x60e0000280c0) at /home/agustin/Code/libical/src/libical/icalvalue.c:1208
#12 0x00007ffff7add114 in icalproperty_as_ical_string_r (prop=0x6060000010a0) at /home/agustin/Code/libical/src/libical/icalproperty.c:442
#13 0x00007ffff7a978ed in icalcomponent_as_ical_string_r (impl=0x60700001e7f0) at /home/agustin/Code/libical/src/libical/icalcomponent.c:291
#14 0x00007ffff7a97b4b in icalcomponent_as_ical_string_r (impl=0x60700000ded0) at /home/agustin/Code/libical/src/libical/icalcomponent.c:300
#15 0x00007ffff7a96f12 in icalcomponent_as_ical_string (impl=0x60700000ded0) at /home/agustin/Code/libical/src/libical/icalcomponent.c:247
#16 0x00000000004b8db8 in main (argc=2, argv=0x7fffffffdf08) at /home/agustin/Code/libical/src/test/icaltestparser.c:109

It is worth mentioning that there is a very similar bug (CVE-2016-5824) found in the libical version used by Thunderbird, but we think it is *not* the same as this one. In fact, we've tested it on Thunderbird and it does *not* crash. The reproducer is available upon request. Unfortunately, there is no fix yet, but upstream is working on it.

Regards.
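The backtrace above shows the freed 66-byte region being read by a `%s` conversion inside `snprintf`, called from a `*_as_string_r` serialiser: a struct still carries a pointer to memory that was released earlier in the parse. The following is an added example written for this page, not libical code and not the reporter's reproducer; the struct names (`status_borrowed`, `status_owned`), the functions and the sample description string are all hypothetical. It models that bug class in miniature: a "borrowed" status that formats whatever its `desc` pointer aliases (a heap use-after-free read once the source buffer is freed, which an `-fsanitize=address` build reports exactly as above), beside an "owned" variant whose lifetime, not the caller's buffer, governs the string it formats.

```c
/* Added example (not libical code): the dangling-pointer-in-struct pattern
 * behind a snprintf("%s") heap use-after-free, beside an owning variant.
 * Build: cc -g -fsanitize=address uaf_demo.c && ./a.out
 */
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status type whose description is borrowed from elsewhere. */
struct status_borrowed {
    int code;
    const char *desc;   /* aliases memory owned by someone else */
};

/* Hypothetical status type that owns a private copy of the description. */
struct status_owned {
    int code;
    char *desc;         /* heap copy owned by this struct, or NULL */
};

/* Vulnerable pattern: formats whatever desc points at. Nothing here can tell
 * whether that memory is still live; if the caller freed it, the "%s" read
 * walks freed heap until the first NUL, which is what ASan flags above. */
int status_borrowed_format(const struct status_borrowed *s, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%d;%s", s->code, s->desc);
}

/* Hardened pattern: copy at construction time, so the struct's own lifetime
 * governs when the description becomes invalid. Returns -1 on OOM. */
int status_owned_init(struct status_owned *s, int code, const char *desc)
{
    s->code = code;
    s->desc = desc ? strdup(desc) : NULL;
    return (desc && !s->desc) ? -1 : 0;
}

/* Formats "code;desc"; a NULL desc (never set, or already released) prints
 * as empty instead of being dereferenced. Returns snprintf's length. */
int status_owned_format(const struct status_owned *s, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%d;%s", s->code, s->desc ? s->desc : "");
}

/* Releases the copy and clears the pointer so no dangling reference survives. */
void status_owned_free(struct status_owned *s)
{
    free(s->desc);
    s->desc = NULL;
}

int main(void)
{
    char out[64];
    char *src = strdup("Invalid property value");   /* constructed sample input */
    struct status_borrowed b = { 3, src };
    struct status_owned o;

    if (!src || status_owned_init(&o, 3, src) != 0)
        return 1;
    free(src);   /* source buffer is gone: b.desc now dangles, o.desc does not */

    status_owned_format(&o, out, sizeof out);      /* safe: formats our own copy */
    printf("owned:    %s\n", out);
    status_owned_free(&o);

    status_borrowed_format(&b, out, sizeof out);   /* heap-use-after-free READ under ASan */
    printf("borrowed: %s\n", out);
    return 0;
}
```

Run under AddressSanitizer, the second `snprintf` is reported as a heap-use-after-free READ at the `%s` conversion inside `printf_common`/`vsnprintf`, with the same "freed by" and "previously allocated by" stacks shape seen in the report; without the sanitizer it silently prints whatever the allocator left in the freed chunk, which is why the reporter calls the bug an information leak rather than a plain crash. The fix pattern shown (own the copy, clear on free, tolerate NULL when formatting) is one general remedy for this class, not a description of the upstream patch, which had not been published when this message was sent.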
Current thread:
- CVE-2016-9584: heap use-after-free on libical Agustin Mista (Dec 15)
- Re: CVE-2016-9584: heap use-after-free on libical Brandon Perry (Dec 15)
- Re: CVE-2016-9584: heap use-after-free on libical Brandon Perry (Dec 15)
- Re: CVE-2016-9584: heap use-after-free on libical Agustin Mista (Dec 19)
- Re: CVE-2016-9584: heap use-after-free on libical Brandon Perry (Dec 15)
- Re: CVE-2016-9584: heap use-after-free on libical Brandon Perry (Dec 15)