Use After Free in new_object in libredwg/libredwg
Reported on
Mar 22nd 2022
Description
Heap use-after-free in the new_object function (src/in_dxf.c:9102): a 16-byte region freed by dxf_free_pair is read again while parsing a crafted DXF file.
ASAN report:
=================================================================
==2514600==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000401d0 at pc 0x00000230a00e bp 0x7ffcfdbe1dd0 sp 0x7ffcfdbe1dc8
READ of size 2 at 0x6020000401d0 thread T0
#0 0x230a00d in new_object /root/vulreproduce/libredwg/src/in_dxf.c:9102:21
#1 0x22da646 in dxf_objects_read /root/vulreproduce/libredwg/src/in_dxf.c:12384:22
#2 0x22cef45 in dwg_read_dxf /root/vulreproduce/libredwg/src/in_dxf.c:12921:23
#3 0x4cbeca in dxf_read_file /root/vulreproduce/libredwg/src/dwg.c:381:13
#4 0x4c9511 in main /root/vulreproduce/libredwg/programs/dxfwrite.c
#5 0x7fb8058dd0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#6 0x41c42d in _start (/root/vulreproduce/libredwg/programs/dxfwrite+0x41c42d)
0x6020000401d0 is located 0 bytes inside of 16-byte region [0x6020000401d0,0x6020000401e0)
freed by thread T0 here:
#0 0x497422 in free (/root/vulreproduce/libredwg/programs/dxfwrite+0x497422)
#1 0x22d05fe in dxf_free_pair /root/vulreproduce/libredwg/src/in_dxf.c:546:3
previously allocated by thread T0 here:
#0 0x497802 in calloc (/root/vulreproduce/libredwg/programs/dxfwrite+0x497802)
#1 0x22ca634 in xcalloc /root/vulreproduce/libredwg/src/in_dxf.c:216:7
SUMMARY: AddressSanitizer: heap-use-after-free /root/vulreproduce/libredwg/src/in_dxf.c:9102:21 in new_object
Shadow bytes around the buggy address:
==2514600==ABORTING
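Triaging a report like this means pulling the faulting site, the free site and the allocation site out of the sanitizer output and deriving a dedup key so further crashes on the same path are not filed twice. The following Python is an added example, not part of this report or of libredwg; it parses a trimmed copy of the ASAN output above (constructed sample) using a generic ASAN frame grammar, which is an assumption about the format but sufficient for this output.

```python
import re
# Constructed sample: the ASAN output quoted above, trimmed to the frames of interest.
ASAN_REPORT = """\
==2514600==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000401d0 at pc 0x00000230a00e
READ of size 2 at 0x6020000401d0 thread T0
    #0 0x230a00d in new_object /root/vulreproduce/libredwg/src/in_dxf.c:9102:21
    #1 0x22da646 in dxf_objects_read /root/vulreproduce/libredwg/src/in_dxf.c:12384:22
freed by thread T0 here:
    #0 0x497422 in free (/root/vulreproduce/libredwg/programs/dxfwrite+0x497422)
    #1 0x22d05fe in dxf_free_pair /root/vulreproduce/libredwg/src/in_dxf.c:546:3
previously allocated by thread T0 here:
    #1 0x22ca634 in xcalloc /root/vulreproduce/libredwg/src/in_dxf.c:216:7
"""
HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
SRC_RE = re.compile(r"^(?P<file>[^:()]+)(?::(?P<line>\d+))?(?::\d+)?$")  # file[:line[:col]]
ALLOCATOR = {"malloc", "calloc", "realloc", "free"}  # libc frames, never the bug site

def parse_asan(text):
    """Split an ASAN report into bug kind, access op/size and the three frame lists."""
    rec = {"kind": None, "op": None, "size": None,
           "stacks": {"access": [], "freed": [], "allocated": []}}
    current = "access"
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            rec["kind"] = m.group("kind")
        elif m := ACCESS_RE.match(line):
            rec["op"], rec["size"] = m.group("op"), int(m.group("size"))
        elif line.startswith("freed by"):
            current = "freed"
        elif line.startswith("previously allocated"):
            current = "allocated"
        elif m := FRAME_RE.match(line):
            s = SRC_RE.match(m.group("loc"))  # None for "(binary+0xoffset)" frames
            rec["stacks"][current].append({"func": m.group("func"),
                "file": s.group("file") if s else None,
                "line": int(s.group("line")) if s and s.group("line") else None})
    return rec

def source_frames(frames):
    """Frames that resolved to a file:line, skipping the allocator itself."""
    return [f for f in frames if f["line"] and f["func"] not in ALLOCATOR]

def crash_key(rec, depth=3):
    """Dedup key: bug kind plus the top in-source frames (func:basename:line)."""
    top = source_frames(rec["stacks"]["access"])[:depth]
    return rec["kind"] + "|" + "|".join(
        f"{f['func']}:{f['file'].rsplit('/', 1)[-1]}:{f['line']}" for f in top)
```

For this report the key collapses to the new_object/dxf_objects_read path, so a second input that dies at the same line produces the same key and can be deduplicated before manual review.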
How can we reproduce the issue?
Compile command:
CC="clang" CFLAGS="-O1 -g -fsanitize=address" ./configure --enable-release --disable-shared && make -j $(nproc)
Reproduce command:
PoC: tests_65360.zip
unzip tests_65360.zip
./dxfwrite -I DXF -o /dev/null -y <poc_file>
Impact
Affected versions: latest commit and latest release at the time of reporting.
Test environment:
$ cat /etc/issue Ubuntu 20.04.3 LTS \n \l
References
SECURITY.md
@peacock-doris - can you confirm which branch and commit you found these issues in?
@Jamie Slome I mention it in the report: it's a hyperlink
https://github.com/LibreDWG/libredwg/commit/477fc5ba605546a167e34bdd43e2eba38f7692c0