View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000558 | file | General | public | 2024-09-03 08:34 | 2024-11-10 02:55 |
Reporter | yancy | Assigned To | christos | ||
Priority | high | Severity | crash | Reproducibility | always |
Status | assigned | Resolution | open | ||
Platform | x86 | OS | ubuntu | OS Version | 24.04 |
Summary: 0000558: heap-use-after-free when call magic_buffer

Description:

I encountered a heap-use-after-free issue while running fuzz tests on the libmagic library. The issue is triggered during the LLVMFuzzerTestOneInput function when handling magic files.

```
==77789==ERROR: AddressSanitizer: heap-use-after-free on address 0x502000000010 at pc 0x5632f023bbb2 bp 0x7ffcbef2d6b0 sp 0x7ffcbef2ce38
READ of size 2 at 0x502000000010 thread T0
    #0 0x5632f023bbb1 in printf_common(void*, char const*, __va_list_tag*) asan_interceptors.cpp.o
    #1 0x5632f023d77a in __fprintf_chk (/home/liyan/Test_libmagic/Test_libmagic_1+0x8f77a) (BuildId: 29d752196a895996a13081f8c32092656326bc50)
    #2 0x5632f02fca21 in fprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:79:10
    #3 0x5632f02fca21 in file_magwarn /home/liyan/Test_libmagic_1/file/build/src/../../src/print.c:288:10
    #4 0x5632f02ff7b2 in check_regex /home/liyan/Test_libmagic_1/file/build/src/../../src/funcs.c:707:3
    #5 0x5632f02ff7b2 in file_regcomp /home/liyan/Test_libmagic_1/file/build/src/../../src/funcs.c:722:6
    #6 0x5632f0303079 in alloc_regex /home/liyan/Test_libmagic_1/file/build/src/../../src/softmagic.c:2090:7
    #7 0x5632f0303079 in magiccheck /home/liyan/Test_libmagic_1/file/build/src/../../src/softmagic.c:2318:20
    #8 0x5632f030480d in match /home/liyan/Test_libmagic_1/file/build/src/../../src/softmagic.c:275:12
    #9 0x5632f0305e27 in file_softmagic /home/liyan/Test_libmagic_1/file/build/src/../../src/softmagic.c:136:13
    #10 0x5632f02feb99 in file_buffer /home/liyan/Test_libmagic_1/file/build/src/../../src/funcs.c:460:7
    #11 0x5632f02f54eb in magic_buffer /home/liyan/Test_libmagic_1/file/build
```

Steps To Reproduce:

1. Download the tar.gz file and decompress it, then (sudo) execute the shell script
2. /Test_libmagic_1 crash-58657a07daab09f8e32dfc582bc5c891bbfdab63
3. Observe the error message

Tags: magic
I ran this test (similar to yours, except with the load commented out) with your crash file as an argument, and it does not fail for me. Test_libmagic.c (1,130 bytes):
```c
#include <stdio.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <err.h>

// Library header file
#include <magic.h>

int main(int argc, char *argv[])
{
    static magic_t magic = NULL;
    struct stat st;

    if (argc < 2)
        errx(1, "usage: %s crash-file", argv[0]);

    int fd = open(argv[1], O_RDONLY);
    if (fd == -1)
        err(1, "open %s", argv[1]);
    if (fstat(fd, &st) == -1)
        err(1, "fstat");

    size_t size = st.st_size;
    // An empty input has nothing to analyze (and mmap() rejects a zero length)
    if (size == 0)
        return 0;

    // Map the crash file privately: libmagic can read it, and any writes hit the copy, not the file
    void *data = mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (data == MAP_FAILED)
        err(1, "mmap");

    // Open magic database
    if (magic == NULL) {
        magic = magic_open(MAGIC_NONE);
        if (magic == NULL) {
            err(1, "magic_open");
        }
#if 0
        const char *mfile = "/path/to/magic";
        if (magic_load(magic, mfile) == -1) {
            err(1, "magic_load");
        }
#endif
    }

    // Get magic descriptor
    magic_descriptor(magic, fileno(fmemopen((void *)data, size, "rb")));
    // Load magic buffers
    magic_load_buffers(magic, (void **)&data, &size, 1);
    // Analyze magic buffer
    magic_buffer(magic, data, size);
    return 0;
}
```
could not reproduce.
Thank you for your efforts in testing the code. I would like to clarify a few points regarding the reproducibility of the crash.

1. Reproducibility with LLVMFuzzerTestOneInput

   The issue I reported is indeed reproducible when using the LLVMFuzzerTestOneInput function with the fuzzing input. The crash is triggered during the execution of magic_buffer due to a heap-use-after-free error. This behavior has been consistently observed in my testing environment with the provided code.

2. Why the int main version does not reproduce

   The reason the crash does not occur when using the int main version of the code is due to the differences in how the input data is handled. Specifically, in the main() version, data is read from a file using mmap(), which provides a more stable memory mapping and does not rely on dynamic memory allocations or stream handling (e.g., fmemopen()) like the one in LLVMFuzzerTestOneInput. The code in LLVMFuzzerTestOneInput is more prone to memory access issues, especially when subjected to fuzzing input, which could explain why the crash does not occur in the main() version.

3. Next Steps and Further Verification

   I kindly ask that you use the original code with LLVMFuzzerTestOneInput to further investigate the issue. Given the reproducibility of the crash, I believe there may be a deeper vulnerability that requires closer inspection. It would be greatly appreciated if you could use the provided code and the fuzzing input to verify whether the potential bug can be identified and addressed.
Date Modified | Username | Field | Change |
---|---|---|---|
2024-09-03 08:34 | yancy | New Issue | |
2024-09-03 08:34 | yancy | Tag Attached: magic | |
2024-09-03 08:34 | yancy | File Added: Test_libmagic_1.tar.gz | |
2024-11-09 22:40 | christos | Note Added: 0004078 | |
2024-11-09 22:40 | christos | File Added: Test_libmagic.c | |
2024-11-09 22:40 | christos | Assigned To | => christos |
2024-11-09 22:40 | christos | Status | new => assigned |
2024-11-09 22:41 | christos | Status | assigned => feedback |
2024-11-09 22:41 | christos | Note Added: 0004079 | |
2024-11-10 02:55 | yancy | Note Added: 0004092 | |
2024-11-10 02:55 | yancy | Status | feedback => assigned |