usbfluxd
UAF in client_close
Looks like due to improper bookkeeping client_close is called twice for the same client, which has already been free'd, leading to a UAF.
ASan:
==33430==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000007a0
at pc 0x55d4554839b3 bp 0x7ffe3219c350 sp 0x7ffe3219c340
READ of size 4 at 0x6080000007a0 thread T0
#0 0x55d4554839b2 in client_close /usbfluxd/usbfluxd/client.c:238
#1 0x55d455485059 in client_notify_remote_close /usbfluxd/usbfluxd/client.c:390
#2 0x55d4554922d8 in usbmux_remote_dispose /usbfluxd/usbfluxd/usbmux_remote.c:914
#3 0x55d45549113a in remote_mark_dead /usbfluxd/usbfluxd/usbmux_remote.c:552
#4 0x55d45549253d in usbmux_remote_mark_dead /usbfluxd/usbfluxd/usbmux_remote.c:933
#5 0x55d4554956c2 in remote_process_recv /usbfluxd/usbfluxd/usbmux_remote.c:1231
#6 0x55d4554967b6 in usbmux_remote_process /usbfluxd/usbfluxd/usbmux_remote.c:1343
#7 0x55d455499526 in main_loop /usbfluxd/usbfluxd/main.c:159
#8 0x55d45549a870 in main /usbfluxd/usbfluxd/main.c:477
#9 0x7f3ed253bb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
#10 0x55d45548295d in _start (/usr/local/sbin/usbfluxd+0xa95d)
0x6080000007a0 is located 0 bytes inside of 96-byte region [0x6080000007a0,0x608000000800)
freed by thread T0 here:
#0 0x7f3ed2932f19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x55d455483c29 in client_close /usbfluxd/usbfluxd/client.c:254
#2 0x55d45548b19d in client_process /usbfluxd/usbfluxd/client.c:1019
#3 0x55d4554993cf in main_loop /usbfluxd/usbfluxd/main.c:156
#4 0x55d45549a870 in main /usbfluxd/usbfluxd/main.c:477
#5 0x7f3ed253bb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
previously allocated by thread T0 here:
#0 0x7f3ed2933279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55d45548334c in client_accept /usbfluxd/usbfluxd/client.c:199
#2 0x55d455499242 in main_loop /usbfluxd/usbfluxd/main.c:149
#3 0x55d45549a870 in main /usbfluxd/usbfluxd/main.c:477
#4 0x7f3ed253bb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
SUMMARY: AddressSanitizer: heap-use-after-free /usbfluxd/usbfluxd/client.c:238 in client_close
Shadow bytes around the buggy address:
0x0c107fff80a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fff80b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fff80c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fff80d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fff80e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff80f0: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fd
0x0c107fff8100: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fff8110: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fff8120: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fff8130: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fff8140: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==33430==ABORTING
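The trace above shows the shape of the bug: the client is freed from client_process (client.c:254) and then touched again from usbmux_remote_dispose via client_notify_remote_close (client.c:238). The model below is an added example, not usbfluxd's code; the structs are simplified stand-ins and the function names mirror the trace only for readability. It shows the bookkeeping gap that allows a second close (a remote still holding a pointer to a freed client) and the hardened variant, where every owner's reference is cleared before the memory is released. The `detach_from_remote` switch, `remote_dangling_refs`, `scenario` and the `free_count` hook are assumptions made for the example.

```c
/* Added example, not usbfluxd code: a minimal model of the double-close
 * reported above. A client is referenced by two owners, the global client
 * list and the remote that proxies it. If client_close() frees the client but
 * does not clear the remote's back-reference, disposing the remote later
 * hands the stale pointer to client_close() a second time (the UAF). */
#include <stdio.h>
#include <stdlib.h>

#define MAX_REFS 8

struct client;

struct remote {
    struct client *refs[MAX_REFS];  /* back-references to clients it serves (owner #2) */
};

struct client {
    int id;
    struct remote *remote;          /* remote proxying this client, or NULL */
    struct client *next;            /* link in the global client list */
};

static struct client *client_list;  /* owner #1 */
static int free_count;              /* how many clients were freed (observation hook) */

/* Mirrors client_accept(): allocate and register with both owners. */
struct client *client_accept(int id, struct remote *r)
{
    struct client *c = calloc(1, sizeof *c);
    if (!c)
        abort();
    c->id = id;
    c->remote = r;
    c->next = client_list;
    client_list = c;
    if (r) {
        for (int i = 0; i < MAX_REFS; i++) {
            if (!r->refs[i]) {
                r->refs[i] = c;
                break;
            }
        }
    }
    return c;
}

/* Remove c from the global list; returns 1 if it was there. */
static int client_unlink(struct client *c)
{
    for (struct client **pp = &client_list; *pp; pp = &(*pp)->next) {
        if (*pp == c) {
            *pp = c->next;
            return 1;
        }
    }
    return 0;
}

/* Clear every slot in the remote that points at c. */
static void remote_forget_client(struct remote *r, struct client *c)
{
    if (!r)
        return;
    for (int i = 0; i < MAX_REFS; i++)
        if (r->refs[i] == c)
            r->refs[i] = NULL;
}

/* detach_from_remote == 0 reproduces the bookkeeping gap from the report:
 * the client is freed while the remote still holds a pointer to it.
 * detach_from_remote == 1 is the hardened version. */
void client_close(struct client *c, int detach_from_remote)
{
    client_unlink(c);
    if (detach_from_remote)
        remote_forget_client(c->remote, c);
    free(c);
    free_count++;
}

/* Mirrors usbmux_remote_dispose(): close whatever the remote still references.
 * Given a stale pointer left by the buggy path, this is the second, UAF close. */
int remote_dispose(struct remote *r)
{
    int closed = 0;
    for (int i = 0; i < MAX_REFS; i++) {
        if (r->refs[i]) {
            client_close(r->refs[i], 1);
            closed++;
        }
    }
    return closed;
}

/* Pointers the remote still holds, counted without dereferencing them. */
int remote_dangling_refs(const struct remote *r)
{
    int n = 0;
    for (int i = 0; i < MAX_REFS; i++)
        if (r->refs[i])
            n++;
    return n;
}

/* Run the sequence from the report: client_process closes the client, then the
 * remote is marked dead and disposed. Returns how many references the remote
 * still held between those two steps; anything but 0 means a second close. */
int scenario(int detach_from_remote)
{
    struct remote r = {0};
    client_list = NULL;
    free_count = 0;

    struct client *c = client_accept(1, &r);
    client_close(c, detach_from_remote);   /* first close, as at client.c:254 */
    int stale = remote_dangling_refs(&r);

    /* Only dispose when it is safe; with a stale pointer this would be the
     * close-on-freed-memory that ASan reported. */
    if (stale == 0)
        remote_dispose(&r);
    return stale;
}

int main(void)
{
    int buggy = scenario(0);
    printf("buggy bookkeeping: %d stale reference(s) left in remote\n", buggy);
    int fixed = scenario(1);
    printf("hardened: %d stale reference(s), client freed %d time(s)\n", fixed, free_count);
    return 0;
}
```

The check a reviewer wants after a fix like this is the invariant `scenario` returns: once a client is closed, no owner may still reach it. Running the daemon under ASan, as the reporter did, is the practical way to confirm that invariant holds on the real code paths.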
This should now be fixed in master - if you can verify