Use After Free in new_object in libredwg/libredwg

Valid

Reported on

Mar 22nd 2022


Description

Heap use after free in new_object function.

ASAN report:

=================================================================
==2514600==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000401d0 at pc 0x00000230a00e bp 0x7ffcfdbe1dd0 sp 0x7ffcfdbe1dc8
READ of size 2 at 0x6020000401d0 thread T0
    #0 0x230a00d in new_object /root/vulreproduce/libredwg/src/in_dxf.c:9102:21
    #1 0x22da646 in dxf_objects_read /root/vulreproduce/libredwg/src/in_dxf.c:12384:22
    #2 0x22cef45 in dwg_read_dxf /root/vulreproduce/libredwg/src/in_dxf.c:12921:23
    #3 0x4cbeca in dxf_read_file /root/vulreproduce/libredwg/src/dwg.c:381:13
    #4 0x4c9511 in main /root/vulreproduce/libredwg/programs/dxfwrite.c
    #5 0x7fb8058dd0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41c42d in _start (/root/vulreproduce/libredwg/programs/dxfwrite+0x41c42d)

0x6020000401d0 is located 0 bytes inside of 16-byte region [0x6020000401d0,0x6020000401e0)
freed by thread T0 here:
    #0 0x497422 in free (/root/vulreproduce/libredwg/programs/dxfwrite+0x497422)
    #1 0x22d05fe in dxf_free_pair /root/vulreproduce/libredwg/src/in_dxf.c:546:3

previously allocated by thread T0 here:
    #0 0x497802 in calloc (/root/vulreproduce/libredwg/programs/dxfwrite+0x497802)
    #1 0x22ca634 in xcalloc /root/vulreproduce/libredwg/src/in_dxf.c:216:7

SUMMARY: AddressSanitizer: heap-use-after-free /root/vulreproduce/libredwg/src/in_dxf.c:9102:21 in new_object
Shadow bytes around the buggy address:
  0x0c047fffffe0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047ffffff0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480000000: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480000010: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480000020: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c0480000030: fa fa fd fd fa fa fd fd fa fa[fd]fd fa fa fa fa
  0x0c0480000040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480000050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480000060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480000070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480000080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2514600==ABORTING

How can we reproduce the issue?

Compile command

CC="clang" CFLAGS="-O1 -g -fsanitize=address" ./configure --enable-release --disable-shared && make -j $(nproc)

reproduce command

poc: tests_65360.zip

unzip tests_65360.zip
./dxfwrite -I DXF -o /dev/null -y <poc_file>

Impact

latest commit and latest release

$ cat /etc/issue Ubuntu 20.04.3 LTS \n \l

References

We are processing your report and will contact the libredwg team within 24 hours. 2 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the libredwg team and are waiting to hear back 2 months ago
libredwg/libredwg maintainer validated this vulnerability 2 months ago
peacock-doris has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome
2 months ago

Admin


@peacock-doris - can you confirm which branch and commit you found these issues in?

peacock-doris
2 months ago

Researcher


@Jamie Slome I mention in report: it's is a hyperlink

latest commit

https://github.com/LibreDWG/libredwg/commit/477fc5ba605546a167e34bdd43e2eba38f7692c0

We have sent a fix follow up to the libredwg team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the libredwg team. We will try again in 10 days. 2 months ago
libredwg/libredwg maintainer confirmed that a fix has been merged on fa4a34 2 months ago
The fix bounty has been dropped
to join this conversation