compiling pidgin causes python to read freed memory

Joseph Bisch joseph.bisch at gmail.com
Fri Apr 14 13:02:01 EDT 2017 

Hi again,

When compiling Pidgin with a Python 3 compiled with ASan, ASan detects
a use after free. Specifically, Python is reading from memory that Gnt
had prematurely freed.

Analysis:

My guess is that the issue is caused by freeing the name variable
immediately after Py_SetProgramName() is called. Later, ASan triggers
on the Py_Initialize() call.

https://bitbucket.org/pidgin/main/src/107c6c2342ffd03ad2eae7a838f6b01adcf49291/finch/libgnt/gntwm.c?at=default&fileviewer=file-view-default#gntwm.c-1582

Note that the Python documentation for the Py_SetProgramName()
function explicitly states that the contents of the argument should
not change for the duration of the program's execution.

Joseph

ASan output:

=================================================================
==27341==ERROR: AddressSanitizer: heap-use-after-free on address
0x60200001fd70 at pc 0x000000447f71 bp 0x7ffe72c11d20 sp
0x7ffe72c114d0
READ of size 16 at 0x60200001fd70 thread T0
    #0 0x447f70 in __interceptor_wcslen
/home/joseph/aur/llvm-svn/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:591
    #1 0x7fedc4c65bed  (/usr/lib/libpython3.6m.so.1.0+0x224bed)
    #2 0x7fedc4c66739  (/usr/lib/libpython3.6m.so.1.0+0x225739)
    #3 0x7fedc4c67000 in Py_GetProgramFullPath
(/usr/lib/libpython3.6m.so.1.0+0x226000)
    #4 0x7fedc4c64826 in _PySys_Init (/usr/lib/libpython3.6m.so.1.0+0x223826)
    #5 0x7fedc4c31150 in _Py_InitializeEx_Private
(/usr/lib/libpython3.6m.so.1.0+0x1f0150)
    #6 0x7fedc5c5ec65 in gnt_wm_class_init
/home/joseph/pidgin-fuzz/main2/finch/libgnt/gntwm.c:1587:3
    #7 0x7fedc34eb4d6 in g_type_class_ref (/usr/lib/libgobject-2.0.so.0+0x304d6)
    #8 0x50b781 in dump_properties
/home/joseph/pidgin-fuzz/main2/finch/libgnt/tmp-introspectwzbhauez/Gnt-2.9.c:137:15
    #9 0x50aab7 in dump_object_type
/home/joseph/pidgin-fuzz/main2/finch/libgnt/tmp-introspectwzbhauez/Gnt-2.9.c:260:3
    #10 0x50aab7 in dump_type
/home/joseph/pidgin-fuzz/main2/finch/libgnt/tmp-introspectwzbhauez/Gnt-2.9.c:402
    #11 0x50aab7 in dump_irepository
/home/joseph/pidgin-fuzz/main2/finch/libgnt/tmp-introspectwzbhauez/Gnt-2.9.c:547
    #12 0x50aab7 in main
/home/joseph/pidgin-fuzz/main2/finch/libgnt/tmp-introspectwzbhauez/Gnt-2.9.c:610
    #13 0x7fedc2801510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #14 0x41a8c9 in _start
(/home/joseph/pidgin-fuzz/main2/finch/libgnt/tmp-introspectwzbhauez/.libs/lt-Gnt-2.9+0x41a8c9)

0x60200001fd70 is located 0 bytes inside of 16-byte region
[0x60200001fd70,0x60200001fd80)
freed by thread T0 here:
    #0 0x4d0af0 in __interceptor_cfree.localalias.1
/home/joseph/aur/llvm-svn/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:54
    #1 0x7fedc5c5ec60 in gnt_wm_class_init
/home/joseph/pidgin-fuzz/main2/finch/libgnt/gntwm.c:1583:3
    #2 0x7fedc34eb4d6 in g_type_class_ref (/usr/lib/libgobject-2.0.so.0+0x304d6)

previously allocated by thread T0 here:
    #0 0x4d0ca8 in __interceptor_malloc
/home/joseph/aur/llvm-svn/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7fedc2ff3bb8 in g_malloc (/usr/lib/libglib-2.0.so.0+0x4fbb8)
    #2 0x7fedc34eb4d6 in g_type_class_ref (/usr/lib/libgobject-2.0.so.0+0x304d6)

SUMMARY: AddressSanitizer: heap-use-after-free
/home/joseph/aur/llvm-svn/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:591
in __interceptor_wcslen
Shadow bytes around the buggy address:
  0x0c047fffbf50: fa fa 00 00 fa fa 00 04 fa fa 00 04 fa fa 00 00
  0x0c047fffbf60: fa fa 03 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fffbf70: fa fa 00 00 fa fa 03 fa fa fa 00 00 fa fa 00 00
  0x0c047fffbf80: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 03 fa
  0x0c047fffbf90: fa fa 00 00 fa fa 00 00 fa fa 03 fa fa fa 00 00
=>0x0c047fffbfa0: fa fa 00 00 fa fa 00 03 fa fa 00 03 fa fa[fd]fd
  0x0c047fffbfb0: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa 00 00
  0x0c047fffbfc0: fa fa 00 01 fa fa 00 01 fa fa 00 00 fa fa 00 fa
  0x0c047fffbfd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffbfe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffbff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27341==ABORTING
Command '['/home/joseph/pidgin-fuzz/main2/finch/libgnt/tmp-introspectwzbhauez/Gnt-2.9',
'--introspect-dump=/home/joseph/pidgin-fuzz/main2/finch/libgnt/tmp-introspectwzbhauez/functions.txt,/home/joseph/pidgin-fuzz/main2/finch/libgnt/tmp-introspectwzbhauez/dump.xml']'
returned non-zero exit status 1.
make[5]: *** [/usr/share/gobject-introspection-1.0/Makefile.introspection:156:
Gnt-2.9.gir] Error 1

More information about the security mailing list