View Issue Details

ID: 0000683
Project: file
Category: General
View Status: public
Last Update: 2025-09-25 04:41
Reporter: hgarrereyn
Assigned To: (none)
Priority: low
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Summary: 0000683: heap uaf in file_magwarn
Description:
The following testcase triggers a heap use-after-free in the diagnostic path of `magic_list`. Specifically, it looks like the filename for a magic db is `strdup`'ed during loading and then freed if there is an error, but it is somehow retained and referenced in subsequent `magic_` error paths.

The following testcase demonstrates the issue on the most recent commit `7ed3febf`:

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <unistd.h>

extern "C" {
#include "magic.h"
}

// Write `data` to a fresh temp file and return its heap-allocated path
// (nullptr on failure). The caller owns the returned string.
static char *write_to_temp_file(const char *data, size_t len) {
    char tmpl[] = "/tmp/libmagicXXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return nullptr;
    size_t off = 0;
    while (off < len) {
        ssize_t w = write(fd, data + off, len - off);
        if (w <= 0) break;
        off += (size_t)w;
    }
    close(fd);
    return strdup(tmpl);
}

int main() {
    magic_t ms = magic_open(0);
    if (!ms) return 0;

    // First load: the database path is strdup'ed inside file_apprentice.
    char *p1 = write_to_temp_file("aaaaaaaa", 8);
    if (!p1) return 0;
    (void)magic_check(ms, p1);

    // Second load: file_apprentice frees the path saved by the first load,
    // and the file_magwarn diagnostic path then reads the freed memory.
    char *p2 = write_to_temp_file("bbbbbbbb", 8);
    if (!p2) return 0;
    (void)magic_list(ms, p2);

    // Not reached under ASan; cleanup for the non-crashing case.
    magic_close(ms);
    unlink(p1);
    unlink(p2);
    free(p1);
    free(p2);
    return 0;
}
```

**crash report**
```
==200==ERROR: AddressSanitizer: heap-use-after-free on address 0x503000000070 at pc 0x555bada2c602 bp 0x7ffe9f21be60 sp 0x7ffe9f21b5e8
READ of size 2 at 0x503000000070 thread T0
    #0 0x555bada2c601 in printf_common(void*, char const*, __va_list_tag*) asan_interceptors.cpp.o
    #1 0x555bada2e05b in fprintf (/fuzz/workspace/6c7d8a7f+0x5205b) (BuildId: f3b091eaf84df69d55e59fe4a16350182aaa4a20)
    #2 0x7f50a30fd072 in file_magwarn /fuzz/src/src/print.c:288:10
    #3 0x7f50a30bc673 in apprentice_1 /fuzz/src/src/apprentice.c:503:4
    #4 0x7f50a30bc673 in file_apprentice /fuzz/src/src/apprentice.c:780:13
    #5 0x555badae3755 in main /fuzz/workspace/6c7d8a7f.cpp:38:11
    #6 0x7f50a2b54d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f50a2b54e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x555bada08334 in _start (/fuzz/workspace/6c7d8a7f+0x2c334) (BuildId: f3b091eaf84df69d55e59fe4a16350182aaa4a20)

0x503000000070 is located 0 bytes inside of 20-byte region [0x503000000070,0x503000000084)
freed by thread T0 here:
    #0 0x555badaa4436 in free (/fuzz/workspace/6c7d8a7f+0xc8436) (BuildId: f3b091eaf84df69d55e59fe4a16350182aaa4a20)
    #1 0x7f50a30bba69 in file_apprentice /fuzz/src/src/apprentice.c:755:2
    #2 0x555badae3755 in main /fuzz/workspace/6c7d8a7f.cpp:38:11
    #3 0x7f50a2b54d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x555bada8c51d in strdup (/fuzz/workspace/6c7d8a7f+0xb051d) (BuildId: f3b091eaf84df69d55e59fe4a16350182aaa4a20)
    #1 0x7f50a30bba72 in file_apprentice /fuzz/src/src/apprentice.c:756:22
    #2 0x555badae3658 in main /fuzz/workspace/6c7d8a7f.cpp:33:11
    #3 0x7f50a2b54d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free asan_interceptors.cpp.o in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x502ffffffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x502ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x502ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x502fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x502fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x503000000000: fa fa 00 00 00 fa fa fa 00 00 04 fa fa fa[fd]fd
  0x503000000080: fd fa fa fa fd fd fd fa fa fa 00 00 04 fa fa fa
  0x503000000100: 00 00 04 fa fa fa fd fd fd fa fa fa fa fa fa fa
  0x503000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==200==ABORTING
```
Steps To Reproduce: Compile and run the testcase.
Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2025-09-25 04:41 hgarrereyn New Issue