Use after free (or assert triggered) with failed allocations in openssl
Reported by catenacyber
## Summary:
A heap use-after-free (or an assertion failure) can be triggered if some allocations fail.
I am not sure whether you consider allocation failures to be security issues, and I am not sure whether the issue lies in curl or in OpenSSL, but I still think you want something to be fixed.
I did not use AI.
## Affected version
Using commit 48c6927f3b708fc6b6c0cd65d7971380798c8696
## Steps To Reproduce:
Use https://github.com/curl/curl-fuzzer/pull/173 and see the failed runs.
Run `FUZZ_VERBOSE=1 /out/curl_fuzzer_http repro`, with the `repro` file created by `echo AJ4AAAACfkIAAQAAAAVAMT86PQ== | base64 -d > repro`. I see the following stack traces:
```
failed malloc(32)
#0 0x561a08afee21 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x561a08b33df2 in nalloc_backtrace_exclude(unsigned long, char const*) /src/curl_fuzzer/nallocinc.c:250:9
#2 0x561a08b33df2 in nalloc_fail(unsigned long, char const*) /src/curl_fuzzer/nallocinc.c:278:13
#3 0x561a08b3416e in malloc /src/curl_fuzzer/nallocinc.c:342:9
#4 0x561a090ff417 in CRYPTO_malloc /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/mem.c:211:11
#5 0x561a090ff417 in CRYPTO_zalloc /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/mem.c:231:11
#6 0x561a09192f2a in sk_reserve /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/stack/stack.c:199:25
#7 0x561a091934a8 in OPENSSL_sk_insert /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/stack/stack.c:269:10
#8 0x561a090f75da in numname_insert /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:237:10
#9 0x561a090f75da in namemap_add_name /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:267:19
#10 0x561a090f8716 in ossl_namemap_add_name /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:302:18
#11 0x561a090f8716 in get_legacy_evp_names /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:406:15
#12 0x561a090efb56 in doall_util_fn /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/lhash/lhash.c:208:17
#13 0x561a090efb56 in OPENSSL_LH_doall_arg_thunk /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/lhash/lhash.c:239:5
#14 0x561a091290b9 in lh_OBJ_NAME_doall_OBJ_DOALL /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/objects/o_names.c:289:1
#15 0x561a091290b9 in OBJ_NAME_do_all /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/objects/o_names.c:300:5
#16 0x561a090f686f in ossl_namemap_stored /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:507:9
#17 0x561a090a485a in inner_evp_generic_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/evp_fetch.c:261:29
#18 0x561a090a4679 in evp_generic_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/evp_fetch.c:403:14
#19 0x561a090922a2 in EVP_MD_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/digest.c:1166:9
#20 0x561a090922a2 in evp_md_init_internal /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/digest.c:266:26
#21 0x561a08cfa599 in my_sha256_init /src/curl/lib/sha256.c:87:7
#22 0x561a08cfa599 in Curl_sha256it /src/curl/lib/sha256.c:497:12
#23 0x561a08ccbee8 in calc_payload_hash /src/curl/lib/http_aws_sigv4.c:455:12
#24 0x561a08ccaaca in Curl_output_aws_sigv4 /src/curl/lib/http_aws_sigv4.c:795:16
#25 0x561a08c9c7ce in output_auth_headers /src/curl/lib/http.c:639:14
#26 0x561a08c9c366 in Curl_http_output_auth /src/curl/lib/http.c:819:14
#27 0x561a08c95db2 in Curl_http /src/curl/lib/http.c:2736:14
#28 0x561a08b89613 in multi_do /src/curl/lib/multi.c:1649:14
#29 0x561a08b89613 in state_do /src/curl/lib/multi.c:2042:14
#30 0x561a08b89613 in multi_runsingle /src/curl/lib/multi.c:2476:12
#31 0x561a08b867b4 in curl_multi_perform /src/curl/lib/multi.c:2739:18
#32 0x561a08b35543 in fuzz_handle_transfer(fuzz_data*) /src/curl_fuzzer/curl_fuzzer.cc:348:3
#33 0x561a08b3491d in LLVMFuzzerTestOneInput /src/curl_fuzzer/curl_fuzzer.cc:103:3
#34 0x561a089e8660 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#35 0x561a089d38d5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
#36 0x561a089d936f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
#37 0x561a08a04612 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#38 0x7fb95db7e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
#39 0x561a089cbabd in _start (/out/curl_fuzzer_http+0x60cabd)
failed malloc(14)
#0 0x561a08afee21 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x561a08b33df2 in nalloc_backtrace_exclude(unsigned long, char const*) /src/curl_fuzzer/nallocinc.c:250:9
#2 0x561a08b33df2 in nalloc_fail(unsigned long, char const*) /src/curl_fuzzer/nallocinc.c:278:13
#3 0x561a08b3416e in malloc /src/curl_fuzzer/nallocinc.c:342:9
#4 0x561a090ff2be in CRYPTO_malloc /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/mem.c:211:11
#5 0x561a091034f5 in CRYPTO_strdup /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/o_str.c:28:11
#6 0x561a090f75c7 in numname_insert /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:234:20
#7 0x561a090f75c7 in namemap_add_name /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:267:19
#8 0x561a090f8716 in ossl_namemap_add_name /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:302:18
#9 0x561a090f8716 in get_legacy_evp_names /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:406:15
#10 0x561a090efb56 in doall_util_fn /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/lhash/lhash.c:208:17
#11 0x561a090efb56 in OPENSSL_LH_doall_arg_thunk /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/lhash/lhash.c:239:5
#12 0x561a091290b9 in lh_OBJ_NAME_doall_OBJ_DOALL /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/objects/o_names.c:289:1
#13 0x561a091290b9 in OBJ_NAME_do_all /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/objects/o_names.c:300:5
#14 0x561a090f686f in ossl_namemap_stored /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:507:9
#15 0x561a090a485a in inner_evp_generic_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/evp_fetch.c:261:29
#16 0x561a090a4679 in evp_generic_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/evp_fetch.c:403:14
#17 0x561a090922a2 in EVP_MD_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/digest.c:1166:9
#18 0x561a090922a2 in evp_md_init_internal /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/digest.c:266:26
#19 0x561a08cfa599 in my_sha256_init /src/curl/lib/sha256.c:87:7
#20 0x561a08cfa599 in Curl_sha256it /src/curl/lib/sha256.c:497:12
#21 0x561a08ccbee8 in calc_payload_hash /src/curl/lib/http_aws_sigv4.c:455:12
#22 0x561a08ccaaca in Curl_output_aws_sigv4 /src/curl/lib/http_aws_sigv4.c:795:16
#23 0x561a08c9c7ce in output_auth_headers /src/curl/lib/http.c:639:14
#24 0x561a08c9c366 in Curl_http_output_auth /src/curl/lib/http.c:819:14
#25 0x561a08c95db2 in Curl_http /src/curl/lib/http.c:2736:14
#26 0x561a08b89613 in multi_do /src/curl/lib/multi.c:1649:14
#27 0x561a08b89613 in state_do /src/curl/lib/multi.c:2042:14
#28 0x561a08b89613 in multi_runsingle /src/curl/lib/multi.c:2476:12
#29 0x561a08b867b4 in curl_multi_perform /src/curl/lib/multi.c:2739:18
#30 0x561a08b35543 in fuzz_handle_transfer(fuzz_data*) /src/curl_fuzzer/curl_fuzzer.cc:348:3
#31 0x561a08b3491d in LLVMFuzzerTestOneInput /src/curl_fuzzer/curl_fuzzer.cc:103:3
#32 0x561a089e8660 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#33 0x561a089d38d5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
#34 0x561a089d936f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
#35 0x561a08a04612 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#36 0x7fb95db7e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
#37 0x561a089cbabd in _start (/out/curl_fuzzer_http+0x60cabd)
failed malloc(104)
#0 0x561a08afee21 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x561a08b33df2 in nalloc_backtrace_exclude(unsigned long, char const*) /src/curl_fuzzer/nallocinc.c:250:9
#2 0x561a08b33df2 in nalloc_fail(unsigned long, char const*) /src/curl_fuzzer/nallocinc.c:278:13
#3 0x561a08b3416e in malloc /src/curl_fuzzer/nallocinc.c:342:9
#4 0x561a090ff2be in CRYPTO_malloc /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/mem.c:211:11
#5 0x561a0943477e in alloc_new_value /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/hashtable/hashtable.c:604:11
#6 0x561a0943477e in ossl_ht_insert /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/hashtable/hashtable.c:638:14
#7 0x561a090f7812 in namemap_add_name /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:276:11
#8 0x561a090f8716 in ossl_namemap_add_name /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:302:18
#9 0x561a090f8716 in get_legacy_evp_names /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:406:15
#10 0x561a090efb56 in doall_util_fn /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/lhash/lhash.c:208:17
#11 0x561a090efb56 in OPENSSL_LH_doall_arg_thunk /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/lhash/lhash.c:239:5
#12 0x561a091290b9 in lh_OBJ_NAME_doall_OBJ_DOALL /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/objects/o_names.c:289:1
#13 0x561a091290b9 in OBJ_NAME_do_all /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/objects/o_names.c:300:5
#14 0x561a090f686f in ossl_namemap_stored /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:507:9
#15 0x561a090a485a in inner_evp_generic_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/evp_fetch.c:261:29
#16 0x561a090a4679 in evp_generic_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/evp_fetch.c:403:14
#17 0x561a090922a2 in EVP_MD_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/digest.c:1166:9
#18 0x561a090922a2 in evp_md_init_internal /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/digest.c:266:26
#19 0x561a08cfa599 in my_sha256_init /src/curl/lib/sha256.c:87:7
#20 0x561a08cfa599 in Curl_sha256it /src/curl/lib/sha256.c:497:12
#21 0x561a08ccbee8 in calc_payload_hash /src/curl/lib/http_aws_sigv4.c:455:12
#22 0x561a08ccaaca in Curl_output_aws_sigv4 /src/curl/lib/http_aws_sigv4.c:795:16
#23 0x561a08c9c7ce in output_auth_headers /src/curl/lib/http.c:639:14
#24 0x561a08c9c366 in Curl_http_output_auth /src/curl/lib/http.c:819:14
#25 0x561a08c95db2 in Curl_http /src/curl/lib/http.c:2736:14
#26 0x561a08b89613 in multi_do /src/curl/lib/multi.c:1649:14
#27 0x561a08b89613 in state_do /src/curl/lib/multi.c:2042:14
#28 0x561a08b89613 in multi_runsingle /src/curl/lib/multi.c:2476:12
#29 0x561a08b867b4 in curl_multi_perform /src/curl/lib/multi.c:2739:18
#30 0x561a08b35543 in fuzz_handle_transfer(fuzz_data*) /src/curl_fuzzer/curl_fuzzer.cc:348:3
#31 0x561a08b3491d in LLVMFuzzerTestOneInput /src/curl_fuzzer/curl_fuzzer.cc:103:3
#32 0x561a089e8660 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#33 0x561a089d38d5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
#34 0x561a089d936f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
#35 0x561a08a04612 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#36 0x7fb95db7e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
#37 0x561a089cbabd in _start (/out/curl_fuzzer_http+0x60cabd)
crypto/core_namemap.c:277: OpenSSL internal error: Assertion failed: ret != 0
==181== ERROR: libFuzzer: deadly signal
#0 0x561a08afee21 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x561a08a03db8 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
#2 0x561a089e7153 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:231:3
#3 0x7fb95def841f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 9753720502573b97dbac595b61fd72c2df18e078)
#4 0x7fb95db9d00a in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300a) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
#5 0x7fb95db7c858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
#6 0x561a090f8c8e in OPENSSL_die /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/cryptlib.c:260:5
#7 0x561a090f795f in ossl_assert_int /src/curl_fuzzer/build/openssl/src/openssl_external/include/internal/common.h:47:9
#8 0x561a090f795f in namemap_add_name /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:277:10
#9 0x561a090f8716 in ossl_namemap_add_name /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:302:18
#10 0x561a090f8716 in get_legacy_evp_names /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:406:15
#11 0x561a090efb56 in doall_util_fn /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/lhash/lhash.c:208:17
#12 0x561a090efb56 in OPENSSL_LH_doall_arg_thunk /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/lhash/lhash.c:239:5
#13 0x561a091290b9 in lh_OBJ_NAME_doall_OBJ_DOALL /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/objects/o_names.c:289:1
#14 0x561a091290b9 in OBJ_NAME_do_all /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/objects/o_names.c:300:5
#15 0x561a090f686f in ossl_namemap_stored /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:507:9
#16 0x561a090a485a in inner_evp_generic_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/evp_fetch.c:261:29
#17 0x561a090a4679 in evp_generic_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/evp_fetch.c:403:14
#18 0x561a090922a2 in EVP_MD_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/digest.c:1166:9
#19 0x561a090922a2 in evp_md_init_internal /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/digest.c:266:26
#20 0x561a08cfa599 in my_sha256_init /src/curl/lib/sha256.c:87:7
#21 0x561a08cfa599 in Curl_sha256it /src/curl/lib/sha256.c:497:12
#22 0x561a08ccbee8 in calc_payload_hash /src/curl/lib/http_aws_sigv4.c:455:12
#23 0x561a08ccaaca in Curl_output_aws_sigv4 /src/curl/lib/http_aws_sigv4.c:795:16
#24 0x561a08c9c7ce in output_auth_headers /src/curl/lib/http.c:639:14
#25 0x561a08c9c366 in Curl_http_output_auth /src/curl/lib/http.c:819:14
#26 0x561a08c95db2 in Curl_http /src/curl/lib/http.c:2736:14
#27 0x561a08b89613 in multi_do /src/curl/lib/multi.c:1649:14
#28 0x561a08b89613 in state_do /src/curl/lib/multi.c:2042:14
#29 0x561a08b89613 in multi_runsingle /src/curl/lib/multi.c:2476:12
#30 0x561a08b867b4 in curl_multi_perform /src/curl/lib/multi.c:2739:18
#31 0x561a08b35543 in fuzz_handle_transfer(fuzz_data*) /src/curl_fuzzer/curl_fuzzer.cc:348:3
#32 0x561a08b3491d in LLVMFuzzerTestOneInput /src/curl_fuzzer/curl_fuzzer.cc:103:3
#33 0x561a089e8660 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#34 0x561a089d38d5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
#35 0x561a089d936f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
#36 0x561a08a04612 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#37 0x7fb95db7e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
#38 0x561a089cbabd in _start (/out/curl_fuzzer_http+0x60cabd)
```
The CI run shows:
```
=================================================================
==23==ERROR: AddressSanitizer: heap-use-after-free on address 0x50700001f528 at pc 0x55df6b54ed4a bp 0x7ffcfa45d090 sp 0x7ffcfa45d088
READ of size 8 at 0x50700001f528 thread T0
SCARINESS: 51 (8-byte-read-heap-use-after-free)
#0 0x55df6b54ed49 in EVP_DigestUpdate /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/digest.c:390:15
#1 0x55df6b150692 in Curl_HMAC_init /src/curl/lib/hmac.c:92:5
#2 0x55df6b150ccb in Curl_hmacit /src/curl/lib/hmac.c:154:5
#3 0x55df6b1876a8 in Curl_output_aws_sigv4 /src/curl/lib/http_aws_sigv4.c:925:3
#4 0x55df6b1587ce in output_auth_headers /src/curl/lib/http.c:639:14
#5 0x55df6b158366 in Curl_http_output_auth /src/curl/lib/http.c:819:14
#6 0x55df6b151db2 in Curl_http /src/curl/lib/http.c:2736:14
#7 0x55df6b045613 in multi_do /src/curl/lib/multi.c:1649:14
#8 0x55df6b045613 in state_do /src/curl/lib/multi.c:2042:14
#9 0x55df6b045613 in multi_runsingle /src/curl/lib/multi.c:2476:12
#10 0x55df6b0427b4 in curl_multi_perform /src/curl/lib/multi.c:2739:18
#11 0x55df6aff1543 in fuzz_handle_transfer(fuzz_data*) /src/curl_fuzzer/curl_fuzzer.cc:348:3
#12 0x55df6aff091d in LLVMFuzzerTestOneInput /src/curl_fuzzer/curl_fuzzer.cc:103:3
#13 0x55df6aea4660 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#14 0x55df6aea3e85 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
#15 0x55df6aea5e12 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:829:7
#16 0x55df6aea6102 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:867:3
#17 0x55df6ae9523b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
#18 0x55df6aec0612 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#19 0x7f49f5d65082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)
#20 0x55df6ae87abd in _start (build-out/curl_fuzzer_http+0x60cabd)
DEDUP_TOKEN: EVP_DigestUpdate--Curl_HMAC_init--Curl_hmacit
0x50700001f528 is located 24 bytes inside of 72-byte region [0x50700001f510,0x50700001f558)
freed by thread T0 here:
#0 0x55df6afb0196 in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x55df6b1b66db in my_sha256_init /src/curl/lib/sha256.c:88:5
#2 0x55df6b15055e in Curl_HMAC_init /src/curl/lib/hmac.c:86:3
#3 0x55df6b150ccb in Curl_hmacit /src/curl/lib/hmac.c:154:5
#4 0x55df6b1876a8 in Curl_output_aws_sigv4 /src/curl/lib/http_aws_sigv4.c:925:3
#5 0x55df6b1587ce in output_auth_headers /src/curl/lib/http.c:639:14
#6 0x55df6b158366 in Curl_http_output_auth /src/curl/lib/http.c:819:14
#7 0x55df6b151db2 in Curl_http /src/curl/lib/http.c:2736:14
#8 0x55df6b045613 in multi_do /src/curl/lib/multi.c:1649:14
#9 0x55df6b045613 in state_do /src/curl/lib/multi.c:2042:14
#10 0x55df6b045613 in multi_runsingle /src/curl/lib/multi.c:2476:12
#11 0x55df6b0427b4 in curl_multi_perform /src/curl/lib/multi.c:2739:18
#12 0x55df6aff1543 in fuzz_handle_transfer(fuzz_data*) /src/curl_fuzzer/curl_fuzzer.cc:348:3
#13 0x55df6aff091d in LLVMFuzzerTestOneInput /src/curl_fuzzer/curl_fuzzer.cc:103:3
#14 0x55df6aea4660 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#15 0x55df6aea3e85 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
#16 0x55df6aea5e12 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:829:7
#17 0x55df6aea6102 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:867:3
#18 0x55df6ae9523b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
#19 0x55df6aec0612 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#20 0x7f49f5d65082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)
DEDUP_TOKEN: __interceptor_free--my_sha256_init--Curl_HMAC_init
previously allocated by thread T0 here:
#0 0x55df6afb042f in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
#1 0x55df6aff01a7 in malloc /src/curl_fuzzer/nallocinc.c:346:12
#2 0x55df6b5bb417 in CRYPTO_malloc /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/mem.c:211:11
#3 0x55df6b5bb417 in CRYPTO_zalloc /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/mem.c:231:11
#4 0x55df6b1b6669 in my_sha256_init /src/curl/lib/sha256.c:83:22
#5 0x55df6b15055e in Curl_HMAC_init /src/curl/lib/hmac.c:86:3
#6 0x55df6b150ccb in Curl_hmacit /src/curl/lib/hmac.c:154:5
#7 0x55df6b1876a8 in Curl_output_aws_sigv4 /src/curl/lib/http_aws_sigv4.c:925:3
#8 0x55df6b1587ce in output_auth_headers /src/curl/lib/http.c:639:14
#9 0x55df6b158366 in Curl_http_output_auth /src/curl/lib/http.c:819:14
#10 0x55df6b151db2 in Curl_http /src/curl/lib/http.c:2736:14
#11 0x55df6b045613 in multi_do /src/curl/lib/multi.c:1649:14
#12 0x55df6b045613 in state_do /src/curl/lib/multi.c:2042:14
#13 0x55df6b045613 in multi_runsingle /src/curl/lib/multi.c:2476:12
#14 0x55df6b0427b4 in curl_multi_perform /src/curl/lib/multi.c:2739:18
#15 0x55df6aff1543 in fuzz_handle_transfer(fuzz_data*) /src/curl_fuzzer/curl_fuzzer.cc:348:3
#16 0x55df6aff091d in LLVMFuzzerTestOneInput /src/curl_fuzzer/curl_fuzzer.cc:103:3
#17 0x55df6aea4660 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#18 0x55df6aea3e85 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
#19 0x55df6aea5e12 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:829:7
#20 0x55df6aea6102 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:867:3
#21 0x55df6ae9523b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
#22 0x55df6aec0612 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#23 0x7f49f5d65082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)
DEDUP_TOKEN: __interceptor_malloc--malloc--CRYPTO_malloc
SUMMARY: AddressSanitizer: heap-use-after-free /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/digest.c:390:15 in EVP_DigestUpdate
Shadow bytes around the buggy address:
0x50700001f280: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
0x50700001f300: fd fd fd fd fd fd fa fa fa fa 00 00 00 00 00 00
0x50700001f380: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
0x50700001f400: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fa
0x50700001f480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x50700001f500: fa fa fd fd fd[fd]fd fd fd fd fd fa fa fa fa fa
0x50700001f580: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
0x50700001f600: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
0x50700001f680: 00 00 00 00 00 00 fa fa fa fa fd fd fd fd fd fd
0x50700001f700: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x50700001f780: fd fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==23==ABORTING
```
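The CI trace above shows the shape of the bug: the digest context allocated at sha256.c:83 is freed at sha256.c:88 when initialization fails, yet Curl_HMAC_init goes on to call EVP_DigestUpdate on it. The following added example is not curl's or OpenSSL's code; it is a minimal C model of that pattern with a fault-injecting allocator in the style of the fuzzer's nalloc harness, showing the vulnerable init beside a hardened one that nulls the pointer and propagates the failure, plus a sweep that fails each allocation in turn. All names (xalloc, digest_ctx, hmac_init_hardened, fault_sweep, vulnerable_leaves_dangling) are hypothetical.

```c
#include <stdlib.h>
#include <stdint.h>
/* Fault injector standing in for the fuzzer's nalloc harness:
 * fail_at == k makes the k-th allocation return NULL (0 = never fail). */
static int alloc_count = 0, fail_at = 0;
static void fault_reset(int k) { alloc_count = 0; fail_at = k; }
static void *xalloc(size_t n) {
    if (++alloc_count == fail_at) return NULL;
    return calloc(1, n);
}

/* Toy digest context (stand-in for EVP_MD_CTX): sums the input bytes. */
typedef struct { uint32_t state; } digest_ctx;
static void digest_update(digest_ctx *c, const uint8_t *p, size_t n) { while (n--) c->state += *p++; }

/* Stand-in for the library setup step that needs memory (the malloc(32) that fails in the trace). */
static int digest_setup(digest_ctx *ctx) {
    void *scratch = xalloc(32);
    if (!scratch) return 0;
    free(scratch);
    return 1;
}

/* Vulnerable shape: on setup failure the context is freed, but the caller's
 * pointer is left dangling and nothing reports the failure. */
static int vulnerable_frees = 0;
static void init_vulnerable(digest_ctx **ctxp) {
    *ctxp = xalloc(sizeof(**ctxp));
    if (*ctxp && !digest_setup(*ctxp)) {
        free(*ctxp);                 /* *ctxp still points at this block */
        vulnerable_frees++;
    }
}

/* Hardened shape: clear the pointer and return the failure. */
static int init_hardened(digest_ctx **ctxp) {
    *ctxp = xalloc(sizeof(**ctxp));
    if (*ctxp && digest_setup(*ctxp)) return 1;
    free(*ctxp);                     /* free(NULL) is a no-op */
    *ctxp = NULL;
    return 0;
}

typedef struct { digest_ctx *inner; } hmac_ctx;
/* HMAC-style caller that propagates init failure instead of feeding the
 * key into a freed context (the EVP_DigestUpdate call in the CI trace). */
static int hmac_init_hardened(hmac_ctx *h, const uint8_t *key, size_t klen) {
    if (!init_hardened(&h->inner)) return 0;
    digest_update(h->inner, key, klen);
    return 1;
}

/* Fail each allocation in turn, as the fuzzer harness does, and count runs that
 * ended clean: failure with inner == NULL, or success with state 'k'+'e'+'y' = 329. */
static int fault_sweep(int max_alloc) {
    int ok = 0;
    for (int k = 1; k <= max_alloc; k++) {
        hmac_ctx h = { NULL };
        fault_reset(k);
        if (!hmac_init_hardened(&h, (const uint8_t *)"key", 3)) {
            if (h.inner == NULL) ok++;
        } else {
            if (h.inner->state == 329) ok++;
            free(h.inner);
        }
    }
    fault_reset(0);
    return ok;
}

/* Under the vulnerable shape, failing the setup allocation frees the context
 * once while the caller is still left holding a non-NULL pointer to it. */
static int vulnerable_leaves_dangling(void) {
    digest_ctx *c = NULL;
    fault_reset(2);
    init_vulnerable(&c);
    fault_reset(0);
    return vulnerable_frees == 1 && c != NULL;
}
```

The sweep is the defender's check: every allocation index yields either a clean error or a working context, which is the property the fuzzer's failing-malloc runs were exercising against curl.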
## Report Details
State: Closed
Substate: Informative
Weakness: Use After Free