Closed Bug 1275787 Opened 8 years ago Closed 2 years ago

Libical attempting free on address which was not malloc()-ed

Categories: Calendar :: Internal Components
Type: defect
Priority: Not set
Severity: normal

Tracking: Not tracked

Status: RESOLVED WORKSFORME

People: Reporter: bperry.volatile; Assignee: Unassigned

Attachments: 1 file

Attached file: crashes.zip
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Steps to reproduce:

Attached are test cases used to crash libical 0.47 (exploiting the same bug but with different paths). However, I do not believe Thunderbird is vulnerable to this bug, as it doesn't call icalparser_add_line as far as I can tell.

http://mxr.mozilla.org/comm-central/search?string=icalparser_add_line

This is only to file a bug report paired with my other crashes, which could be reached from Thunderbird, and they should be on the record. It has more details on building libical with ASan for reproduction. (https://bugzilla.mozilla.org/show_bug.cgi?id=1275400)

Actual results:

An example stack trace:

AddressSanitizer: attempting free on address which was not malloc()-ed: 0x602000003670 in thread T0
    #0 0x7fc8dbebe6aa in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x986aa)
    #1 0x7fc8dbbedc62 in icalmemory_free_buffer (/root/tmp/libical-0.47/build/lib/libical.so.0+0x31c62)
    #2 0x7fc8dbbf13be in icalparser_add_line (/root/tmp/libical-0.47/build/lib/libical.so.0+0x353be)
    #3 0x400c6a in main (/root/tmp/libical-0.47/build/src/test/parser+0x400c6a)
    #4 0x7fc8db812a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #5 0x400ad8 in _start (/root/tmp/libical-0.47/build/src/test/parser+0x400ad8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free
Expected results:

Shouldn't crash.

I meant to create this as a sec bug.

Group: mail-core-security

Same goes for this bug.

See bug 1275400 comment 10.

Like I said, these were only against 0.47 and were reported simply because they were in the same version as was reportedly used in Thunderbird. I did not see them in latest.

I also don't believe this is worthy of a bug bounty. I am reporting this only for visibility since it seems to affect the version in use by Thunderbird.

Group: mail-core-security
Component: Untriaged → General
Product: Thunderbird → Calendar
Component: General → Internal Components

libical has now been removed - bug 1787097.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME