
[Lynx-dev] use-after-free bug in cookie handling


From: Thorsten Glaser
Subject: [Lynx-dev] use-after-free bug in cookie handling
Date: Thu, 13 Aug 2015 22:56:47 +0000 (UTC)

Hi again,

I disabled the fatal signal handler because I recently got a lot
of core dumps and wanted to get rid of them.

#0  scan_cookie_sublist (hostname=0xa6c88b20 "www.fanfiction.net",
    path=0xa8c2c9c0 "/s/8396246/15", port=443, sublist=0x9d0c6e50, header=0x0, 
secure=1)
    at /usr/src/gnu/usr.bin/lynx/src/LYCookie.c:726
726             co = (cookie *) hl->object;
(gdb) print hl
$1 = (HTList *) 0xdfdfdfdf
(gdb) bt
#0  scan_cookie_sublist (hostname=0xa6c88b20 "www.fanfiction.net",
    path=0xa8c2c9c0 "/s/8396246/15", port=443, sublist=0x9d0c6e50, header=0x0, 
secure=1)
    at /usr/src/gnu/usr.bin/lynx/src/LYCookie.c:726
#1  0x1c079cfb in LYAddCookieHeader (hostname=0xa6c88b20 "www.fanfiction.net",
    path=0xa8c2c9c0 "/s/8396246/15", port=443, secure=1)
    at /usr/src/gnu/usr.bin/lynx/src/LYCookie.c:1886
#2  0x1c08fb41 in HTLoadHTTP (arg=0xa8c08b40 
"https://www.fanfiction.net/s/8396246/15",
    anAnchor=0xa1869d00, format_out=0xab102290, sink=0x0)
    at /usr/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTP.c:1360
#3  0x1c08d214 in HTLoad (addr=0xa9954b40 
"https://www.fanfiction.net/s/8396246/15",
    anchor=0xa1869d00, format_out=0xab102290, sink=0x0)
    at /usr/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTAccess.c:706
#4  0x1c08d695 in HTLoadDocument (
    full_address=0xa9954b40 "https://www.fanfiction.net/s/8396246/15",
    anchor=0xa1869d00, format_out=0xab102290, sink=0x0)
    at /usr/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTAccess.c:939
#5  0x1c08dc9d in HTLoadAbsolute (docaddr=0xcfbf9254)
    at /usr/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTAccess.c:1121
#6  0x1c025331 in getfile (doc=0x3c063000, target=0x2f8f8690)
    at /usr/src/gnu/usr.bin/lynx/src/LYGetFile.c:806
#7  0x1c03291f in mainloop () at /usr/src/gnu/usr.bin/lynx/src/LYMainLoop.c:5842
#8  0x1c027a4d in main (argc=1, argv=0xcfbf9710)
    at /usr/src/gnu/usr.bin/lynx/src/LYMain.c:2248

From man malloc:

     J       "Junk". Fill some junk into the area allocated. Currently junk is
             bytes of 0xd0 when allocating; this is pronounced "Duh". :-)
             Freed chunks are filled with 0xdf.

So this is a classical use-after-free.

Interestingly enough… “where does this come from?”

(gdb) print sublist
$2 = (HTList *) 0x9d0c6e50
(gdb) print *sublist
$3 = {object = 0x0, next = 0xa75cd480}
(gdb) print *sublist->next
$4 = {object = 0x9c548b80, next = 0xab1027c0}
(gdb) print *sublist->next->next
$5 = {object = 0x9da46840, next = 0x0}

This looks like the classical “object removed from list, free’d,
then used to continue traversing the list” bug. And, indeed, there
is a call to HTList_removeObject() in the loop!

I believe I’m seeing those crashes more often because more of
the servers expire their cookies earlier now.

bye,
//mirabilos
-- 
“The final straw, to be honest, was probably my amazement at the volume of
petty, peevish whingeing certain of your peers are prone to dish out on
d-devel, telling each other how to talk more like a pretty princess, as though
they were performing some kind of public service.” (someone to me, privately)
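The "object removed from list, freed, then used to continue traversing" pattern from the report, as an added C example that is not Lynx's code: a minimal HTList-like list with a dummy head node, a removal helper that junk-fills the freed node with 0xdf the way the malloc 'J' option does, and the buggy loop shape beside the fixed loop that reads the successor before the node can be freed. The HTList/cookie definitions, the helper names and the constructed cookie expiries are assumptions; only the fixed scan is exercised.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for Lynx's HTList (dummy head node) and cookie: assumed for illustration. */
typedef struct HTList_ { void *object; struct HTList_ *next; } HTList;
typedef struct { long expires; } cookie;
static void HTList_addObject(HTList *head, void *obj) {
    HTList *node = calloc(1, sizeof *node);
    node->object = obj; node->next = head->next; head->next = node;
}
/* Unlinks the node holding obj and frees it; junk-fills first like malloc(3) 'J'. */
static void HTList_removeObject(HTList *head, void *obj) {
    for (HTList *prev = head; prev->next; prev = prev->next)
        if (prev->next->object == obj) {
            HTList *dead = prev->next;
            prev->next = dead->next;
            memset(dead, 0xdf, sizeof *dead);  /* a stale read now yields 0xdfdfdfdf */
            free(dead);
            return;
        }
}
/* Bug shape from the backtrace: hl's node is freed in the body, then hl->next is read. Never called. */
void scan_expired_uaf(HTList *sublist, long now) {
    for (HTList *hl = sublist->next; hl; hl = hl->next) {
        cookie *co = hl->object;
        if (co->expires <= now) { HTList_removeObject(sublist, co); free(co); }
    }
}
/* Fix: read the successor before the current node can be unlinked and freed. */
int scan_expired_fixed(HTList *sublist, long now) {
    int removed = 0;
    for (HTList *hl = sublist->next, *next; hl; hl = next) {
        next = hl->next;
        cookie *co = hl->object;
        if (co->expires <= now) { HTList_removeObject(sublist, co); free(co); removed++; }
    }
    return removed;
}
/* Constructed jar, expiries 2000/500/999 (the two expired ones sit adjacent); cookies left after a scan at now. */
int cookies_left_after_scan(long now) {
    HTList *jar = calloc(1, sizeof *jar);
    const long exp[] = {2000, 500, 999};
    for (int i = 0; i < 3; i++) {
        cookie *c = malloc(sizeof *c); c->expires = exp[i];
        HTList_addObject(jar, c);
    }
    int left = 3 - scan_expired_fixed(jar, now);
    while (jar->next) { void *o = jar->next->object; HTList_removeObject(jar, o); free(o); }
    free(jar); return left;
}
```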