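#!/bin/sh
# Reproduction recipe: build bearparser with AddressSanitizer enabled and run
# the command-line front end on the input file that triggers the crash.
#
# Abort at the first failing step. Without this, a failed clone or configure
# step is silently ignored and the final command runs a stale or missing binary,
# which makes the resulting sanitizer output (or its absence) meaningless.
set -eu

git clone https://github.com/hasherezade/bearparser.git
# -p keeps the recipe re-runnable when the build directory already exists.
mkdir -p build
cd build
# The sanitizer flags must be exported BEFORE the cmake configure step: CMake
# records CXXFLAGS in its cache at configure time, so setting them later has
# no effect on the generated build. -static-libasan is GCC-specific (the
# toolchain used here is g++ 11.2.0); drop it when building with clang.
# -fno-omit-frame-pointer may be appended for more reliable ASan stack traces.
export CXXFLAGS="-fsanitize=address -static-libasan -g"
cmake ../bearparser
make -j 8
# ./poc is the PE sample that triggers the crash and is expected in the build
# directory. The ASan report shows a heap-use-after-free READ in
# ResourceLeafWrapper::getExe() (ResourceLeafWrapper.h:42): the leaf wrapper is
# freed by ResourceEntryWrapper::clear() (ResourceDirWrapper.cpp:154) while
# ResourceDirWrapper::wrap() is still running, and
# ResourcesAlbum::wrapLeafsContent() (ResourcesAlbum.cpp:78) later reads the
# freed object through a pointer that was never cleared.
./commander/bearcommander ./poc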
g++ (Ubuntu 11.2.0-19ubuntu1) 11.2.0
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
=================================================================
==4013525==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000003198 at pc 0x55e654fb4839 bp 0x7fffcf4473d0 sp 0x7fffcf4473c0
READ of size 8 at 0x607000003198 thread T0
#0 0x55e654fb4838 in ResourceLeafWrapper::getExe() /tmp/bearparser/parser/include/bearparser/pe/rsrc/../ResourceLeafWrapper.h:42
#1 0x55e654fb4570 in ResourceContentFactory::makeResContentWrapper(pe::resource_type, ResourceLeafWrapper*) /tmp/bearparser/parser/pe/rsrc/ResourceContentFactory.cpp:9
#2 0x55e654fa6815 in ResourcesAlbum::wrapLeafsContent() /tmp/bearparser/parser/pe/rsrc/ResourcesAlbum.cpp:78
#3 0x55e654f57383 in PEFile::wrap(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:116
#4 0x55e654f562ad in PEFile::PEFile(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:50
#5 0x55e654f56032 in PEFileBuilder::build(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:36
#6 0x55e654f4dfb0 in ExeFactory::build(AbstractByteBuffer*, ExeFactory::exe_type) /tmp/bearparser/parser/ExeFactory.cpp:51
#7 0x55e654f21cae in main /tmp/bearparser/commander/main.cpp:74
#8 0x7effb7367d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7effb7367e3f in __libc_start_main_impl ../csu/libc-start.c:392
#10 0x55e654e4ba74 in _start (/tmp/build/commander/bearcommander+0x40a74)
0x607000003198 is located 8 bytes inside of 72-byte region [0x607000003190,0x6070000031d8)
freed by thread T0 here:
#0 0x55e654ede16f in operator delete(void*, unsigned long) (/tmp/build/commander/bearcommander+0xd316f)
#1 0x55e654fa10bc in ResourceLeafWrapper::~ResourceLeafWrapper() /tmp/bearparser/parser/include/bearparser/pe/ResourceLeafWrapper.h:25
#2 0x55e654f9fc76 in ResourceEntryWrapper::clear() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:154
#3 0x55e654fa15ca in ResourceEntryWrapper::~ResourceEntryWrapper() /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:86
#4 0x55e654fa15f5 in ResourceEntryWrapper::~ResourceEntryWrapper() /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:86
#5 0x55e654f9f5ec in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:93
#6 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
#7 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
#8 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
#9 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
#10 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
#11 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
#12 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
#13 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
#14 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
#15 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
#16 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
#17 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
#18 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
#19 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
#20 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
#21 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
#22 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
#23 0x55e654f57197 in PEFile::wrap(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:108
#24 0x55e654f562ad in PEFile::PEFile(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:50
#25 0x55e654f56032 in PEFileBuilder::build(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:36
#26 0x55e654f4dfb0 in ExeFactory::build(AbstractByteBuffer*, ExeFactory::exe_type) /tmp/bearparser/parser/ExeFactory.cpp:51
#27 0x55e654f21cae in main /tmp/bearparser/commander/main.cpp:74
#28 0x7effb7367d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
#0 0x55e654edd107 in operator new(unsigned long) (/tmp/build/commander/bearcommander+0xd2107)
#1 0x55e654f9fe8b in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:172
#2 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
#3 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
#4 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
#5 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
#6 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
#7 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
#8 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
#9 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
#10 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
#11 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
#12 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
#13 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
#14 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
#15 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
#16 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
#17 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
#18 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
#19 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
#20 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
#21 0x55e654f57197 in PEFile::wrap(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:108
#22 0x55e654f562ad in PEFile::PEFile(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:50
#23 0x55e654f56032 in PEFileBuilder::build(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:36
#24 0x55e654f4dfb0 in ExeFactory::build(AbstractByteBuffer*, ExeFactory::exe_type) /tmp/bearparser/parser/ExeFactory.cpp:51
#25 0x55e654f21cae in main /tmp/bearparser/commander/main.cpp:74
#26 0x7effb7367d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free /tmp/bearparser/parser/include/bearparser/pe/rsrc/../ResourceLeafWrapper.h:42 in ResourceLeafWrapper::getExe()
Shadow bytes around the buggy address:
0x0c0e7fff85e0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0e7fff85f0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
0x0c0e7fff8600: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0e7fff8610: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
0x0c0e7fff8620: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
=>0x0c0e7fff8630: fa fa fd[fd]fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0e7fff8640: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
0x0c0e7fff8650: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0e7fff8660: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
0x0c0e7fff8670: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0e7fff8680: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4013525==ABORTING