crypto/tl/tlbc.cpp: Bad-free #1563


stasos24 opened this issue Mar 20, 2025 · 0 comments


stasos24 commented Mar 20, 2025

Description

Looks like there is 'os' corruption in 'show',
because without 'show' ASan doesn't trigger.

ton/crypto/tl/tlbc.cpp, lines 1810 to 1818 at 303e92b:

unsigned long long Constructor::compute_tag() const {
  std::ostringstream os;
  show(os, 10);  // serialises the constructor into the stack-local stream
  unsigned crc = td::crc32(td::Slice{os.str()});
  if (verbosity > 2) {
    std::cerr << "crc32('" << os.str() << "') = " << std::hex << crc << std::dec << std::endl;
  }
  return ((unsigned long long)crc << 32) | 0x80000000;
}  // ~ostringstream runs here (tlbc.cpp:1813 in the ASan trace below)

PoC

./build/crypto/tlbc crypto/block/block.tlb

ASan logs:

==62==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x56154ef0f390 in thread T0
    #0 0x56154d7fd8cf in operator delete(void*, unsigned long) (/tmp/test/build/crypto/tlbc+0x1008cf)
    #1 0x56154d8cab40 in __gnu_cxx::new_allocator<char>::deallocate(char*, unsigned long) /usr/include/c++/11/ext/new_allocator.h:145
    #2 0x56154d8cab40 in std::allocator<char>::deallocate(char*, unsigned long) /usr/include/c++/11/bits/allocator.h:199
    #3 0x56154d8cab40 in std::allocator_traits<std::allocator<char> >::deallocate(std::allocator<char>&, char*, unsigned long) /usr/include/c++/11/bits/alloc_traits.h:496
    #4 0x56154d8cab40 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_destroy(unsigned long) /usr/include/c++/11/bits/basic_string.h:245
    #5 0x56154d8cab40 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_dispose() /usr/include/c++/11/bits/basic_string.h:240
    #6 0x56154d8cab40 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() /usr/include/c++/11/bits/basic_string.h:672
    #7 0x56154d8cab40 in tlbc::Constructor::compute_tag() const /tmp/test/crypto/tl/tlbc.cpp:1813
    #8 0x56154d8cbd85 in tlbc::Constructor::check_assign_tag() /tmp/test/crypto/tl/tlbc.cpp:1831
    #9 0x56154d96dec5 in tlbc::Type::bind_constructor(src::SrcLocation const&, tlbc::Constructor*) /tmp/test/crypto/tl/tlbc.cpp:1933
    #10 0x56154d98090c in tlbc::parse_constructor_def(src::Lexer&) /tmp/test/crypto/tl/tlbc.cpp:2400
    #11 0x56154d982e39 in tlbc::parse_source(std::istream*, src::FileDescr*) /tmp/test/crypto/tl/tlbc.cpp:2423
    #12 0x56154d984927 in tlbc::parse_source_file(char const*) /tmp/test/crypto/tl/tlbc.cpp:2439
    #13 0x56154d768311 in main /tmp/test/crypto/tl/tlbc.cpp:3132
    #14 0x7f94d1dd1d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #15 0x7f94d1dd1e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #16 0x56154d76c124 in _start (/tmp/test/build/crypto/tlbc+0x6f124)

Address 0x56154ef0f390 is a wild pointer.
SUMMARY: AddressSanitizer: bad-free (/tmp/test/build/crypto/tlbc+0x1008cf) in operator delete(void*, unsigned long)
==62==ABORTING
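For triaging reports like the one above (for example when deduplicating fuzzer crashes), here is an added Python example, not part of the issue or of the TON code base, that parses an ASan report, pulls out the error class and the first frame inside the project tree, and builds a stable crash signature. The project root "/tmp/test/crypto/" is an assumption taken from the paths in the log; the report text is an abridged copy of the one in the issue.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed input: an abridged copy of the ASan report quoted in the issue above.
ASAN_REPORT = """\
==62==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x56154ef0f390 in thread T0
    #0 0x56154d7fd8cf in operator delete(void*, unsigned long) (/tmp/test/build/crypto/tlbc+0x1008cf)
    #1 0x56154d8cab40 in __gnu_cxx::new_allocator<char>::deallocate(char*, unsigned long) /usr/include/c++/11/ext/new_allocator.h:145
    #6 0x56154d8cab40 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() /usr/include/c++/11/bits/basic_string.h:672
    #7 0x56154d8cab40 in tlbc::Constructor::compute_tag() const /tmp/test/crypto/tl/tlbc.cpp:1813
    #8 0x56154d8cbd85 in tlbc::Constructor::check_assign_tag() /tmp/test/crypto/tl/tlbc.cpp:1831
    #14 0x7f94d1dd1d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
Address 0x56154ef0f390 is a wild pointer.
SUMMARY: AddressSanitizer: bad-free (/tmp/test/build/crypto/tlbc+0x1008cf) in operator delete(void*, unsigned long)
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-f]+)\s+(.*)$")
HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (.+?): (0x[0-9a-f]+) in thread", re.M)
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (\S+)", re.M)

@dataclass
class Frame:
    index: int
    func: Optional[str]  # None when ASan could not symbolise the frame (e.g. libc)
    location: str        # "file:line" or "(module+offset)"

def parse_frames(report: str) -> List[Frame]:
    frames = []
    # keep only lines that look like "#N 0xPC ..." stack frames
    for m in filter(None, map(FRAME_RE.match, report.splitlines())):
        rest = m.group(3).strip()
        if rest.startswith("in "):
            func, _, loc = rest[3:].rpartition(" ")  # location is always the last token
        else:
            func, loc = None, rest
        frames.append(Frame(int(m.group(1)), func, loc))
    return frames

def error_kind(report: str) -> str:
    # short class from the SUMMARY line ("bad-free"); header description as a fallback
    m = SUMMARY_RE.search(report) or HEADER_RE.search(report)
    return m.group(1) if m else "unknown"

def crash_signature(report: str, project_root: str) -> str:
    """Dedup key: error class plus the first frame inside project_root (assumed from the log
    paths). Frames above it (here allocator/basic_string teardown) point at a corrupted
    std object rather than an explicit free in project code."""
    top = next((f for f in parse_frames(report) if f.location.startswith(project_root)), None)
    if top is None:
        return error_kind(report)
    return f"{error_kind(report)}|{top.func}|{top.location.rsplit('/', 1)[-1]}"
```

For this report the signature is "bad-free|tlbc::Constructor::compute_tag() const|tlbc.cpp:1813", which groups every crash that reaches the same teardown point regardless of the libc frames below it.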