ASAN Output

./jq -nf ./heap-use-after-free.jq
""
=================================================================
==887917==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000010580 at pc 0x644bd835c590 bp 0x7ffecd528a90 sp 0x7ffecd528a88
READ of size 1 at 0x603000010580 thread T0
#0 0x644bd835c58f in f_strflocaltime /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/builtin.c:1826:18
#1 0x644bd827259f in jq_next /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/execute.c:918:21
#2 0x644bd8262fab in process /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/main.c:175:31
#3 0x644bd826140c in main /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/main.c:656:11
#4 0x7bdd8c229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#5 0x7bdd8c229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#6 0x644bd819d854 in _start (/home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/jq+0xd4854) (BuildId: 325d5e767ada37cba0c87cb5561b85a14514bfee)
0x603000010580 is located 16 bytes inside of 17-byte region [0x603000010570,0x603000010581)
freed by thread T0 here:
#0 0x644bd82203f2 in free (/home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/jq+0x1573f2) (BuildId: 325d5e767ada37cba0c87cb5561b85a14514bfee)
#1 0x644bd829d7f7 in jv_mem_free /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/jv_alloc.c:180:3
#2 0x644bd8285aa1 in jv_free /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/jv.c
#3 0x644bd835c230 in f_strflocaltime /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/builtin.c:1824:3
#4 0x644bd827259f in jq_next /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/execute.c:918:21
#5 0x644bd8262fab in process /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/main.c:175:31
#6 0x644bd826140c in main /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/main.c:656:11
#7 0x7bdd8c229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
previously allocated by thread T0 here:
#0 0x644bd822069e in __interceptor_malloc (/home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/jq+0x15769e) (BuildId: 325d5e767ada37cba0c87cb5561b85a14514bfee)
#1 0x644bd829d05c in jv_mem_alloc /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/jv_alloc.c:142:13
#2 0x644bd828aaab in jvp_string_alloc /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/jv.c:1106:19
#3 0x644bd828aaab in jvp_string_new /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/jv.c:1138:19
#4 0x644bd828aaab in jv_string_sized /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/jv.c:1281:5
#5 0x644bd828aaab in jv_string /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/jv.c:1290:10
#6 0x644bd8354d59 in f_format /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/builtin.c:658:15
#7 0x644bd827259f in jq_next /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/execute.c:918:21
#8 0x644bd8262fab in process /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/main.c:175:31
#9 0x644bd826140c in main /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/main.c:656:11
#10 0x7bdd8c229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-use-after-free /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/builtin.c:1826:18 in f_strflocaltime
Shadow bytes around the buggy address:
0x0c067fffa060: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fa
0x0c067fffa070: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c067fffa080: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
0x0c067fffa090: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
0x0c067fffa0a0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
=>0x0c067fffa0b0:[fd]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffa0c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffa0d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffa0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffa0f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffa100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==887917==ABORTING
Summary

A heap use-after-free exists in f_strflocaltime in src/builtin.c. The ASan report above shows the same function freeing a 17-byte jv string through jv_free at builtin.c:1824 and then reading one byte of it at builtin.c:1826 (the faulting address is 16 bytes into the freed region); the string was allocated by jv_string from f_format at builtin.c:658.

PoC

PoC command:

./jq -nf ./heap-use-after-free.jq

Test File: heap-use-after-free.zip

Version: jq-1.8.0-2-g62cafa2-dirty (the -dirty suffix from git describe means the build tree carried uncommitted local changes on top of 62cafa2)

Build flags:

--disable-shared --with-oniguruma=builtin CC=afl-clang-fast 'CFLAGS=-O1 -fno-omit-frame-pointer -gline-tables-only -Wno-error=enum-constexpr-conversion -Wno-error=incompatible-function-pointer-types -Wno-error=int-conversion -Wno-error=deprecated-declarations -Wno-error=implicit-function-declaration -Wno-error=implicit-int -Wno-error=vla-cxx-extension -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link'
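The report above is the kind of thing a fuzzing campaign produces by the hundreds, and the facts that matter for triage (access kind and size, offset into the freed region, and the first frame outside the allocator wrappers for the access, the free and the allocation) are spread over three stacks. The following is an added example, not part of this report or of jq: a small Python parser for ASan heap reports, run over a constructed copy of the report above. It assumes, for jq specifically, that frames in jv_alloc.c and jv.c are allocator wrappers to skip when deciding which frame to blame; adjust ALLOCATOR_FILES for another project.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the report from this page with the shadow-byte dump and a
# few libc/allocator frames trimmed. Real ASan output indents frames with four
# spaces; the page's copy lost that, so FRAME_RE accepts both forms.
SAMPLE_REPORT = """\
==887917==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000010580 at pc 0x644bd835c590 bp 0x7ffecd528a90 sp 0x7ffecd528a88
READ of size 1 at 0x603000010580 thread T0
    #0 0x644bd835c58f in f_strflocaltime /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/builtin.c:1826:18
    #1 0x644bd827259f in jq_next /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/execute.c:918:21
    #2 0x644bd8262fab in process /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/main.c:175:31
    #3 0x644bd826140c in main /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/main.c:656:11
0x603000010580 is located 16 bytes inside of 17-byte region [0x603000010570,0x603000010581)
freed by thread T0 here:
    #0 0x644bd82203f2 in free (/home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/jq+0x1573f2) (BuildId: 325d5e767ada37cba0c87cb5561b85a14514bfee)
    #1 0x644bd829d7f7 in jv_mem_free /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/jv_alloc.c:180:3
    #2 0x644bd8285aa1 in jv_free /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/jv.c
    #3 0x644bd835c230 in f_strflocaltime /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/builtin.c:1824:3
previously allocated by thread T0 here:
    #0 0x644bd822069e in __interceptor_malloc (/home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/jq+0x15769e)
    #1 0x644bd829d05c in jv_mem_alloc /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/jv_alloc.c:142:13
    #2 0x644bd828aaab in jvp_string_alloc /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/jv.c:1106:19
    #5 0x644bd828aaab in jv_string /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/jv.c:1290:10
    #6 0x644bd8354d59 in f_format /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/builtin.c:658:15
SUMMARY: AddressSanitizer: heap-use-after-free /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/src/builtin.c:1826:18 in f_strflocaltime
"""

HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread T\d+")
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located \d+ bytes (?:inside|after|before|to the \w+) of "
                       r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (.+?)(?: \(BuildId: [0-9a-f]+\))?$")

@dataclass
class Frame:
    func: str
    location: str  # "path:line:col", or "(binary+offset)" when unsymbolized

    @property
    def source(self):
        """Basename plus line info, e.g. 'builtin.c:1826:18'; None if unsymbolized."""
        return None if self.location.startswith("(") else self.location.rsplit("/", 1)[-1]

@dataclass
class AsanReport:
    bug: str = ""
    address: int = 0
    access: str = ""
    size: int = 0
    region: tuple = (0, 0)   # [start, end) of the heap chunk ASan reported
    region_size: int = 0
    stacks: dict = field(default_factory=lambda: {"access": [], "free": [], "alloc": []})

    @property
    def offset(self):
        """Distance of the faulting address from the start of the region."""
        return self.address - self.region[0]

def parse_asan_report(text):
    rep, current = AsanReport(), None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            rep.bug, rep.address = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size, current = m.group(1), int(m.group(2)), rep.stacks["access"]
        elif line.startswith("freed by thread"):
            current = rep.stacks["free"]
        elif line.startswith("previously allocated by"):
            current = rep.stacks["alloc"]
        elif m := REGION_RE.match(line):
            rep.region_size = int(m.group(1))
            rep.region = (int(m.group(2), 16), int(m.group(3), 16))
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(m.group(1), m.group(2)))
    return rep

# Assumption for this report: frames in these jq files are allocator wrappers
# (jv_mem_alloc, jv_mem_free, jv_free, jv_string), not the code misusing the buffer.
ALLOCATOR_FILES = ("jv_alloc.c", "jv.c")

def blame(stack, allocator_files=ALLOCATOR_FILES):
    """First symbolized frame outside the allocator wrappers: where to start reading."""
    for fr in stack:
        src = fr.source
        if src and src.split(":")[0] not in allocator_files:
            return fr
    return None

def signature(rep, depth=3):
    """Dedup key for a fuzzing queue: bug class plus the top symbolized access frames."""
    funcs = [fr.func for fr in rep.stacks["access"] if fr.source][:depth]
    return f"{rep.bug}:" + "/".join(funcs)

def summarize(rep):
    def where(kind):
        fr = blame(rep.stacks[kind])
        return f"{fr.func} ({fr.source})" if fr else "unknown"
    return (f"{rep.access} of {rep.size} byte(s) at offset {rep.offset} of a "
            f"{rep.region_size}-byte heap region; accessed in {where('access')}, "
            f"freed in {where('free')}, allocated in {where('alloc')}")

if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

For this report the blame frames land on f_strflocaltime for both the read (builtin.c:1826:18) and the free (builtin.c:1824:3), two lines apart in the same function, which is what makes this an ordering bug in that builtin rather than a refcount problem elsewhere; the signature string is what you would key a crash bucket on so that every input reaching the same free/read pair collapses into one issue.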