Version of the software
netcdf-c commit: f1d2504c29099cec967756e6357fd3219ca1f415
Environmental information
OS: Ubuntu 22.04.5 LTS
Kernel: Linux 6.8.0-90-generic x86_64
Compiler: GCC 11.4.0
glibc: 2.35
Bug Description
Running ncdump -x on a NetCDF input file triggers double free or corruption (out) and aborts. The crash occurs in the XML dumping path inside do_ncdumpx().
Steps to Reproduce
The PoC attachment contains the input file that triggers the issue:
PoC.zip
COMMAND LINE: ./ncdump -x Double_Free_01
Expected behavior
ncdump should safely reject malformed NetCDF inputs and terminate with an error message instead of aborting due to memory corruption.
Stack trace
(gdb) r
Starting program: /root/GraphDissect/benchmarks/netcdf/ncdump/ncdump -x /root/GraphDissect/benchmarks/netcdf/ncdump/SIGABRT.PC.794b0d8af9fc.STACK.18f8e31fa7.CODE.-6.ADDR.0.INSTR.mov____%eax,%r13d.fuzz
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/x86_64-linux-gnu/libthread_db.so.1".
double free or corruption (out)
Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=127476118714304) at ./nptl/pthread_kill.c:44
44 ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=127476118714304) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=127476118714304) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=127476118714304, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x000073f05ad16476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x000073f05acfc7f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x000073f05ad5d677 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x73f05aeafb77 "%s\n") at ../sysdeps/posix/libc_fatal.c:156
#6 0x000073f05ad74cfc in malloc_printerr (str=str@entry=0x73f05aeb2790 "double free or corruption (out)") at ./malloc/malloc.c:5664
#7 0x000073f05ad76e70 in _int_free (av=0x73f05aeeec80 <main_arena>, p=0x20e6d480, have_lock=) at ./malloc/malloc.c:4588
#8 0x000073f05ad79453 in __GI___libc_free (mem=) at ./malloc/malloc.c:3391
#9 0x0000000000437e03 in do_ncdumpx ()
#10 0x0000000000436bf5 in main ()
(gdb)
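When a fuzzing campaign produces many aborts like the one above, the first triage step is usually to bucket crashes by the glibc abort message and the first frame that belongs to the target binary rather than to libc. The following script is an added example, not part of this report or of netcdf-c; it parses a copy of the backtrace shown above (embedded as a constructed sample so it runs offline) and derives a bucket key of the form `<abort message>@<first application frame>`. The frame-filtering heuristic (skipping symbols that start with `__`, `_int_` or `malloc_`) is an assumption that fits this trace and similar glibc aborts, not a general rule.

```python
import re

# Constructed sample: the gdb session from this report, embedded verbatim so the
# parser can be exercised without a live target. Raw string so "\n" in the
# libc_message frame stays two characters, as gdb printed it.
SAMPLE_TRACE = r"""
double free or corruption (out)
Program received signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=127476118714304) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=127476118714304) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=127476118714304, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x000073f05ad16476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x000073f05acfc7f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x000073f05ad5d677 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x73f05aeafb77 "%s\n") at ../sysdeps/posix/libc_fatal.c:156
#6 0x000073f05ad74cfc in malloc_printerr (str=str@entry=0x73f05aeb2790 "double free or corruption (out)") at ./malloc/malloc.c:5664
#7 0x000073f05ad76e70 in _int_free (av=0x73f05aeeec80 <main_arena>, p=0x20e6d480, have_lock=) at ./malloc/malloc.c:4588
#8 0x000073f05ad79453 in __GI___libc_free (mem=) at ./malloc/malloc.c:3391
#9 0x0000000000437e03 in do_ncdumpx ()
#10 0x0000000000436bf5 in main ()
"""

# A gdb frame line: "#N [0xADDR in ]symbol (args...) [at file:line]".
FRAME_RE = re.compile(r'^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(\S+)\s*\(')

# Assumed heuristic: symbols with these prefixes belong to the C runtime's
# abort path or allocator, not to the program under test.
RUNTIME_PREFIXES = ('__', '_int_', 'malloc_')


def parse_frames(text):
    """Return a list of (frame_number, symbol) tuples in backtrace order."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1)), m.group(2)))
    return frames


def first_application_frame(frames):
    """The innermost frame whose symbol is not a runtime/allocator symbol."""
    for _, symbol in frames:
        if not symbol.startswith(RUNTIME_PREFIXES):
            return symbol
    return None


def abort_message(text):
    """The string glibc passed to malloc_printerr, if the trace contains one."""
    m = re.search(r'malloc_printerr \(str=str@entry=0x[0-9a-fA-F]+ "([^"]+)"', text)
    return m.group(1) if m else None


def crash_bucket(text):
    """Bucket key: '<glibc abort message>@<first application frame>'."""
    frames = parse_frames(text)
    message = abort_message(text) or 'unknown'
    site = first_application_frame(frames) or 'unknown'
    return f'{message}@{site}'


if __name__ == '__main__':
    print(crash_bucket(SAMPLE_TRACE))  # double free or corruption (out)@do_ncdumpx
```

One triage caveat the bucket key makes visible: glibc emits "double free or corruption (out)" from `_int_free` when the chunk after the one being freed would lie beyond the arena's top chunk, which is a heap-metadata consistency check. A corrupted chunk size field (for example from an earlier out-of-bounds write) trips it just as readily as a literal second `free()` of the same pointer, so the message alone does not establish which of the two this report's input causes; a run under AddressSanitizer is the usual way to distinguish them.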