Message-ID: <CAG8b5tRjAg5iioDo18JpJdvNQDdtdaZBU_GcPacnqHDCGBcp2A@mail.gmail.com>
Date: Fri, 11 Jan 2019 23:44:02 +0530
From: Dhiraj Mishra <mishra.dhiraj95@...il.com>
To: oss-security@...ts.openwall.com
Subject: Memory leak in libiec61850

Hi List,

## Summary:
An issue has been found in libIEC61850 v1.3.1. Memory_malloc and
Memory_calloc in hal/memory/lib_memory.c have memory leaks when called from
mms/iso_mms/common/mms_value.c, server/mms_mapping/mms_mapping.c, and
server/mms_mapping/mms_sv.c (via common/string_utilities.c), as
demonstrated by iec61850_9_2_LE_example.c.

## Snip code from mms_value.c#L1583-L1600:
    self->value.visibleString.buf = (char*) GLOBAL_MALLOC(size + 1);

    if (self->value.visibleString.buf == NULL) {
        GLOBAL_FREEMEM(self);
        self = NULL;
        goto exit_function;
    }

    self->value.visibleString.buf[0] = 0;

    exit_function:
    return self;
}

MmsValue*
MmsValue_newVisibleStringWithSize(int size)
{

## Memory leak:

==23314==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 260 byte(s) in 2 object(s) allocated from:
    #0 0x7fd669c33b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55f220071c7c in Memory_malloc /home/input0/Desktop/libiec61850/hal/memory/lib_memory.c:47
    #2 0x55f21ff7390d in MmsValue_newStringWithSize /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1583
    #3 0x55f21ff73a80 in MmsValue_newVisibleStringWithSize /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1600
    #4 0x55f21ff72d0d in MmsValue_newDefaultValue /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1457
    #5 0x55f21ff72203 in MmsValue_newStructure /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1391
    #6 0x55f21ffafcf7 in LIBIEC61850_SV_createSVControlBlocks /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_sv.c:428
    #7 0x55f21ff8df69 in createNamedVariableFromLogicalNode /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1090
    #8 0x55f21ff8ea2f in createMmsDomainFromIedDevice /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1193
    #9 0x55f21ff8ec8d in createMmsDataModel /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1215
    #10 0x55f21ff8f2ef in createMmsModelFromIedModel /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1298
    #11 0x55f21ff8f5a8 in MmsMapping_create /home/input0/Desktop/libiec61850/src/iec61850/server/mms_mapping/mms_mapping.c:1344
    #12 0x55f21ff7a565 in IedServer_createWithConfig /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:430
    #13 0x55f21ff7abcb in IedServer_create /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:483
    #14 0x55f21ff66cf7 in main /home/input0/Desktop/libiec61850/examples/iec61850_9_2_LE_example/iec61850_9_2_LE_example.c:119
    #15 0x7fd6691c8b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

Direct leak of 216 byte(s) in 17 object(s) allocated from:
    #0 0x7fd669c33d38 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded38)
    #1 0x55f220071cb5 in Memory_calloc /home/input0/Desktop/libiec61850/hal/memory/lib_memory.c:59
    #2 0x55f21ff72045 in MmsValue_newStructure /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1386
    #3 0x55f21ff72ecd in MmsValue_newDefaultValue /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1479
    #4 0x55f21ff72203 in MmsValue_newStructure /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1391
    #5 0x55f21ff72ecd in MmsValue_newDefaultValue /home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1479
    #6 0x55f21ff791b4 in createMmsServerCache /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:207
    #7 0x55f21ff7aa4d in IedServer_createWithConfig /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:453
    #8 0x55f21ff7abcb in IedServer_create /home/input0/Desktop/libiec61850/src/iec61850/server/impl/ied_server.c:483
    #9 0x55f21ff66cf7 in main /home/input0/Desktop/libiec61850/examples/iec61850_9_2_LE_example/iec61850_9_2_LE_example.c:119
    #10 0x7fd6691c8b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
.....

Later CVE-2019-6138 was assigned to this issue.


Thank you
@mishradhiraj_
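
A triage helper for LeakSanitizer reports like the one in this message, added here as an example and not part of the original post or of libiec61850: it totals leaked bytes and objects per owning call site, skipping the interceptor and the `Memory_malloc`/`Memory_calloc` wrappers. The names `parse_leaks`, `summarize` and `WRAPPERS` are assumptions of this example; frames are accepted with the source location on the same line or wrapped onto the next one.

```python
import re

# Abridged from the report in this message (first three frames of each record),
# with each frame's location on the following line, as a mail client wraps it.
SAMPLE = """\
Direct leak of 260 byte(s) in 2 object(s) allocated from:
    #0 0x7fd669c33b50 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55f220071c7c in Memory_malloc
/home/input0/Desktop/libiec61850/hal/memory/lib_memory.c:47
    #2 0x55f21ff7390d in MmsValue_newStringWithSize
/home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1583

Direct leak of 216 byte(s) in 17 object(s) allocated from:
    #0 0x7fd669c33d38 in __interceptor_calloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded38)
    #1 0x55f220071cb5 in Memory_calloc
/home/input0/Desktop/libiec61850/hal/memory/lib_memory.c:59
    #2 0x55f21ff72045 in MmsValue_newStructure
/home/input0/Desktop/libiec61850/src/mms/iso_mms/common/mms_value.c:1386
"""

HEADER = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)\s*(.*)$")
# Allocator plumbing to skip when looking for the code that owns the allocation.
WRAPPERS = ("__interceptor_", "Memory_malloc", "Memory_calloc")

def parse_leaks(text):
    """Return one dict per leak record, with frames as [function, location]."""
    leaks = []
    for line in text.splitlines():
        head, frame = HEADER.match(line), FRAME.match(line)
        if head:
            leaks.append({"bytes": int(head[2]), "objects": int(head[3]), "frames": []})
        elif frame and leaks:
            leaks[-1]["frames"].append([frame[1], frame[2]])
        elif leaks and leaks[-1]["frames"] and line.strip()[:1] in ("/", "("):
            if not leaks[-1]["frames"][-1][1]:  # location wrapped onto its own line
                leaks[-1]["frames"][-1][1] = line.strip()
    return leaks

def summarize(text):
    """Total leaked (bytes, objects) keyed by the first non-wrapper frame."""
    totals = {}
    for leak in parse_leaks(text):
        site = next((tuple(f) for f in leak["frames"] if not f[0].startswith(WRAPPERS)), None)
        b, n = totals.get(site, (0, 0))
        totals[site] = (b + leak["bytes"], n + leak["objects"])
    return totals
```

Grouping by the first frame above the allocation wrappers points at the constructors (`MmsValue_newStringWithSize`, `MmsValue_newStructure`) rather than at `lib_memory.c`, which every allocation passes through.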
