libbabl 0.1.62 Broken Double-Free Detection

CVE Category Price Severity
CVE-2020-111002 CWE-415 $5,000 High
Author Risk Exploitation Type Date
Unknown High Local 2020-12-15
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/S:C/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

libbabl 0.1.62 Broken Double-Free Detection
# Exploit Title: libbabl 0.1.62 - Broken Double Free Detection (PoC)
# Date: December 14, 2020
# Exploit Author: Carter Yagemann
# Vendor Homepage:
# Software Link:
# Version: libbabl 0.1.62 and newer
# Tested on: Debian Buster (Linux 4.19.0-9-amd64)
# Compile: gcc -Ibabl-0.1 -lbabl-0.1 babl-0.1.62_babl_free.c

 * Babl has an interesting way of managing buffers allocated and freed using babl_malloc()
 * and babl_free(). This is the structure of its allocations (taken from babl-memory.c):
 * typedef struct
 * {
 *   char  *signature;
 *   size_t size;
 *   int  (*destructor)(void *ptr);
 * } BablAllocInfo;
 * signature is used to track whether a chunk was allocated by babl, and if so, whether
 * it is currently allocated or freed. This is done by either pointing it to the global
 * string "babl-memory" or "So long and thanks for all the fish." (babl-memory.c:44).
 * Using this signature, babl can detect bad behavior's like double free (babl-memory.c:173):
 * void
 * babl_free (void *ptr,
 *            ...)
 * {
 *   ...
 *       if (freed == BAI (ptr)->signature)
 *         fprintf (stderr, "\nbabl:double free detected\n");
 * Or so the developers think. As it turns out, because babl internally uses libc's malloc()
 * and free(), which has its own data that it stores within freed chunks, most systems will
 * overwrite babl's signature variable upon freeing, breaking the double free detection.
 * The simple PoC below demonstrates this:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#include <babl/babl-memory.h>

int main(int argc, char **argv) {
    void *buf = babl_malloc(42);
    // BUG: reports an "unknown" pointer warning when the following is clea=
rly a double free

    return 0;

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.