double-free in bobj.c #2964

Closed
m4drat opened this issue Aug 22, 2022 · 2 comments · Fixed by #2977

Comments

@m4drat

m4drat commented Aug 22, 2022

Hi! We've been fuzzing your project and found the following error in librz/bin/bobj.c:142

Work environment

OS: Ubuntu 20.04
File format: -
rizin version: 4b38597

Bug description

Heap double-free in librz/bin/bobj.c:142:3

Steps to reproduce

  1. Build docker container from https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/rizin: sudo docker build -t oss-sydr-fuzz-rizin .

  2. Run docker container: sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-rizin /bin/bash

  3. Execute rizin with crashing input (we sent all crashing inputs to you by email):
    /rizin-fuzzing/libfuzzer-asan/bin/rizin -qq crash-ec0c253b75cf3a89faf1b217cb8f94463852493c

  4. You will see the following output:

=================================================================
==2491485==ERROR: AddressSanitizer: attempting double-free on 0x60600003fa40 in thread T0:
    #0 0x498a32 in free (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x498a32)
    #1 0xae69c3 in rz_bin_reloc_storage_free /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bobj.c:142:3
    #2 0xae69c3 in rz_bin_object_free /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bobj.c:201:2
    #3 0xad73c7 in rz_bin_file_free /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bfile.c:64:2
    #4 0x4fcf7a in rz_list_delete /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/util/list.c:166:3
    #5 0x4fcf7a in rz_list_purge /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/util/list.c:126:3
    #6 0x4fcf7a in rz_list_free /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/util/list.c:139:3
    #7 0xadffdd in rz_bin_free /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bin.c:449:2
    #8 0x10254a9 in rz_core_fini /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/core.c:2658:2
    #9 0x1025b48 in rz_core_free /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/core.c:2684:2
    #10 0x5b6ac6 in rz_main_rizin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/main/rizin.c:1503:2
    #11 0x7fe47324a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #12 0x41da3d in _start (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x41da3d)

0x60600003fa40 is located 0 bytes inside of 64-byte region [0x60600003fa40,0x60600003fa80)
freed by thread T0 here:
    #0 0x498a32 in free (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x498a32)
    #1 0x4fcf7a in rz_list_delete /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/util/list.c:166:3
    #2 0x4fcf7a in rz_list_purge /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/util/list.c:126:3
    #3 0x4fcf7a in rz_list_free /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/util/list.c:139:3

previously allocated by thread T0 here:
    #0 0x498e12 in calloc (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x498e12)
    #1 0xb6b102 in load_buffer /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/p/bin_qnx.c:131:22
    #2 0xae7004 in rz_bin_object_new /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bobj.c:300:8

SUMMARY: AddressSanitizer: double-free (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x498a32) in free
==2491485==ABORTING
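The trace above shows one 64-byte buffer (allocated by calloc in load_buffer) being released twice: first through the list destructor chain rz_list_free -> rz_list_purge -> rz_list_delete, then again by rz_bin_reloc_storage_free. The C snippet below is an added illustration of that dual-ownership pattern next to the single-owner alternative; it is not rizin's code, and the list type, the checked_free wrapper and the teardown() function are hypothetical stand-ins built only to show the pattern.

```c
#include <stdlib.h>

/* Minimal singly linked list with an optional per-element destructor,
 * a hypothetical stand-in for a list-with-free-callback idiom. */
typedef struct node { void *data; struct node *next; } node_t;
typedef struct { node_t *head; void (*free_fn)(void *); } list_t;

static int list_push(list_t *l, void *d) {
    node_t *n = malloc(sizeof *n);
    if (!n) return 0;
    n->data = d; n->next = l->head; l->head = n;
    return 1;
}
static void list_free(list_t *l) {
    for (node_t *n = l->head; n;) {
        node_t *next = n->next;
        if (l->free_fn) l->free_fn(n->data);  /* list owns elements only if a destructor is set */
        free(n);
        n = next;
    }
    l->head = NULL;
}

/* Instrumented free: remembers pointers it has released, so a second release
 * of the same pointer is counted instead of corrupting the heap (a stand-in
 * for what AddressSanitizer reports as "attempting double-free"). */
static void *freed[64]; static int nfreed, double_frees;
static void checked_free(void *p) {
    for (int i = 0; i < nfreed; i++) if (freed[i] == p) { double_frees++; return; }
    if (nfreed < 64) freed[nfreed++] = p;
    free(p);
}

/* Object holding a storage buffer that is also reachable from its list. */
typedef struct { list_t relocs; void *storage; } obj_t;

/* Tear down one object. list_owns = 1 reproduces the reported pattern: the
 * list destructor releases the storage, then the object's own free releases
 * it again. list_owns = 0 is the fix: exactly one owner releases the buffer.
 * Returns the number of double frees observed (0 for a correct teardown). */
static int teardown(int list_owns) {
    nfreed = 0; double_frees = 0;
    obj_t o = { .relocs = { NULL, list_owns ? checked_free : NULL }, .storage = calloc(1, 64) };
    list_push(&o.relocs, o.storage);  /* same buffer now reachable from two places */
    list_free(&o.relocs);             /* first release (rz_list_free in the trace) */
    checked_free(o.storage);          /* second release (rz_bin_reloc_storage_free) */
    o.storage = NULL;
    return double_frees;
}
```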

@wargio
Member

wargio commented Aug 22, 2022

Can you just upload the binary here so we can simply test this? Same for all the other issues.

@m4drat
Author

m4drat commented Aug 22, 2022

Okay, I will do that. Here is the crash for this one: crash-ec0c253b75cf3a89faf1b217cb8f94463852493c.zip

@XVilka XVilka added the CVE label Aug 22, 2022
@XVilka XVilka added this to the 0.4.1 milestone Aug 22, 2022
wargio added a commit that referenced this issue Aug 22, 2022
This was referenced Aug 22, 2022
wargio added a commit that referenced this issue Aug 23, 2022
wargio added a commit that referenced this issue Aug 23, 2022
XVilka pushed a commit that referenced this issue Aug 24, 2022
XVilka pushed a commit that referenced this issue Aug 24, 2022
XVilka pushed a commit that referenced this issue Aug 24, 2022
imbillow pushed a commit that referenced this issue Aug 24, 2022
XVilka pushed a commit that referenced this issue Aug 30, 2022
XVilka pushed a commit that referenced this issue Aug 30, 2022
3 participants