libbabl Broken Double Free Vulnerability Allows Memory Corruption and Code Execution
Vulnerability
A vulnerability in libbabl version 0.1.62 lets a double free slip past the library's own double-free detection. libbabl's memory functions keep a signature field inside each chunk handed out by babl_malloc(), and babl_free() checks that field to decide whether the chunk is still live. Once the chunk has been returned to libc, however, libc reuses the start of the freed chunk for its own malloc metadata and overwrites the signature. A second babl_free() on the same pointer therefore does not look like a double free to the library and goes through to libc unchallenged. The trigger is an ordinary double-free bug in a program using libbabl; the vulnerability is that the library's check, which is meant to catch exactly that mistake, is defeated by the allocator it sits on top of, leaving the door open to memory corruption and potentially code execution.
Impact
An undetected double free reaches libc's free() and corrupts allocator state. Depending on the allocator and on the allocations made in between, an attacker who can drive the program into the double free may turn that into overlapping allocations and arbitrary writes, and from there potentially into arbitrary code execution. libbabl's signature check was the guard intended to stop this; whether libc's own double-free checks (for example glibc's tcache key check) fire instead depends on the libc version and on the state of the freed chunk, so they should not be relied on as a substitute.
Reproduction
To reproduce, compile a program against libbabl that allocates a chunk with babl_malloc() and then calls babl_free() on the same pointer twice. The first call frees the chunk normally. The second call, which passes the already freed pointer, does not produce libbabl's double-free warning: the signature that babl_free() relies on has been overwritten by libc's metadata, so the library's built-in memory safety check is bypassed and the duplicate free is forwarded to libc.
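The program below is an added example and not libbabl's code: it does not link against libbabl and the names (sig_malloc, sig_free_inband, sig_malloc_tracked, sig_free_tracked), header layout and magic values are assumptions made for the illustration. It models the in-chunk signature guard described above, explains why the freed marker cannot be trusted once the chunk is back in libc's hands, and places beside it a guard that records liveness outside the freed memory and therefore refuses the second free.

```c
/* Added example, not libbabl's code. Models the "signature inside the chunk"
 * free-guard from the advisory with a hypothetical allocator and contrasts it
 * with a guard whose bookkeeping lives outside the freed memory.
 * Names, header layout and magic values are assumptions for illustration. */
#include <stdint.h>
#include <stdlib.h>

#define SIG_LIVE  0x4C49564543484E4BULL   /* constructed magic values */
#define SIG_FREED 0x465245454443484BULL

typedef struct {
    uint64_t signature;   /* first word of the malloc'd chunk */
    size_t   size;
} AllocHeader;            /* 16 bytes; the payload follows immediately */

#define HDR(p) ((AllocHeader *)((char *)(p) - sizeof(AllocHeader)))

void *sig_malloc(size_t n)
{
    AllocHeader *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->signature = SIG_LIVE;
    h->size = n;
    return (char *)h + sizeof *h;
}

/* In-band guard. The FREED marker is written into the chunk, then the chunk
 * is handed to free(). glibc stores its tcache/fastbin link words at the start
 * of a freed chunk, exactly where the signature sits, so a later check reads
 * indeterminate memory (undefined behaviour) and cannot be relied on to see
 * SIG_FREED. Never call this twice on one pointer; it only shows the pattern.
 * Returns 0 on success, -1 on a detected double free, -2 on a foreign pointer. */
int sig_free_inband(void *p)
{
    if (!p) return 0;
    AllocHeader *h = HDR(p);
    if (h->signature == SIG_FREED) return -1;
    if (h->signature != SIG_LIVE)  return -2;
    h->signature = SIG_FREED;
    free(h);
    return 0;
}

/* Out-of-band guard: liveness is recorded in a table free() cannot overwrite.
 * A linear fixed-size table is enough here; a real implementation would use a
 * hash set and a lock. Address reuse is the remaining gap: once a new
 * allocation lands at the same address, a stale pointer looks live again. */
#define TRACK_MAX 1024
static uintptr_t live_table[TRACK_MAX];
static size_t    live_count;

static int live_find(uintptr_t a)
{
    for (size_t i = 0; i < live_count; i++)
        if (live_table[i] == a) return (int)i;
    return -1;
}

void *sig_malloc_tracked(size_t n)
{
    if (live_count == TRACK_MAX) return NULL;
    void *p = sig_malloc(n);
    if (p) live_table[live_count++] = (uintptr_t)p;
    return p;
}

/* Returns 0 on a valid free and -1 when the pointer is not live (double free
 * or foreign pointer). The table is consulted before free() runs, so a second
 * free of the same pointer is refused without touching freed memory. */
int sig_free_tracked(void *p)
{
    if (!p) return 0;
    int i = live_find((uintptr_t)p);
    if (i < 0) return -1;
    live_table[i] = live_table[--live_count];   /* swap-remove */
    free(HDR(p));
    return 0;
}

/* A legitimate single free passes the in-band guard. */
int demo_single_free_ok(void)
{
    void *p = sig_malloc(16);
    return p && sig_free_inband(p) == 0;
}

/* The tracked guard refuses the second free of the same pointer. */
int demo_double_free_is_caught(void)
{
    void *p = sig_malloc_tracked(32);
    if (!p) return 0;
    int first  = sig_free_tracked(p);   /* 0 */
    int second = sig_free_tracked(p);   /* -1 */
    return first == 0 && second == -1;
}

/* A pointer that was never handed out by sig_malloc_tracked is refused too. */
int demo_foreign_pointer_refused(void)
{
    int local;
    return sig_free_tracked(&local) == -1;
}
```

The contrast is the point: any double-free check whose state is stored in the chunk being freed is racing the allocator for the same bytes and loses as soon as free() returns, whereas state kept outside the chunk (a side table, an allocation-id check, or allocator-level hardening) survives the free and can refuse the second call before libc ever sees it.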
