[Bug 266827] corrupt message can cause wild pointer read in hastd
Date: Tue, 04 Oct 2022 20:39:31 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266827

            Bug ID: 266827
           Summary: corrupt message can cause wild pointer read in hastd
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Attachment #237079 text/plain mime type:

Created attachment 237079
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237079&action=edit
crash a hastd server with a bad nv string dsize

hastd's nv_validate() uses a value from a received packet as an array
index without sufficient checking:

        dsize = NVH_DSIZE(nvh);
        ...
        case NV_TYPE_STRING:
                data = NVH_DATA(nvh);
                if (data[dsize - 1] != '\0') {

I've attached a demo that passes 2^32-1 as dsize:

  # cat hast.conf
  listen tcp://0.0.0.0
  resource r {
          on myhostname {
                  local /tmp/hast.data
                  remote tcp://127.0.0.1
          }
  }
  # touch /tmp/hast.data
  # sudo /sbin/hastd -F -d -c hast.conf &
  # cc hastd1a.c
  # ./a.out
  # wait
  [1]   Segmentation fault      /sbin/hastd -F -d -c hast.conf

  Program received signal SIGSEGV, Segmentation fault.
  Address not mapped to object.
  nv_validate (nv=0x80183d000, extrap=extrap@entry=0x7fffffffe518)
      at /usr/src/sbin/hastd/nv.c:312
  312             if (data[dsize - 1] != '\0') {
  (gdb) where
  #0  nv_validate (nv=0x80183d000, extrap=extrap@entry=0x7fffffffe518)
      at /usr/src/sbin/hastd/nv.c:312
  #1  0x000000000103b38c in nv_ntoh (eb=eb@entry=0x801863000)
      at /usr/src/sbin/hastd/nv.c:390
  #2  0x00000000010360f8 in hast_proto_recv_hdr (conn=0x801853040,
      nvp=nvp@entry=0x7fffffffe5b0) at /usr/src/sbin/hastd/hast_proto.c:161
  #3  0x0000000001037932 in listen_accept (lst=lst@entry=0x80183e000)
      at /usr/src/sbin/hastd/hastd.c:790
  #4  0x0000000001037325 in main_loop () at /usr/src/sbin/hastd/hastd.c:1148
  #5  0x0000000001036f68 in main (argc=<optimized out>, argv=<optimized out>)
      at /usr/src/sbin/hastd/hastd.c:1337

-- 
You are receiving this mail because:
You are the assignee for the bug.
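The defect in the report is that dsize, a length taken straight from the received packet, is used as an array index (data[dsize - 1]) before anyone has checked that dsize is non-zero and that dsize bytes of data are actually present in the buffer. The following is an added example written for this page, not code from the bug report or from hastd's nv.c: it uses a hypothetical, deliberately simplified wire layout (4-byte big-endian dsize, 1-byte type, then data) rather than hastd's real nvhdr, and shows the same NUL-termination check done only after every bound on dsize has been enforced. The unchecked variant only computes the index the original code would have read from; it never dereferences it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical wire layout for one string field (NOT hastd's real nvhdr):
 *   [0..3] dsize, big-endian, length of data INCLUDING the terminating NUL
 *   [4]    type  (TYPE_STRING == 1)
 *   [5..]  data
 */
#define HDR_LEN     5
#define TYPE_STRING 1

enum nv_status {
    NV_OK = 0,
    NV_ERR_SHORT_HDR,       /* buffer shorter than the fixed header */
    NV_ERR_BAD_TYPE,        /* not a string field */
    NV_ERR_ZERO_DSIZE,      /* dsize == 0 would index data[-1] */
    NV_ERR_DSIZE_OVERFLOWS, /* dsize claims more bytes than were received */
    NV_ERR_NOT_TERMINATED   /* last data byte is not NUL */
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The unsafe pattern from the report, reduced to reporting the offset it
 * WOULD read relative to data. With dsize = 0xFFFFFFFF that is ~4 GiB past
 * the buffer, which is the wild read seen in the backtrace. Never dereferences. */
size_t unchecked_index(const uint8_t *buf)
{
    uint32_t dsize = get_be32(buf);
    return (size_t)dsize - 1;
}

/* Hardened validation: dsize is bounded by the bytes actually received
 * (buflen) before it is used as an index. */
enum nv_status validate_string_field(const uint8_t *buf, size_t buflen)
{
    if (buflen < HDR_LEN)
        return NV_ERR_SHORT_HDR;

    uint32_t dsize = get_be32(buf);
    uint8_t  type  = buf[4];

    if (type != TYPE_STRING)
        return NV_ERR_BAD_TYPE;
    if (dsize == 0)
        return NV_ERR_ZERO_DSIZE;           /* guards data[dsize - 1] underflow */
    if (dsize > buflen - HDR_LEN)
        return NV_ERR_DSIZE_OVERFLOWS;      /* guards reads past the buffer */

    const uint8_t *data = buf + HDR_LEN;
    if (data[dsize - 1] != '\0')            /* now provably in bounds */
        return NV_ERR_NOT_TERMINATED;
    return NV_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t good_msg[]         = { 0, 0, 0, 4, TYPE_STRING, 'a', 'b', 'c', 0 };
static const uint8_t huge_dsize_msg[]   = { 0xff, 0xff, 0xff, 0xff, TYPE_STRING, 'a', 'b', 'c', 0 };
static const uint8_t zero_dsize_msg[]   = { 0, 0, 0, 0, TYPE_STRING, 'a', 'b', 'c', 0 };
static const uint8_t unterminated_msg[] = { 0, 0, 0, 4, TYPE_STRING, 'a', 'b', 'c', 'd' };

int main(void)
{
    printf("good:         %d\n", validate_string_field(good_msg, sizeof good_msg));
    printf("huge dsize:   %d\n", validate_string_field(huge_dsize_msg, sizeof huge_dsize_msg));
    printf("zero dsize:   %d\n", validate_string_field(zero_dsize_msg, sizeof zero_dsize_msg));
    printf("unterminated: %d\n", validate_string_field(unterminated_msg, sizeof unterminated_msg));
    printf("unchecked index for huge dsize: %zu\n", unchecked_index(huge_dsize_msg));
    return 0;
}
```

The ordering of the checks is the point: the comparison against buflen must come before any arithmetic on dsize is used as an offset, and the dsize == 0 case needs its own rejection because dsize - 1 on an unsigned value wraps rather than going negative.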