[Bug 266827] corrupt message can cause wild pointer read in hastd
Date: Tue, 04 Oct 2022 20:39:31 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266827
Bug ID: 266827
Summary: corrupt message can cause wild pointer read in hastd
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Created attachment 237079
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237079&action=edit
crash a hastd server with a bad nv string dsize
hastd's nv_validate() uses a value from a received packet as an array
index without sufficient checking:
	dsize = NVH_DSIZE(nvh);
	...
	case NV_TYPE_STRING:
		data = NVH_DATA(nvh);
		if (data[dsize - 1] != '\0') {
I've attached a demo that passes 2^32-1 as dsize:
# cat hast.conf
listen tcp://0.0.0.0
resource r {
	on myhostname {
		local /tmp/hast.data
		remote tcp://127.0.0.1
	}
}
# touch /tmp/hast.data
# sudo /sbin/hastd -F -d -c hast.conf &
# cc hastd1a.c
# ./a.out
# wait
[1] Segmentation fault /sbin/hastd -F -d -c hast.conf
Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
nv_validate (nv=0x80183d000, extrap=extrap@entry=0x7fffffffe518) at
/usr/src/sbin/hastd/nv.c:312
312 if (data[dsize - 1] != '\0') {
(gdb) where
#0 nv_validate (nv=0x80183d000, extrap=extrap@entry=0x7fffffffe518)
at /usr/src/sbin/hastd/nv.c:312
#1 0x000000000103b38c in nv_ntoh (eb=eb@entry=0x801863000)
at /usr/src/sbin/hastd/nv.c:390
#2 0x00000000010360f8 in hast_proto_recv_hdr (conn=0x801853040,
nvp=nvp@entry=0x7fffffffe5b0) at /usr/src/sbin/hastd/hast_proto.c:161
#3 0x0000000001037932 in listen_accept (lst=lst@entry=0x80183e000)
at /usr/src/sbin/hastd/hastd.c:790
#4 0x0000000001037325 in main_loop () at /usr/src/sbin/hastd/hastd.c:1148
#5 0x0000000001036f68 in main (argc=<optimized out>, argv=<optimized out>)
at /usr/src/sbin/hastd/hastd.c:1337
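The report boils down to a length field taken from the wire being used as an array index before it is compared with the number of bytes actually received. The following is an added example, not hastd's code and not the attachment from the report: it validates a simplified nv-style entry (an assumed layout of a 4-byte little-endian data size, a 1-byte type and the data, which is not hastd's real header structure) and shows the two checks that the quoted fragment lacks, namely that dsize fits inside the received buffer and that dsize is not zero before dsize - 1 is used. The sample packets (a well-formed string, a dsize of 2^32-1 like the report's demo, a zero dsize and an unterminated string) are constructed inline for illustration.

```c
/* Added example: bounds-checked validation of a simplified nv-style
 * entry. The header layout is an assumption for this illustration,
 * not hastd's actual struct layout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_TYPE_STRING 1
#define EX_HDR_LEN     5   /* 4-byte dsize + 1-byte type */

/* Decode a 32-bit little-endian field (the constructed packets use LE). */
static uint32_t ex_get32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	    (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Validate one entry without ever indexing past buflen.
 * Returns 0 when the entry is well-formed and stores the number of
 * bytes it occupies in *consumed; returns -1 otherwise.
 */
int ex_validate_entry(const uint8_t *buf, size_t buflen, size_t *consumed)
{
	if (buf == NULL || buflen < EX_HDR_LEN)
		return (-1);

	uint32_t dsize = ex_get32(buf);
	uint8_t type = buf[EX_HDR_LEN - 1];
	const uint8_t *data = buf + EX_HDR_LEN;
	size_t avail = buflen - EX_HDR_LEN;

	/* Check 1: the claimed data size must fit in what was received.
	 * This is what rejects the report's dsize of 2^32-1. */
	if ((size_t)dsize > avail)
		return (-1);

	switch (type) {
	case EX_TYPE_STRING:
		/* Check 2: dsize == 0 would make dsize - 1 wrap around. */
		if (dsize == 0)
			return (-1);
		/* Only now is data[dsize - 1] known to be inside the buffer. */
		if (data[dsize - 1] != '\0')
			return (-1);
		/* Reject embedded NULs: the string must use the whole field. */
		if (strlen((const char *)data) != (size_t)dsize - 1)
			return (-1);
		break;
	default:
		return (-1);
	}

	if (consumed != NULL)
		*consumed = EX_HDR_LEN + dsize;
	return (0);
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t ex_good[]  = { 6, 0, 0, 0, 1, 'h', 'e', 'l', 'l', 'o', 0 };
static const uint8_t ex_huge[]  = { 0xff, 0xff, 0xff, 0xff, 1, 'x' };
static const uint8_t ex_zero[]  = { 0, 0, 0, 0, 1 };
static const uint8_t ex_nonul[] = { 5, 0, 0, 0, 1, 'h', 'e', 'l', 'l', 'o' };

int ex_check_good(void)  { return ex_validate_entry(ex_good,  sizeof(ex_good),  NULL); }
int ex_check_huge(void)  { return ex_validate_entry(ex_huge,  sizeof(ex_huge),  NULL); }
int ex_check_zero(void)  { return ex_validate_entry(ex_zero,  sizeof(ex_zero),  NULL); }
int ex_check_nonul(void) { return ex_validate_entry(ex_nonul, sizeof(ex_nonul), NULL); }

int main(void)
{
	size_t used = 0;
	printf("good:  %d (consumed %zu)\n",
	    ex_validate_entry(ex_good, sizeof(ex_good), &used), used);
	printf("huge:  %d\n", ex_check_huge());
	printf("zero:  %d\n", ex_check_zero());
	printf("nonul: %d\n", ex_check_nonul());
	return (0);
}
```

The ordering matters: the size-versus-buffer comparison and the zero check both run before any byte at data[dsize - 1] is touched, so a hostile dsize is rejected by arithmetic on trusted values rather than by reading through a wild pointer.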