yxscc opened a new issue, #813:
URL: https://github.com/apache/celix/issues/813

   ## Summary
   `rsa_shm_server.c` trusts `rsa_shm_msg_t.ctrlDataOffset/msgBodyOffset` from the client and maps `base + offset` without any bounds check against the shared-memory size. A crafted message with a huge offset makes the server dereference/write far outside the mapped SHM region, causing a crash (SIGSEGV) and potential memory corruption.
   
   ## Component
   - Files:
     - `bundles/remote_services/remote_service_admin_shm_v2/rsa_shm/src/rsa_shm_server.c`
     - `bundles/remote_services/remote_service_admin_shm_v2/shm_pool/src/shm_cache.c`
   - Affected API: RSA SHM transport message handling (not deprecated).
   
   ## Root Cause
   - The server only checks basic struct size/negative offsets but never validates that `ctrlDataOffset` / `msgBodyOffset` fall within the actual SHM segment.
   - `shmCache_getMemoryPtr` simply returns `base + offset` without verifying the mapped length.
   - The worker thread then locks/writes through these unchecked pointers, leading to OOB access and crash.
   
   ### Key code excerpts
   `bundles/remote_services/remote_service_admin_shm_v2/rsa_shm/src/rsa_shm_server.c` (lines 286-338):
   ```c
   msgCtrl = shmCache_getMemoryPtr(server->shmCache, msgInfo.shmId, msgInfo.ctrlDataOffset);
   ...
   char *msgBody = shmCache_getMemoryPtr(server->shmCache, msgInfo.shmId, msgInfo.msgBodyOffset);
   ...
   memcpy(dest, src, bytes); // dest points to unchecked msgBody
   ```
   
   `bundles/remote_services/remote_service_admin_shm_v2/shm_pool/src/shm_cache.c` (lines 139-178):
   ```c
   void * shmCache_getMemoryPtr(shm_cache_t *shmCache, int shmId, ssize_t memoryOffset) {
       ...
       ptr = shmBlock->shmStartAddr + memoryOffset; // no bounds check vs SHM size
   }
   ```
   
   ## Reproduction
   1) Build PoC (crafted large offsets):
      ```bash
      cd /home/ConCord/targets/celix && gcc -pthread poc/rsa_shm_oob_poc.c -o poc/rsa_shm_oob_poc
      ```
   2) Run:
      ```bash
      /home/ConCord/targets/celix/poc/rsa_shm_oob_poc
      ```
   3) Observed: process crashes with SIGSEGV (exit 139). Log shows OOB pointer:
      ```
      About to write via OOB pointer 0x7f... (base=0x7f... size=4096)
      ```
      The write to `base + offset` exceeds the SHM mapping and faults.
   
   ## Impact
   - Remote client can crash the RSA SHM server by sending a crafted message with large offsets.
   - Potential memory corruption if offsets land in a mapped area (undefined behavior).
   - DoS is trivial; exploitation risk exists because the server performs unchecked writes.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

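The bounds check the report says is missing, as an added example that is not part of this issue or of the Celix code base: a hypothetical `shm_seg_t` and `shm_msg_hdr_t` stand in for the project's `shm_cache_t` and `rsa_shm_msg_t`, `shm_ptr_unchecked` reproduces the `base + offset` pattern quoted above, and `shm_ptr_checked` / `shm_msg_validate` show a length-aware check (offset plus the bytes that will be copied, with overflow-safe arithmetic, and an overlap check between the two windows) rather than an offset-only one, since the `memcpy` the issue quotes writes a caller-supplied number of bytes. All names, the header layout and the 4 KiB heap buffer standing in for an mmap'd segment are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical stand-in for one mapped shared-memory segment (not Celix's
 * shm_cache_t): base address plus the mapped length the real lookup ignores. */
typedef struct {
    char  *base;
    size_t size;
} shm_seg_t;

/* Constructed message header: the client-controlled offsets the issue names,
 * plus the lengths the server needs in order to bound each access. */
typedef struct {
    ssize_t ctrlDataOffset;
    size_t  ctrlDataSize;
    ssize_t msgBodyOffset;
    size_t  msgBodySize;
} shm_msg_hdr_t;

/* The vulnerable pattern: base + offset with no comparison against size. */
static void *shm_ptr_unchecked(const shm_seg_t *seg, ssize_t offset)
{
    return seg->base + offset;
}

/* Hardened lookup: the caller states how many bytes it will touch from offset;
 * negative, past-the-end, or wrapping offset+len is refused with NULL.
 * The subtraction form never computes offset+len, so it cannot overflow. */
static void *shm_ptr_checked(const shm_seg_t *seg, ssize_t offset, size_t len)
{
    if (seg == NULL || seg->base == NULL || offset < 0)
        return NULL;
    size_t off = (size_t)offset;
    if (off > seg->size)
        return NULL;
    if (len > seg->size - off)        /* same as off + len > size, overflow-free */
        return NULL;
    return seg->base + off;
}

/* Validate a whole message before a worker touches either region: both windows
 * must lie inside the segment and must not alias each other. 0 on success. */
static int shm_msg_validate(const shm_seg_t *seg, const shm_msg_hdr_t *h,
                            void **ctrlOut, void **bodyOut)
{
    void *ctrl = shm_ptr_checked(seg, h->ctrlDataOffset, h->ctrlDataSize);
    void *body = shm_ptr_checked(seg, h->msgBodyOffset, h->msgBodySize);
    if (ctrl == NULL || body == NULL)
        return -1;
    /* Both windows passed the bounds check, so these sums cannot overflow. */
    size_t c0 = (size_t)h->ctrlDataOffset, c1 = c0 + h->ctrlDataSize;
    size_t b0 = (size_t)h->msgBodyOffset,  b1 = b0 + h->msgBodySize;
    if (h->ctrlDataSize != 0 && h->msgBodySize != 0 && c0 < b1 && b0 < c1)
        return -1;                    /* control data and body overlap */
    *ctrlOut = ctrl;
    *bodyOut = body;
    return 0;
}

/* Reports whether p lies inside the mapping; used only to show where the
 * unchecked lookup points, without dereferencing it. */
static int ptr_in_seg(const shm_seg_t *seg, const void *p)
{
    const char *c = (const char *)p;
    return c >= seg->base && c < seg->base + seg->size;
}

/* Exercises both lookups on a constructed 4 KiB segment (heap memory standing
 * in for an mmap'd region). Returns the number of failed expectations. */
static int run_checks(void)
{
    int fails = 0;
    shm_seg_t seg = { calloc(1, 4096), 4096 };
    if (seg.base == NULL)
        return 1;

    /* Unchecked: a 1 GiB offset is accepted and points far outside the mapping. */
    fails += ptr_in_seg(&seg, shm_ptr_unchecked(&seg, (ssize_t)1 << 30));

    /* Checked: each malformed shape is refused, the last fitting window is not. */
    fails += shm_ptr_checked(&seg, (ssize_t)1 << 30, 16) != NULL;  /* huge offset */
    fails += shm_ptr_checked(&seg, -1, 16) != NULL;                 /* negative offset */
    fails += shm_ptr_checked(&seg, 4081, 16) != NULL;               /* 4081 + 16 > 4096 */
    fails += shm_ptr_checked(&seg, 8, SIZE_MAX) != NULL;            /* naive 8 + len wraps */
    fails += shm_ptr_checked(&seg, 4080, 16) != seg.base + 4080;    /* exactly fits */

    /* Message-level validation. */
    shm_msg_hdr_t ok  = { 0, 64, 64, 512 };                /* ctrl [0,64), body [64,576) */
    shm_msg_hdr_t oob = { 0, 64, (ssize_t)1 << 30, 512 };  /* body offset outside segment */
    shm_msg_hdr_t ovl = { 0, 64, 32, 512 };                /* body [32,544) overlaps ctrl */
    void *c, *b;
    fails += shm_msg_validate(&seg, &ok,  &c, &b) != 0;
    fails += shm_msg_validate(&seg, &oob, &c, &b) == 0;
    fails += shm_msg_validate(&seg, &ovl, &c, &b) == 0;

    free(seg.base);
    return fails;
}

int main(void)
{
    int fails = run_checks();
    printf("%d failed expectation(s)\n", fails);
    return fails != 0;
}
```

The length argument is the part an offset-only fix tends to miss: an offset just inside the segment followed by a large copy still runs off the end, and `offset + len` computed naively can wrap back into range, which is why the check is written as `len > size - off`.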