Hello,

opening the attached sample config input file with dnsmasq results in a SIGABRT. The input file was fuzzed with american fuzzy lop (http://lcamtuf.coredump.cx/afl/).

Version:

commit b2a9c571ebb333acbaa6bd752142df6821cb410c

How to reproduce:

$ ./src/dnsmasq --test -C <attached config file>

Output (memory map/bt):

dnsmasq: bad option at line 8 of /tmp/dnsmasq_crash
*** Error in `./src/dnsmasq': double free or corruption (out): 0x0000000000ebc680 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x722ab)[0x7f5e308612ab]
/usr/lib/libc.so.6(+0x7890e)[0x7f5e3086790e]
/usr/lib/libc.so.6(+0x7911e)[0x7f5e3086811e]
/usr/lib/libc.so.6(_IO_setb+0x4b)[0x7f5e3086522b]
/usr/lib/libc.so.6(_IO_file_close_it+0xae)[0x7f5e3086385e]
/usr/lib/libc.so.6(fclose+0x1bf)[0x7f5e30856def]
/usr/lib/libc.so.6(+0xac5ad)[0x7f5e3089b5ad]
/usr/lib/libc.so.6(+0xab5f9)[0x7f5e3089a5f9]
/usr/lib/libc.so.6(+0xab8dd)[0x7f5e3089a8dd]
/usr/lib/libc.so.6(__vsyslog_chk+0xd4)[0x7f5e308d6114]
./src/dnsmasq[0x4966ab]
./src/dnsmasq[0x4976b2]
./src/dnsmasq[0x422f71]
./src/dnsmasq[0x42159a]
./src/dnsmasq[0x424c3d]
./src/dnsmasq[0x457557]
/usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7f5e3080f511]
./src/dnsmasq[0x40331a]
[1]    25674 abort (core dumped)  ./src/dnsmasq --test -C /tmp/dnsmasq_crash

gdb:

Program terminated with signal SIGABRT, Aborted.
#0  0x00007f5e30822a10 in raise () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007f5e30822a10 in raise () from /usr/lib/libc.so.6
#1  0x00007f5e3082413a in abort () from /usr/lib/libc.so.6
#2  0x00007f5e308612b0 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007f5e3086790e in malloc_printerr () from /usr/lib/libc.so.6
#4  0x00007f5e3086811e in _int_free () from /usr/lib/libc.so.6
#5  0x00007f5e3086522b in __GI__IO_setb () from /usr/lib/libc.so.6
#6  0x00007f5e3086385e in __GI__IO_file_close_it () from /usr/lib/libc.so.6
#7  0x00007f5e30856def in fclose@@GLIBC_2.2.5 () from /usr/lib/libc.so.6
#8  0x00007f5e3089b5ad in __tzfile_read () from /usr/lib/libc.so.6
#9  0x00007f5e3089a5f9 in tzset_internal () from /usr/lib/libc.so.6
#10 0x00007f5e3089a8dd in __tz_convert () from /usr/lib/libc.so.6
#11 0x00007f5e308d6114 in __vsyslog_chk () from /usr/lib/libc.so.6
#12 0x00000000004966ab in my_syslog (priority=2, format=0x4cb3b6 "%s") at log.c:340
#13 0x00000000004976b2 in die (message=0x4cb3b6 "%s", arg1=0xeb8010 "bad option at line 8 of /tmp/dnsmasq_crash", exit_code=1) at log.c:469
#14 0x0000000000422f71 in read_file (file=<optimized out>, f=<optimized out>, hard_opt=<optimized out>) at option.c:4310
#15 0x000000000042159a in one_file (file=0xeb8eb0 "/tmp/dnsmasq_crash", hard_opt=0) at option.c:4396
#16 0x0000000000424c3d in read_opts (argc=4, argv=0x7fffcf513728, compile_opts=<optimized out>) at option.c:4733
#17 0x0000000000457557 in main (argc=2, argv=0x7fffcf5128d0) at dnsmasq.c:89

Regards,
Stephan
-- 
Stephan Zeisberg
Security Researcher

Attachment: dnsmasq_crash
Description: Binary data

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
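
Added triage helper for reports like the one above (this is example code, not part of the report or of dnsmasq): it re-joins gdb frames that a mail client wrapped, finds the first frame with dnsmasq source information, and flags that the abort was raised by glibc's malloc consistency check, so the fclose() reached through vsyslog()'s timezone loading is where the corruption was detected, not where it happened. The sample backtrace is a constructed excerpt of the report's gdb output; the hint text is the helper's own wording.

```python
import re

# Constructed excerpt of the report's gdb backtrace; the e-mail line wrapping is kept on purpose.
GDB_BT = """\
#3  0x00007f5e3086790e in malloc_printerr () from /usr/lib/libc.so.6
#7  0x00007f5e30856def in fclose@@GLIBC_2.2.5 () from /usr/lib/libc.so.6
#11 0x00007f5e308d6114 in __vsyslog_chk () from /usr/lib/libc.so.6
#12 0x00000000004966ab in my_syslog (priority=2, format=0x4cb3b6 "%s") at
log.c:340
#13 0x00000000004976b2 in die (message=0x4cb3b6 "%s", arg1=0xeb8010 "bad option
at line 8 of /tmp/dnsmasq_crash", exit_code=1) at log.c:469
#14 0x0000000000422f71 in read_file (file=<optimized out>, f=<optimized out>,
hard_opt=<optimized out>) at option.c:4310
"""
FRAME_RE = re.compile(
    r'^#(?P<no>\d+)\s+0x[0-9a-f]+ in (?P<func>\S+) \((?P<args>.*)\)'
    r'(?: at (?P<file>\S+):(?P<line>\d+)| from (?P<lib>\S+))?\s*$')

def join_wrapped(text):
    """Re-attach continuation lines that a mail client wrapped onto the next line."""
    lines = []
    for raw in text.splitlines():
        if re.match(r'^#\d+\s', raw):
            lines.append(raw.rstrip())
        elif lines and raw.strip():
            lines[-1] += ' ' + raw.strip()
    return lines

def parse_frames(text):
    frames = []  # one dict per frame: func, file and line (None for libc frames)
    for line in join_wrapped(text):
        m = FRAME_RE.match(line)
        if m:
            frames.append({'func': m['func'], 'file': m['file'],
                           'line': int(m['line']) if m['line'] else None})
    return frames

def triage(text):
    """Tell the detection site (malloc_printerr under fclose) apart from the suspect code path."""
    frames = parse_frames(text)
    heap_check = any(f['func'] == 'malloc_printerr' for f in frames)  # glibc heap check fired
    app_idx = next((i for i, f in enumerate(frames) if f['file']), None)
    if app_idx is None:
        return {'heap_check': heap_check, 'app_frame': None, 'libc_entry': None}
    app, entry = frames[app_idx], (frames[app_idx - 1]['func'] if app_idx else None)
    hint = (f"heap already corrupt when {app['func']} called {entry}: the bad write is earlier "
            "in the option-parsing path; rebuild with AddressSanitizer" if heap_check
            else f"fault site is {app['func']}")
    return {'heap_check': heap_check, 'app_frame': (app['func'], app['file'], app['line']),
            'libc_entry': entry, 'hint': hint}
```

Run `triage(GDB_BT)` on the excerpt and it reports my_syslog (log.c:340) calling __vsyslog_chk with the heap already corrupt, which is why the next step is an ASan build of the reported commit rather than a fix in fclose's caller.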