Hi!

I have been playing with the oss-fuzz project for over one week. I think many of them might be invalid, because the failures are caused by wrong fuzzing. More precisely, by incomplete initialization used when fuzzing. I have created a fix for one [1].

I have attached a patch which seems to prevent such failures. I am not 100% sure resize_packet should never increase a UDP message to a larger packet than received. But because it does not have any other limit available but plen, I used that as a top. I am confident that is the correct limit of the usable buffer when handling a TCP response.

But I think CVE-2021-45955 <https://access.redhat.com/security/cve/CVE-2021-45955> might be a valid one. It seems no proper bound is checked on pseudoheader reinsertion. Patch attached.

My attempts to build fuzzers with debuggable code were partially successful. I have pushed the code I use to start fuzzing to the oss-fuzz branch [2]. I just source fuzz/env-rpm.sh, then fuzz/build.sh to create the fuzzers.

It seems all functions crashing in extract_name are invalid, because too small a buffer is used in the fuzzer. And it correctly detects that it would write beyond the allocated space. I haven't met them after [1] was applied.

Should I create a better integration into the dnsmasq upstream project? It seems to be an interesting way of checking possible inputs to dnsmasq. Has anyone else been successful in fuzzing something themselves? Have you been able to validate the details using reproducers?

Cheers,
Petr

1. https://github.com/google/oss-fuzz/pull/7293
2. https://github.com/InfrastructureServices/dnsmasq/tree/oss-fuzz/fuzz

On 2/14/22 23:32, Hauke Mehrtens wrote:
> Hi,
>
> Our CVE checking scripts in OpenWrt found the following recently
> opened CVEs against dnsmasq:
> https://nvd.nist.gov/vuln/detail/CVE-2021-45951
> https://nvd.nist.gov/vuln/detail/CVE-2021-45952
> https://nvd.nist.gov/vuln/detail/CVE-2021-45953
> https://nvd.nist.gov/vuln/detail/CVE-2021-45954
> https://nvd.nist.gov/vuln/detail/CVE-2021-45955
> https://nvd.nist.gov/vuln/detail/CVE-2021-45956
> https://nvd.nist.gov/vuln/detail/CVE-2021-45957
>
> We think these CVE reports are wrong and should get rejected.

Not all of them. How were they validated? How do you know they are wrong? Have you reproduced and debugged them?

>
> Hauke

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
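The bound the patch is about, as an added stand-alone example (not dnsmasq's code, not part of this thread): a resize_packet-style routine that puts a saved EDNS0 OPT record back only if it fits within plen, with the room check done on sizes rather than by forming a pointer past the buffer. The function names restore_pseudoheader, try_restore and restored_arcount are invented for this example, and the DNS packet is constructed by hand; the 64-byte working buffer is deliberately larger than plen to show that the check is driven by plen, not by the physical allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for the pseudoheader restore step of a
 * resize_packet()-like routine (example code, not dnsmasq's).
 *
 * header  - start of the DNS message (12-byte RFC 1035 header)
 * plen    - number of bytes the caller says are valid/usable in header[]
 * ansp    - where the message currently ends (where the OPT RR goes back)
 * pheader - saved copy of the EDNS0 OPT record, hlen bytes long
 *
 * Returns the new message length, or 0 if writing the OPT record would
 * end past plen. The check compares sizes, so it cannot wrap and does
 * not compare a signed pointer difference against an unsigned length.
 */
static size_t restore_pseudoheader(unsigned char *header, size_t plen,
                                   unsigned char *ansp,
                                   const unsigned char *pheader, size_t hlen)
{
    size_t used = (size_t)(ansp - header);

    /* Both tests are needed: used > plen would make plen - used wrap. */
    if (used > plen || hlen > plen - used)
        return 0;

    memmove(ansp, pheader, hlen);   /* source and destination may overlap */

    /* arcount is the big-endian uint16 at header bytes 10..11. */
    uint16_t arcount = (uint16_t)((header[10] << 8) | header[11]);
    arcount++;
    header[10] = (unsigned char)(arcount >> 8);
    header[11] = (unsigned char)(arcount & 0xff);

    return used + hlen;
}

/* Constructed sample: id 0x1234, RD set, one question "a. IN A", then an
   EDNS0 OPT RR (name ".", type 41, UDP size 4096, TTL 0, RDLENGTH 0). */
#define QSEC_END 19   /* header (12) + question (7) */
#define OPT_LEN  11
static const unsigned char sample_pkt[QSEC_END + OPT_LEN] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x01, 'a', 0x00, 0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x29, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Simulate the caller: the OPT RR was peeled off (arcount reset to 0) and
   the message now ends after the question; try to put the OPT RR back
   under a given plen. Returns the new length (0 = refused). */
static size_t run(size_t plen, uint16_t *arcount_out)
{
    unsigned char buf[64];              /* bigger than plen on purpose */
    unsigned char pheader[OPT_LEN];

    memcpy(buf, sample_pkt, sizeof sample_pkt);
    memcpy(pheader, buf + QSEC_END, OPT_LEN);
    buf[10] = 0; buf[11] = 0;

    size_t n = restore_pseudoheader(buf, plen, buf + QSEC_END, pheader, OPT_LEN);
    *arcount_out = (uint16_t)((buf[10] << 8) | buf[11]);
    return n;
}

size_t try_restore(size_t plen)
{
    uint16_t ar;
    return run(plen, &ar);
}

uint16_t restored_arcount(size_t plen)
{
    uint16_t ar;
    run(plen, &ar);
    return ar;
}

int main(void)
{
    printf("plen=30 -> len %zu, arcount %u\n", try_restore(30), restored_arcount(30));
    printf("plen=25 -> len %zu, arcount %u\n", try_restore(25), restored_arcount(25));
    printf("plen=18 -> len %zu, arcount %u\n", try_restore(18), restored_arcount(18));
    return 0;
}
```

With plen equal to the full 30-byte message the OPT record goes back and arcount becomes 1; with plen of 25 (or anything that leaves fewer than 11 bytes after the question) the write is refused and arcount stays 0, which is the state a fuzzer would otherwise report as a write past plen.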
From 16b7aee2a6a75d1de712eb786451c3b7725476c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemen...@redhat.com> Date: Wed, 16 Feb 2022 15:48:16 +0100 Subject: [PATCH] Prevent writing behind packet size on resize_packet Packet length is limitation of extended header position. Do not insert pseudoheader after packet limit. We do not have any indication there is still allocated buffer with memory available, even when that is usually safe. --- src/rfc1035.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/rfc1035.c b/src/rfc1035.c index 34eaf0a..d91dd73 100644 --- a/src/rfc1035.c +++ b/src/rfc1035.c @@ -346,7 +346,8 @@ size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *phea return plen; /* restore pseudoheader */ - if (pheader && ntohs(header->arcount) == 0) + if (pheader && ntohs(header->arcount) == 0 && + (ansp + hlen - (unsigned char *)header) <= plen) { /* must use memmove, may overlap */ memmove(ansp, pheader, hlen); -- 2.34.1
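Review bot: the new condition `(ansp + hlen - (unsigned char *)header) <= plen` compares a signed ptrdiff_t against the size_t plen, so the comparison is done unsigned and warns under -Wsign-compare; computing `ansp + hlen` before subtracting also forms a pointer past the end of the region when hlen exceeds the remaining room. Suggest rewriting it on sizes, e.g. `(size_t)(ansp - (unsigned char *)header) + hlen <= plen`. Separately, when the check fails the pseudoheader is silently dropped and arcount stays 0; since the commit message itself notes the real buffer is usually larger than plen, the message should state that the OPT record is dropped in that case, and it is worth saying why plen rather than the caller's actual buffer size is the right limit here.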
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss