Re: NULL Pointer Dereference in help()
Erik Auerswald writes: > On Thu, Dec 23, 2021 at 09:15:59PM +0800, AiDai wrote: >> Line 1: # NULL Pointer Dereference in help() at >> inetutils/telnet/commands.c:3094 > > Thanks for fuzzing GNU inetutils! Hi AiDai and Erik. Thanks for the report, debugging and patch! I installed your fixes and a regression self-check: https://git.savannah.gnu.org/gitweb/?p=inetutils.git;a=commitdiff;h=0e5767771a89498f8a9fa65733321b5e1107cace https://git.savannah.gnu.org/gitweb/?p=inetutils.git;a=commitdiff;h=fe1c596e029cab03271190674fe715d2d0ed8d26 https://git.savannah.gnu.org/gitweb/?p=inetutils.git;a=commitdiff;h=9a2a28719e9f84e8bc6506e50d5e7d0735ace1d7 /Simon signature.asc Description: PGP signature
Re: NULL Pointer Dereference in help()
Hi, On Thu, Dec 23, 2021 at 09:15:59PM +0800, AiDai wrote: > Line 1: # NULL Pointer Dereference in help() at > inetutils/telnet/commands.c:3094 Thanks for fuzzing GNU inetutils! > AiDai 于2021年12月23日周四 21:13写道: > > > **command:** > > > > ``` > > ./telnet < ./poc > > ``` > > > >> ## Description > >> > >> A NULL Pointer Dereference was discovered in help() at > >> inetutils/telnet/commands.c:3094. The vulnerability causes a segmentation > >> fault and application crash. This problem occurs when asking for the help text for the help command using the name "help" instead of "?": $ telnet/telnet telnet> help ? print help information telnet> help help Segmentation fault (core dumped) The cause is no help text for "help" in cmdtab2. This is valid according to the comments describing "struct Command": typedef struct { const char *name; /* command name */ const char *help; /* help string (NULL for no help) */ int (*handler) ();/* routine which executes command */ int needconnect; /* Do we need to be connected to execute? */ } Command; But the code in help() only checks this when given no arguments, not with arguments to "help". The first attached patch "inetutils-telnet-dont_print_nonexistent_help.patch" fixes this. This is the correct fix for this issue. The second attached patch "inetutils-telnet-use_help_helptext.patch" adds the existing help text for the help command to cmdtab2. This also fixes the NULL pointer dereference, but only for the "help" entry. This suffices currently, because this is the only entry without a help text, but providing no help text is intended as valid and thus must be handled. Thus this is intended to improve the user experience, not as a fix for following a NULL pointer into chaos and madness. Thanks, Erik -- Golden rule #12: When the comments do not match the code, they probably are both wrong. -- Steven Rostedt diff --git a/telnet/commands.c b/telnet/commands.c index 9e04944f..3b05800f 100644 --- a/telnet/commands.c +++ b/telnet/commands.c @@ -3090,7 +3090,7 @@ help (int argc, char *argv[]) printf ("?Ambiguous help command %s\n", arg); else if (c == (Command *) 0) printf ("?Invalid help command %s\n", arg); - else + else if (c->help) printf ("%s\n", c->help); } return 0; diff --git a/telnet/commands.c b/telnet/commands.c index 9e04944f..4cd01beb 100644 --- a/telnet/commands.c +++ b/telnet/commands.c @@ -2931,7 +2931,7 @@ static char crmodhelp[] = "deprecated command -- use 'toggle crmod' instead"; static char escapehelp[] = "deprecated command -- use 'set escape' instead"; static Command cmdtab2[] = { - {"help", 0, help, 0}, + {"help", helphelp, help, 0}, {"escape", escapehelp, setescape, 0}, {"crmod", crmodhelp, togcrmod, 0}, {NULL, NULL, NULL, 0}
Re: NULL Pointer Dereference in help()
**command:** ``` ./telnet < ./poc ``` AiDai 于2021年12月23日周四 21:11写道: > # NULL Pointer Dereference in setnmap() at cmds.c:2303 > > ## Description > > A NULL Pointer Dereference was discovered in help() at > inetutils/telnet/commands.c:3094. The vulnerability causes a segmentation > fault and application crash. > > **version** > > ``` > ./telnet --version > telnet (GNU inetutils) 2.2.16-cf091 > Copyright (C) 2021 Free Software Foundation, Inc. > License GPLv3+: GNU GPL version 3 or later < > https://gnu.org/licenses/gpl.html>. > This is free software: you are free to change and redistribute it. > There is NO WARRANTY, to the extent permitted by law. > > Written by many authors. > ``` > > **System information** > Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz > > ## Proof of Concept > > **poc** > > ``` > base64 poc > > ID8JCQn/CQn/CQj/CQlkCQkJCQnwCQkJCQloCQkJCQn/CQlkCQkJCQnwCQkJ7ekJCQkJ > CQkJCeoICQkZCQkJKiwJCQkJCQkJCQkJCQk= > ``` > > **command:** > > ``` > ./ftp < ./poc > ``` > > **Result** > > ``` > ./telnet < poc > telnet> ?Invalid help command � > ?Invalid help command � > ?Invalid help command > display operating parameters > ?Invalid help command � > [3]398703 segmentation fault ./telnet < poc > ``` > > **gdb** > > ``` > Breakpoint 2, 0xdbd3 in help (argc=8, argv=0x5557c130 > ) at commands.c:3094 > 3094printf ("%s\n", c->help); > LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA > [ REGISTERS > ]─ > *RAX 0x0 > *RBX 0x5557b480 (cmdtab2) —▸ 0x55571232 ◂— 0x6f6400706c6568 /* > 'help' */ > RCX 0x0 > *RDX 0xc6 > *RDI 0x0 > *RSI 0x555719cc ◂— 0x646f6d7263 /* 'crmod' */ > R8 0x0 > *R9 0x18 > R10 0x55572ee2 ◂— 0x2500454d4f48000a /* '\n' */ > R11 0x246 > *R12 0x5557befd (line+29) ◂— 0x090909090068 /* 'h' */ > R13 0x7fffe210 ◂— 0x1 > R14 0x0 > R15 0x0 > RBP 0x7fffe060 —▸ 0x7fffe090 —▸ 0x7fffe120 ◂— 0x0 > RSP 0x7fffe040 —▸ 0x5557c130 (margv+48) —▸ 0x5557befd > (line+29) ◂— 0x090909090068 /* 'h' */ > RIP 0xdbd3 (help+212) ◂— call 0x9790 > ──[ DISASM > ]── >0xdbcc movrax, qword ptr [rbx + 8] >0xdbd0 movrdi, rax > ► 0xdbd3 call puts@plt > s: 0x0 > >0xdbd8 subdword ptr [rbp - 0x14], 1 >0xdbdc cmpdword ptr [rbp - 0x14], 0 >0xdbe0 jg help+116 > >0xdbe2 moveax, 0 >0xdbe7 addrsp, 0x10 >0xdbeb poprbx >0xdbec popr12 >0xdbee poprbp > ──[ SOURCE (CODE) > ]─── > In file: /root/disk2/fuzzing/inetutils/inetutils/telnet/commands.c >3089 if (Ambiguous (c)) >3090 printf ("?Ambiguous help command %s\n", arg); >3091 else if (c == (Command *) 0) >3092 printf ("?Invalid help command %s\n", arg); >3093 else > ► 3094 printf ("%s\n", c->help); >3095 } >3096 return 0; >3097 } >3098 >3099 static char *rcname = 0; > ──[ STACK > ]─── > 00:│ rsp 0x7fffe040 —▸ 0x5557c130 (margv+48) —▸ 0x5557befd > (line+29) ◂— 0x090909090068 /* 'h' */ > 01:0008│ 0x7fffe048 ◂— 0x85557bee1 > 02:0010│ 0x7fffe050 —▸ 0x5557b440 (cmdtab+480) —▸ > 0x5557121b ◂— 0x616c70736944003f /* '?' */ > 03:0018│ 0x7fffe058 —▸ 0x9d20 (_start) ◂— endbr64 > 04:0020│ rbp 0x7fffe060 —▸ 0x7fffe090 —▸ 0x7fffe120 ◂— 0x0 > 05:0028│ 0x7fffe068 —▸ 0xdab9 (command+550) ◂— test eax, > eax > 06:0030│ 0x7fffe070 ◂— 0x0 > 07:0038│ 0x7fffe078 ◂— 0x1 > [ BACKTRACE > ]─ > ► f 0 0xdbd3 help+212 >f 1 0xdab9 command+550 >f 2 0xe3c8 main+776 >f 3 0x77db50b3 __libc_start_main+243 > > ── > pwndbg> bt > #0 0xdbd3 in help (argc=8, argv=0x5557c130 ) at > commands.c:3094 > #1 0xdab9 in command (top=1, tbuf=0x0, cnt=0) at > commands.c:3044 > #2 0xe3c8 in main (argc=0, argv=0x7fffe220) at main.c:423 > #3 0x77db50b3 in __libc_start_main (main=0xe0c0 , > argc=1, argv=0x7fffe218, init=, fini=, > rtld_fini=, stack_end=0x7fffe208) at > ../csu/libc-start.c:308 > #4 0x9d4e in _start () > ``` > > crash > > ``` > Program received signal SIGSEGV, Segmentation
NULL Pointer Dereference in help()
# NULL Pointer Dereference in setnmap() at cmds.c:2303 ## Description A NULL Pointer Dereference was discovered in help() at inetutils/telnet/commands.c:3094. The vulnerability causes a segmentation fault and application crash. **version** ``` ./telnet --version telnet (GNU inetutils) 2.2.16-cf091 Copyright (C) 2021 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later < https://gnu.org/licenses/gpl.html>. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Written by many authors. ``` **System information** Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz ## Proof of Concept **poc** ``` base64 poc ID8JCQn/CQn/CQj/CQlkCQkJCQnwCQkJCQloCQkJCQn/CQlkCQkJCQnwCQkJ7ekJCQkJ CQkJCeoICQkZCQkJKiwJCQkJCQkJCQkJCQk= ``` **command:** ``` ./ftp < ./poc ``` **Result** ``` ./telnet < poc telnet> ?Invalid help command � ?Invalid help command � ?Invalid help command display operating parameters ?Invalid help command � [3]398703 segmentation fault ./telnet < poc ``` **gdb** ``` Breakpoint 2, 0xdbd3 in help (argc=8, argv=0x5557c130 ) at commands.c:3094 3094printf ("%s\n", c->help); LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA [ REGISTERS ]─ *RAX 0x0 *RBX 0x5557b480 (cmdtab2) —▸ 0x55571232 ◂— 0x6f6400706c6568 /* 'help' */ RCX 0x0 *RDX 0xc6 *RDI 0x0 *RSI 0x555719cc ◂— 0x646f6d7263 /* 'crmod' */ R8 0x0 *R9 0x18 R10 0x55572ee2 ◂— 0x2500454d4f48000a /* '\n' */ R11 0x246 *R12 0x5557befd (line+29) ◂— 0x090909090068 /* 'h' */ R13 0x7fffe210 ◂— 0x1 R14 0x0 R15 0x0 RBP 0x7fffe060 —▸ 0x7fffe090 —▸ 0x7fffe120 ◂— 0x0 RSP 0x7fffe040 —▸ 0x5557c130 (margv+48) —▸ 0x5557befd (line+29) ◂— 0x090909090068 /* 'h' */ RIP 0xdbd3 (help+212) ◂— call 0x9790 ──[ DISASM ]── 0xdbcc movrax, qword ptr [rbx + 8] 0xdbd0 movrdi, rax ► 0xdbd3 call puts@plt s: 0x0 0xdbd8 subdword ptr [rbp - 0x14], 1 0xdbdc cmpdword ptr [rbp - 0x14], 0 0xdbe0 jg help+116 0xdbe2 moveax, 0 0xdbe7 addrsp, 0x10 0xdbeb poprbx 0xdbec popr12 0xdbee poprbp ──[ SOURCE (CODE) ]─── In file: /root/disk2/fuzzing/inetutils/inetutils/telnet/commands.c 3089 if (Ambiguous (c)) 3090 printf ("?Ambiguous help command %s\n", arg); 3091 else if (c == (Command *) 0) 3092 printf ("?Invalid help command %s\n", arg); 3093 else ► 3094 printf ("%s\n", c->help); 3095 } 3096 return 0; 3097 } 3098 3099 static char *rcname = 0; ──[ STACK ]─── 00:│ rsp 0x7fffe040 —▸ 0x5557c130 (margv+48) —▸ 0x5557befd (line+29) ◂— 0x090909090068 /* 'h' */ 01:0008│ 0x7fffe048 ◂— 0x85557bee1 02:0010│ 0x7fffe050 —▸ 0x5557b440 (cmdtab+480) —▸ 0x5557121b ◂— 0x616c70736944003f /* '?' */ 03:0018│ 0x7fffe058 —▸ 0x9d20 (_start) ◂— endbr64 04:0020│ rbp 0x7fffe060 —▸ 0x7fffe090 —▸ 0x7fffe120 ◂— 0x0 05:0028│ 0x7fffe068 —▸ 0xdab9 (command+550) ◂— test eax, eax 06:0030│ 0x7fffe070 ◂— 0x0 07:0038│ 0x7fffe078 ◂— 0x1 [ BACKTRACE ]─ ► f 0 0xdbd3 help+212 f 1 0xdab9 command+550 f 2 0xe3c8 main+776 f 3 0x77db50b3 __libc_start_main+243 ── pwndbg> bt #0 0xdbd3 in help (argc=8, argv=0x5557c130 ) at commands.c:3094 #1 0xdab9 in command (top=1, tbuf=0x0, cnt=0) at commands.c:3044 #2 0xe3c8 in main (argc=0, argv=0x7fffe220) at main.c:423 #3 0x77db50b3 in __libc_start_main (main=0xe0c0 , argc=1, argv=0x7fffe218, init=, fini=, rtld_fini=, stack_end=0x7fffe208) at ../csu/libc-start.c:308 #4 0x9d4e in _start () ``` crash ``` Program received signal SIGSEGV, Segmentation fault. __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65 65 ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory. LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA [ REGISTERS ]─ RAX 0x0 RBX 0x5557b480 (cmdtab2) —▸
[bug #61725] NULL Pointer Dereference in help() at inetutils/telnet/commands.c:3094
URL: <https://savannah.gnu.org/bugs/?61725> Summary: NULL Pointer Dereference in help() at inetutils/telnet/commands.c:3094 Project: GNU Networking Utilities Submitted by: aidai Submitted on: Thu 23 Dec 2021 02:13:56 PM UTC Category: None Severity: 3 - Normal Item Group: None Status: None Privacy: Public Assigned to: None Open/Closed: Open Discussion Lock: Any ___ Details: # NULL Pointer Dereference in help() at inetutils/telnet/commands.c:3094 ## Description A NULL Pointer Dereference was discovered in help() at inetutils/telnet/commands.c:3094. The vulnerability causes a segmentation fault and application crash. **version** ``` ./telnet --version telnet (GNU inetutils) 2.2.16-cf091 Copyright (C) 2021 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Written by many authors. ``` **System information** Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz ## Proof of Concept **poc** ``` base64 poc ID8JCQn/CQn/CQj/CQlkCQkJCQnwCQkJCQloCQkJCQn/CQlkCQkJCQnwCQkJ7ekJCQkJ CQkJCeoICQkZCQkJKiwJCQkJCQkJCQkJCQk= ``` **command:** ``` ./telnet < ./poc ``` **Result** ``` ./telnet < poc telnet> ?Invalid help command � ?Invalid help command � ?Invalid help command display operating parameters ?Invalid help command � [3]398703 segmentation fault ./telnet < poc ``` **gdb** ``` Breakpoint 2, 0xdbd3 in help (argc=8, argv=0x5557c130 ) at commands.c:3094 3094printf ("%s\n", c->help); LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA [ REGISTERS ]─ *RAX 0x0 *RBX 0x5557b480 (cmdtab2) —▸ 0x55571232 ◂— 0x6f6400706c6568 /* 'help' */ RCX 0x0 *RDX 0xc6 *RDI 0x0 *RSI 0x555719cc ◂— 0x646f6d7263 /* 'crmod' */ R8 0x0 *R9 0x18 R10 0x55572ee2 ◂— 0x2500454d4f48000a /* '\n' */ R11 0x246 *R12 0x5557befd (line+29) ◂— 0x090909090068 /* 'h' */ R13 0x7fffe210 ◂— 0x1 R14 0x0 R15 0x0 RBP 0x7fffe060 —▸ 0x7fffe090 —▸ 0x7fffe120 ◂— 0x0 RSP 0x7fffe040 —▸ 0x5557c130 (margv+48) —▸ 0x5557befd (line+29) ◂— 0x090909090068 /* 'h' */ RIP 0xdbd3 (help+212) ◂— call 0x9790 ──[ DISASM ]── 0xdbcc movrax, qword ptr [rbx + 8] 0xdbd0 movrdi, rax ► 0xdbd3 call puts@plt s: 0x0 0xdbd8 subdword ptr [rbp - 0x14], 1 0xdbdc cmpdword ptr [rbp - 0x14], 0 0xdbe0 jg help+116 0xdbe2 moveax, 0 0xdbe7 addrsp, 0x10 0xdbeb poprbx 0xdbec popr12 0xdbee poprbp ──[ SOURCE (CODE) ]─── In file: /root/disk2/fuzzing/inetutils/inetutils/telnet/commands.c 3089 if (Ambiguous (c)) 3090 printf ("?Ambiguous help command %s\n", arg); 3091 else if (c == (Command *) 0) 3092 printf ("?Invalid help command %s\n", arg); 3093 else ► 3094 printf ("%s\n", c->help); 3095 } 3096 return 0; 3097 } 3098 3099 static char *rcname = 0; ──[ STACK ]─── 00:│ rsp 0x7fffe040 —▸ 0x5557c130 (margv+48) —▸ 0x5557befd (line+29) ◂— 0x090909090068 /* 'h' */ 01:0008│ 0x7fffe048 ◂— 0x85557bee1 02:0010│ 0x7fffe050 —▸ 0x5557b440 (cmdtab+480) —▸ 0x5557121b ◂— 0x616c70736944003f /* '?' */ 03:0018│ 0x7fffe058 —▸ 0x9d20 (_start) ◂— endbr64 04:0020│ rbp 0x7fffe060 —▸ 0x7fffe090 —▸ 0x7fffe120 ◂— 0x0 05:0028│ 0x7fffe068 —▸ 0xdab9 (command+550) ◂— test eax, eax 06:0030│ 0x7fffe070 ◂— 0x0 07:0038│ 0x7fffe078 ◂— 0x1 [ BACKTRACE ]─ ► f 0 0xdbd3 help+212 f 1 0xdab9 command+550 f 2 0xe3c8 main+776 f 3 0x77db50b3 __libc_start_main+243 ── pwndbg> bt #0 0xdbd3 in help (argc=8, argv=0x5557c130 ) at commands.c:3094 #1 0xdab9 in command (top=1, tbuf=0x0, cnt=0) at co