[Dnsmasq-discuss] Out-of-bound heap write when parsing invalid --dhcp-mac option
Hi,

I found another crash in the parsing code for configuration files and command-line options. To reproduce it, simply run dnsmasq --dhcp-mac=,A...A with "a lot of" A (>=89 with dnsmasq 2.80 on Linux 5.4.2-arch1-1).

If you run dnsmasq without Address Sanitizer (ASAN), it won't crash immediately, but instead overwrites glibc metadata and crashes later on:

> $ dnsmasq --dhcp-mac=,A...A
> malloc(): invalid next size (unsorted)
> Terminated (core dumped)

If you compile & run it with -fsanitize=address, you can see the actual root cause:

> $ ./dnsmasq-asan --dhcp-mac=,A...A
> =
> ==32920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600118 at pc 0x55f58e931e2d bp 0x7ffc8a3af1a0 sp 0x7ffc8a3af190
> WRITE of size 1 at 0x60600118 thread T0
>     #0 0x55f58e931e2c in parse_hex /tmp/dnsmasq/src/util.c:573
>     #1 0x55f58e95d6b9 in one_opt /tmp/dnsmasq/src/option.c:3690
>     #2 0x55f58e992879 in read_opts /tmp/dnsmasq/src/option.c:5045
>     #3 0x55f58e8e198e in main /tmp/dnsmasq/src/dnsmasq.c:95
>     #4 0x7f1fff40d152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
>     #5 0x55f58e8edfbd in _start (/home/klaus/dnsmasq-fuzzing/src/dnsmasq-asan+0x2ffbd)
>
> 0x60600118 is located 0 bytes to the right of 56-byte region [0x606000e0,0x60600118)
> allocated by thread T0 here:
>     #0 0x7f1fff6bdcd8 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:153
>     #1 0x55f58e92e5a8 in safe_malloc /tmp/dnsmasq/src/util.c:278
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/dnsmasq/src/util.c:573 in parse_hex

From a quick grep in the code, there may be other, more interesting ways to reach the parse_hex(...) function, too.

Kind regards,
Klaus Eisentraut

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
[Dnsmasq-discuss] Segmentation fault when providing invalid --dhcp-match command line option
Hi,

I recently did some fuzzing with afl-fuzz on the config file parsing part of dnsmasq. I know it is not very useful, but it was very easy to start with. Anyway, I found a (non-exploitable) crash in dnsmasq which can be triggered by providing an invalid configuration file or an invalid command-line option.

In order to reproduce it, just run dnsmasq --dhcp-match=a,120,

The bug is in line 1473 of option.c, where the statement "m[0] = 0" is executed while m is set to NULL.

> (gdb) run --dhcp-match=a,120,
> Starting program: dnsmasq --dhcp-match=a,120,
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x5556aaf8 in parse_dhcp_opt (errstr=0x555c06b0 "", arg=0x555c02a6 "", flags=128) at option.c:1473
> 1473 m[0] = 0;
> (gdb) p m
> $1 = (unsigned char *) 0x0

Is this interesting for you at all?

Kind regards,
Klaus Eisentraut
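The two reports above come down to two missing input checks. As an added example (not dnsmasq's own code; the function names, signatures and "tag,value" layout are assumptions), here is a hex parser that stops at the caller's buffer size instead of writing past it (the --dhcp-mac report) and a field splitter that signals a missing value rather than handing back a NULL pointer (the --dhcp-match report):

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helpers, not dnsmasq's parse_hex / parse_dhcp_opt. */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;                         /* not a hex digit */
}

/* Parse "aa:bb:cc" or "aabbcc" into out[], never writing more than maxlen
 * bytes. Returns the number of bytes written, or -1 for malformed input
 * (odd digit count, non-hex characters) or input longer than the buffer. */
int parse_hex_bounded(const char *in, unsigned char *out, size_t maxlen)
{
    size_t n = 0;
    while (*in) {
        if (*in == ':' || *in == '-') { in++; continue; }   /* separators */
        int hi = hexval((unsigned char)in[0]);
        int lo = in[1] ? hexval((unsigned char)in[1]) : -1;
        if (hi < 0 || lo < 0) return -1;
        if (n >= maxlen) return -1;    /* the bound the reported crash lacked */
        out[n++] = (unsigned char)((hi << 4) | lo);
        in += 2;
    }
    return (int)n;
}

/* Split "tag,value" at the first comma. Returns 1 and sets *value when a
 * non-empty value follows the comma, 0 otherwise (no comma, or a trailing
 * comma with nothing after it), so the caller never touches a NULL field. */
int split_tag_value(const char *arg, const char **value)
{
    const char *comma = strchr(arg, ',');
    *value = NULL;
    if (!comma || comma[1] == '\0') return 0;
    *value = comma + 1;
    return 1;
}
```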