Re: [Dnsmasq-discuss] Out-of-bound heap write when parsing invalid --dhcp-mac option

2019-12-12 Thread Simon Kelley
On 10/12/2019 00:01, Klaus Eisentraut wrote:
> Hi,
> 
> I found another crash in parsing code of a configuration file or command
> line options. To reproduce it, simply run
> 
>   dnsmasq --dhcp-mac=,A...A
> 
> with "a lot of" A (>=89 with dnsmasq 2.80 on Linux 5.4.2-arch1-1). If
> you run dnsmasq without Address Sanitizer (ASAN), it won't crash
> immediately, but instead overwrite glibc metadata and crash later on:
> 
>> $ dnsmasq --dhcp-mac=,A...A
>> malloc(): invalid next size (unsorted)
>> Terminated (core dumped)
> 
> If you compile & run it with -fsanitize=address, you can see the actual
> root cause:
> 
>> $ ./dnsmasq-asan --dhcp-mac=,A...A
>> =
>> ==32920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600118 at pc 0x55f58e931e2d bp 0x7ffc8a3af1a0 sp 0x7ffc8a3af190
>> WRITE of size 1 at 0x60600118 thread T0
>>  #0 0x55f58e931e2c in parse_hex /tmp/dnsmasq/src/util.c:573
>>  #1 0x55f58e95d6b9 in one_opt /tmp/dnsmasq/src/option.c:3690
>>  #2 0x55f58e992879 in read_opts /tmp/dnsmasq/src/option.c:5045
>>  #3 0x55f58e8e198e in main /tmp/dnsmasq/src/dnsmasq.c:95
>>  #4 0x7f1fff40d152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
>>  #5 0x55f58e8edfbd in _start (/home/klaus/dnsmasq-fuzzing/src/dnsmasq-asan+0x2ffbd)
>>
>> 0x60600118 is located 0 bytes to the right of 56-byte region [0x606000e0,0x60600118)
>> allocated by thread T0 here:
>>  #0 0x7f1fff6bdcd8 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:153
>>  #1 0x55f58e92e5a8 in safe_malloc /tmp/dnsmasq/src/util.c:278
>>
>> SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/dnsmasq/src/util.c:573 in parse_hex
> 
> From a quick grep in the code, there may be other, more interesting ways
> to reach the parse_hex(...) function, too.
> 
>

Thanks for finding that. None of the uses of parse_hex is with untrusted
data, so this is an annoyance, not a security hole.

Patch pushed to git.


Cheers,

Simon.


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
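As an added illustration for this thread (my own code, not dnsmasq's parse_hex, and making no claim about how that function is written): a hypothetical hex-string parser of the shape the ASAN trace points at, in an unchecked form beside a bounded one. The unchecked variant keeps emitting one byte per hex pair for as long as the input runs, which is exactly how a long run of 'A' ends up "0 bytes to the right of" a fixed-size calloc region; the bounded variant takes the destination capacity and refuses before the store. The function names, the `scratch` buffer and the `parse_run_of_a` helper are all assumptions made here for the example. Simon's point still stands: with the input coming only from the command line or config file, the fix removes an annoyance, not an attack surface, but the same missing check in a parser fed by the wire would be a different story.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/*
 * Illustrative hex-string parser written for this page. It is NOT
 * dnsmasq's parse_hex. It accepts the shapes a MAC-like option takes
 * ("aa:bb:cc:dd:ee:ff", "de-ad-be-ef", "aabbcc") and emits raw bytes.
 * The only difference between the two parsers is one length check.
 */

/* Scratch output buffer used by main() and by callers of the example. */
unsigned char scratch[64];

static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;              /* covers '\0' too, so an odd trailing nibble fails */
}

/*
 * Unchecked variant: trusts that `out` is big enough for whatever `in`
 * encodes. If the caller sized `out` for a 6-byte MAC (or any fixed
 * allocation) and the string is longer, every extra hex pair is one byte
 * written past the end of the allocation. Returns bytes written, or -1
 * on a non-hex character.
 */
int parse_hex_unchecked(const char *in, unsigned char *out)
{
    int n = 0;
    while (*in) {
        if (*in == ':' || *in == '-') {
            in++;
            continue;
        }
        int hi = hex_val((unsigned char)in[0]);
        if (hi < 0)
            return -1;
        int lo = hex_val((unsigned char)in[1]);
        if (lo < 0)
            return -1;
        out[n++] = (unsigned char)((hi << 4) | lo);   /* no bound on n */
        in += 2;
    }
    return n;
}

/*
 * Bounded variant: `maxlen` is the capacity of `out`. The check sits
 * before the store, so out[maxlen] is never written. Returns bytes
 * written, or -1 on overflow or a non-hex character.
 */
int parse_hex_bounded(const char *in, unsigned char *out, size_t maxlen)
{
    size_t n = 0;
    while (*in) {
        if (*in == ':' || *in == '-') {
            in++;
            continue;
        }
        int hi = hex_val((unsigned char)in[0]);
        if (hi < 0)
            return -1;
        int lo = hex_val((unsigned char)in[1]);
        if (lo < 0)
            return -1;
        if (n >= maxlen)    /* the check whose absence ASAN reported: refuse, don't spill */
            return -1;
        out[n++] = (unsigned char)((hi << 4) | lo);
        in += 2;
    }
    return (int)n;
}

/*
 * Mirrors the reproducer's input shape: a run of `count` 'A' characters
 * ('A' is a valid hex digit, so the parser keeps producing 0xAA bytes)
 * fed to the bounded parser with a `maxlen`-byte destination. Returns the
 * parser's result, or -2 if the constructed input would not fit this
 * helper's own stack buffers. The input is constructed here, not taken
 * from the report.
 */
int parse_run_of_a(size_t count, size_t maxlen)
{
    char in[256];
    unsigned char out[128];

    if (count >= sizeof in || maxlen > sizeof out)
        return -2;
    memset(in, 'A', count);
    in[count] = '\0';
    return parse_hex_bounded(in, out, maxlen);
}

int main(void)
{
    int n = parse_hex_bounded("00:11:22:33:44:55", scratch, 6);
    printf("MAC parse: %d bytes, last byte 0x%02x\n", n, scratch[5]);
    printf("120 x 'A' into 56 bytes, bounded: %d (rejected)\n", parse_run_of_a(120, 56));
    printf("120 x 'A' into 64 bytes, bounded: %d bytes\n", parse_run_of_a(120, 64));
    printf("20 x 'A', unchecked: %d bytes, whatever the caller allocated\n",
           parse_hex_unchecked("AAAAAAAAAAAAAAAAAAAA", scratch));
    return 0;
}
```

The bounded parser fails closed on three conditions a fuzzer will find quickly: a non-hex character, an odd number of nibbles, and more pairs than the destination holds. Returning -1 for all three keeps the caller's handling simple; a caller that needs to tell them apart can split the return codes, but the store must stay behind the length check either way.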


[Dnsmasq-discuss] Out-of-bound heap write when parsing invalid --dhcp-mac option

2019-12-09 Thread Klaus Eisentraut
Hi,

I found another crash in parsing code of a configuration file or command
line options. To reproduce it, simply run

  dnsmasq --dhcp-mac=,A...A

with "a lot of" A (>=89 with dnsmasq 2.80 on Linux 5.4.2-arch1-1). If
you run dnsmasq without Address Sanitizer (ASAN), it won't crash
immediately, but instead overwrite glibc metadata and crash later on:

> $ dnsmasq --dhcp-mac=,A...A
> malloc(): invalid next size (unsorted)
> Terminated (core dumped)

If you compile & run it with -fsanitize=address, you can see the actual
root cause:

> $ ./dnsmasq-asan --dhcp-mac=,A...A
> =
> ==32920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600118 at pc 0x55f58e931e2d bp 0x7ffc8a3af1a0 sp 0x7ffc8a3af190
> WRITE of size 1 at 0x60600118 thread T0
>  #0 0x55f58e931e2c in parse_hex /tmp/dnsmasq/src/util.c:573
>  #1 0x55f58e95d6b9 in one_opt /tmp/dnsmasq/src/option.c:3690
>  #2 0x55f58e992879 in read_opts /tmp/dnsmasq/src/option.c:5045
>  #3 0x55f58e8e198e in main /tmp/dnsmasq/src/dnsmasq.c:95
>  #4 0x7f1fff40d152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
>  #5 0x55f58e8edfbd in _start (/home/klaus/dnsmasq-fuzzing/src/dnsmasq-asan+0x2ffbd)
>
> 0x60600118 is located 0 bytes to the right of 56-byte region [0x606000e0,0x60600118)
> allocated by thread T0 here:
>  #0 0x7f1fff6bdcd8 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:153
>  #1 0x55f58e92e5a8 in safe_malloc /tmp/dnsmasq/src/util.c:278
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/dnsmasq/src/util.c:573 in parse_hex

From a quick grep in the code, there may be other, more interesting ways
to reach the parse_hex(...) function, too.

Kind regards,
Klaus Eisentraut

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss