Re: [systemd-devel] [PATCH] test-dhcp6-client: Fix option length

2014-08-30 Thread Zbigniew Jędrzejewski-Szmek
Hi,
I now pushed your patch along with another one, very similar, with
a fix for the second problem. test-dhcp6-client now runs fine under asan.

test-network doesn't, but that's another story.

Zbyszek

On Fri, Aug 29, 2014 at 02:58:54PM +0200, Zbigniew Jędrzejewski-Szmek wrote:
> On Fri, Aug 29, 2014 at 09:20:46AM +0300, Patrik Flykt wrote:
> > The whole DHCPv6 test message length was incorrectly used as the length
> > of DHCPv6 options causing the following bad memory access:
> > 
> > $ build/test-dhcp6-client
> > Assertion 'interface_index >= -1' failed at 
> > ../src/libsystemd-network/sd-dhcp6-client.c:129, function 
> > sd_dhcp6_client_set_index(). Ignoring.
> > =
> > ==29135==ERROR: AddressSanitizer: global-buffer-overflow on address 
> > 0x7fe204aa9148 at pc 0x7fe204a5958f bp 0x7fff3e47d470 sp 0x7fff3e47d460
> > READ of size 1 at 0x7fe204aa9148 thread T0
> > #0 0x7fe204a5958e in option_parse_hdr 
> > ../src/libsystemd-network/dhcp6-option.c:145
> > #1 0x7fe204a59884 in dhcp6_option_parse 
> > ../src/libsystemd-network/dhcp6-option.c:165
> > #2 0x7fe204a4eb9c in test_advertise_option 
> > ../src/libsystemd-network/test-dhcp6-client.c:227
> > #3 0x7fe204a51c58 in main 
> > ../src/libsystemd-network/test-dhcp6-client.c:584
> > #4 0x7fe2031590df in __libc_start_main (/lib64/libc.so.6+0x200df)
> > #5 0x7fe204a4cc5b (/home/test/systemd/build/test-dhcp6-client+0x25c5b)
> > 
> > 0x7fe204aa9148 is located 2 bytes to the right of global variable 
> > 'msg_advertise' from '../src/libsystemd-network/test-dhcp6-client.c' 
> > (0x7fe204aa9080) of size 198
> > 0x7fe204aa9148 is located 56 bytes to the left of global variable 
> > 'msg_reply' from '../src/libsystemd-network/test-dhcp6-client.c' 
> > (0x7fe204aa9180) of size 173
> > SUMMARY: AddressSanitizer: global-buffer-overflow 
> > ../src/libsystemd-network/dhcp6-option.c:145 option_parse_hdr
> > ---
> > 
> > This seems to be the cause of the bad memory access, please test.
> Hm, I think it helps, but there's another one:
> 
> $ build/test-dhcp6-client 
> Assertion 'interface_index >= -1' failed at 
> ../src/libsystemd-network/sd-dhcp6-client.c:129, function 
> sd_dhcp6_client_set_index(). Ignoring.
> DHCPv6 CLIENT: Sent SOLICIT
> DHCPv6 CLIENT: Next retransmission in 1.049185s
> =
> ==29571==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x61109708 at pc 0x7fd00190458f bp 0x7fff287de8d0 sp 0x7fff287de8c0
> READ of size 1 at 0x61109708 thread T0
> #0 0x7fd00190458e in option_parse_hdr 
> ../src/libsystemd-network/dhcp6-option.c:145
> #1 0x7fd001904884 in dhcp6_option_parse 
> ../src/libsystemd-network/dhcp6-option.c:165
> #2 0x7fd0019008ff in client_parse_message 
> ../src/libsystemd-network/sd-dhcp6-client.c:582
> #3 0x7fd001901078 in client_receive_advertise 
> ../src/libsystemd-network/sd-dhcp6-client.c:732
> #4 0x7fd001901822 in client_receive_message 
> ../src/libsystemd-network/sd-dhcp6-client.c:809
> #5 0x7fd001918c77 in source_dispatch 
> ../src/libsystemd/sd-event/sd-event.c:2035
> #6 0x7fd00191b7f1 in sd_event_dispatch 
> ../src/libsystemd/sd-event/sd-event.c:2384
> #7 0x7fd00191bad4 in sd_event_run 
> ../src/libsystemd/sd-event/sd-event.c:2413
> #8 0x7fd00191bc1d in sd_event_loop 
> ../src/libsystemd/sd-event/sd-event.c:2428
> #9 0x7fd0018fca81 in test_client_solicit 
> ../src/libsystemd-network/test-dhcp6-client.c:562
> #10 0x7fd0018fcc65 in main 
> ../src/libsystemd-network/test-dhcp6-client.c:585
> #11 0x7fd040df in __libc_start_main (/lib64/libc.so.6+0x200df)
> #12 0x7fd0018f7c5b (/home/test/systemd/build/test-dhcp6-client+0x25c5b)
> 
> 0x61109708 is located 2 bytes to the right of 198-byte region 
> [0x61109640,0x61109706)
> allocated by thread T0 here:
> #0 0x7fd000827cf5 in calloc (/lib64/libasan.so.1+0x57cf5)
> #1 0x7fd00190152b in client_receive_message 
> ../src/libsystemd-network/sd-dhcp6-client.c:769
> #2 0x7fd001918c77 in source_dispatch 
> ../src/libsystemd/sd-event/sd-event.c:2035
> #3 0x7fd00191b7f1 in sd_event_dispatch 
> ../src/libsystemd/sd-event/sd-event.c:2384
> #4 0x7fd00191bad4 in sd_event_run 
> ../src/libsystemd/sd-event/sd-event.c:2413
> #5 0x7fd00191bc1d in sd_event_loop 
> ../src/libsystemd/sd-event/sd-event.c:2428
> #6 0x7fd0018fca81 in test_client_solicit 
> ../src/libsystemd-network/test-dhcp6-client.c:562
> #7 0x7fd0018fcc65 in main 
> ../src/libsystemd-network/test-dhcp6-client.c:585
> #8 0x7fd040df in __libc_start_main (/lib64/libc.so.6+0x200df)
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> ../src/libsystemd-network/dhcp6-option.c:145 option_parse_hdr
> Shadow bytes around the buggy address:
>   0x0c227fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c227fff92a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  

Re: [systemd-devel] [PATCH] test-dhcp6-client: Fix option length

2014-08-29 Thread Zbigniew Jędrzejewski-Szmek
On Fri, Aug 29, 2014 at 09:20:46AM +0300, Patrik Flykt wrote:
> The whole DHCPv6 test message length was incorrectly used as the length
> of DHCPv6 options causing the following bad memory access:
> 
> $ build/test-dhcp6-client
> Assertion 'interface_index >= -1' failed at 
> ../src/libsystemd-network/sd-dhcp6-client.c:129, function 
> sd_dhcp6_client_set_index(). Ignoring.
> =
> ==29135==ERROR: AddressSanitizer: global-buffer-overflow on address 
> 0x7fe204aa9148 at pc 0x7fe204a5958f bp 0x7fff3e47d470 sp 0x7fff3e47d460
> READ of size 1 at 0x7fe204aa9148 thread T0
> #0 0x7fe204a5958e in option_parse_hdr 
> ../src/libsystemd-network/dhcp6-option.c:145
> #1 0x7fe204a59884 in dhcp6_option_parse 
> ../src/libsystemd-network/dhcp6-option.c:165
> #2 0x7fe204a4eb9c in test_advertise_option 
> ../src/libsystemd-network/test-dhcp6-client.c:227
> #3 0x7fe204a51c58 in main 
> ../src/libsystemd-network/test-dhcp6-client.c:584
> #4 0x7fe2031590df in __libc_start_main (/lib64/libc.so.6+0x200df)
> #5 0x7fe204a4cc5b (/home/test/systemd/build/test-dhcp6-client+0x25c5b)
> 
> 0x7fe204aa9148 is located 2 bytes to the right of global variable 
> 'msg_advertise' from '../src/libsystemd-network/test-dhcp6-client.c' 
> (0x7fe204aa9080) of size 198
> 0x7fe204aa9148 is located 56 bytes to the left of global variable 'msg_reply' 
> from '../src/libsystemd-network/test-dhcp6-client.c' (0x7fe204aa9180) of size 
> 173
> SUMMARY: AddressSanitizer: global-buffer-overflow 
> ../src/libsystemd-network/dhcp6-option.c:145 option_parse_hdr
> ---
> 
> This seems to be the cause of the bad memory access, please test.
Hm, I think it helps, but there's another one:

$ build/test-dhcp6-client 
Assertion 'interface_index >= -1' failed at 
../src/libsystemd-network/sd-dhcp6-client.c:129, function 
sd_dhcp6_client_set_index(). Ignoring.
DHCPv6 CLIENT: Sent SOLICIT
DHCPv6 CLIENT: Next retransmission in 1.049185s
=
==29571==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x61109708 at pc 0x7fd00190458f bp 0x7fff287de8d0 sp 0x7fff287de8c0
READ of size 1 at 0x61109708 thread T0
#0 0x7fd00190458e in option_parse_hdr 
../src/libsystemd-network/dhcp6-option.c:145
#1 0x7fd001904884 in dhcp6_option_parse 
../src/libsystemd-network/dhcp6-option.c:165
#2 0x7fd0019008ff in client_parse_message 
../src/libsystemd-network/sd-dhcp6-client.c:582
#3 0x7fd001901078 in client_receive_advertise 
../src/libsystemd-network/sd-dhcp6-client.c:732
#4 0x7fd001901822 in client_receive_message 
../src/libsystemd-network/sd-dhcp6-client.c:809
#5 0x7fd001918c77 in source_dispatch 
../src/libsystemd/sd-event/sd-event.c:2035
#6 0x7fd00191b7f1 in sd_event_dispatch 
../src/libsystemd/sd-event/sd-event.c:2384
#7 0x7fd00191bad4 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:2413
#8 0x7fd00191bc1d in sd_event_loop 
../src/libsystemd/sd-event/sd-event.c:2428
#9 0x7fd0018fca81 in test_client_solicit 
../src/libsystemd-network/test-dhcp6-client.c:562
#10 0x7fd0018fcc65 in main ../src/libsystemd-network/test-dhcp6-client.c:585
#11 0x7fd040df in __libc_start_main (/lib64/libc.so.6+0x200df)
#12 0x7fd0018f7c5b (/home/test/systemd/build/test-dhcp6-client+0x25c5b)

0x61109708 is located 2 bytes to the right of 198-byte region 
[0x61109640,0x61109706)
allocated by thread T0 here:
#0 0x7fd000827cf5 in calloc (/lib64/libasan.so.1+0x57cf5)
#1 0x7fd00190152b in client_receive_message 
../src/libsystemd-network/sd-dhcp6-client.c:769
#2 0x7fd001918c77 in source_dispatch 
../src/libsystemd/sd-event/sd-event.c:2035
#3 0x7fd00191b7f1 in sd_event_dispatch 
../src/libsystemd/sd-event/sd-event.c:2384
#4 0x7fd00191bad4 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:2413
#5 0x7fd00191bc1d in sd_event_loop 
../src/libsystemd/sd-event/sd-event.c:2428
#6 0x7fd0018fca81 in test_client_solicit 
../src/libsystemd-network/test-dhcp6-client.c:562
#7 0x7fd0018fcc65 in main ../src/libsystemd-network/test-dhcp6-client.c:585
#8 0x7fd040df in __libc_start_main (/lib64/libc.so.6+0x200df)

SUMMARY: AddressSanitizer: heap-buffer-overflow 
../src/libsystemd-network/dhcp6-option.c:145 option_parse_hdr
Shadow bytes around the buggy address:
  0x0c227fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff92d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff92e0: 06[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff9300: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c227fff9310: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff9320: 

[systemd-devel] [PATCH] test-dhcp6-client: Fix option length

2014-08-28 Thread Patrik Flykt
The whole DHCPv6 test message length was incorrectly used as the length
of DHCPv6 options causing the following bad memory access:

$ build/test-dhcp6-client
Assertion 'interface_index >= -1' failed at 
../src/libsystemd-network/sd-dhcp6-client.c:129, function 
sd_dhcp6_client_set_index(). Ignoring.
=
==29135==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x7fe204aa9148 at pc 0x7fe204a5958f bp 0x7fff3e47d470 sp 0x7fff3e47d460
READ of size 1 at 0x7fe204aa9148 thread T0
#0 0x7fe204a5958e in option_parse_hdr 
../src/libsystemd-network/dhcp6-option.c:145
#1 0x7fe204a59884 in dhcp6_option_parse 
../src/libsystemd-network/dhcp6-option.c:165
#2 0x7fe204a4eb9c in test_advertise_option 
../src/libsystemd-network/test-dhcp6-client.c:227
#3 0x7fe204a51c58 in main ../src/libsystemd-network/test-dhcp6-client.c:584
#4 0x7fe2031590df in __libc_start_main (/lib64/libc.so.6+0x200df)
#5 0x7fe204a4cc5b (/home/test/systemd/build/test-dhcp6-client+0x25c5b)

0x7fe204aa9148 is located 2 bytes to the right of global variable 
'msg_advertise' from '../src/libsystemd-network/test-dhcp6-client.c' 
(0x7fe204aa9080) of size 198
0x7fe204aa9148 is located 56 bytes to the left of global variable 'msg_reply' 
from '../src/libsystemd-network/test-dhcp6-client.c' (0x7fe204aa9180) of size 
173
SUMMARY: AddressSanitizer: global-buffer-overflow 
../src/libsystemd-network/dhcp6-option.c:145 option_parse_hdr
---

This seems to be the cause of the bad memory access, please test.

Cheers,

Patrik


 src/libsystemd-network/test-dhcp6-client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libsystemd-network/test-dhcp6-client.c 
b/src/libsystemd-network/test-dhcp6-client.c
index 96c68e1..259db33 100644
--- a/src/libsystemd-network/test-dhcp6-client.c
+++ b/src/libsystemd-network/test-dhcp6-client.c
@@ -207,7 +207,7 @@ static int test_advertise_option(sd_event *e) {
 DHCP6Message *advertise = (DHCP6Message *)msg_advertise;
 uint8_t *optval, *opt = &msg_advertise[sizeof(DHCP6Message)];
 uint16_t optcode;
-size_t optlen, len = sizeof(msg_advertise);
+size_t optlen, len = sizeof(msg_advertise) - sizeof(DHCP6Message);
 be32_t val;
 uint8_t preference = 255;
 struct in6_addr addr;
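Review bot: on the changed `len` line, the options pointer (`&msg_advertise[sizeof(DHCP6Message)]`) and the options length (`sizeof(msg_advertise) - sizeof(DHCP6Message)`) are two separate expressions that have to stay in sync, and nothing in the hunk says why the header is subtracted. A short comment that `len` counts option bytes only would help. This hunk covers `test_advertise_option` only, so any other caller that hands `dhcp6_option_parse` a whole-message length needs the same subtraction.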
-- 
1.9.1
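The length mix-up described in this thread, as an added example (not code from the patch or from systemd): a TLV option walker given the whole message length instead of the option length. The 4-byte header and the option layout follow the DHCPv6 RFC; `sample`, `count_options` and `count_message_options` are hypothetical names, and the four trailing bytes are constructed so the wrong length can be shown without reading out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN     4  /* msg-type (1) + transaction-id (3) */
#define OPT_HDR_LEN 4  /* option-code (2) + option-len (2), big endian */
#define MSG_LEN     15 /* length of the constructed message below */

/* Constructed sample: a 15-byte message followed by 4 bytes that are NOT
 * part of it (stand-ins for whatever lies after the real buffer). */
static const uint8_t sample[MSG_LEN + 4] = {
    0x02, 0x12, 0x34, 0x56,              /* header: ADVERTISE + xid */
    0x00, 0x07, 0x00, 0x01, 0xff,        /* option 7 (preference), len 1 */
    0x00, 0x08, 0x00, 0x02, 0x00, 0x00,  /* option 8 (elapsed time), len 2 */
    0xee, 0xee, 0x00, 0x00,              /* beyond the message */
};

/* Count the options in opt[0..len); -1 if an option is truncated. Like any
 * TLV walker it can only be as correct as the len the caller passes. */
static int count_options(const uint8_t *opt, size_t len) {
    int n = 0;
    while (len > 0) {
        if (len < OPT_HDR_LEN)
            return -1;
        size_t optlen = ((size_t)opt[2] << 8) | opt[3];
        if (optlen > len - OPT_HDR_LEN)
            return -1;
        opt += OPT_HDR_LEN + optlen;
        len -= OPT_HDR_LEN + optlen;
        n++;
    }
    return n;
}

/* Safer entry point: takes the whole message and derives the option
 * window itself, so no caller repeats the subtraction. */
static int count_message_options(const uint8_t *msg, size_t msglen) {
    if (msglen < HDR_LEN)
        return -1;
    return count_options(msg + HDR_LEN, msglen - HDR_LEN);
}

int main(void) {
    printf("whole-message length: %d options\n", count_options(sample + HDR_LEN, MSG_LEN));
    printf("option length only:   %d options\n", count_options(sample + HDR_LEN, MSG_LEN - HDR_LEN));
    printf("via message wrapper:  %d options\n", count_message_options(sample, MSG_LEN));
    return 0;
}
```

With the whole-message length the walker reports a third option built entirely from the four bytes past the message; in the thread those bytes lay outside the buffer, which is what AddressSanitizer flagged.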
