Date:      Tue, 04 Oct 2022 20:39:31 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 266827] corrupt message can cause wild pointer read in hastd
Message-ID:  <bug-266827-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266827

            Bug ID: 266827
           Summary: corrupt message can cause wild pointer read in hastd
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #237079 mime type: text/plain

Created attachment 237079
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237079&action=edit
crash a hastd server with a bad nv string dsize

hastd's nv_validate() uses a value from a received packet as an array
index without sufficient checking:

                dsize = NVH_DSIZE(nvh);
                ...
                case NV_TYPE_STRING:
                        data = NVH_DATA(nvh);
                        if (data[dsize - 1] != '\0') {

I've attached a demo that passes 2^32-1 as dsize:

# cat hast.conf
listen tcp://0.0.0.0
resource r {
  on myhostname {
    local /tmp/hast.data
    remote tcp://127.0.0.1
  }
}
# touch /tmp/hast.data
# sudo /sbin/hastd -F -d -c hast.conf &
# cc hastd1a.c
# ./a.out
# wait
[1]    Segmentation fault            /sbin/hastd -F -d -c hast.conf

Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
nv_validate (nv=0x80183d000, extrap=extrap@entry=0x7fffffffe518) at
/usr/src/sbin/hastd/nv.c:312
312                             if (data[dsize - 1] != '\0') {
(gdb) where
#0  nv_validate (nv=0x80183d000, extrap=extrap@entry=0x7fffffffe518)
    at /usr/src/sbin/hastd/nv.c:312
#1  0x000000000103b38c in nv_ntoh (eb=eb@entry=0x801863000)
    at /usr/src/sbin/hastd/nv.c:390
#2  0x00000000010360f8 in hast_proto_recv_hdr (conn=0x801853040,
    nvp=nvp@entry=0x7fffffffe5b0) at /usr/src/sbin/hastd/hast_proto.c:161
#3  0x0000000001037932 in listen_accept (lst=lst@entry=0x80183e000)
    at /usr/src/sbin/hastd/hastd.c:790
#4  0x0000000001037325 in main_loop () at /usr/src/sbin/hastd/hastd.c:1148
#5  0x0000000001036f68 in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/sbin/hastd/hastd.c:1337

-- 
You are receiving this mail because:
You are the assignee for the bug.
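As an added illustration (not code from the report or from hastd) of the check the report says nv_validate() lacks: a string record's dsize must be bounded by the bytes actually received, and must be non-zero, before data[dsize - 1] is ever read. The wire layout, the NV_TYPE_STRING value and the sample records below are assumptions constructed for this example, modelled loosely on hastd's nv header (type, name size, data size, name, data).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed simplified record layout (not hastd's exact format):
 *   u8 type, u8 namesize, u32 dsize (little-endian), name[namesize], data[dsize] */
#define NV_TYPE_STRING 0x0b   /* placeholder value, not hastd's constant */
#define NV_HDR_LEN 6

/* Return 1 if buf holds a well-formed string record that fits in len bytes,
 * 0 otherwise. Every size from the packet is checked against the bytes
 * received before it is used as an index. */
int nv_string_record_ok(const uint8_t *buf, size_t len)
{
    if (len < NV_HDR_LEN)
        return 0;
    uint8_t type = buf[0];
    size_t namesize = buf[1];
    uint32_t dsize = (uint32_t)buf[2] | (uint32_t)buf[3] << 8 |
                     (uint32_t)buf[4] << 16 | (uint32_t)buf[5] << 24;
    if (type != NV_TYPE_STRING)
        return 0;
    size_t avail = len - NV_HDR_LEN;
    if (namesize > avail)              /* name must fit in the packet */
        return 0;
    avail -= namesize;
    /* dsize == 0 makes data[dsize - 1] wrap to a huge index;
     * dsize > avail is the wild read from the report (dsize = 2^32-1). */
    if (dsize == 0 || dsize > avail)
        return 0;
    const uint8_t *data = buf + NV_HDR_LEN + namesize;
    if (data[dsize - 1] != '\0')       /* now a safe, in-bounds read */
        return 0;
    if (strlen((const char *)data) != dsize - 1)  /* no embedded NUL */
        return 0;
    return 1;
}

/* Constructed sample records: valid, oversized dsize, zero dsize, missing NUL. */
static const uint8_t good_rec[]  = { 0x0b, 1, 3,0,0,0, 'k', 'h','i','\0' };
static const uint8_t huge_rec[]  = { 0x0b, 1, 0xff,0xff,0xff,0xff, 'k', 'h','i','\0' };
static const uint8_t zero_rec[]  = { 0x0b, 1, 0,0,0,0, 'k' };
static const uint8_t nonul_rec[] = { 0x0b, 1, 2,0,0,0, 'k', 'h','i' };

int check_samples(void)
{
    return nv_string_record_ok(good_rec, sizeof good_rec) == 1
        && nv_string_record_ok(huge_rec, sizeof huge_rec) == 0
        && nv_string_record_ok(zero_rec, sizeof zero_rec) == 0
        && nv_string_record_ok(nonul_rec, sizeof nonul_rec) == 0;
}
```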