Message ID | 20210421133606.22523-1-julian@cipht.net |
---|---|
State | Accepted |
Delegated to: | Petr Štetiar |
From | Julian Squires <julian@cipht.net> |
To | openwrt-devel@lists.openwrt.org |
Cc | Julian Squires <julian@cipht.net> |
Subject | [PATCH] ubusd: protect against too-short messages |
Date | Wed, 21 Apr 2021 11:06:06 -0230 |
Series | ubusd: protect against too-short messages |
diff --git a/ubusd_main.c b/ubusd_main.c index c3d8049..9fd0967 100644 --- a/ubusd_main.c +++ b/ubusd_main.c @@ -129,6 +129,8 @@ retry: if (cl->pending_msg_offset < (int) sizeof(cl->hdrbuf)) goto out; + if (blob_raw_len(&cl->hdrbuf.data) < sizeof(struct blob_attr)) + goto disconnect; if (blob_pad_len(&cl->hdrbuf.data) > UBUS_MAX_MSGLEN) goto disconnect;
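Review bot: the new check sits at the right point, after the full header has been read and before blob_pad_len() is evaluated, but it is the only guard for a condition the commit message attributes to ubus_msg_new (ubusd.c:47) deriving ->data from an undersized length, so consider also rejecting a blob_attr whose raw length is below sizeof(struct blob_attr) inside ubus_msg_new itself, which protects any other caller that builds a message from an attribute. The two added lines would benefit from a one-line comment stating that a raw length smaller than the attribute header cannot describe a valid attribute, and a regression test built from the reproducer in the commit message would make the fix verifiable.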
A bad client can send a message whose blob_attr len is less than 4, and
ubus_msg_new happily points ->data off the end of the allocated buffer,
leading to invalid reads, writes, and eventually a crash if ubus monitor
is running:

==17683== Invalid write of size 4
==17683==    at 0x10A915: client_cb (ubusd_main.c:143)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==  Address 0x4a63200 is 0 bytes after a block of size 32 alloc'd
==17683==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==17683==    by 0x10AA87: ubus_msg_new (ubusd.c:47)
==17683==    by 0x10A8CE: client_cb (ubusd_main.c:135)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==
==17683== Invalid read of size 4
==17683==    at 0x10A645: blob_len (blob.h:102)
==17683==    by 0x10A93D: blob_raw_len (blob.h:111)
==17683==    by 0x10A93D: client_cb (ubusd_main.c:149)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==  Address 0x4a63200 is 0 bytes after a block of size 32 alloc'd
==17683==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==17683==    by 0x10AA87: ubus_msg_new (ubusd.c:47)
==17683==    by 0x10A8CE: client_cb (ubusd_main.c:135)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==
==17683== Invalid read of size 4
==17683==    at 0x10ACE8: blob_len (blob.h:102)
==17683==    by 0x10B7E1: blob_raw_len (blob.h:111)
==17683==    by 0x10B7E1: ubusd_proto_receive_message (ubusd_proto.c:457)
==17683==    by 0x10A9A7: client_cb (ubusd_main.c:169)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==  Address 0x4a63200 is 0 bytes after a block of size 32 alloc'd
==17683==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==17683==    by 0x10AA87: ubus_msg_new (ubusd.c:47)
==17683==    by 0x10A8CE: client_cb (ubusd_main.c:135)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==
==17683== Invalid read of size 4
==17683==    at 0x10D39B: blob_len (blob.h:102)
==17683==    by 0x10D53E: ubusd_monitor_message (ubusd_monitor.c:91)
==17683==    by 0x10A99C: client_cb (ubusd_main.c:168)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==  Address 0x4a6b3e0 is 0 bytes after a block of size 32 alloc'd
==17683==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==17683==    by 0x10AA87: ubus_msg_new (ubusd.c:47)
==17683==    by 0x10A8CE: client_cb (ubusd_main.c:135)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==
==17683== Invalid read of size 1
==17683==    at 0x4848286: blob_put (blob.c:167)
==17683==    by 0x10D555: ubusd_monitor_message (ubusd_monitor.c:91)
==17683==    by 0x10A99C: client_cb (ubusd_main.c:168)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==  Address 0x4a6b3e4 is 4 bytes after a block of size 32 alloc'd
==17683==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==17683==    by 0x10AA87: ubus_msg_new (ubusd.c:47)
==17683==    by 0x10A8CE: client_cb (ubusd_main.c:135)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)
==17683==
==17683==
==17683== Process terminating with default action of signal 11 (SIGSEGV)
==17683==  Bad permissions for mapped region at address 0x4E43000
==17683==    at 0x4848286: blob_put (blob.c:167)
==17683==    by 0x10D555: ubusd_monitor_message (ubusd_monitor.c:91)
==17683==    by 0x10A99C: client_cb (ubusd_main.c:168)
==17683==    by 0x48495E3: uloop_run_events (uloop.c:198)
==17683==    by 0x48495E3: uloop_run_timeout (uloop.c:555)
==17683==    by 0x10A503: uloop_run (uloop.h:111)
==17683==    by 0x10A503: main (ubusd_main.c:284)

The following Python program minimally reproduces the issue:

import socket
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect('/tmp/usock')
sock.recv(12)  # consume ubusd's initial message
# 8-byte message header followed by a blob_attr whose length field is 0 (< 4)
sock.send(b'\x00\x04\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00')

Signed-off-by: Julian Squires <julian@cipht.net>
---
 ubusd_main.c | 2 ++
 1 file changed, 2 insertions(+)
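The check the patch adds guards a length field that is otherwise used for allocation and pointer arithmetic before anyone has looked at it. The following is an added example, not code from the patch, ubusd or libubox: a standalone bounds-checked parser for a message framed like the one in the reproducer, an 8-byte header followed by a blob_attr whose 32-bit big-endian id_len word carries the total attribute length in its low 24 bits. That layout is an assumption mirroring libubox's blob_attr; the names MSGHDR_LEN, ATTR_HDR_LEN, ATTR_LEN_MASK, MAX_MSGLEN (standing in for UBUS_MAX_MSGLEN), validate_frame and unchecked_payload_len are all made up for this example. It shows why the too-short check has to come before anything else: subtracting the 4-byte header from a length of 0 wraps to an enormous unsigned value, which is exactly the kind of arithmetic that leaves a data pointer past the end of its buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MSGHDR_LEN     8u           /* framing header in front of the blob, treated as opaque */
#define ATTR_HDR_LEN   4u           /* size of the blob_attr header: one 32-bit id_len word */
#define ATTR_LEN_MASK  0x00ffffffu  /* assumed: low 24 bits of id_len hold the attribute length */
#define MAX_MSGLEN     (1u << 20)   /* assumed cap; stands in for UBUS_MAX_MSGLEN */

enum frame_status {
    FRAME_OK = 0,
    FRAME_INCOMPLETE,      /* both headers not yet fully received */
    FRAME_ATTR_TOO_SHORT,  /* length field smaller than the attribute header itself */
    FRAME_TOO_LONG         /* length field above the configured cap */
};

/* Raw attribute length (header included) from the big-endian id_len word. */
static uint32_t attr_raw_len(const uint8_t *buf)
{
    const uint8_t *p = buf + MSGHDR_LEN;
    uint32_t id_len = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                      ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return id_len & ATTR_LEN_MASK;
}

/*
 * Validate both headers before the length is used for anything.  On
 * FRAME_OK, *payload_len (if non-NULL) receives the number of bytes that
 * follow the attribute header.
 */
enum frame_status validate_frame(const uint8_t *buf, size_t have,
                                 uint32_t *payload_len)
{
    if (have < MSGHDR_LEN + ATTR_HDR_LEN)
        return FRAME_INCOMPLETE;

    uint32_t raw = attr_raw_len(buf);

    /* Order matters: this check is what keeps the subtraction below sane. */
    if (raw < ATTR_HDR_LEN)
        return FRAME_ATTR_TOO_SHORT;
    if (raw > MAX_MSGLEN)
        return FRAME_TOO_LONG;

    if (payload_len)
        *payload_len = raw - ATTR_HDR_LEN;
    return FRAME_OK;
}

/* The same subtraction without the guard: wraps for raw < ATTR_HDR_LEN. */
uint32_t unchecked_payload_len(uint32_t raw)
{
    return raw - ATTR_HDR_LEN;
}

/* Constructed sample: the 12 bytes from the reproducer, attribute length 0. */
const uint8_t BAD_FRAME[12] = {
    0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00
};

/* Constructed sample: same framing, attribute length 8 = header + 4 bytes. */
const uint8_t GOOD_FRAME[16] = {
    0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x08, 0xde, 0xad, 0xbe, 0xef
};

/* Constructed sample: length field at the 24-bit maximum, above MAX_MSGLEN. */
const uint8_t LONG_FRAME[12] = {
    0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x00, 0xff, 0xff, 0xff
};

int main(void)
{
    uint32_t n = 0;
    enum frame_status st;

    st = validate_frame(BAD_FRAME, sizeof BAD_FRAME, NULL);
    printf("bad frame:  status %d\n", st);
    st = validate_frame(GOOD_FRAME, sizeof GOOD_FRAME, &n);
    printf("good frame: status %d, payload %u bytes\n", st, n);
    st = validate_frame(LONG_FRAME, sizeof LONG_FRAME, NULL);
    printf("long frame: status %d\n", st);
    printf("unchecked payload length for raw=0: %u\n", unchecked_payload_len(0));
    return 0;
}
```

The reproducer's bytes are rejected with FRAME_ATTR_TOO_SHORT before any length arithmetic runs, while the unguarded subtraction turns the same length field of 0 into 4294967292, the value a caller would then trust when placing a data pointer or copying a payload.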