Use-after-free in post_args() #489

Closed
SegfaultMasters opened this issue Oct 15, 2018 · 2 comments
Assignees / Labels / Comments

@SegfaultMasters

A heap use-after-free issue exists in the tcpbridge binary of tcpreplay, triggered in function post_args() in file src/tcpbridge.c.

Tested version:

4.3.0-beta1

Command:

tcpbridge --intf1=en7

Debugging

Source - tcpbridge.c:219

214             if ((eth_buff = sendpacket_get_hwaddr(sp)) == NULL) {
215                 warnx("Unable to get MAC address: %s", sendpacket_geterr(sp));
216                 err(-1, "Please consult the man page for using the -M option.");
217             }
218             sendpacket_close(sp);  // Freed
219             memcpy(options.intf1_mac, eth_buff, ETHER_ADDR_LEN);  // use-after-free - invalid read
220         }

gef> p sp
$1 = (sendpacket_t *) 0xb4203680

gef> ptype eth_buff
type = struct tcpr_ether_addr {
    uint8_t ether_addr_octet[6];
} *

ASAN Report

==21234==ERROR: AddressSanitizer: heap-use-after-free on address 0xb4203b38 at pc 0x0804e6e3 bp 0xbffff1e8 sp 0xbffff1d8
READ of size 6 at 0xb4203b38 thread T0
    #0 0x804e6e2 in post_args /home/loginsoft/ACE/tcpreplay/src/tcpbridge.c:219
    #1 0x804d48a in main /home/loginsoft/ACE/tcpreplay/src/tcpbridge.c:72
    #2 0xb7835636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #3 0x804a955  (/usr/local/bin/tcpbridge+0x804a955)

0xb4203b38 is located 1208 bytes inside of 1240-byte region [0xb4203680,0xb4203b58)
freed by thread T0 here:
    #0 0xb7ad0a84 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x96a84)
    #1 0x807b714 in _our_safe_free /home/loginsoft/ACE/tcpreplay/src/common/utils.c:118
    #2 0x807f34e in sendpacket_close /home/loginsoft/ACE/tcpreplay/src/common/sendpacket.c:636
    #3 0x804e677 in post_args /home/loginsoft/ACE/tcpreplay/src/tcpbridge.c:218
    #4 0x804d48a in main /home/loginsoft/ACE/tcpreplay/src/tcpbridge.c:72
    #5 0xb7835636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

previously allocated by thread T0 here:
    #0 0xb7ad0dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x807b4b0 in _our_safe_malloc /home/loginsoft/ACE/tcpreplay/src/common/utils.c:50
    #2 0x807ff10 in sendpacket_open_pf /home/loginsoft/ACE/tcpreplay/src/common/sendpacket.c:956
    #3 0x807e932 in sendpacket_open /home/loginsoft/ACE/tcpreplay/src/common/sendpacket.c:523
    #4 0x804e4f3 in post_args /home/loginsoft/ACE/tcpreplay/src/tcpbridge.c:211
    #5 0x804d48a in main /home/loginsoft/ACE/tcpreplay/src/tcpbridge.c:72
    #6 0xb7835636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-use-after-free /home/loginsoft/ACE/tcpreplay/src/tcpbridge.c:219 post_args
Shadow bytes around the buggy address:
  0x36840710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36840720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36840730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36840740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36840750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x36840760: fd fd fd fd fd fd fd[fd]fd fd fd fa fa fa fa fa
  0x36840770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36840780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36840790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x368407a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x368407b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==21234==ABORTING

No reproducer file required.
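The report above shows the whole bug in two lines: sendpacket_get_hwaddr() returns a pointer into the sendpacket_t block (the ASAN trace puts the read 1208 bytes inside the 1240-byte region allocated by sendpacket_open_pf), sendpacket_close() frees that block, and the following memcpy() reads through the dangling pointer. The following stand-alone C program is an added example, not tcpreplay code: it reproduces the free-before-copy ordering on a hypothetical mock handle (sp_t, sp_open, sp_get_hwaddr, sp_close, read_mac_* are all invented names) and places it beside the fixed ordering, copy first and free afterwards, which is what the "free after memcpy" fix commit describes.

```c
/* Added example (not tcpreplay code): the free-before-copy pattern from
 * tcpbridge.c:218-219 reproduced on a hypothetical mock handle, beside the
 * corrected ordering. sp_t, sp_open(), sp_get_hwaddr(), sp_close() and
 * read_mac_*() are invented names standing in for the sendpacket API. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETHER_ADDR_LEN 6

/* Mirrors struct tcpr_ether_addr from the report's ptype output. */
struct ether_addr6 {
    uint8_t ether_addr_octet[ETHER_ADDR_LEN];
};

/* Hypothetical stand-in for sendpacket_t: the handle owns the storage that
 * the hwaddr getter hands back a pointer into. */
typedef struct {
    int fd;                     /* would be the raw socket / pcap handle */
    struct ether_addr6 hwaddr;  /* lives inside the handle's heap block */
} sp_t;

/* Constructed sample MAC (locally administered, not a real device). */
static const uint8_t SAMPLE_MAC[ETHER_ADDR_LEN] = {0x02, 0x00, 0x5e, 0x10, 0x00, 0x01};

static sp_t *sp_open(void) {
    sp_t *sp = calloc(1, sizeof *sp);
    if (sp == NULL)
        return NULL;
    sp->fd = 3;
    memcpy(sp->hwaddr.ether_addr_octet, SAMPLE_MAC, ETHER_ADDR_LEN);
    return sp;
}

/* Returns a pointer INTO the handle, as sendpacket_get_hwaddr() does in the
 * ASAN trace. The pointer is only valid for as long as sp is. */
static struct ether_addr6 *sp_get_hwaddr(sp_t *sp) {
    return &sp->hwaddr;
}

static void sp_close(sp_t *sp) {
    free(sp);
}

/* Vulnerable ordering (tcpbridge.c before the fix): the handle is freed and
 * the MAC is then copied out of the freed block. Never call this; it is here
 * only to show the ordering ASAN flagged. Built with -fsanitize=address it
 * reports heap-use-after-free at the memcpy. */
int read_mac_vulnerable(uint8_t out[ETHER_ADDR_LEN]) {
    sp_t *sp = sp_open();
    if (sp == NULL)
        return -1;
    struct ether_addr6 *eth_buff = sp_get_hwaddr(sp);
    sp_close(sp);                           /* eth_buff now dangles */
    memcpy(out, eth_buff, ETHER_ADDR_LEN);  /* heap-use-after-free read */
    return 0;
}

/* Fixed ordering ("free after memcpy"): copy while the handle is alive, drop
 * the alias, then release the handle. */
static int read_mac_fixed(uint8_t out[ETHER_ADDR_LEN]) {
    sp_t *sp = sp_open();
    if (sp == NULL)
        return -1;
    struct ether_addr6 *eth_buff = sp_get_hwaddr(sp);
    if (eth_buff == NULL) {
        sp_close(sp);
        return -1;
    }
    memcpy(out, eth_buff, ETHER_ADDR_LEN);  /* copy first */
    eth_buff = NULL;                        /* no dangling alias survives */
    sp_close(sp);                           /* then free */
    return 0;
}

/* Returns 1 when the fixed path yields the sample MAC intact, else 0. */
static int fixed_path_matches_sample(void) {
    uint8_t mac[ETHER_ADDR_LEN] = {0};
    if (read_mac_fixed(mac) != 0)
        return 0;
    return memcmp(mac, SAMPLE_MAC, ETHER_ADDR_LEN) == 0;
}

int main(void) {
    uint8_t mac[ETHER_ADDR_LEN];
    if (read_mac_fixed(mac) != 0) {
        fputs("open failed\n", stderr);
        return 1;
    }
    printf("intf1 MAC: %02x:%02x:%02x:%02x:%02x:%02x\n",
           mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
    return 0;
}
```

Build with `cc -fsanitize=address -g example.c` to see that read_mac_fixed() runs clean; swapping the main() call to read_mac_vulnerable() reproduces a heap-use-after-free report of the same shape as the one above (READ of size 6 inside the freed region). The general rule the fix applies is that any pointer returned by a getter on an owned object is a borrow with the object's lifetime, so everything needed from it must be copied out before the owner is closed.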

@carnil

carnil commented Oct 19, 2018

This issue was assigned CVE-2018-18408

@fklassen fklassen self-assigned this Oct 20, 2018
@fklassen fklassen added the bug label Oct 20, 2018
fklassen added a commit that referenced this issue Oct 20, 2018
@fklassen (Member)

fixed in PR #497

fklassen added a commit that referenced this issue Oct 23, 2018
* 4.3: (22 commits)
  Bug #418 don't ignore 2nd packet timing
  Bug #411 allow TAP on all platforms
  Bug #174 ensure --with-testnic does not affect replay
  Bug #406 change packet length to network order
  Bug #413 fix manpage typos
  Bug #485 Heap overflow fixed in #484
  Enhancement_#482 update CHANGELOG/CREDITS
  Enhancement_#482 test Makefile merge error fixup
  Enhancement_#482 test Makefile cleanup
  Bug #489 free after memcpy
  Bug #488 heap overflow csum replace4 (#496)
  Bug #486 CVE-2018-17974 realloc memory if packet size increases (#492)
  Enhancement #493 - fixes for Codacy identified issues
  Bug #486 Enforce max snaplen rather than doing realloc
  Bug #486 CVE-2018-17974 realloc memory if packet size increases
  Bug #484 CVE-2018-17582 Check for corrupt PCAP files
  4.3 - revert travis updates from merge
  Simplify plugin Makefiles
  allow out-of-tree build
  Remove dead code
  ...
fklassen added a commit that referenced this issue Oct 23, 2018
…ging

* 4.3: (36 commits)
  Enhancement #506 disable C99 and fix warnings (#507)
  Bug #418 don't ignore 2nd packet timing
  Bug #411 allow TAP on all platforms
  Bug #174 ensure --with-testnic does not affect replay
  Bug #406 change packet length to network order
  Bug #413 fix manpage typos
  Bug #485 Heap overflow fixed in #484
  Enhancement_#482 update CHANGELOG/CREDITS
  Enhancement_#482 test Makefile merge error fixup
  Enhancement_#482 test Makefile cleanup
  Bug #489 free after memcpy
  Bug #488 heap overflow csum replace4 (#496)
  Bug #486 CVE-2018-17974 realloc memory if packet size increases (#492)
  Enhancement #493 - fixes for Codacy identified issues
  Bug #486 Enforce max snaplen rather than doing realloc
  Bug #486 CVE-2018-17974 realloc memory if packet size increases
  Bug #484 CVE-2018-17582 Check for corrupt PCAP files
  4.3 - revert travis updates from merge
  Simplify plugin Makefiles
  allow out-of-tree build
  ...