Potential stack overflow in ares_set_sortlist #496

Closed
hopper-vul opened this issue Dec 13, 2022 · 1 comment · Fixed by #497

Comments

@hopper-vul
Contributor

ares_set_sortlist calls config_sortlist(..., sortstr) to parse
the input str and initialize a sortlist configuration.

However, ares_set_sortlist does not have any checks on the validity of the input str.
It is very easy to create an arbitrary-length stack overflow with the unchecked
memcpy(ipbuf, str, q-str); and memcpy(ipbufpfx, str, q-str);
statements in the config_sortlist call, which could potentially have severe
security impact in practical programs.

For example, the little case below could produce a stack overflow:

#include "ares.h"
#include <stdlib.h>

int main(void) {
    struct ares_channeldata *v0 = NULL;   /* channel */
    int v2 = ares_init(&v0);              /* $relative */
    if (v2 != ARES_SUCCESS)
        return 1;
    /* sortstr: the token before '/' is far longer than the fixed-size ipbuf */
    char v5[] = "111.111.111.111*shellcode*shellcode*shellcode*/";
    int v6 = ares_set_sortlist(v0, v5);   /* $target: overflows ipbuf in config_sortlist */
    ares_destroy(v0);
    return v6 == ARES_SUCCESS ? 0 : 1;
}

As ares_set_sortlist is a public interface of a widely used library,
I think it is necessary to add some checks to prevent further severe security bugs.
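To make the unchecked-copy pattern from the report concrete, here is an added example (illustrative code written for this page, not c-ares's own config_sortlist) that puts the vulnerable copy beside a hardened parser for the same "addr/prefix addr/prefix;" sortlist syntax. The buffer sizes IPBUF_SZ and IPBUFPFX_SZ, the helper names scan_ip, scan_prefix, copy_token_unchecked, parse_sortlist_entry and sortlist_entry_count, and the sample input strings are all assumptions of this example; only the buffer names ipbuf/ipbufpfx and the q-str copy length come from the report.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size stack buffers named as in the report; the exact sizes are an
 * assumption of this example, not taken from the library. */
#define IPBUF_SZ    16
#define IPBUFPFX_SZ 32

enum { SORT_OK = 0, SORT_EBADSTR = -1 };

/* Advance over one address token: stops at '/', ';', whitespace or NUL. */
static const char *scan_ip(const char *p)
{
    while (*p && *p != '/' && *p != ';' && !isspace((unsigned char)*p))
        p++;
    return p;
}

/* Advance over the remainder of an "addr/prefix" token: stops at ';', whitespace or NUL. */
static const char *scan_prefix(const char *p)
{
    while (*p && *p != ';' && !isspace((unsigned char)*p))
        p++;
    return p;
}

/* The pattern the report describes: the token length q - str is never compared
 * against the destination size before memcpy, so a token of IPBUF_SZ bytes or
 * more writes past the end of the caller's stack buffer. Kept for reading
 * only; never call it on untrusted input. */
void copy_token_unchecked(char ipbuf[IPBUF_SZ], const char *str)
{
    const char *q = scan_ip(str);
    memcpy(ipbuf, str, (size_t)(q - str));
    ipbuf[q - str] = '\0';
}

/* Hardened form: bound every copy by the destination size (leaving room for
 * the terminating NUL) and return an error instead of overflowing. */
int parse_sortlist_entry(const char *str, char ipbuf[IPBUF_SZ],
                         char ipbufpfx[IPBUFPFX_SZ], const char **rest)
{
    const char *q = scan_ip(str);
    size_t n = (size_t)(q - str);

    if (n == 0 || n >= IPBUF_SZ)      /* empty, or would not fit with its NUL */
        return SORT_EBADSTR;
    memcpy(ipbuf, str, n);
    ipbuf[n] = '\0';

    if (*q == '/') {
        q = scan_prefix(q + 1);
        n = (size_t)(q - str);        /* the whole "addr/prefix" text, as in the report */
        if (n >= IPBUFPFX_SZ)
            return SORT_EBADSTR;
        memcpy(ipbufpfx, str, n);
        ipbufpfx[n] = '\0';
    } else {
        ipbufpfx[0] = '\0';
    }
    *rest = q;
    return SORT_OK;
}

/* Parse a whole sortlist string; returns the number of entries parsed, or
 * SORT_EBADSTR at the first token that would not fit its buffer. */
int sortlist_entry_count(const char *str)
{
    char ipbuf[IPBUF_SZ], ipbufpfx[IPBUFPFX_SZ];
    int count = 0;

    while (*str && *str != ';') {
        const char *rest;
        if (parse_sortlist_entry(str, ipbuf, ipbufpfx, &rest) != SORT_OK)
            return SORT_EBADSTR;
        count++;
        str = rest;
        while (isspace((unsigned char)*str))
            str++;
    }
    return count;
}

int main(void)
{
    /* Constructed inputs: the report's PoC string and a well-formed list. */
    const char *bad  = "111.111.111.111*shellcode*shellcode*shellcode*/";
    const char *good = "10.0.0.0/8 172.16.0.0/12;";
    printf("well-formed list: %d entries\n", sortlist_entry_count(good));
    printf("PoC string: %s\n",
           sortlist_entry_count(bad) == SORT_EBADSTR ? "rejected" : "accepted");
    return 0;
}
```

The PoC string is rejected because '*' is not a token delimiter, so the address token runs all the way to the '/' and is 46 bytes long; with the check in place that length is compared against the 16-byte buffer before any copy happens, which is the property the fix needs to guarantee for both ipbuf and ipbufpfx.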

hopper-vul added a commit to hopper-vul/c-ares that referenced this issue Dec 13, 2022
ares_set_sortlist calls config_sortlist(..., sortstr) to parse
the input str and initialize a sortlist configuration.

However, ares_set_sortlist does not have any checks on the validity of the input str.
It is very easy to create an arbitrary-length stack overflow with the unchecked
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
statements in the config_sortlist call, which could potentially have severe
security impact in practical programs.

This commit adds the necessary checks for `ipbuf` and `ipbufpfx` which avoid the
potential stack overflows.

fixes c-ares#496

Signed-off-by: hopper-vul <hopper.vul@gmail.com>
bradh352 pushed a commit that referenced this issue Jan 18, 2023
ares_set_sortlist calls config_sortlist(..., sortstr) to parse
the input str and initialize a sortlist configuration.

However, ares_set_sortlist does not have any checks on the validity of the input str.
It is very easy to create an arbitrary-length stack overflow with the unchecked
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
statements in the config_sortlist call, which could potentially have severe
security impact in practical programs.

This commit adds the necessary checks for `ipbuf` and `ipbufpfx` which avoid the
potential stack overflows.

fixes #496

Fix By: @hopper-vul
@00xc

00xc commented Feb 9, 2023

This got assigned CVE-2022-4904 by Red Hat CNA.

halstead pushed a commit to openembedded/meta-openembedded that referenced this issue Apr 4, 2023
Backport based on c-ares/c-ares#496

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
halstead pushed a commit to openembedded/meta-openembedded that referenced this issue Apr 5, 2023
Backport based on c-ares/c-ares#496

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
amstewart pushed a commit to ni/meta-openembedded that referenced this issue Apr 7, 2023
Backport based on c-ares/c-ares#496

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/meta-openembedded that referenced this issue Apr 10, 2023
Source: meta-openembedded
MR: 124675, 125263
Type: Security Fix
Disposition: Merged from meta-openembedded
ChangeID: 092e125
Description:

Backport based on c-ares/c-ares#496

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>