Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

escape_with_table invalid access #1222

Open
mmmds opened this issue Jul 25, 2019 · 0 comments

Comments

@mmmds
Copy link

commented Jul 25, 2019

cherokee/buffer.c:

[...]
escape_with_table (cherokee_buffer_t *buffer,
1342                     cherokee_buffer_t *src,
1343                     uint32_t          *is_char_escaped)
[...]
1346  	const char *s,*s_next;
[...]
1359  	s = src->buf;
1360  	do {
1361  		s_next = utf8_get_next_char (s);
1362  
1363  		/* It's single-byte character */
1364  		if ((s_next - s) == 1) {
1365  
1366  			/* Check whether it has to be escaped */
1367  			if (is_char_escaped[*s >> 5] & (1 << (*s & 0x1f))) {
[...]

in the line 1367 *s is used to index is_char_escaped table. Because *s is signed
then we can get (negative value) >> 5 which results in negative value, so
we access memory before is_char_escaped.

Simple PoC to reproduce

echo -e "GET http://SilaHonorUlica/test8/test\xff.html HTTP/1.1\nHost: xoxoxo\nUser-Agent: netcat\n\n" | nc ::1 8765

test8 is a handler for proxy module

Patch for this issue:

diff --git a/cherokee/buffer.c b/cherokee/buffer.c
index d93c163..9250c5c 100644
--- a/cherokee/buffer.c
+++ b/cherokee/buffer.c
@@ -1343,8 +1343,8 @@ escape_with_table (cherokee_buffer_t *buffer,
                    uint32_t          *is_char_escaped)
 {
        char *t;
-       const char *s,*s_next;
-       char *end;
+       const unsigned char *s,*s_next;
+       unsigned char *end;
        cuint_t        n_escape    = 0;
        static char    hex_chars[] = "0123456789abcdef";

Setup:

  • Ubuntu 18.04 64 bit

  • source code from github, commit 9a75e65

  • build command:

ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0 -fprofile-arcs -ftest-coverage" ./configure --prefix=`pwd`/bin --enable-trace --enable-static-module=all --enable-static --enable-shared=no
make
  • files in webroot mkdir /var/www/test{1..20}; for i in seq 1 20; do echo test > test$i/test.html; done
  • configuration file cherokee.txt

found by: Mateusz Kocielski, Michał Dardas from LogicalTrust

skinkie added a commit that referenced this issue Jul 25, 2019

@skinkie skinkie self-assigned this Jul 25, 2019

@skinkie skinkie added the t:bug label Jul 25, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.