struct cherokee_handler_cgi_t (handler_cgi.h) consist of a fixed sized array (char *envp[ENV_VAR_NUM]) for environ variables. Sending a request with a lot of headers, causes to
increment int envp_last to a value greater than ENV_VAR_NUM resulting in reading outside the array.
=================================================================
==10864==ERROR: AddressSanitizer: SEGV on unknown address 0x6180001cb3c0 (pc 0x55c74bfd2f94 bp 0x7f6bac2e6220 sp 0x7f6bac2e61f0 T7)
==10864==The signal is caused by a WRITE memory access.
#0 0x55c74bfd2f93 in cherokee_handler_cgi_add_env_pair /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:310
#1 0x55c74c02d6e4 in foreach_header_add_unknown_variable /home/mmm/fuzz/webserver/cherokee/handler_cgi_base.c:664
#2 0x55c74c09fe32 in cherokee_header_foreach_unknown /home/mmm/fuzz/webserver/cherokee/header.c:1220
#3 0x55c74c02db36 in cherokee_handler_cgi_base_build_envp /home/mmm/fuzz/webserver/cherokee/handler_cgi_base.c:696
#4 0x55c74bfd30f3 in add_environment /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:328
#5 0x55c74bfd6912 in fork_and_execute_cgi_via_spawner /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:787
#6 0x55c74bfd35a8 in cherokee_handler_cgi_init /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:382
#7 0x55c74c04b44c in cherokee_handler_init /home/mmm/fuzz/webserver/cherokee/handler.c:93
#8 0x55c74c048233 in cherokee_connection_open_request /home/mmm/fuzz/webserver/cherokee/connection.c:2678
#9 0x55c74bf84889 in process_active_connections /home/mmm/fuzz/webserver/cherokee/thread.c:1165
#10 0x55c74bf8a549 in cherokee_thread_step_MULTI_THREAD /home/mmm/fuzz/webserver/cherokee/thread.c:2086
#11 0x55c74bf7e300 in thread_routine /home/mmm/fuzz/webserver/cherokee/thread.c:99
#12 0x7f6bb2b166da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#13 0x7f6bb263b88e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:310 in cherokee_handler_cgi_add_env_pair
Thread T7 created by T0 here:
#0 0x7f6bb2f9dd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x55c74bf7f219 in cherokee_thread_new /home/mmm/fuzz/webserver/cherokee/thread.c:247
#2 0x55c74bf6773f in initialize_server_threads /home/mmm/fuzz/webserver/cherokee/server.c:671
#3 0x55c74bf69a05 in cherokee_server_initialize /home/mmm/fuzz/webserver/cherokee/server.c:1053
#4 0x55c74bf0d76f in common_server_initialization /home/mmm/fuzz/webserver/cherokee/main_worker.c:255
#5 0x55c74bf0e1f7 in main /home/mmm/fuzz/webserver/cherokee/main_worker.c:393
#6 0x7f6bb253bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
==10864==ABORTING
In #1224 it was already pointed out that what issues arise when the number of headers exceed ENV_VAR_NUM.
It seems also be the root cause of issue #1225. In addition I guarantee that the envp list always ends with NULL, a required terminal.
struct cherokee_handler_cgi_t (handler_cgi.h) consist of a fixed sized array (char *envp[ENV_VAR_NUM]) for environ variables. Sending a request with a lot of headers, causes to
increment int envp_last to a value greater than ENV_VAR_NUM resulting in reading outside the array.
handler_cgi.c:
PoC
ASAN
Setup:
Ubuntu 18.04 64 bit
source code from github, commit 9a75e65
build command:
mkdir /var/www/test{1..20}; for i inseq 1 20; do echo test > test$i/test.html; donefound by: Mateusz Kocielski, Michał Dardas from LogicalTrust
The text was updated successfully, but these errors were encountered: