Memory corruption in MQTT input plugin leading to crash of the server while processing crafted MQTT message #1135

Open
cve-reporting opened this Issue Feb 25, 2019 · 1 comment

cve-reporting commented Feb 25, 2019

The Fluent Bit MQTT input plugin, acting as an MQTT broker (server), incorrectly handles incoming network messages.
After processing a crafted packet, the plugin executes the memmove() function with a negative size parameter.
That leads to a crash of the whole Fluent Bit server via a SIGSEGV signal.

Proposed CVSS 3.0 score: 7.5 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Error message WITHOUT Address Sanitizer:

./build/bin/fluent-bit -i mqtt -t data -o stdout -m '*' --config=conf/in_mqtt.conf
Fluent Bit v1.0.4
Copyright (C) Treasure Data

[2019/02/25 16:06:27] [ info] [storage] initializing...
[2019/02/25 16:06:27] [ info] [storage] in-memory
[2019/02/25 16:06:27] [ info] [storage] normal synchronization mode, checksum disabled
[2019/02/25 16:06:27] [ info] [engine] started (pid=16525)
[engine] caught signal (SIGSEGV)
#0 0x7f287ab70e2c in ???() at ???:0
#1 0x470dee in ???() at ???:0
#2 0x471755 in ???() at ???:0
#3 0x470397 in ???() at ???:0
#4 0x4371e7 in ???() at ???:0
#5 0x421e90 in ???() at ???:0
#6 0x7f287aa4382f in ???() at ???:0
#7 0x420088 in ???() at ???:0
#8 0xffffffffffffffff in ???() at ???:0
Aborted

Error message WITH Address Sanitizer:

./build_asan/bin/fluent-bit -i mqtt -t data -o stdout -m '*' --config=conf/in_mqtt.conf
Fluent Bit v1.0.4
Copyright (C) Treasure Data

[2019/02/25 15:52:55] [ info] [storage] initializing...
[2019/02/25 15:52:55] [ info] [storage] in-memory
[2019/02/25 15:52:55] [ info] [storage] normal synchronization mode, checksum disabled
[2019/02/25 15:52:55] [ info] [engine] started (pid=16457)

==16457==ERROR: AddressSanitizer: negative-size-param: (size=-1)
#0 0x7f7c9283c05d in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8d05d)
#1 0x4caaa0 in mqtt_packet_drop /fluent-bit-1.0.4/plugins/in_mqtt/mqtt_prot.c:72
#2 0x4cc51e in mqtt_prot_parser /fluent-bit-1.0.4/plugins/in_mqtt/mqtt_prot.c:385
#3 0x4c8efa in mqtt_conn_event /fluent-bit-1.0.4/plugins/in_mqtt/mqtt_conn.c:47
#4 0x447535 in flb_engine_start /fluent-bit-1.0.4/src/flb_engine.c:484
#5 0x423da0 in main /fluent-bit-1.0.4/src/fluent-bit.c:842
#6 0x7f7c918ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x420a08 in _start (/fluent-bit-1.0.4/build_asan/bin/fluent-bit+0x420a08)

0x6190000032d6 is located 86 bytes inside of 1112-byte region [0x619000003280,0x6190000036d8)
allocated by thread T0 here:
#0 0x7f7c92847602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4c88bd in flb_malloc /fluent-bit-1.0.4/include/fluent-bit/flb_mem.h:57
#2 0x4c8f77 in mqtt_conn_add /fluent-bit-1.0.4/plugins/in_mqtt/mqtt_conn.c:72
#3 0x4c87d2 in in_mqtt_collect /fluent-bit-1.0.4/plugins/in_mqtt/mqtt.c:94
#4 0x43602f in flb_input_collector_fd /fluent-bit-1.0.4/src/flb_input.c:815
#5 0x44714b in flb_engine_handle_event /fluent-bit-1.0.4/src/flb_engine.c:251
#6 0x44714b in flb_engine_start /fluent-bit-1.0.4/src/flb_engine.c:457
#7 0x423da0 in main /fluent-bit-1.0.4/src/fluent-bit.c:842
#8 0x7f7c918ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memmove
==16457==ABORTING

Reproduction:

1. Compile Fluent Bit with Address Sanitizer by enabling the compilation flag: -fsanitize=address

2. Run Fluent Bit with the MQTT plugin enabled:
   fluent-bit -i mqtt -t data -o stdout -m '*' --config=conf/in_mqtt.conf

3. Send the attached crafted message, e.g. using netcat:
   netcat (IP_addr) 1883 < fluent-bit_mqtt_crash_000.raw
   where IP_addr is the IP of the test server.
   Attachment: fluent-bit_mqtt_crash_000.raw.zip
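Added illustration of the bug class behind the ASan report above. This is not Fluent Bit's code and does not reproduce the attached packet: `struct conn`, `drop_size`, `packet_drop_unchecked`, `packet_drop_checked` and `consume_packet_checked` are hypothetical names chosen here, and the buffer layout is a simplification. The only non-invented piece is the Remaining Length decoding, which follows the MQTT 3.1.1 variable-length integer rule. The program shows how a packet length derived from untrusted header bytes, when larger than what is actually buffered, turns `buf_len - pkt_len` into a wrapped `size_t` (the `size=-1` ASan prints is an overshoot of exactly one byte), and how the checked variant refuses to drop more than it holds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-connection receive buffer (constructed for this example;
 * NOT Fluent Bit's mqtt_conn structure). */
struct conn {
    unsigned char buf[64];
    size_t buf_len;          /* bytes currently buffered from the socket */
};

/* Decode the MQTT "Remaining Length" field (variable-length int, 1..4 bytes,
 * MQTT 3.1.1 section 2.2.3). Returns header bytes consumed (1..4), 0 if more
 * bytes are needed, -1 if a fifth continuation byte appears (malformed). */
int mqtt_remaining_length(const unsigned char *p, size_t n, size_t *out)
{
    size_t value = 0, mult = 1;
    for (size_t i = 0; i < 4; i++) {
        if (i >= n)
            return 0;
        value += (size_t)(p[i] & 0x7F) * mult;
        if (!(p[i] & 0x80)) {
            *out = value;
            return (int)i + 1;
        }
        mult *= 128;
    }
    return -1;
}

/* Size memmove() would be asked to move when dropping pkt_len bytes from a
 * buffer holding buf_len bytes. With pkt_len > buf_len the unsigned
 * subtraction wraps; ASan reports the wrapped value as negative-size-param. */
size_t drop_size(size_t buf_len, size_t pkt_len)
{
    return buf_len - pkt_len;
}

/* Vulnerable shape (the pattern the report describes, not a copy of
 * mqtt_packet_drop): the packet length is trusted without a bounds check.
 * Never called below; with pkt_len > buf_len it would crash. */
void packet_drop_unchecked(struct conn *c, size_t pkt_len)
{
    memmove(c->buf, c->buf + pkt_len, drop_size(c->buf_len, pkt_len));
    c->buf_len -= pkt_len;
}

/* Hardened shape: refuse to drop more than is actually buffered. */
int packet_drop_checked(struct conn *c, size_t pkt_len)
{
    if (pkt_len > c->buf_len)
        return -1;           /* caller waits for more data or closes the connection */
    memmove(c->buf, c->buf + pkt_len, c->buf_len - pkt_len);
    c->buf_len -= pkt_len;
    return 0;
}

/* Parse one fixed header and drop the whole packet if it is complete.
 * Returns bytes dropped (>0), 0 if the packet is incomplete, -1 if malformed. */
int consume_packet_checked(struct conn *c)
{
    if (c->buf_len < 2)
        return 0;
    size_t rem = 0;
    int hdr = mqtt_remaining_length(c->buf + 1, c->buf_len - 1, &rem);
    if (hdr <= 0)
        return hdr;
    size_t pkt_len = 1 + (size_t)hdr + rem;   /* control byte + length bytes + body */
    if (packet_drop_checked(c, pkt_len) < 0)
        return 0;
    return (int)pkt_len;
}

int main(void)
{
    /* Constructed sample: PUBLISH fixed header (0x30) claiming 5 remaining
     * bytes while only 3 payload bytes have arrived. */
    struct conn c = { .buf = { 0x30, 0x05, 'a', 'b', 'c' }, .buf_len = 5 };
    size_t claimed = 1 + 1 + 5;
    printf("unchecked memmove size would be %zu (as signed: %ld)\n",
           drop_size(c.buf_len, claimed), (long)drop_size(c.buf_len, claimed));
    printf("checked consume -> %d (0 = wait for more data)\n",
           consume_packet_checked(&c));
    return 0;
}
```

The check that matters is the comparison against bytes actually received, not against the length the peer claims; a complete packet of the same shape (constructed in the test) is consumed normally by the checked path.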

@cve-reporting cve-reporting changed the title from "Memory corruption while processing MQTT input plugin leading to crash of the server" to "Memory corruption in MQTT input plugin leading to crash of the server while processing crafted MQTT message" Feb 25, 2019

@edsiper edsiper self-assigned this Feb 26, 2019

cve-reporting commented Mar 13, 2019

@edsiper Could you confirm and provide any estimate of the fixing time?
Do you have any questions regarding this issue?
