
Null Pointer Dereference from processing Query String #271

Closed
xsscx opened this issue Dec 19, 2017 · 1 comment


xsscx commented Dec 19, 2017

Hello and Good Day-

The Code for xmrblocks (https://github.com/moneroexamples/onion-monero-blockchain-explorer) uses crow as its HTTP Server.

I've found a Null Pointer Dereference, which looks to be hitting in crow. It would be helpful to have an ASAN Build Option in crow to help further identify the offending line of code.

The Null Pointer issue arises due to a Malicious Query String being processed, e.g.: localhost/?value=malicious_poc

I prefer not to dump PoC Code into a Public Ticket, but the Bug is Trivial for anyone with a security background to identify and confirm.

=========================================

Darwin server.local 17.3.0 Darwin Kernel Version 17.3.0: Thu Nov 9 18:09:22 PST 2017; root:xnu-4570.31.3~1/RELEASE_X86_64 x86_64

lldb

target create --no-dependents xmrblocks

process launch --environment MallocStackLogging=1 --environment MallocScribble=1 --environment MALLOC_PERMIT_INSANE_REQUESTS=22

Process 95780 stopped

* thread #2, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x00007fff7ed3d432 libsystem_c.dylib`strlen + 18
libsystem_c.dylib`strlen:
->  0x7fff7ed3d432 <+18>: pcmpeqb (%rdi), %xmm0
    0x7fff7ed3d436 <+22>: pmovmskb %xmm0, %esi
    0x7fff7ed3d43a <+26>: andq $0xf, %rcx
    0x7fff7ed3d43e <+30>: orq $-0x1, %rax
Target 0: (xmrblocks) stopped.

(lldb) bt
* thread #2, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00007fff7ed3d432 libsystem_c.dylib`strlen + 18
    frame #1: 0x0000000100046145 xmrblocks`std::__1::char_traits<char>::length(char const*) + 21
    frame #2: 0x0000000100247677 xmrblocks`main::$_16::operator()(crow::request const&) const + 375
    frame #3: 0x0000000100247452 xmrblocks`std::__1::enable_if<(!(black_magic::CallHelper<main::$_16, crow::black_magic::S<> >::value)) && (black_magic::CallHelper<main::$_16, crow::black_magic::S<crow::request> >::value), void>::type crow::TaggedRule<>::operator()<main::$_16>(main::$_16&&)::'lambda'(crow::request const&, crow::response&)::operator()(crow::request const&, crow::response&) const + 82
    frame #4: 0x00000001002473ed xmrblocks`void std::__1::__invoke_void_return_wrapper<void>::__call<std::__1::enable_if<(!(black_magic::CallHelper<main::$_16, crow::black_magic::S<> >::value)) && (black_magic::CallHelper<main::$_16, crow::black_magic::S<crow::request> >::value), void>::type crow::TaggedRule<>::operator()<main::$_16>(main::$_16&&)::'lambda'(crow::request const&, crow::response&)&, crow::request const&, crow::response&>(std::__1::enable_if<(!(black_magic::CallHelper<main::$_16, crow::black_magic::S<> >::value)) && (black_magic::CallHelper<main::$_16, crow::black_magic::S<crow::request> >::value), void>::type crow::TaggedRule<>::operator()<main::$_16>(main::$_16&&)::'lambda'(crow::request const&, crow::response&)&&&, crow::request const&&&, crow::response&&&) + 109
    frame #5: 0x00000001002472c9 xmrblocks`std::__1::__function::__func<std::__1::enable_if<(!(black_magic::CallHelper<main::$_16, crow::black_magic::S<> >::value)) && (black_magic::CallHelper<main::$_16, crow::black_magic::S<crow::request> >::value), void>::type crow::TaggedRule<>::operator()<main::$_16>(main::$_16&&)::'lambda'(crow::request const&, crow::response&), std::__1::allocator<std::__1::enable_if<(!(black_magic::CallHelper<main::$_16, crow::black_magic::S<> >::value)) && (black_magic::CallHelper<main::$_16, crow::black_magic::S<crow::request> >::value), void>::type crow::TaggedRule<>::operator()<main::$_16>(main::$_16&&)::'lambda'(crow::request const&, crow::response&)>, void (crow::request const&, crow::response&)>::operator()(crow::request const&, crow::response&) + 73
    frame #6: 0x00000001000c61d2 xmrblocks`std::__1::function<void (crow::request const&, crow::response&)>::operator()(crow::request const&, crow::response&) const + 178
    frame #7: 0x00000001000c6110 xmrblocks`crow::detail::routing_handler_call_helper::call<crow::detail::routing_handler_call_helper::call_params<std::__1::function<void (crow::request const&, crow::response&)> >, 0, 0, 0, 0, crow::black_magic::S<>, crow::black_magic::S<> >::operator()(crow::detail::routing_handler_call_helper::call_params<std::__1::function<void (crow::request const&, crow::response&)> >) + 32
    frame #8: 0x00000001000c5a9e xmrblocks`crow::TaggedRule<>::handle(crow::request const&, crow::response&, crow::routing_params const&) + 110
    frame #9: 0x0000000100318a1b xmrblocks`crow::Router::handle(crow::request const&, crow::response&) + 6699
    frame #10: 0x00000001002fa374 xmrblocks`crow::Crow<>::handle(crow::request const&, crow::response&) + 52
    frame #11: 0x0000000100334d51 xmrblocks`crow::Connection<crow::SocketAdaptor, crow::Crow<> >::handle() + 5105
    frame #12: 0x000000010033394c xmrblocks`crow::HTTPParser<crow::Connection<crow::SocketAdaptor, crow::Crow<> > >::process_message() + 28
    frame #13: 0x0000000100330c17 xmrblocks`crow::HTTPParser<crow::Connection<crow::SocketAdaptor, crow::Crow<> > >::on_message_complete(http_parser*) + 2071
    frame #14: 0x00000001002eb562 xmrblocks`http_parser_execute + 15986
    frame #15: 0x000000010032f461 xmrblocks`crow::HTTPParser<crow::Connection<crow::SocketAdaptor, crow::Crow<> > >::feed(char const*, int) + 49
    frame #16: 0x000000010032f1cb xmrblocks`crow::Connection<crow::SocketAdaptor, crow::Crow<> >::do_read()::'lambda'(boost::system::error_code const&, unsigned long)::operator()(boost::system::error_code const&, unsigned long) const + 123
    frame #17: 0x000000010032f143 xmrblocks`boost::asio::detail::binder2<crow::Connection<crow::SocketAdaptor, crow::Crow<> >::do_read()::'lambda'(boost::system::error_code const&, unsigned long), boost::system::error_code, unsigned long>::operator()() + 35
    frame #18: 0x000000010032f115 xmrblocks`void boost::asio::asio_handler_invoke<boost::asio::detail::binder2<crow::Connection<crow::SocketAdaptor, crow::Crow<> >::do_read()::'lambda'(boost::system::error_code const&, unsigned long), boost::system::error_code, unsigned long> >(boost::asio::detail::binder2<crow::Connection<crow::SocketAdaptor, crow::Crow<> >::do_read()::'lambda'(boost::system::error_code const&, unsigned long), boost::system::error_code, unsigned long>&, ...) + 21
    frame #19: 0x000000010032f067 xmrblocks`void boost_asio_handler_invoke_helpers::invoke<boost::asio::detail::binder2<crow::Connection<crow::SocketAdaptor, crow::Crow<> >::do_read()::'lambda'(boost::system::error_code const&, unsigned long), boost::system::error_code, unsigned long>, crow::Connection<crow::SocketAdaptor, crow::Crow<> >::do_read()::'lambda'(boost::system::error_code const&, unsigned long)>(boost::asio::detail::binder2<crow::Connection<crow::SocketAdaptor, crow::Crow<> >::do_read()::'lambda'(boost::system::error_code const&, unsigned long), boost::system::error_code, unsigned long>&, crow::Connection<crow::SocketAdaptor, crow::Crow<> >::do_read()::'lambda'(boost::system::error_code const&, unsigned long)&) + 39
    frame #20: 0x000000010032ef34 xmrblocks`boost::asio::detail::reactive_socket_recv_op<boost::asio::mutable_buffers_1, crow::Connection<crow::SocketAdaptor, crow::Crow<> >::do_read()::'lambda'(boost::system::error_code const&, unsigned long)>::do_complete(boost::asio::detail::task_io_service*, boost::asio::detail::task_io_service_operation*, boost::system::error_code const&, unsigned long) + 196
    frame #21: 0x00000001002d0dd7 xmrblocks`boost::asio::detail::task_io_service_operation::complete(boost::asio::detail::task_io_service&, boost::system::error_code const&, unsigned long) + 71
    frame #22: 0x00000001002d0334 xmrblocks`boost::asio::detail::task_io_service::do_run_one(boost::asio::detail::scoped_lock<boost::asio::detail::posix_mutex>&, boost::asio::detail::task_io_service_thread_info&, boost::system::error_code const&) + 500
    frame #23: 0x00000001002cff74 xmrblocks`boost::asio::detail::task_io_service::run(boost::system::error_code&) + 372
    frame #24: 0x00000001002c28f1 xmrblocks`boost::asio::io_service::run() + 49
    frame #25: 0x000000010032677c xmrblocks`crow::Server<crow::Crow<>, crow::SocketAdaptor>::run()::'lambda'()::operator()() const + 1452
    frame #26: 0x00000001003261bd xmrblocks`void std::__1::__async_func<crow::Server<crow::Crow<>, crow::SocketAdaptor>::run()::'lambda'()>::__execute<>(std::__1::__tuple_indices<>) + 61
    frame #27: 0x0000000100326175 xmrblocks`std::__1::__async_func<crow::Server<crow::Crow<>, crow::SocketAdaptor>::run()::'lambda'()>::operator()() + 21
    frame #28: 0x00000001003260c5 xmrblocks`std::__1::__async_assoc_state<void, std::__1::__async_func<crow::Server<crow::Crow<>, crow::SocketAdaptor>::run()::'lambda'()> >::__execute() + 37
    frame #29: 0x000000010032a62f xmrblocks`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (std::__1::__async_assoc_state<void, std::__1::__async_func<crow::Server<crow::Crow<>, crow::SocketAdaptor>::run()::'lambda'()> >::*)(), std::__1::__async_assoc_state<void, std::__1::__async_func<crow::Server<crow::Crow<>, crow::SocketAdaptor>::run()::'lambda'()> >*> >(void*) + 687
    frame #30: 0x00007fff7ef786c1 libsystem_pthread.dylib`_pthread_body + 340
    frame #31: 0x00007fff7ef7856d libsystem_pthread.dylib`_pthread_start + 377
    frame #32: 0x00007fff7ef77c5d libsystem_pthread.dylib`thread_start + 13

(lldb) register read
General Purpose Registers:
rax = 0x0000000000000000
rbx = 0x0000001062945000
rcx = 0x0000000000000000
rdx = 0x0000000000000000
rdi = 0x0000000000000000
rsi = 0x00000010a68c7f68
rbp = 0x00000010629415b0
rsp = 0x00000010629415b0
r8 = 0x0000000000000002
r9 = 0x000000010074379f "value"
r10 = 0x0000000000000000
r11 = 0x0000000f621fdea2
r12 = 0x000000010032a380 xmrblocks`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (std::__1::__async_assoc_state<void, std::__1::__async_func<crow::Server<crow::Crow<>, crow::SocketAdaptor>::run()::'lambda'()> >::*)(), std::__1::__async_assoc_state<void, std::__1::__async_func<crow::Server<crow::Crow<>, crow::SocketAdaptor>::run()::'lambda'()> >*> >(void*)
r13 = 0x0000000000000000
r14 = 0x0000001062945000
r15 = 0x0000000000000000
rip = 0x00007fff7ed3d432 libsystem_c.dylib`strlen + 18
rflags = 0x0000000000010246
cs = 0x000000000000002b
fs = 0x0000000000000000
gs = 0x0000000000000000

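Added example, not code from crow or from xmrblocks. What the trace above pins down: frame #0 is strlen with rdi = 0, frame #1 is libc++'s std::char_traits<char>::length (what the std::string(const char*) constructor calls), frame #2 is the application's own handler lambda (main::$_16), and r9 points at the string "value". Everything from frame #3 down is crow's routing and boost::asio plumbing, so the dereference itself happens in the handler, not in crow. The plausible reading, stated here as an inference from the trace rather than a fact the issue confirms, is a std::string built straight from the pointer crow's request::url_params.get("value") returns, which is nullptr when the parameter is not found. The QueryParams class below is a constructed stand-in with that same return-nullptr contract, so the file compiles without crow; unsafe_value reproduces the crashing pattern (never called), value_or is the hardened form.

```cpp
// Added example (not crow's or xmrblocks' code): why std::string(get("value"))
// ends in strlen(NULL), and the check that prevents it.
#include <cassert>
#include <cstring>
#include <string>
#include <vector>

// Constructed stand-in for crow's query_string: get(key) returns a pointer
// to the value, or nullptr when the key is absent or has no '=' after it.
class QueryParams {
public:
    explicit QueryParams(const std::string& qs) {
        size_t start = 0;
        while (start <= qs.size()) {
            size_t amp = qs.find('&', start);
            if (amp == std::string::npos) amp = qs.size();
            if (amp > start) pairs_.push_back(qs.substr(start, amp - start));
            start = amp + 1;
        }
    }

    // Same contract as the real API: the caller must test for nullptr.
    const char* get(const std::string& key) const {
        for (const std::string& kv : pairs_) {
            size_t eq = kv.find('=');
            if (eq == std::string::npos) continue;   // "value" without '=' -> not found
            if (kv.compare(0, eq, key) == 0)         // exact key match before '='
                return kv.c_str() + eq + 1;
        }
        return nullptr;
    }

private:
    std::vector<std::string> pairs_;
};

// The crashing pattern the backtrace suggests: std::string's const char*
// constructor calls char_traits<char>::length(), i.e. strlen(), on the
// pointer. With nullptr that is strlen(NULL): EXC_BAD_ACCESS at 0x0.
// Deliberately never called here.
std::string unsafe_value(const QueryParams& q) {
    return std::string(q.get("value"));
}

// Hardened form: treat nullptr as "parameter not supplied" and substitute
// a fallback instead of dereferencing it.
std::string value_or(const QueryParams& q, const std::string& fallback) {
    const char* v = q.get("value");
    if (v == nullptr) return fallback;
    return std::string(v);
}

int main() {
    QueryParams ok("value=abc&x=1");
    assert(value_or(ok, "<missing>") == "abc");

    QueryParams absent("x=1");            // constructed: key not present
    assert(absent.get("value") == nullptr);
    assert(value_or(absent, "<missing>") == "<missing>");

    QueryParams bare("x=1&value");        // constructed: key present, no '='
    assert(bare.get("value") == nullptr);
    // unsafe_value(bare) would crash exactly like frames #0-#2 above.
    return 0;
}
```

Building the server with -fsanitize=address -g (for a CMake project, CMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer -g") gives the ASAN report the issue asks for: a SEGV on address 0x0 with a symbolised stack that names the handler's source line rather than an offset into main::$_16.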