out-of-bounds read in search_make_new() #332

Closed
@asn-d6

Description

Here follows a bug report by Guido Vranken via the Tor bug bounty program. Please credit Guido accordingly.

Bug report

The DNS code of Libevent contains this rather obvious OOB read:

3122 static char *
3123 search_make_new(const struct search_state *const state, int n, const char *const base_name) {
3124     const size_t base_len = strlen(base_name);
3125     const char need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;

If the length of base_name is 0, then line 3125 reads 1 byte before the buffer. This will trigger a crash on ASAN-protected builds.

To reproduce:

Build libevent with ASAN:

$ CFLAGS='-fomit-frame-pointer -fsanitize=address' ./configure && make -j4

Put the attached resolv.conf and poc.c in the source directory and then do:

$ gcc -fsanitize=address -fomit-frame-pointer poc.c .libs/libevent.a
$ ./a.out
=================================================================
==22201== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60060000efdf at pc 0x4429da bp 0x7ffe1ed47300 sp 0x7ffe1ed472f8
READ of size 1 at 0x60060000efdf thread T0

This happens because I create a zero-length string in poc.c:

    char* hostname = malloc(32);
    memset(hostname, 0, 32);
    //hostname[0] = 'x';

If you uncomment the last line, it will not crash.

Guido
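The excerpt above shows only the offending expression, so as an added illustration (not libevent's code and not part of the report) the stand-in below reproduces the name-joining step the report describes and adds the length check the quoted code lacks. The function name `safe_search_make_new`, the `join_matches` helper and the sample domain are all hypothetical; the guard shown is one plausible fix, not necessarily the one applied upstream.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not libevent code: a hypothetical stand-in for the
 * name-joining step of search_make_new(). It appends a search domain to
 * base_name, inserting a "." only when base_name does not already end
 * in one, which is what the need_to_append_dot expression in the report
 * decides. The difference is the length guard: with base_len == 0 the
 * size_t subtraction wraps, so base_name[base_len - 1] is
 * base_name[SIZE_MAX], i.e. the byte before the buffer that ASAN flags
 * in the report. Here an empty name is rejected before that read.
 */
static char *
safe_search_make_new(const char *domain, const char *base_name)
{
    const size_t base_len = strlen(base_name);
    const size_t domain_len = strlen(domain);
    size_t out_len;
    char need_to_append_dot;
    char *newname;

    if (base_len == 0)  /* guard missing from the reported code */
        return NULL;
    need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;

    out_len = base_len + need_to_append_dot + domain_len;
    newname = malloc(out_len + 1);
    if (newname == NULL)
        return NULL;
    memcpy(newname, base_name, base_len);
    if (need_to_append_dot)
        newname[base_len] = '.';
    memcpy(newname + base_len + need_to_append_dot, domain, domain_len);
    newname[out_len] = '\0';
    return newname;
}

/* Test helper: 1 if joining base_name with domain yields expected
 * (expected == NULL means "must be rejected"), 0 otherwise. */
static int
join_matches(const char *domain, const char *base_name, const char *expected)
{
    char *got = safe_search_make_new(domain, base_name);
    int ok;

    if (got == NULL || expected == NULL)
        ok = (got == NULL && expected == NULL);
    else
        ok = (strcmp(got, expected) == 0);
    free(got);
    return ok;
}

int
main(void)
{
    /* Constructed inputs mirroring the PoC: the empty hostname that
     * triggers the report, then a hostname with and without a trailing dot. */
    const char *domain = "example.org";
    char *a = safe_search_make_new(domain, "host");
    char *b = safe_search_make_new(domain, "host.");

    printf("\"\"    -> %s\n", safe_search_make_new(domain, "") ? "joined" : "rejected");
    printf("host  -> %s\nhost. -> %s\n", a, b);
    free(a);
    free(b);
    return 0;
}
```

Built with the same `-fsanitize=address` flags as in the report, the empty-name case now returns NULL instead of reading before the buffer; the trailing-dot case shows why the original expression needs the last byte at all.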
