Closed
Description
Here follows a bug report by Guido Vranken via the Tor bug bounty program. Please credit Guido accordingly.
Bug report
The DNS code of Libevent contains this rather obvious OOB read:
3122 static char *
3123 search_make_new(const struct search_state *const state, int n, const char *const base_name) {
3124 const size_t base_len = strlen(base_name);
3125 const char need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;If the length of base_name is 0, then line 3125 reads 1 byte before the buffer. This will trigger a crash on ASAN-protected builds.
To reproduce:
Build libevent with ASAN:
$ CFLAGS='-fomit-frame-pointer -fsanitize=address' ./configure && make -j4
Put the attached resolv.conf and poc.c in the source directory and then do:
$ gcc -fsanitize=address -fomit-frame-pointer poc.c .libs/libevent.a
$ ./a.out
=================================================================
==22201== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60060000efdf at pc 0x4429da bp 0x7ffe1ed47300 sp 0x7ffe1ed472f8
READ of size 1 at 0x60060000efdf thread T0
This happens because I create a zero-length string in poc.c:
char* hostname = malloc(32);
memset(hostname, 0, 32);
//hostname[0] = 'x';If you uncomment the last line, it will not crash.
Guido