
out-of-bounds read in search_make_new() #332

Closed
asn-d6 opened this issue Mar 3, 2016 · 4 comments

asn-d6 commented Mar 3, 2016

Here follows a bug report by Guido Vranken via the Tor bug bounty program. Please credit Guido accordingly.

Bug report

The DNS code of Libevent contains this rather obvious OOB read:

3122 static char *
3123 search_make_new(const struct search_state *const state, int n, const char *const base_name) {
3124     const size_t base_len = strlen(base_name);
3125     const char need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;

If the length of base_name is 0, then line 3125 reads 1 byte before the buffer. This will trigger a crash on ASAN-protected builds.

To reproduce:

Build libevent with ASAN:

$ CFLAGS='-fomit-frame-pointer -fsanitize=address' ./configure && make -j4

Put the attached resolv.conf and poc.c in the source directory and then do:

$ gcc -fsanitize=address -fomit-frame-pointer poc.c .libs/libevent.a
$ ./a.out
=================================================================
==22201== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60060000efdf at pc 0x4429da bp 0x7ffe1ed47300 sp 0x7ffe1ed472f8
READ of size 1 at 0x60060000efdf thread T0

This happens because I create a zero-length string in poc.c:

    char* hostname = malloc(32);
    memset(hostname, 0, 32);
    //hostname[0] = 'x';

If you uncomment the last line, it will not crash.

Guido

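As an added illustration (not libevent's own code, and not the commit that closed this issue), here is the unchecked `strlen() - 1` indexing from the report beside a bounds-checked version; `struct search_domain`, `need_dot_checked` and `search_make_new_checked` are assumed names for this example only.

```c
/* Added example, not libevent code: the "need to append a dot" test that
 * search_make_new() performs first, in its unchecked form and in a form
 * that rejects an empty name instead of indexing base_name[-1]. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for one search-domain suffix. */
struct search_domain { const char *domain; };

/* Mirrors the original computation with no length check. With an empty
 * string, base_len - 1 wraps and this reads one byte before the buffer,
 * which is the heap-buffer-overflow ASAN reports. Not called with "" here. */
static int need_dot_unchecked(const char *base_name)
{
    size_t base_len = strlen(base_name);
    return base_name[base_len - 1] == '.' ? 0 : 1;
}

/* Hardened: -1 for an empty name, so the caller bails out before any
 * indexing happens; 0 if the name already ends in '.', 1 otherwise. */
static int need_dot_checked(const char *base_name)
{
    size_t base_len = strlen(base_name);
    if (base_len == 0)
        return -1;
    return base_name[base_len - 1] == '.' ? 0 : 1;
}

/* Builds "<base_name>.<domain>" (no extra dot when base_name already ends
 * in one). Returns NULL for an empty name or on allocation failure. */
static char *search_make_new_checked(const struct search_domain *sd,
                                     const char *base_name)
{
    int need_dot = need_dot_checked(base_name);
    if (need_dot < 0)
        return NULL;
    size_t base_len = strlen(base_name);
    size_t dom_len = strlen(sd->domain);
    char *out = malloc(base_len + (size_t)need_dot + dom_len + 1);
    if (!out)
        return NULL;
    memcpy(out, base_name, base_len);
    if (need_dot)
        out[base_len] = '.';
    memcpy(out + base_len + need_dot, sd->domain, dom_len + 1);
    return out;
}
```

Running the unchecked variant on a zero-length heap string under an ASAN build reproduces the report's `READ of size 1` one byte below the allocation; the checked variant returns NULL for the same input.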

harjoc commented Mar 3, 2016

@asn-the-goblin-slayer Is the resolv.conf still to be attached?


asn-d6 commented Mar 3, 2016

Sure @Patraulea. I attach all relevant files from Guido. Hopefully they are of use.

resolv.txt
poc.c.txt

@azat azat self-assigned this Mar 24, 2016
azat added a commit that referenced this issue Mar 24, 2016
@azat azat closed this as completed in ec65c42 Mar 24, 2016

azat commented Mar 24, 2016

@asn-the-goblin-slayer thanks again for a detailed report! Fixed.


lfam commented Feb 2, 2017

This was assigned CVE-2016-10197:

http://seclists.org/oss-sec/2017/q1/282

BrendanCunningham pushed a commit to BrendanCunningham/ompi that referenced this issue Jul 26, 2022
…i#10542.

CVE: https://nvd.nist.gov/vuln/detail/CVE-2016-10195
libevent issue: libevent dns remote stack overread vulnerability
    libevent/libevent#317
libevent fixing commit: libevent/libevent@96f64a0

CVE: https://nvd.nist.gov/vuln/detail/CVE-2016-10196
libevent issue: libevent (stack) buffer overflow in
    evutil_parse_sockaddr_port() libevent/libevent#318
libevent fixing commit: libevent/libevent@329acc1

CVE: https://nvd.nist.gov/vuln/detail/CVE-2016-10197
libevent issue: out-of-bounds read in search_make_new()
    libevent/libevent#332
libevent fixing commit: libevent/libevent@ec65c42

Signed-off-by: Brendan Cunningham <bcunningham@cornelisnetworks.com>