
Memory corruption (free on invalid pointer) while parsing DTLS messages #33

Closed
jakub-botwicz opened this issue Jul 25, 2019 · 2 comments


@jakub-botwicz

jakub-botwicz commented Jul 25, 2019

The MatrixSSL DTLS server (in versions 4.2.1 Open and 4.1.0 Open) incorrectly handles incoming network messages, leading to a memory corruption issue that results in a crash of the server.

Proposed CVSS 3.0 score:
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Error message WITHOUT Address Sanitizer:

matrixssl-4-2-1-open$ apps/dtls/dtlsServer -p 44444

DTLS server running on port 44444
Select woke 1
Sent 44 bytes
Select woke 1
Got REQUEST_RECV from ReceivedData
Select woke 1
*** Error in `apps/dtls/dtlsServer': free(): invalid pointer: 0x000000000224ae10 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f33eff327e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f33eff3b37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f33eff3f53c]
apps/dtls/dtlsServer[0x403804]
apps/dtls/dtlsServer[0x40be10]
apps/dtls/dtlsServer[0x4082b6]
apps/dtls/dtlsServer[0x4023dc]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f33efedb830]
apps/dtls/dtlsServer[0x402969]
======= Memory map: ========
Aborted

Reproduction:

  1. Download and compile MatrixSSL 4.2.1 OPEN (or earlier).

  2. Run DTLS server:
    cd matrixssl-4-2-1-open
    apps/dtls/dtlsServer -p 44444

  3. Unzip and send attached crafted message e.g. using netcat:
    netcat -u $IP 44444 < payload_matrixssl_003.raw
    where $IP is the IP of the test server

payload_matrixssl_003.raw.zip
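As an added illustration (not MatrixSSL code, and not the root cause of this issue, which the report does not identify), the block below is a bounds-checked parser for the DTLS 1.2 record and handshake-fragment headers: the class of length validation a DTLS message parser needs so that inconsistent lengths are rejected before any buffer is allocated, copied or freed. The sample records are constructed, not taken from the attached payload.

```c
#include <stdint.h>
#include <stddef.h>

#define DTLS_RECORD_HDR 13      /* type(1) version(2) epoch(2) seq(6) length(2) */
#define DTLS_HS_HDR     12      /* msg_type(1) length(3) msg_seq(2) frag_off(3) frag_len(3) */
#define DTLS_MAX_FRAGMENT 16384 /* 2^14 record payload limit */

typedef struct {
    uint8_t  msg_type;
    uint32_t msg_len;   /* length of the reassembled handshake message */
    uint16_t msg_seq;
    uint32_t frag_off;
    uint32_t frag_len;
    const uint8_t *frag; /* points into the caller's buffer, nothing is copied */
} dtls_hs_t;

static uint32_t rd24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* Returns 0 on success, a negative code for each inconsistency. Every length
 * field is checked against the bytes actually received before it is used. */
int dtls_parse_handshake_record(const uint8_t *buf, size_t n, dtls_hs_t *out)
{
    if (n < DTLS_RECORD_HDR) return -1;                   /* truncated record header */
    if (buf[0] != 22) return -2;                          /* not a handshake record */
    uint16_t rec_len = (uint16_t)((buf[11] << 8) | buf[12]);
    if (rec_len > DTLS_MAX_FRAGMENT) return -3;           /* above the protocol limit */
    if ((size_t)rec_len > n - DTLS_RECORD_HDR) return -4; /* claims bytes we never got */
    if (rec_len < DTLS_HS_HDR) return -5;                 /* truncated handshake header */
    const uint8_t *hs = buf + DTLS_RECORD_HDR;
    out->msg_type = hs[0];
    out->msg_len  = rd24(hs + 1);
    out->msg_seq  = (uint16_t)((hs[4] << 8) | hs[5]);
    out->frag_off = rd24(hs + 6);
    out->frag_len = rd24(hs + 9);
    if (out->frag_len > (uint32_t)(rec_len - DTLS_HS_HDR)) return -6; /* fragment overruns record */
    if (out->frag_off > out->msg_len ||
        out->frag_len > out->msg_len - out->frag_off) return -7;      /* fragment outside message */
    out->frag = hs + DTLS_HS_HDR;
    return 0;
}

/* Constructed samples: a valid 4-byte fragment, one whose offset lies past the
 * message end, and one whose record length exceeds the datagram. */
static const uint8_t good_rec[] = {22,0xfe,0xfd,0,0,0,0,0,0,0,0,0,16, 1,0,0,4,0,0,0,0,0,0,0,4,0xde,0xad,0xbe,0xef};
static const uint8_t bad_off[]  = {22,0xfe,0xfd,0,0,0,0,0,0,0,0,0,16, 1,0,0,4,0,0,0,0,16,0,0,4,0xde,0xad,0xbe,0xef};
static const uint8_t bad_len[]  = {22,0xfe,0xfd,0,0,0,0,0,0,0,0,0,40, 1,0,0,4,0,0,0,0,0,0,0,4,0xde,0xad,0xbe,0xef};

int dtls_check_sample(int which) /* 0: good, 1: bad offset, 2: bad length, other: truncated datagram */
{
    dtls_hs_t hs;
    if (which == 0) return dtls_parse_handshake_record(good_rec, sizeof good_rec, &hs);
    if (which == 1) return dtls_parse_handshake_record(bad_off, sizeof bad_off, &hs);
    if (which == 2) return dtls_parse_handshake_record(bad_len, sizeof bad_len, &hs);
    return dtls_parse_handshake_record(good_rec, 5, &hs);
}
```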

@matrixssl-admin
Contributor

We are currently preparing a new release of MatrixSSL, including fixes for these reported DTLS issues.

Do you wish to be acknowledged in the changelogs and if so, under what name (and organization)?

@jakub-botwicz
Author

Yes - please use the following info: "Jakub Botwicz (Samsung R&D Poland)"
