Heap buffer overflow #805

Closed
C0NSTANTINE110 opened this issue Jul 19, 2021 · 1 comment

Comments

@C0NSTANTINE110

Tested On:

memcached 1.6.9

PoC:

a.txt

./memcached --auth-file=input/a.txt -u root -m 1024 -p 11211

==1061115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000009e at pc 0x7fae5a305f9d bp 0x7ffee16f4fd0 sp 0x7ffee16f4778
WRITE of size 15 at 0x60200000009e thread T0
#0 0x7fae5a305f9c (/lib/x86_64-linux-gnu/libasan.so.5+0x53f9c)
#1 0x55bca5ccaf23 in fgets /usr/include/x86_64-linux-gnu/bits/stdio2.h:265
#2 0x55bca5ccaf23 in authfile_load /home/constantine/test/memcached/authfile.c:50
#3 0x55bca5c3ffb5 in main /home/constantine/test/memcached/memcached.c:5639
#4 0x7fae597010b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#5 0x55bca5c45d9d in _start (/home/constantine/test/memcached/memcached+0x26d9d)

0x60200000009e is located 0 bytes to the right of 14-byte region [0x602000000090,0x60200000009e)
allocated by thread T0 here:
#0 0x7fae5a3bfdc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
#1 0x55bca5ccaedd in authfile_load /home/constantine/test/memcached/authfile.c:44

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x53f9c)
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 04 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8010: fa fa 00[06]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1061115==ABORTING

@dormando
Member

Hey,

Thanks for the report. This is... I'll say incredibly minor, so I'll mark this as "help wanted" in case any passerby wants to churn up a PR for it.

TysonAndre added a commit to TysonAndre/memcached that referenced this issue Jul 22, 2021
Fixes memcached#805

Allocate an extra byte for reading the last entry when there is no `\n` at
the end of the file.

Also, check if the user contains null bytes when reading the last entry.

Unrelatedly, add handling in case the auth file size changes while it is being read.
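The following is an added illustration, not memcached's authfile.c and not the code from the fix commit: a minimal "user:password" loader that shows the sizing mistake behind the ASan report above (a buffer of exactly st_size bytes has no room for the terminator fgets() stores after a final line with no '\n') and applies the three changes the commit message describes: one extra byte, a NUL-byte check, and a bail-out when the file's size no longer matches what fstat() reported. It generalises the NUL check to every line rather than only the last entry. All names (authfile_parse, parse_bytes, authfile_check, the auth_t layout, MAX_ENTRIES) and the sample auth lines are constructed here for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* fileno(), fstat(), tmpfile() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define MAX_ENTRIES 8   /* assumed table size for the example */

enum authfile_ret {
    AUTHFILE_OK = 0, AUTHFILE_OOM, AUTHFILE_MALFORMED,
    AUTHFILE_SIZE_CHANGED, AUTHFILE_STATFAIL
};

typedef struct { char *user; size_t ulen; char *pass; size_t plen; } auth_t;
typedef struct { char *data; auth_t entries[MAX_ENTRIES]; int count; } authfile_t;

void authfile_free(authfile_t *af) { free(af->data); af->data = NULL; af->count = 0; }

/* Parse "user:password" lines from f, whose size was reported as `size`
 * (by fstat() in real use; passed explicitly so a caller can simulate a file
 * that changed after it was stat'ed). */
enum authfile_ret authfile_parse(FILE *f, size_t size, authfile_t *af) {
    memset(af, 0, sizeof *af);
    if (size > (size_t)INT_MAX - 1) return AUTHFILE_OOM;   /* fgets() takes an int */
    /* The vulnerable sizing was calloc(1, size): a last line without '\n'
     * makes fgets() store size + 1 bytes. Reserve the terminator up front. */
    af->data = calloc(1, size + 1);
    if (af->data == NULL) return AUTHFILE_OOM;

    size_t used = 0;
    while (used < size && af->count < MAX_ENTRIES) {
        char *cur = af->data + used;
        long before = ftell(f);
        /* room = remaining + 1 counts the terminator, so fgets() never reads
         * more than the `size - used` bytes we have space for. */
        if (fgets(cur, (int)(size - used + 1), f) == NULL) break;   /* EOF or error */
        size_t len = strlen(cur);
        size_t consumed = len;
        if (len > 0 && cur[len - 1] == '\n') { cur[--len] = '\0'; consumed = len + 1; }
        /* An embedded NUL makes strlen() shorter than what fgets() consumed:
         * `used` would desynchronise and the user name would hide bytes. */
        if (ftell(f) - before != (long)consumed) { authfile_free(af); return AUTHFILE_MALFORMED; }
        used += consumed;
        if (len == 0) continue;                       /* blank line */
        char *colon = memchr(cur, ':', len);
        if (colon == NULL || colon == cur) { authfile_free(af); return AUTHFILE_MALFORMED; }
        auth_t *e = &af->entries[af->count++];
        *colon = '\0';
        e->user = cur;       e->ulen = (size_t)(colon - cur);
        e->pass = colon + 1; e->plen = len - e->ulen - 1;
    }
    /* Unless we stopped because the table is full, the stream must be at EOF
     * with exactly `size` bytes consumed; otherwise the file grew or shrank
     * between fstat() and the reads. */
    if (af->count < MAX_ENTRIES && (used != size || fgetc(f) != EOF)) {
        authfile_free(af);
        return AUTHFILE_SIZE_CHANGED;
    }
    return AUTHFILE_OK;
}

/* What a real loader does: size the buffer from fstat() and parse. */
enum authfile_ret authfile_load_stream(FILE *f, authfile_t *af) {
    struct stat sb;
    if (fstat(fileno(f), &sb) != 0 || sb.st_size < 0) return AUTHFILE_STATFAIL;
    return authfile_parse(f, (size_t)sb.st_size, af);
}

/* Test helper: put constructed bytes in a temp file and parse them with a
 * declared size that may differ from the real one. */
enum authfile_ret parse_bytes(const char *bytes, size_t n, size_t declared, authfile_t *af) {
    FILE *f = tmpfile();
    if (f == NULL) return AUTHFILE_STATFAIL;
    if (fwrite(bytes, 1, n, f) != n) { fclose(f); return AUTHFILE_STATFAIL; }
    rewind(f);
    enum authfile_ret r = authfile_parse(f, declared, af);
    fclose(f);
    return r;
}

/* Length-checked lookup: 1 on a user/password match, 0 otherwise. */
int authfile_check(const authfile_t *af, const char *user, const char *pass) {
    size_t ul = strlen(user), pl = strlen(pass);
    for (int i = 0; i < af->count; i++) {
        const auth_t *e = &af->entries[i];
        if (e->ulen == ul && memcmp(e->user, user, ul) == 0)
            return e->plen == pl && memcmp(e->pass, pass, pl) == 0;
    }
    return 0;
}

int main(void) {
    static const char poc[] = "alice:secret12";   /* constructed: 14 bytes, no trailing '\n' */
    authfile_t af;
    enum authfile_ret r = parse_bytes(poc, sizeof poc - 1, sizeof poc - 1, &af);
    printf("load=%d entries=%d alice/secret12 ok=%d\n", r, af.count,
           authfile_check(&af, "alice", "secret12"));
    authfile_free(&af);
    return 0;
}
```

The key line is the calloc(1, size + 1) paired with fgets(cur, size - used + 1, f): fgets() writes at most n - 1 characters plus a terminator, so the extra byte is exactly what a final line without '\n' needs. The ftell() comparison is one cheap way to notice a NUL inside a line without scanning the buffer; the post-loop EOF check is what turns a file that changed under the loader into a clean error instead of a short or desynchronised table.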