Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NULL Pointer Dereference in CS104_IPAddress_setFromString #100

Open
AiDaiP opened this issue Dec 23, 2021 · 0 comments
Open

NULL Pointer Dereference in CS104_IPAddress_setFromString #100

AiDaiP opened this issue Dec 23, 2021 · 0 comments

Comments

@AiDaiP
Copy link

@AiDaiP AiDaiP commented Dec 23, 2021

NULL Pointer Dereference in CS104_IPAddress_setFromString

Description

A NULL Pointer Dereference was discovered in CS104_IPAddress_setFromString at src/iec60870/cs104/cs104_slave.c:785. The vulnerability causes a segmentation fault and application crash.

If the ipAddrStr is NULL, strchr() will crash. Should there be a check?

version

0d5e76e

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

gdb

LD_PRELOAD="/root/tools/preeny-master/build/lib/libdesock.so" ./cs104_redundancy_server
New connection request from (null)
[1]    128322 segmentation fault  LD_PRELOAD="/root/tools/preeny-master/build/lib/libdesock.so"
pwndbg>
0x0000555555568557      785         if (strchr(ipAddrStr, '.') != NULL) {
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x0
 RCX  0x7ffff7e9739b (getpeername+11) ◂— cmp    rax, -0xfff
 RDX  0x0
*RDI  0x0
 RSI  0x2e
 R8   0x0
 R9   0x23
 R10  0x55555557110e ◂— 0x63656e6e6f43000a /* '\n' */
 R11  0x246
 R12  0x7fffffffde9e ◂— 0x5555555a60600000
 R13  0x7fffffffde9f ◂— 0x5555555a606000
 R14  0x7fffffffdea0 —▸ 0x5555555a6060 ◂— 0x0
 R15  0x7ffff7d6afc0 ◂— 0x0
 RBP  0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
 RSP  0x7ffff7d6adc0 ◂— 0x0
*RIP  0x555555568557 (CS104_IPAddress_setFromString+32) ◂— call   0x5555555574e0
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x555555568543 <CS104_IPAddress_setFromString+12>    mov    qword ptr [rbp - 0x18], rdi
   0x555555568547 <CS104_IPAddress_setFromString+16>    mov    qword ptr [rbp - 0x20], rsi
   0x55555556854b <CS104_IPAddress_setFromString+20>    mov    rax, qword ptr [rbp - 0x20]
   0x55555556854f <CS104_IPAddress_setFromString+24>    mov    esi, 0x2e
   0x555555568554 <CS104_IPAddress_setFromString+29>    mov    rdi, rax
 ► 0x555555568557 <CS104_IPAddress_setFromString+32>    call   strchr@plt                <strchr@plt>
        s: 0x0
        c: 0x2e

   0x55555556855c <CS104_IPAddress_setFromString+37>    test   rax, rax
   0x55555556855f <CS104_IPAddress_setFromString+40>    je     CS104_IPAddress_setFromString+165                <CS104_IPAddress_setFromString+165>

   0x555555568561 <CS104_IPAddress_setFromString+42>    mov    rax, qword ptr [rbp - 0x18]
   0x555555568565 <CS104_IPAddress_setFromString+46>    mov    dword ptr [rax + 0x10], 0
   0x55555556856c <CS104_IPAddress_setFromString+53>    mov    dword ptr [rbp - 0xc], 0
──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /root/disk2/fuzzing/lib60870/test/lib60870/lib60870-C/src/iec60870/cs104/cs104_slave.c
   780 };
   781
   782 static void
   783 CS104_IPAddress_setFromString(CS104_IPAddress self, const char* ipAddrStr)
   784 {
 ► 785     if (strchr(ipAddrStr, '.') != NULL) {
   786         /* parse IPv4 string */
   787         self->type = IP_ADDRESS_TYPE_IPV4;
   788
   789         int i;
   790
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7ffff7d6adc0 ◂— 0x0
01:0008│     0x7ffff7d6adc8 —▸ 0x7ffff7d6ae20 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
02:0010│     0x7ffff7d6add0 —▸ 0x7ffff0000ef0 ◂— 0x4
03:0018│     0x7ffff7d6add8 —▸ 0x55555557d2d0 —▸ 0x5555555579ed (interrogationHandler) ◂— endbr64
04:0020│ rbp 0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
05:0028│     0x7ffff7d6ade8 —▸ 0x55555556c0c1 (getMatchingRedundancyGroup+54) ◂— mov    qword ptr [rbp - 0x40], 0
06:0030│     0x7ffff7d6adf0 ◂— 0x0
07:0038│     0x7ffff7d6adf8 —▸ 0x55555557d2d0 —▸ 0x5555555579ed (interrogationHandler) ◂— endbr64
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x555555568557 CS104_IPAddress_setFromString+32
   f 1   0x55555556c0c1 getMatchingRedundancyGroup+54
   f 2   0x55555556c64f serverThread+523
   f 3   0x7ffff7f6f609 start_thread+217
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> c
Continuing.

Thread 2 "cs104_redundanc" received signal SIGSEGV, Segmentation fault.
__strchr_avx2 () at ../sysdeps/x86_64/multiarch/strchr-avx2.S:57
57      ../sysdeps/x86_64/multiarch/strchr-avx2.S: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x0
*RCX  0x0
 RDX  0x0
 RDI  0x0
 RSI  0x2e
 R8   0x0
 R9   0x23
 R10  0x55555557110e ◂— 0x63656e6e6f43000a /* '\n' */
 R11  0x246
 R12  0x7fffffffde9e ◂— 0x5555555a60600000
 R13  0x7fffffffde9f ◂— 0x5555555a606000
 R14  0x7fffffffdea0 —▸ 0x5555555a6060 ◂— 0x0
 R15  0x7ffff7d6afc0 ◂— 0x0
 RBP  0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
*RSP  0x7ffff7d6adb8 —▸ 0x55555556855c (CS104_IPAddress_setFromString+37) ◂— test   rax, rax
*RIP  0x7ffff7eff08c (__strchr_avx2+28) ◂— vmovdqu ymm8, ymmword ptr [rdi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff7eff08c <__strchr_avx2+28>     vmovdqu ymm8, ymmword ptr [rdi]
   0x7ffff7eff090 <__strchr_avx2+32>     vpcmpeqb ymm1, ymm0, ymm8
   0x7ffff7eff095 <__strchr_avx2+37>     vpcmpeqb ymm2, ymm9, ymm8
   0x7ffff7eff09a <__strchr_avx2+42>     vpor   ymm1, ymm2, ymm1
   0x7ffff7eff09e <__strchr_avx2+46>     vpmovmskb eax, ymm1
   0x7ffff7eff0a2 <__strchr_avx2+50>     test   eax, eax
   0x7ffff7eff0a4 <__strchr_avx2+52>     jne    __strchr_avx2+400                <__strchr_avx2+400>
    ↓
   0x7ffff7eff200 <__strchr_avx2+400>    tzcnt  eax, eax
   0x7ffff7eff204 <__strchr_avx2+404>    xor    edx, edx
   0x7ffff7eff206 <__strchr_avx2+406>    lea    rax, [rdi + rax]
   0x7ffff7eff20a <__strchr_avx2+410>    cmp    sil, byte ptr [rax]
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7ffff7d6adb8 —▸ 0x55555556855c (CS104_IPAddress_setFromString+37) ◂— test   rax, rax
01:0008│     0x7ffff7d6adc0 ◂— 0x0
02:0010│     0x7ffff7d6adc8 —▸ 0x7ffff7d6ae20 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
03:0018│     0x7ffff7d6add0 —▸ 0x7ffff0000ef0 ◂— 0x4
04:0020│     0x7ffff7d6add8 —▸ 0x55555557d2d0 —▸ 0x5555555579ed (interrogationHandler) ◂— endbr64
05:0028│ rbp 0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
06:0030│     0x7ffff7d6ade8 —▸ 0x55555556c0c1 (getMatchingRedundancyGroup+54) ◂— mov    qword ptr [rbp - 0x40], 0
07:0038│     0x7ffff7d6adf0 ◂— 0x0
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff7eff08c __strchr_avx2+28
   f 1   0x55555556855c CS104_IPAddress_setFromString+37
   f 2   0x55555556c0c1 getMatchingRedundancyGroup+54
   f 3   0x55555556c64f serverThread+523
   f 4   0x7ffff7f6f609 start_thread+217
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant