Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ncat segfault in __strlen_avx2 () from /usr/lib64/haswell/libc.so.6 #2154

Closed
bswinnerton opened this issue Oct 15, 2020 · 7 comments
Closed

ncat segfault in __strlen_avx2 () from /usr/lib64/haswell/libc.so.6 #2154

bswinnerton opened this issue Oct 15, 2020 · 7 comments
Assignees

Comments

@bswinnerton
Copy link

@bswinnerton bswinnerton commented Oct 15, 2020

Describe the bug
When invoking ncat over a Unix socket (for example with nc -U /var/run/libvirt/libvirt-sock), the application segfaults

To Reproduce

$ touch /tmp/foo
$ nc -U /tmp/foo
Segmentation fault (core dumped)

Expected behavior
In the example above, the expected behavior is:

$ touch /tmp/foo
$ nc -U /tmp/foo
Ncat: Connection refused.

Version info (please complete the following information):

  • OS: 5.8.14-991.native
  • Output of ncat --version: Ncat: Version 7.91 ( https://nmap.org/ncat )

Additional context

To quote clearlinux/distribution#2152 (comment):

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7d89db5 in __strlen_avx2 () from /usr/lib64/haswell/libc.so.6
(gdb) bt
#0  0x00007ffff7d89db5 in __strlen_avx2 () from /usr/lib64/haswell/libc.so.6
#1  0x00007ffff7c981f4 in __GI___strdup (s=0x0) at strdup.c:41
#2  0x000055555555fcd8 in nsock_iod_set_hostname (hostname=0x0, iod=0x5555555da270) at ../nsock/src/nsock_iod.c:453
#3  new_iod (mypool=<optimized out>) at ncat_connect.c:907
#4  0x000055555555d535 in ncat_connect () at ncat_connect.c:1018
#5  ncat_connect_mode () at ncat_main.c:1020
#6  main (argc=<optimized out>, argv=<optimized out>) at ncat_main.c:997
(gdb) f 3
#2  0x000055555555fcd8 in nsock_iod_set_hostname (hostname=0x0, iod=0x5555555da270) at ../nsock/src/nsock_iod.c:453
   if (nsock_iod_set_hostname(nsi, o.sslservername) == -1)
(gdb) p o
$1 = {portno = 31337, verbose = 0, debug = 0, target = 0x7fffffffe6e6 "/tmp/foo", af = 1, proto = 6, broker = 0, listen = 0, keepopen = 0, 
  sendonly = 0, recvonly = 0, noshutdown = 0, telnet = 0, linedelay = 0, chat = 0, nodns = 0, normlog = 0x0, hexlog = 0x0, normlogfd = -1, 
  hexlogfd = -1, append = 0, idletimeout = 0, crlf = 0, allow = 0, deny = 0, allowset = 0x5555555d9870, denyset = 0x5555555d9910, 
  httpserver = 0, nsock_engine = 0, test = 0, srcrtes = {{s_addr = 0}, {s_addr = 0}, {s_addr = 0}, {s_addr = 0}, {s_addr = 0}, {s_addr = 0}, {
      s_addr = 0}, {s_addr = 0}}, numsrcrtes = 0, srcrteptr = 4, conn_limit = -1, conntimeout = 10000, cmdexec = 0x0, execmode = EXEC_PLAIN, 
  proxy_auth = 0x0, proxytype = 0x0, proxyaddr = 0x0, proxydns = 2, ssl = 0, sslcert = 0x0, sslkey = 0x0, sslverify = 0, ssltrustfile = 0x0, 
  sslciphers = 0x0, sslservername = 0x0, sslalpn = 0x0, zerobyte = 0}

o.sslservername is set to NULL at

o.sslservername = NULL;
and set to something different at
o.sslservername = Strdup(optarg);

But this is not an SSL connection so it's not expected to be set to anything but null.

As mentioned by @thiagomacieira, the bug was introduced in 7d6cf3a which introduced o.sslservername, but that's only for TCP connections, not unix sockets.

/cc @nnposter as you may have context
/cc clearlinux/distribution#2152

@nnposter
Copy link

@nnposter nnposter commented Oct 15, 2020

Could you please test the following patch and report back?

--- a/ncat/ncat_main.c	2020-10-07 17:21:42.253789857 -0600
+++ b/ncat/ncat_main.c	2020-10-14 21:37:31.527610020 -0600
@@ -846,7 +846,7 @@
             targetaddrs->addr.un.sun_family = AF_UNIX;
             strncpy(targetaddrs->addr.un.sun_path, argv[optind], sizeof(targetaddrs->addr.un.sun_path));
             targetaddrs->addrlen = SUN_LEN(&targetaddrs->addr.un);
-            o.target = argv[optind];
+            o.sslservername = o.target = argv[optind];
             optind++;
         } else
 #endif
@@ -865,7 +865,7 @@
                 targetaddrs->addr.vm.svm_cid = long_cid;
 
                 targetaddrs->addrlen = sizeof(targetaddrs->addr.vm);
-                o.target = argv[optind];
+                o.sslservername = o.target = argv[optind];
                 optind++;
             }
         } else
@thiagomacieira
Copy link

@thiagomacieira thiagomacieira commented Oct 15, 2020

Confirmed

$ /tmp/usr/bin/ncat -U /tmp/foo
Ncat: No such file or directory.
$ touch /tmp/foo
$ /tmp/usr/bin/ncat -U /tmp/foo
Ncat: Connection refused.
@nnposter
Copy link

@nnposter nnposter commented Oct 16, 2020

The patch has been committed as r38121. Thank you for reporting the issue and pin-pointing the offending commit; my bad.

@nmap-bot nmap-bot closed this in f6b4061 Oct 16, 2020
fengjixuchui added a commit to fengjixuchui/nmap that referenced this issue Oct 16, 2020
Fix a Unix domain socket crash. Fixes nmap#2154
@thiagomacieira
Copy link

@thiagomacieira thiagomacieira commented Oct 16, 2020

I'll apply the committed patch to Clear tomorrow.

@stilor
Copy link

@stilor stilor commented Jul 19, 2021

@nnposter Can the fix be backported to the 7.9x release branch, please?

@nnposter
Copy link

@nnposter nnposter commented Jul 20, 2021

I am not quite sure what specifically you are asking for. The patch above (f6b4061) can be certainly applied to 7.91 source code and there should be no dependencies on other changes introduced after 7.91. The traditional backporting (i.e. patching the old source code, recompiling, and releasing new packages) could be done by the various distro maintainers, not by Nmap maintainers. I am confident that the next Nmap release will include the fix as well, as this is a straightforward bug fix.

@stilor
Copy link

@stilor stilor commented Jul 20, 2021

I was talking about applying that patch to the 7.90 release branch: https://svn.nmap.org/nmap-releases/nmap-7.90/; the 7.91 release has been created from that branch.

Otherwise if the next release of nmap (7.92) is created from that branch, it will not include this fix. At least one fix has already been backported to that branch after 7.91 release (r38105, "fix the windows timestamp/timezone problem"), so I assume another 7.9x release from that branch is possible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants