Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix buffer overflow on empty strings in key. #927

Closed
wants to merge 1 commit into from
Closed

Fix buffer overflow on empty strings in key. #927

wants to merge 1 commit into from

Conversation

ealekseev
Copy link

Sometimes apache segfalult on memory copying when key.dptr is some
kind of empty string and key.dsize seems to be 0.

Investigating sefaults in our apache installation via gdb I get this:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:116
116    ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) up
#1  0x00007fd26129cd58 in memcpy (__len=18446744073709551615, __src=0xcd7c68, _dest= <optimized out>) at /usr/include/bits/string3.h:51
51      return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) up
#2  apr_pstrmemdup (a=<optimized out>, s=0xcd7c68 "", n=18446744073709551615) at strings/apr_strings.c:107
107    strings/apr_strings.c: No such file or directory.
(gdb) up
#3  0x00007fd253956987 in collections_remove_stale (msr=msr@entry=0xcc5b88, col_name=0xccd678 "ip") at persist_dbm.c:629
629    persist_dbm.c: No such file or directory.
(gdb) p s
$1 = <optimized out>
(gdb) down
#2  apr_pstrmemdup (a=<optimized out>, s=0xcd7c68 "", n=18446744073709551615) at strings/apr_strings.c:107
107    strings/apr_strings.c: No such file or directory.
(gdb) p s
$2 = 0xcd7c68 "" 
(gdb) p a
$3 = <optimized out>
(gdb) up
#3  0x00007fd253956987 in collections_remove_stale (msr=msr@entry=0xcc5b88, col_name=0xccd678 "ip") at persist_dbm.c:629
629    persist_dbm.c: No such file or directory.
(gdb) up
#4  0x00007fd25394393b in modsecurity_persist_data (msr=0xcc5b88) at modsecurity.c:232
232    modsecurity.c: No such file or directory.
(gdb) up
#5  modsecurity_process_phase_logging (msr=0xcc5b88) at modsecurity.c:640
640    in modsecurity.c
(gdb) up
#6  modsecurity_process_phase (msr=msr@entry=0xcc5b88, phase=phase@entry=5) at modsecurity.c:807
807    in modsecurity.c
(gdb) up
#7  0x00007fd253941cd2 in hook_log_transaction (r=<optimized out>) at mod_security2.c:1239
1239    mod_security2.c: No such file or directory.
(gdb) up
#8  0x000000000042cdd0 in ap_run_log_transaction (r=0xcc1be0) at protocol.c:1748
1748    protocol.c: No such file or directory.
(gdb) up
#9  0x000000000042d8c8 in ap_read_request (conn=conn@entry=0xcbbb00) at protocol.c:1078
1078    in protocol.c

Problem is here:
ModSecurity/apache2/persist_dbm.c:

rc = apr_sdbm_firstkey(dbm, &key);
while(rc == APR_SUCCESS) {
    char *s = apr_pstrmemdup(msr->mp, key.dptr, key.dsize - 1);  // <---- buffer overflow here
    *(char **)apr_array_push(keys_arr) = s;
    rc = apr_sdbm_nextkey(dbm, &key);
}

key.dptr = ""

key.dsize - 1 = 18446744073709551615 = 0xFFFFFFFFFFFFFFFF
key.dsize = 0

Fix buffer overflow on empty strings in key.
9cc6401 
Sometimes apache segfalult on memory copying when key.dptr is some
kind of empty string and key.dsize seems to be 0.
@marcstern
Copy link
Contributor

Optimisation: "key.dsize ? (key.dsize - 1) : 0" instead of "strlen(key.dptr)"
Even better, I suspect that we shouldn't even perform the apr_array_push() at all:
if (key.dsize) {
char s = apr_pstrmemdup(msr->mp, key.dptr, key.dsize - 1);
*(char *)apr_array_push(keys_arr) = s;
}

@zimmerle zimmerle self-assigned this Oct 9, 2015
zimmerle pushed a commit that referenced this pull request Oct 26, 2015
Improves #927 by checking earlier if the string is empty or not
1980322
zimmerle pushed a commit that referenced this pull request Oct 26, 2015
Adds information about the issue #927 on the CHANGES file
18d79b6
@zimmerle
Copy link
Contributor

Hi @ealekseev,

Thank you for the patch. I have also added the suggesting made by @marcstern. Code being cooked by our buildbots.

@ealekseev
Copy link
Author

You are welcome!

@jpelaez01
Copy link

Thanks @ealekseev for the solution!

@zimmerle
Copy link
Contributor

Hi @ealekseev,

Thank you for the patch again. Your code has been merged into your mainline. It will be released as part of 2.9.1.

@zimmerle zimmerle closed this Oct 27, 2015
daniilyar pushed a commit to daniilyar/ModSecurity that referenced this pull request Feb 5, 2016
@daniilyar-confyrm
Improves owasp-modsecurity#927 by checking earlier if the string is e…
1f0f369 
…mpty or not
daniilyar pushed a commit to daniilyar/ModSecurity that referenced this pull request Feb 5, 2016
@daniilyar
Issue owasp-modsecurity#927 Check earlier if the string is empty or not
0b79732 
Issue owasp-modsecurity#662 Fix the variable resolution duration
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@zimmerle zimmerle

Labels
RIP - release-2.9.1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@ealekseev @marcstern @zimmerle @jpelaez01