CPU DoS (infinite loop) in sctp_send_cookie_echo #352

Closed
markwo opened this issue Aug 21, 2019 · 3 comments
markwo commented Aug 21, 2019

While working on a fuzzer for usrsctp, I hit a timeout due to an infinite loop in the target/receiver endpoint. The PCAP is attached - output and stack trace of the timeout are below. From a look at the code, this is due to the code in sctp_send_cookie_echo (sctp_output.c) not handling parameters with a zero length:

```c
        for (;;) {
                phdr = sctp_get_next_param(m, at, &param, sizeof(param));
                if (phdr == NULL) {
                        return (-3);
                }
                ptype = ntohs(phdr->param_type);
                plen = ntohs(phdr->param_length);
                if (ptype == SCTP_STATE_COOKIE) {
                ...
                }
                /* plen == 0 gives SCTP_SIZE32(0) == 0, so 'at' never advances */
                at += SCTP_SIZE32(plen);
```

I'm cleaning up the fuzzer currently - can share the code if you need it to repro. (Would also like to eventually get this fuzzer added to the repo as an OSS-Fuzz target).

```
ALARM: working on the last Unit for 5 seconds
       and the timeout value is 5 (use -timeout=N to change)
==102223== ERROR: libFuzzer: timeout after 5 seconds
    #0 0x55a619edd351 in __sanitizer_print_stack_trace third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_stack.cpp:86:3
    #1 0x55a61a0d8bc8 in fuzzer::PrintStackTrace() third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:205:5
    #2 0x55a61a0bcae6 in fuzzer::Fuzzer::AlarmCallback() third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:300:5
    #3 0x7f5b5a73599f  (/usr/grte/v4/lib64/libpthread.so.0+0xf99f)
    #4 0x55a619fc3541 in sctp_send_cookie_echo third_party/usrsctp/usrsctplib/netinet/sctp_output.c:9495:10
    #5 0x55a619f5f5d2 in sctp_process_init_ack third_party/usrsctp/usrsctplib/netinet/sctp_input.c:580:11
    #6 0x55a619f5399c in sctp_handle_init_ack third_party/usrsctp/usrsctplib/netinet/sctp_input.c:1515:7
    #7 0x55a619f50c3f in sctp_process_control third_party/usrsctp/usrsctplib/netinet/sctp_input.c:5087:11
    #8 0x55a619f71cbe in sctp_common_input_processing third_party/usrsctp/usrsctplib/netinet/sctp_input.c:5886:10
    #9 0x55a619f0cd17 in usrsctp_conninput third_party/usrsctp/usrsctplib/user_socket.c:3478:2
    #10 0x55a619ef9a5a in usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0::operator()(std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >) const third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:152:46
    #11 0x55a619ef9921 in decltype(std::__u::forward<usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0&>(fp)(std::__u::forward<std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(fp0))) std::__u::__invoke<usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >&&) third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/type_traits:3530:1
    #12 0x55a619eee590 in usrsctp_fuzzer::MessageSocket::ReceiveData(std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >) third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:103:5
    #13 0x55a619efbe91 in usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2::operator()(std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >) const third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:410:19
    #14 0x55a619efbcc1 in decltype(std::__u::forward<usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2&>(fp)(std::__u::forward<std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(fp0))) std::__u::__invoke<usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >&&) third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/type_traits:3530:1
    #15 0x55a619eee9b5 in usrsctp_fuzzer::MessageSocket::ProcessNextWriteInQueue() third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:119:3
    #16 0x55a619ef0dbc in usrsctp_fuzzer::SctpFuzzer::PumpMessages() third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:719:22
    #17 0x55a619ef28c4 in LLVMFuzzerTestOneInput third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:757:8
    #18 0x55a61a0be326 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:554:15
    #19 0x55a61a0a8439 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
    #20 0x55a61a0ad67e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:775:9
    #21 0x55a61a0c6e82 in main third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #22 0x7f5b5a5a3bbc in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38bbc)
    #23 0x55a619e3c768 in _start /usr/grte/v4/debug-src/src/csu/../sysdeps/x86_64/start.S:108
```

repro.zip

tuexen commented Aug 22, 2019

Reproducible with the following packetdrill script:

```
 0.0 socket(..., SOCK_STREAM, IPPROTO_SCTP) = 3
+0.0 bind(3, ..., ...) = 0
+0.0 fcntl(3, F_GETFL) = 0x02 (flags O_RDWR)
+0.0 fcntl(3, F_SETFL, O_RDWR | O_NONBLOCK) = 0
+0.1 connect(3, ..., ...) = -1 EINPROGRESS (Operation now in progress)
+0.0 > sctp: INIT[flgs=0, tag=1, a_rwnd=..., os=..., is=..., tsn=0, ...]
+0.0 < sctp: [0x02, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x05, 0xDC, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x29, 0x00, 0x00, 0x08, 0x01, 0x02, 0x03, 0x04, 0x00, 0x06, 0x00, 0x00]
+0.0 close(3) = 0
```
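
The 32 bytes in the packetdrill script decode as an INIT-ACK chunk (type 2, length 0x20) whose fixed part is followed by two parameters: an unknown type 0x2900 of length 8, and a type 0x0006 parameter with a length field of 0. That zero length is the case the loop quoted from sctp_send_cookie_echo does not handle: SCTP_SIZE32(0) is 0, so `at` is never advanced and the walker spins. The program below is an added example, not usrsctp code and not anything posted in this thread. It walks those parameter TLVs twice: once with a loop shaped like the quoted one, capped only so the demo terminates, and once with the two checks such a walker needs, namely that every parameter is at least its own 4-byte header and fits inside the chunk, and that an unknown type whose bit 15 is clear means stop processing (RFC 4960, section 3.2.1). The constants, the known-type subset, the iteration cap and the two extra chunk variants are assumptions made for the demo, not usrsctp's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not usrsctp code: a minimal walker over the parameter
 * TLVs of an INIT-ACK chunk. All constants below are demo assumptions. */

#define SCTP_SIZE32(x)    (((x) + 3u) & ~3u)   /* round up to a 4-byte boundary */
#define SCTP_STATE_COOKIE 0x0007u              /* RFC 4960 State Cookie parameter */
#define CHUNK_HDR_LEN     4u                   /* type, flags, length */
#define INIT_FIXED_LEN    16u                  /* tag, a_rwnd, OS, MIS, initial TSN */
#define PARAM_HDR_LEN     4u                   /* parameter type, parameter length */
#define LOOP_CAP          1000u                /* stands in for the fuzzer's 5 s timeout */

enum walk_rc { WALK_FOUND_COOKIE = 0, WALK_NO_COOKIE = -3,
               WALK_BAD_LENGTH = -4, WALK_STOP_UNKNOWN = -5, WALK_LOOP_CAP = -6 };

/* Constructed inputs. The first is the INIT-ACK from the packetdrill script. */
static const uint8_t init_ack_zero_len[] = {
    0x02, 0x00, 0x00, 0x20,                         /* INIT-ACK, flags 0, length 32 */
    0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x05, 0xDC, /* initiate tag 2, a_rwnd 1500 */
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, /* OS 1, MIS 1, initial TSN 1 */
    0x29, 0x00, 0x00, 0x08, 0x01, 0x02, 0x03, 0x04, /* unknown type 0x2900, length 8 */
    0x00, 0x06, 0x00, 0x00                          /* type 6 with length 0 */
};
/* Same chunk, but the unknown type has bit 15 set ("skip and continue"),
 * so a correct walker actually reaches the zero-length parameter. */
static const uint8_t init_ack_skip_then_zero[] = {
    0x02, 0x00, 0x00, 0x20,
    0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x05, 0xDC,
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
    0xA9, 0x00, 0x00, 0x08, 0x01, 0x02, 0x03, 0x04,
    0x00, 0x06, 0x00, 0x00
};
/* Well-formed chunk carrying a 4-byte State Cookie. */
static const uint8_t init_ack_good[] = {
    0x02, 0x00, 0x00, 0x1C,
    0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x05, 0xDC,
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x07, 0x00, 0x08, 0xAA, 0xBB, 0xCC, 0xDD
};

static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

static int finish(unsigned *out, unsigned iter, int rc) { if (out) *out = iter; return rc; }

/* Loop shaped like the quoted one: at += SCTP_SIZE32(plen) with no check on
 * plen, so a zero-length parameter leaves 'at' where it was. LOOP_CAP only
 * makes the demo terminate; the real code had no such cap. */
static int walk_naive(const uint8_t *chunk, size_t len, unsigned *iterations)
{
    size_t at = CHUNK_HDR_LEN + INIT_FIXED_LEN;
    unsigned iter = 0;
    for (;;) {
        if (at + PARAM_HDR_LEN > len)            /* sctp_get_next_param() returns NULL */
            return finish(iterations, iter, WALK_NO_COOKIE);
        if (++iter > LOOP_CAP)
            return finish(iterations, iter, WALK_LOOP_CAP);
        unsigned ptype = rd16(chunk + at), plen = rd16(chunk + at + 2);
        if (ptype == SCTP_STATE_COOKIE)
            return finish(iterations, iter, WALK_FOUND_COOKIE);
        at += SCTP_SIZE32(plen);                 /* plen == 0: no progress */
    }
}

/* Illustrative subset of RFC 4960 parameter types valid in an INIT-ACK. */
static int is_known_param(unsigned ptype)
{
    switch (ptype) {
    case 0x0005: case 0x0006: case SCTP_STATE_COOKIE: case 0x0008:
    case 0x0009: case 0x000B: case 0x000C: case 0x8000:
        return 1;
    default:
        return 0;
    }
}

/* Hardened walk: a parameter must be at least its own header and fit in the
 * chunk, and an unknown type with bit 15 clear means "stop processing"
 * (RFC 4960, section 3.2.1). 'at' therefore strictly increases. */
static int walk_hardened(const uint8_t *chunk, size_t len, unsigned *iterations)
{
    size_t at = CHUNK_HDR_LEN + INIT_FIXED_LEN;
    unsigned iter = 0;
    while (at + PARAM_HDR_LEN <= len) {
        iter++;
        unsigned ptype = rd16(chunk + at), plen = rd16(chunk + at + 2);
        if (plen < PARAM_HDR_LEN || at + plen > len)
            return finish(iterations, iter, WALK_BAD_LENGTH);
        if (ptype == SCTP_STATE_COOKIE)
            return finish(iterations, iter, WALK_FOUND_COOKIE);
        if (!is_known_param(ptype) && (ptype & 0x8000u) == 0)
            return finish(iterations, iter, WALK_STOP_UNKNOWN);
        at += SCTP_SIZE32(plen);
    }
    return finish(iterations, iter, WALK_NO_COOKIE);
}

/* Run a walker and report how many parameters it looked at. */
static unsigned iterations_of(int (*walk)(const uint8_t *, size_t, unsigned *),
                              const uint8_t *chunk, size_t len)
{
    unsigned n = 0;
    walk(chunk, len, &n);
    return n;
}

int main(void)
{
    printf("naive,    repro bytes: rc=%d after %u iterations (capped)\n",
           walk_naive(init_ack_zero_len, sizeof init_ack_zero_len, NULL),
           iterations_of(walk_naive, init_ack_zero_len, sizeof init_ack_zero_len));
    printf("hardened, repro bytes: rc=%d after %u iteration(s)\n",
           walk_hardened(init_ack_zero_len, sizeof init_ack_zero_len, NULL),
           iterations_of(walk_hardened, init_ack_zero_len, sizeof init_ack_zero_len));
    printf("hardened, skip+zero:   rc=%d after %u iteration(s)\n",
           walk_hardened(init_ack_skip_then_zero, sizeof init_ack_skip_then_zero, NULL),
           iterations_of(walk_hardened, init_ack_skip_then_zero, sizeof init_ack_skip_then_zero));
    printf("hardened, good cookie: rc=%d\n",
           walk_hardened(init_ack_good, sizeof init_ack_good, NULL));
    return 0;
}
```

On the repro bytes the hardened walker returns after one parameter, because 0x2900 is unknown and has bit 15 clear; on the 0xA900 variant it returns on the second parameter, because that parameter's length field is smaller than the header it would need. The naive walker runs into the cap on both, which is the libFuzzer timeout above in miniature.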

tuexen added a commit to sctplab/stream-reset-improved that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#355
and
sctplab/usrsctp#352
tuexen added a commit that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
#355
and
#352
tuexen added a commit that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
#351
and
#352
tuexen added a commit to sctplab/stream-reset-improved that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#351
and
sctplab/usrsctp#352
tuexen added a commit to sctplab/SCTP_NKE_Yosemite that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#351
and
sctplab/usrsctp#352
tuexen added a commit to sctplab/SCTP_NKE_ElCapitan that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#351
and
sctplab/usrsctp#352
tuexen added a commit to sctplab/SCTP_NKE_HighSierra that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#351
and
sctplab/usrsctp#352
tuexen added a commit to sctplab/pr-sctp-improved that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#351
and
sctplab/usrsctp#352
tuexen added a commit to sctplab/sctp-idata that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#351
and
sctplab/usrsctp#352
tuexen commented Sep 1, 2019

@markwo a5ce87d should fix the issue. Can you retest and confirm?

uqs pushed a commit to freebsd/freebsd-src that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#355
and
sctplab/usrsctp#352

MFC after:		3 days


git-svn-id: svn+ssh://svn.freebsd.org/base/head@351654 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
uqs pushed a commit to freebsd/freebsd-src that referenced this issue Sep 1, 2019
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#355
and
sctplab/usrsctp#352

MFC after:		3 days
opntr-auto added a commit to HardenedBSD/hardenedBSD that referenced this issue Sep 1, 2019
* freebsd/current/master:
  Fix initialization of top_fsn.
  Improve the handling of state cookie parameters in INIT-ACK chunks. This fixes a problem with parameters indicating a zero length or partial parameters after an unknown parameter indicating to stop processing. It also fixes a problem with state cookie parameters after unknown parameters indicating to stop processing. Thanks to Mark Wodrich from Google for finding two of these issues by fuzz testing the userland stack and reporting them in sctplab/usrsctp#355 and sctplab/usrsctp#352
  Add support for TP-Link Archer T2U Nano.
  nullfs: reduce areas protected by vnode interlock in null_lock
  posixshm: switch to OBJT_SWAP in advance of other changes
  ARM kernel can get RAM regions three ways: o from FDT; o from EFI; o from Linux Boot API (ATAG). U-Boot may pass RAM info all that 3 ways simultaneously. We do select between FDT and EFI, but not for ATAG. So this is not problem fix, but correctness check.
  Unskip test cases from netbsd-tests by defining __HAVE_FENV
markwo commented Sep 3, 2019

I can confirm this fixes the issue, thanks!

@markwo markwo closed this as completed Sep 3, 2019
uqs pushed a commit to freebsd/freebsd-src that referenced this issue Sep 7, 2019
Improve the handling of state cookie parameters in INIT-ACK chunks.
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#351
and
sctplab/usrsctp#352
bdrewery pushed a commit to bdrewery/freebsd that referenced this issue Sep 12, 2019
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#355
and
sctplab/usrsctp#352

MFC after:		3 days


git-svn-id: svn+ssh://svn.freebsd.org/base/head@351654 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
mat813 pushed a commit to mat813/freebsd that referenced this issue Sep 16, 2019
Improve the handling of state cookie parameters in INIT-ACK chunks.
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#351
and
sctplab/usrsctp#352


git-svn-id: https://svn.freebsd.org/base/stable/12@352007 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
mat813 pushed a commit to mat813/freebsd that referenced this issue Sep 16, 2019
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#355
and
sctplab/usrsctp#352

MFC after:		3 days


git-svn-id: https://svn.freebsd.org/base/head@351654 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
brooksdavis pushed a commit to CTSRD-CHERI/cheribsd that referenced this issue Oct 18, 2019
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#355
and
sctplab/usrsctp#352

MFC after:		3 days
uqs pushed a commit to freebsd/freebsd-src that referenced this issue May 7, 2020
Improve the handling of state cookie parameters in INIT-ACK chunks.
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#355
and
sctplab/usrsctp#352
mat813 pushed a commit to mat813/freebsd that referenced this issue Jun 9, 2020
Improve the handling of state cookie parameters in INIT-ACK chunks.
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#355
and
sctplab/usrsctp#352


git-svn-id: https://svn.freebsd.org/base/stable/11@360731 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
hardenedbsd-services pushed a commit to HardenedBSD/hardenedBSD that referenced this issue Jan 29, 2021
Improve the handling of state cookie parameters in INIT-ACK chunks.
This fixes a problem with parameters indicating a zero length or partial
parameters after an unknown parameter indicating to stop processing. It
also fixes a problem with state cookie parameters after unknown
parameters indicating to stop processing.
Thanks to Mark Wodrich from Google for finding two of these issues
by fuzz testing the userland stack and reporting them in
sctplab/usrsctp#351
and
sctplab/usrsctp#352