NULL deref crash in m_copydata #382

markwo · 2019-09-25T23:06:52Z

I hit this crash during fuzzing - it looks similar to #351 but reproduces with the current code in master.

PCAP is attached.

==111159==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x557fc8c7acff bp 0x7ffd962a81d0 sp 0x7ffd962a8190 T0)
==111159==The signal is caused by a READ memory access.
==111159==Hint: address points to the zero page.
    #0 0x557fc8c7acfe in m_copydata third_party/usrsctp/usrsctplib/user_mbuf.c:1394:11
    #1 0x557fc8d31e23 in sctp_copy_mbufchain third_party/usrsctp/usrsctplib/netinet/sctp_output.c:7027:5
    #2 0x557fc8d0852b in sctp_med_chunk_output third_party/usrsctp/usrsctplib/netinet/sctp_output.c:8918:16
    #3 0x557fc8d00efa in sctp_chunk_output third_party/usrsctp/usrsctplib/netinet/sctp_output.c:10726:11
    #4 0x557fc8c8cf46 in sctp_process_control third_party/usrsctp/usrsctplib/netinet/sctp_input.c:5098:5
    #5 0x557fc8c86807 in sctp_common_input_processing third_party/usrsctp/usrsctplib/netinet/sctp_input.c:5899:10
    #6 0x557fc8c438d7 in usrsctp_conninput third_party/usrsctp/usrsctplib/user_socket.c:3518:2

repro.pcap.zip

The text was updated successfully, but these errors were encountered:

markwo · 2019-09-26T22:46:39Z

I added a stand-alone repro program in this branch:
https://github.com/markwo/usrsctp/tree/fuzzer_repro

I build the project as follows:
cmake -DCMAKE_C_COMPILER=/usr/bin/clang-8 -Dsctp_build_repro=1 -Dsctp_sanitizer_memory=1 -Dsctp_sanitizer_address=0 -Dsctp_debug=1 .

Then run repro/repro_382. Output:

[S][0.000] vrf_id 0x0: adding address: [S][0.000] AF_CONN address: 0x1
[P][0.000] usrsctp initialized
[S][0.003] SCTP: add HMAC id 1 to list
[S][0.003] SCTP: added chunk 193 (0xc1) to Auth list
[S][0.003] SCTP: added chunk 128 (0x80) to Auth list
[S][0.003] Bind called port: 5000
[S][0.003] Addr: [S][0.003] IPv4 address: 0.0.0.0:5000
[S][0.003] Main hash to bind at head:0x724000000098, bound port:5000 - in tcp_pool=0
[P][0.003] Calling usrsctp_connect()
[S][0.003] Allocate an association for peer:[S][0.003] AF_CONN address: 0x1
[S][0.003] Port:5001
[S][0.003] Adding an address (from:1) to the peer: [S][0.003] AF_CONN address: 0x1
[S][0.003] Association 0x71d000000000 now allocated
[S][0.004] Sending INIT
[S][0.004] Sending INIT - calls lowlevel_output
[P][0.004] Found outgoing INIT, extracting VTAG : 3131831035

O 15:43:11.541448 0000 13 88 13 89 00 00 00 00 00 00 00 00 01 00 00 5a fb f2 ab ba 00 02 00 00 00 0a 08 00 00 00 00 f8 80 00 00 04 c0 00 00 04 80 08 00 09 c0 0f c1 80 82 00 00 00 80 02 00 24 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 80 04 00 06 00 01 00 00 80 03 00 06 80 c1 00 00 # SCTP_PACKET
[P][0.005] Injecting INIT

I 15:43:11.541953 0000 13 89 13 88 00 00 00 00 00 00 00 00 01 00 00 50 01 00 00 00 00 00 20 00 00 08 00 08 00 00 00 01 80 08 00 07 c1 80 0f 00 80 03 00 07 00 c1 80 00 80 02 00 24 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 80 04 00 07 00 01 00 00 # SCTP_PACKET
[S][0.005] stcb:0x71d000000000 inp:0x719000000000
[S][0.005] stcb is 0x71d000000000
[S][0.005] Ok, Common input processing called, m:0x710000010100 iphlen:0 offset:12 length:92 stcb:0x71d000000000
[S][0.005] stcb:0x71d000000000 state:2
[S][0.005] sctp_process_control: iphlen=0, offset=12, length=92 stcb:0x71d000000000
[S][0.005] Its an INIT of len:80 vtag:0
[S][0.005] sctp_process_control: processing a chunk type=1, len=80
[S][0.005] SCTP_INIT
[S][0.005] sctp_handle_init: handling INIT tcb:0x71d000000000
[S][0.005] sctp_handle_init: sending INIT-ACK
[S][0.005] Check for unrecognized param's
[S][0.005] Hit default param 8004
[S][0.005] move on

O 15:43:11.542631 0000 13 88 13 89 01 00 00 00 00 00 00 00 02 00 01 90 fb f2 ab ba 00 02 00 00 00 08 08 00 00 00 00 f8 80 00 00 04 c0 00 00 04 80 08 00 09 c0 0f c1 80 82 00 00 00 80 02 00 24 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 80 04 00 06 00 01 00 00 80 03 00 06 80 c1 00 00 00 07 01 34 4b 41 4d 45 2d 42 53 44 20 31 2e 31 00 00 00 00 ff 3e 8d 5d 00 00 00 00 e0 45 08 00 00 00 00 00 60 ea 00 00 e3 00 00 00 46 7c c2 54 00 00 00 01 fb f2 ab ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 13 89 13 88 00 00 01 00 01 01 01 00 00 00 00 00 01 00 00 50 01 00 00 00 00 00 20 00 00 08 00 08 00 00 00 01 80 08 00 07 c1 80 0f 00 80 03 00 07 00 c1 80 00 80 02 00 24 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 80 04 00 07 00 01 00 00 02 00 01 90 fb f2 ab ba 00 02 00 00 00 08 08 00 00 00 00 f8 80 00 00 04 c0 00 00 04 80 08 00 09 c0 0f c1 80 82 00 00 00 80 02 00 24 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 80 04 00 06 00 01 00 00 80 03 00 06 80 c1 00 00 b5 2f 0c e2 c7 9b a0 3d ad 10 65 a8 7e 0a 1e d4 f1 bf 87 9d # SCTP_PACKET
[P][0.005] Injecting 2nd packet

I 15:43:11.543002 0000 13 89 13 88 fb f2 ab ba 00 00 00 00 02 fd 01 08 ff 00 fa 00 46 00 00 08 0a f8 37 00 00 00 00 00 00 01 00 11 00 00 00 01 00 09 00 01 00 11 00 00 00 01 00 00 00 01 00 11 00 00 00 01 00 00 09 01 00 11 00 00 00 01 00 00 00 01 00 11 00 00 00 01 00 00 96 19 00 01 00 01 00 01 00 00 00 01 00 11 00 00 00 01 00 00 2a 01 00 11 00 00 00 01 00 00 00 07 00 92 00 00 01 00 00 00 5d 8c 90 1d 00 01 00 00 00 01 00 11 00 00 00 00 00 01 09 01 00 11 00 00 00 00 00 00 00 01 00 11 00 00 00 01 00 01 00 00 00 07 00 1b 00 00 00 09 09 01 00 11 00 00 00 01 00 00 00 01 00 11 00 00 00 01 00 00 00 07 00 1b 00 00 00 09 09 01 00 11 00 00 00 01 00 00 00 01 00 11 00 00 00 03 00 00 09 81 00 11 00 00 00 00 00 01 00 11 00 00 00 01 23 00 00 3a 00 11 00 00 00 01 00 00 00 19 00 09 00 01 00 01 00 00 80 fa ff 11 00 00 00 06 00 00 00 00 00 00 08 0a f8 37 11 00 # SCTP_PACKET
[S][0.006] Ok, Common input processing called, m:0x710000010200 iphlen:0 offset:12 length:276 stcb:0x71d000000000
[S][0.006] stcb:0x71d000000000 state:2
[S][0.006] sctp_process_control: iphlen=0, offset=12, length=276 stcb:0x71d000000000
[S][0.006] sctp_process_control: processing a chunk type=2, len=264
[S][0.006] SCTP_INIT_ACK
[S][0.006] sctp_handle_init_ack: handling INIT-ACK
[S][0.006] Check for unrecognized param's
[S][0.006] Hit default param 0
[S][0.006] stop proc
[S][0.007] moving to COOKIE-ECHOED state
[S][0.007] Leaving handle-init-ack end
MemorySanitizer:DEADLYSIGNAL
==215394==ERROR: MemorySanitizer: SEGV on unknown address 0x000000000018 (pc 0x000000aea7a2 bp 0x7fff4813b5e0 sp 0x7fff4813b370 T215394)
==215394==The signal is caused by a READ memory access.
==215394==Hint: address points to the zero page.
    #0 0xaea7a1 in m_copydata (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0xaea7a1)
    #1 0x768e48 in sctp_copy_mbufchain (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x768e48)
    #2 0x6ae3fd in sctp_med_chunk_output (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x6ae3fd)
    #3 0x688637 in sctp_chunk_output (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x688637)
    #4 0x546a5d in sctp_process_control (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x546a5d)
    #5 0x53192a in sctp_common_input_processing (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x53192a)
    #6 0x5014f0 in usrsctp_conninput (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x5014f0)
    #7 0x4aca1b in main (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x4aca1b)
    #8 0x7f925e33f52a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)
    #9 0x42a439 in _start (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x42a439)

MemorySanitizer can not provide additional info.
SUMMARY: MemorySanitizer: SEGV (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0xaea7a1) in m_copydata
==215394==ABORTING

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in #382

tuexen · 2019-10-05T09:51:06Z

@markwo : I think I fixed the issue in de8c4e3. Please retest and report.

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382 MFC after: 3 days git-svn-id: svn+ssh://svn.freebsd.org/base/head@353119 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382 MFC after: 3 days

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382 MFC after: 3 days git-svn-id: https://svn.freebsd.org/base/head@353119 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f

markwo · 2019-10-07T16:19:58Z

Tested, the fix looks good.

Fix the adding of padding to COOKIE-ECHO chunks. Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382

Add missing input validation. This could result in reading from uninitialized memory. The issue was found by OSS-Fuzz for usrsctp and reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17780 MFS r353396: Cleanup sctp_asconf_error_response() and ensure that the parameter is padded as required. This fixes the followig bug reported by OSS-Fuzz for the usersctp stack: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17790 MFS r353397: When skipping the address parameter, take the padding into account. MFS r353398: Fix the adding of padding to COOKIE-ECHO chunks. Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382 MFS r353399: Plumb an mbuf leak found by Mark Wodrich from Google by fuzz testing the userland stack and reporting it in: sctplab/usrsctp#396 MFS r353400: Fix a use after free bug when removing remote addresses. This bug was found by OSS-Fuzz and reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18004 MFS r353401: Plumb an mbuf leak in a code path that should not be taken. Also avoid that this path is taken by setting the tail pointer correctly. There is still bug related to handling unordered unfragmented messages which were delayed in deferred handling. This issue was found by OSS-Fuzz testing the usrsctp stack and reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17794 MFS r353403: Validate length before use it, not vice versa. r353060 should have contained this... This fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18070 Approved by: re (gjb@)

Add missing input validation. This could result in reading from uninitialized memory. The issue was found by OSS-Fuzz for usrsctp and reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17780 MFS r353396: Cleanup sctp_asconf_error_response() and ensure that the parameter is padded as required. This fixes the followig bug reported by OSS-Fuzz for the usersctp stack: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17790 MFS r353397: When skipping the address parameter, take the padding into account. MFS r353398: Fix the adding of padding to COOKIE-ECHO chunks. Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382 MFS r353399: Plumb an mbuf leak found by Mark Wodrich from Google by fuzz testing the userland stack and reporting it in: sctplab/usrsctp#396 MFS r353400: Fix a use after free bug when removing remote addresses. This bug was found by OSS-Fuzz and reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18004 MFS r353401: Plumb an mbuf leak in a code path that should not be taken. Also avoid that this path is taken by setting the tail pointer correctly. There is still bug related to handling unordered unfragmented messages which were delayed in deferred handling. This issue was found by OSS-Fuzz testing the usrsctp stack and reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17794 MFS r353403: Validate length before use it, not vice versa. r353060 should have contained this... This fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18070 Approved by: re (gjb@) git-svn-id: https://svn.freebsd.org/base/releng/12.1@353410 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f

Fix the adding of padding to COOKIE-ECHO chunks. Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382 git-svn-id: https://svn.freebsd.org/base/stable/12@353398 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f

Add missing input validation. This could result in reading from uninitialized memory. The issue was found by OSS-Fuzz for usrsctp and reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17780 MFS r353396: Cleanup sctp_asconf_error_response() and ensure that the parameter is padded as required. This fixes the followig bug reported by OSS-Fuzz for the usersctp stack: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17790 MFS r353397: When skipping the address parameter, take the padding into account. MFS r353398: Fix the adding of padding to COOKIE-ECHO chunks. Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382 MFS r353399: Plumb an mbuf leak found by Mark Wodrich from Google by fuzz testing the userland stack and reporting it in: sctplab/usrsctp#396 MFS r353400: Fix a use after free bug when removing remote addresses. This bug was found by OSS-Fuzz and reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18004 MFS r353401: Plumb an mbuf leak in a code path that should not be taken. Also avoid that this path is taken by setting the tail pointer correctly. There is still bug related to handling unordered unfragmented messages which were delayed in deferred handling. This issue was found by OSS-Fuzz testing the usrsctp stack and reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17794 MFS r353403: Validate length before use it, not vice versa. r353060 should have contained this... This fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18070 Approved by: re (gjb@)

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382 MFC after: 3 days

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382 MFC after: 3 days git-svn-id: svn+ssh://svn.freebsd.org/base/head@353119 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f

Fix the adding of padding to COOKIE-ECHO chunks. Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382

Fix the adding of padding to COOKIE-ECHO chunks. Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382 git-svn-id: https://svn.freebsd.org/base/stable/11@360742 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f

markwo added a commit to markwo/usrsctp that referenced this issue Sep 26, 2019

Add repro program for Issue sctplab#382

06534f2

tuexen self-assigned this Sep 30, 2019

tuexen added the bug label Sep 30, 2019

tuexen added a commit to sctplab/stream-reset-improved that referenced this issue Oct 5, 2019

Fix the adding of padding to COOKIE-ECHO chunks.

8dea561

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382

tuexen added a commit to sctplab/SCTP_NKE_ElCapitan that referenced this issue Oct 5, 2019

Fix the adding of padding to COOKIE-ECHO chunks.

fc20ef5

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382

tuexen added a commit to sctplab/SCTP_NKE_Yosemite that referenced this issue Oct 5, 2019

Fix the adding of padding to COOKIE-ECHO chunks.

670339e

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382

tuexen added a commit to sctplab/SCTP_NKE_HighSierra that referenced this issue Oct 5, 2019

Fix the adding of padding to COOKIE-ECHO chunks.

40e4113

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382

tuexen added a commit to sctplab/pr-sctp-improved that referenced this issue Oct 5, 2019

Fix the adding of padding to COOKIE-ECHO chunks.

d187702

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382

tuexen added a commit to sctplab/sctp-idata that referenced this issue Oct 5, 2019

Fix the adding of padding to COOKIE-ECHO chunks.

19bc4ef

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382

tuexen added a commit that referenced this issue Oct 5, 2019

Fix the adding of padding to COOKIE-ECHO chunks.

de8c4e3

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in #382

uqs pushed a commit to freebsd/freebsd-src that referenced this issue Oct 5, 2019

Fix the adding of padding to COOKIE-ECHO chunks.

353256a

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382 MFC after: 3 days

markwo closed this as completed Oct 7, 2019

uqs pushed a commit to freebsd/freebsd-src that referenced this issue Oct 10, 2019

MFC r353119:

4bcd405

Fix the adding of padding to COOKIE-ECHO chunks. Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382

brooksdavis pushed a commit to CTSRD-CHERI/cheribsd that referenced this issue Oct 30, 2019

Fix the adding of padding to COOKIE-ECHO chunks.

9898036

Thanks to Mark Wodrich who found this issue while fuzz testing the usrsctp stack and reported the issue in sctplab/usrsctp#382 MFC after: 3 days

taylor-b mentioned this issue Apr 14, 2020

NULL deref crash in m_copydata #454

Open

taylor-b pushed a commit to taylor-b/usrsctp that referenced this issue Apr 1, 2021

Add repro program for Issue sctplab#382

c7cbce1

taylor-b pushed a commit to taylor-b/usrsctp that referenced this issue May 3, 2021

Add repro program for Issue sctplab#382

5c92139

taylor-b pushed a commit to taylor-b/usrsctp that referenced this issue May 11, 2021

Add repro program for Issue sctplab#382

3df55b4

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

NULL deref crash in m_copydata #382

NULL deref crash in m_copydata #382

markwo commented Sep 25, 2019

markwo commented Sep 26, 2019

tuexen commented Oct 5, 2019

markwo commented Oct 7, 2019

NULL deref crash in m_copydata #382

NULL deref crash in m_copydata #382

Comments

markwo commented Sep 25, 2019

markwo commented Sep 26, 2019

tuexen commented Oct 5, 2019

markwo commented Oct 7, 2019