
NULL deref crash in m_copydata #382

Closed
markwo opened this issue Sep 25, 2019 · 3 comments


@markwo

commented Sep 25, 2019

I hit this crash during fuzzing - it looks similar to #351 but reproduces with the current code in master.

PCAP is attached.

==111159==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x557fc8c7acff bp 0x7ffd962a81d0 sp 0x7ffd962a8190 T0)
==111159==The signal is caused by a READ memory access.
==111159==Hint: address points to the zero page.
    #0 0x557fc8c7acfe in m_copydata third_party/usrsctp/usrsctplib/user_mbuf.c:1394:11
    #1 0x557fc8d31e23 in sctp_copy_mbufchain third_party/usrsctp/usrsctplib/netinet/sctp_output.c:7027:5
    #2 0x557fc8d0852b in sctp_med_chunk_output third_party/usrsctp/usrsctplib/netinet/sctp_output.c:8918:16
    #3 0x557fc8d00efa in sctp_chunk_output third_party/usrsctp/usrsctplib/netinet/sctp_output.c:10726:11
    #4 0x557fc8c8cf46 in sctp_process_control third_party/usrsctp/usrsctplib/netinet/sctp_input.c:5098:5
    #5 0x557fc8c86807 in sctp_common_input_processing third_party/usrsctp/usrsctplib/netinet/sctp_input.c:5899:10
    #6 0x557fc8c438d7 in usrsctp_conninput third_party/usrsctp/usrsctplib/user_socket.c:3518:2

repro.pcap.zip

markwo added a commit to markwo/usrsctp that referenced this issue Sep 26, 2019
@markwo

Author

commented Sep 26, 2019

I added a stand-alone repro program in this branch:
https://github.com/markwo/usrsctp/tree/fuzzer_repro

I build the project as follows:
cmake -DCMAKE_C_COMPILER=/usr/bin/clang-8 -Dsctp_build_repro=1 -Dsctp_sanitizer_memory=1 -Dsctp_sanitizer_address=0 -Dsctp_debug=1 .

Then run repro/repro_382. Output:

[S][0.000] vrf_id 0x0: adding address: [S][0.000] AF_CONN address: 0x1
[P][0.000] usrsctp initialized
[S][0.003] SCTP: add HMAC id 1 to list
[S][0.003] SCTP: added chunk 193 (0xc1) to Auth list
[S][0.003] SCTP: added chunk 128 (0x80) to Auth list
[S][0.003] Bind called port: 5000
[S][0.003] Addr: [S][0.003] IPv4 address: 0.0.0.0:5000
[S][0.003] Main hash to bind at head:0x724000000098, bound port:5000 - in tcp_pool=0
[P][0.003] Calling usrsctp_connect()
[S][0.003] Allocate an association for peer:[S][0.003] AF_CONN address: 0x1
[S][0.003] Port:5001
[S][0.003] Adding an address (from:1) to the peer: [S][0.003] AF_CONN address: 0x1
[S][0.003] Association 0x71d000000000 now allocated
[S][0.004] Sending INIT
[S][0.004] Sending INIT - calls lowlevel_output
[P][0.004] Found outgoing INIT, extracting VTAG : 3131831035

O 15:43:11.541448 0000 13 88 13 89 00 00 00 00 00 00 00 00 01 00 00 5a fb f2 ab ba 00 02 00 00 00 0a 08 00 00 00 00 f8 80 00 00 04 c0 00 00 04 80 08 00 09 c0 0f c1 80 82 00 00 00 80 02 00 24 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 80 04 00 06 00 01 00 00 80 03 00 06 80 c1 00 00 # SCTP_PACKET
[P][0.005] Injecting INIT

I 15:43:11.541953 0000 13 89 13 88 00 00 00 00 00 00 00 00 01 00 00 50 01 00 00 00 00 00 20 00 00 08 00 08 00 00 00 01 80 08 00 07 c1 80 0f 00 80 03 00 07 00 c1 80 00 80 02 00 24 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 80 04 00 07 00 01 00 00 # SCTP_PACKET
[S][0.005] stcb:0x71d000000000 inp:0x719000000000
[S][0.005] stcb is 0x71d000000000
[S][0.005] Ok, Common input processing called, m:0x710000010100 iphlen:0 offset:12 length:92 stcb:0x71d000000000
[S][0.005] stcb:0x71d000000000 state:2
[S][0.005] sctp_process_control: iphlen=0, offset=12, length=92 stcb:0x71d000000000
[S][0.005] Its an INIT of len:80 vtag:0
[S][0.005] sctp_process_control: processing a chunk type=1, len=80
[S][0.005] SCTP_INIT
[S][0.005] sctp_handle_init: handling INIT tcb:0x71d000000000
[S][0.005] sctp_handle_init: sending INIT-ACK
[S][0.005] Check for unrecognized param's
[S][0.005] Hit default param 8004
[S][0.005] move on

O 15:43:11.542631 0000 13 88 13 89 01 00 00 00 00 00 00 00 02 00 01 90 fb f2 ab ba 00 02 00 00 00 08 08 00 00 00 00 f8 80 00 00 04 c0 00 00 04 80 08 00 09 c0 0f c1 80 82 00 00 00 80 02 00 24 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 80 04 00 06 00 01 00 00 80 03 00 06 80 c1 00 00 00 07 01 34 4b 41 4d 45 2d 42 53 44 20 31 2e 31 00 00 00 00 ff 3e 8d 5d 00 00 00 00 e0 45 08 00 00 00 00 00 60 ea 00 00 e3 00 00 00 46 7c c2 54 00 00 00 01 fb f2 ab ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 13 89 13 88 00 00 01 00 01 01 01 00 00 00 00 00 01 00 00 50 01 00 00 00 00 00 20 00 00 08 00 08 00 00 00 01 80 08 00 07 c1 80 0f 00 80 03 00 07 00 c1 80 00 80 02 00 24 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 80 04 00 07 00 01 00 00 02 00 01 90 fb f2 ab ba 00 02 00 00 00 08 08 00 00 00 00 f8 80 00 00 04 c0 00 00 04 80 08 00 09 c0 0f c1 80 82 00 00 00 80 02 00 24 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 80 04 00 06 00 01 00 00 80 03 00 06 80 c1 00 00 b5 2f 0c e2 c7 9b a0 3d ad 10 65 a8 7e 0a 1e d4 f1 bf 87 9d # SCTP_PACKET
[P][0.005] Injecting 2nd packet

I 15:43:11.543002 0000 13 89 13 88 fb f2 ab ba 00 00 00 00 02 fd 01 08 ff 00 fa 00 46 00 00 08 0a f8 37 00 00 00 00 00 00 01 00 11 00 00 00 01 00 09 00 01 00 11 00 00 00 01 00 00 00 01 00 11 00 00 00 01 00 00 09 01 00 11 00 00 00 01 00 00 00 01 00 11 00 00 00 01 00 00 96 19 00 01 00 01 00 01 00 00 00 01 00 11 00 00 00 01 00 00 2a 01 00 11 00 00 00 01 00 00 00 07 00 92 00 00 01 00 00 00 5d 8c 90 1d 00 01 00 00 00 01 00 11 00 00 00 00 00 01 09 01 00 11 00 00 00 00 00 00 00 01 00 11 00 00 00 01 00 01 00 00 00 07 00 1b 00 00 00 09 09 01 00 11 00 00 00 01 00 00 00 01 00 11 00 00 00 01 00 00 00 07 00 1b 00 00 00 09 09 01 00 11 00 00 00 01 00 00 00 01 00 11 00 00 00 03 00 00 09 81 00 11 00 00 00 00 00 01 00 11 00 00 00 01 23 00 00 3a 00 11 00 00 00 01 00 00 00 19 00 09 00 01 00 01 00 00 80 fa ff 11 00 00 00 06 00 00 00 00 00 00 08 0a f8 37 11 00 # SCTP_PACKET
[S][0.006] Ok, Common input processing called, m:0x710000010200 iphlen:0 offset:12 length:276 stcb:0x71d000000000
[S][0.006] stcb:0x71d000000000 state:2
[S][0.006] sctp_process_control: iphlen=0, offset=12, length=276 stcb:0x71d000000000
[S][0.006] sctp_process_control: processing a chunk type=2, len=264
[S][0.006] SCTP_INIT_ACK
[S][0.006] sctp_handle_init_ack: handling INIT-ACK
[S][0.006] Check for unrecognized param's
[S][0.006] Hit default param 0
[S][0.006] stop proc
[S][0.007] moving to COOKIE-ECHOED state
[S][0.007] Leaving handle-init-ack end
MemorySanitizer:DEADLYSIGNAL
==215394==ERROR: MemorySanitizer: SEGV on unknown address 0x000000000018 (pc 0x000000aea7a2 bp 0x7fff4813b5e0 sp 0x7fff4813b370 T215394)
==215394==The signal is caused by a READ memory access.
==215394==Hint: address points to the zero page.
    #0 0xaea7a1 in m_copydata (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0xaea7a1)
    #1 0x768e48 in sctp_copy_mbufchain (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x768e48)
    #2 0x6ae3fd in sctp_med_chunk_output (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x6ae3fd)
    #3 0x688637 in sctp_chunk_output (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x688637)
    #4 0x546a5d in sctp_process_control (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x546a5d)
    #5 0x53192a in sctp_common_input_processing (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x53192a)
    #6 0x5014f0 in usrsctp_conninput (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x5014f0)
    #7 0x4aca1b in main (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x4aca1b)
    #8 0x7f925e33f52a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)
    #9 0x42a439 in _start (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0x42a439)

MemorySanitizer can not provide additional info.
SUMMARY: MemorySanitizer: SEGV (/usr/local/google/home/markwo/repos/usrsctp/repro/repro_382+0xaea7a1) in m_copydata
==215394==ABORTING
@tuexen tuexen self-assigned this Sep 30, 2019
@tuexen tuexen added the bug label Sep 30, 2019
tuexen added a commit to sctplab/stream-reset-improved that referenced this issue Oct 5, 2019
Thanks to Mark Wodrich who found this issue while fuzz testing the
usrsctp stack and reported the issue in
sctplab/usrsctp#382
tuexen added a commit to sctplab/SCTP_NKE_ElCapitan that referenced this issue Oct 5, 2019
Thanks to Mark Wodrich who found this issue while fuzz testing the
usrsctp stack and reported the issue in
sctplab/usrsctp#382
tuexen added a commit to sctplab/SCTP_NKE_Yosemite that referenced this issue Oct 5, 2019
Thanks to Mark Wodrich who found this issue while fuzz testing the
usrsctp stack and reported the issue in
sctplab/usrsctp#382
tuexen added a commit to sctplab/SCTP_NKE_HighSierra that referenced this issue Oct 5, 2019
Thanks to Mark Wodrich who found this issue while fuzz testing the
usrsctp stack and reported the issue in
sctplab/usrsctp#382
tuexen added a commit to sctplab/pr-sctp-improved that referenced this issue Oct 5, 2019
Thanks to Mark Wodrich who found this issue while fuzz testing the
usrsctp stack and reported the issue in
sctplab/usrsctp#382
tuexen added a commit to sctplab/sctp-idata that referenced this issue Oct 5, 2019
Thanks to Mark Wodrich who found this issue while fuzz testing the
usrsctp stack and reported the issue in
sctplab/usrsctp#382
tuexen added a commit that referenced this issue Oct 5, 2019
Thanks to Mark Wodrich who found this issue while fuzz testing the
usrsctp stack and reported the issue in
#382
@tuexen

Member

commented Oct 5, 2019

@markwo : I think I fixed the issue in de8c4e3. Please retest and report.

uqs pushed a commit to freebsd/freebsd that referenced this issue Oct 5, 2019
Thanks to Mark Wodrich who found this issue while fuzz testing the
usrsctp stack and reported the issue in
sctplab/usrsctp#382

MFC after:		3 days


git-svn-id: svn+ssh://svn.freebsd.org/base/head@353119 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
uqs pushed a commit to freebsd/freebsd that referenced this issue Oct 5, 2019
Thanks to Mark Wodrich who found this issue while fuzz testing the
usrsctp stack and reported the issue in
sctplab/usrsctp#382

MFC after:		3 days
mat813 pushed a commit to mat813/freebsd that referenced this issue Oct 7, 2019
Thanks to Mark Wodrich who found this issue while fuzz testing the
usrsctp stack and reported the issue in
sctplab/usrsctp#382

MFC after:		3 days


git-svn-id: https://svn.freebsd.org/base/head@353119 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
@markwo

Author

commented Oct 7, 2019

Tested, the fix looks good.

@markwo markwo closed this Oct 7, 2019
uqs pushed a commit to freebsd/freebsd that referenced this issue Oct 10, 2019
Fix the adding of padding to COOKIE-ECHO chunks.

Thanks to Mark Wodrich who found this issue while fuzz testing the
usrsctp stack and reported the issue in
sctplab/usrsctp#382
uqs pushed a commit to freebsd/freebsd that referenced this issue Oct 10, 2019
Add missing input validation. This could result in reading from
uninitialized memory.
The issue was found by OSS-Fuzz for usrsctp and reported in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17780

MFS r353396:

Cleanup sctp_asconf_error_response() and ensure that the parameter
is padded as required. This fixes the following bug reported by
OSS-Fuzz for the usrsctp stack:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17790

MFS r353397:

When skipping the address parameter, take the padding into account.

MFS r353398:

Fix the adding of padding to COOKIE-ECHO chunks.

Thanks to Mark Wodrich who found this issue while fuzz testing the
usrsctp stack and reported the issue in
sctplab/usrsctp#382

MFS r353399:

Plumb an mbuf leak found by Mark Wodrich from Google by fuzz testing the
userland stack and reporting it in:
sctplab/usrsctp#396

MFS r353400:

Fix a use after free bug when removing remote addresses.
This bug was found by OSS-Fuzz and reported in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18004

MFS r353401:

Plumb an mbuf leak in a code path that should not be taken. Also avoid
that this path is taken by setting the tail pointer correctly.
There is still a bug related to handling unordered unfragmented messages
which were delayed in deferred handling.
This issue was found by OSS-Fuzz testing the usrsctp stack and reported
in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17794

MFS r353403:

Validate length before using it, not vice versa.
r353060 should have contained this...
This fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18070

Approved by:		re (gjb@)
mat813 pushed a commit to mat813/freebsd that referenced this issue Oct 11, 2019
Add missing input validation. This could result in reading from
uninitialized memory.
The issue was found by OSS-Fuzz for usrsctp and reported in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17780

MFS r353396:

Cleanup sctp_asconf_error_response() and ensure that the parameter
is padded as required. This fixes the following bug reported by
OSS-Fuzz for the usrsctp stack:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17790

MFS r353397:

When skipping the address parameter, take the padding into account.

MFS r353398:

Fix the adding of padding to COOKIE-ECHO chunks.

Thanks to Mark Wodrich who found this issue while fuzz testing the
usrsctp stack and reported the issue in
sctplab/usrsctp#382

MFS r353399:

Plumb an mbuf leak found by Mark Wodrich from Google by fuzz testing the
userland stack and reporting it in:
sctplab/usrsctp#396

MFS r353400:

Fix a use after free bug when removing remote addresses.
This bug was found by OSS-Fuzz and reported in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18004

MFS r353401:

Plumb an mbuf leak in a code path that should not be taken. Also avoid
that this path is taken by setting the tail pointer correctly.
There is still a bug related to handling unordered unfragmented messages
which were delayed in deferred handling.
This issue was found by OSS-Fuzz testing the usrsctp stack and reported
in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17794

MFS r353403:

Validate length before using it, not vice versa.
r353060 should have contained this...
This fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18070

Approved by:		re (gjb@)


git-svn-id: https://svn.freebsd.org/base/releng/12.1@353410 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
mat813 pushed a commit to mat813/freebsd that referenced this issue Oct 11, 2019
Fix the adding of padding to COOKIE-ECHO chunks.

Thanks to Mark Wodrich who found this issue while fuzz testing the
usrsctp stack and reported the issue in
sctplab/usrsctp#382


git-svn-id: https://svn.freebsd.org/base/stable/12@353398 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
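The commit messages above point at two invariants: padding added to a COOKIE-ECHO chunk must be accounted for when sizing the output ("Fix the adding of padding to COOKIE-ECHO chunks"), and a chunk length must be checked before it is used to index a buffer ("Validate length before using it, not vice versa"). The following is an added example in C written for this page; it is not usrsctp or FreeBSD code and does not reproduce their mbuf handling. The 4-byte padding rule and the COOKIE-ECHO chunk type value 10 come from RFC 4960; the helper names, the sample cookie bytes and the lenient treatment of a final chunk sent without padding are assumptions of this example.

```c
/* Added example, not usrsctp code: the two invariants behind the fixes
 * referenced in this issue, written as stand-alone helpers. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCTP_COOKIE_ECHO 10   /* chunk type, RFC 4960 section 3.2 */

/* RFC 4960 3.2: a chunk occupies a multiple of 4 bytes on the wire; the
 * Length field excludes the (at most 3) zero padding bytes. */
size_t sctp_padded_len(size_t len)
{
    return (len + 3u) & ~(size_t)3u;
}

/* Append one chunk to an output buffer. The capacity check is done on the
 * PADDED length, so the padding bytes can never land past the end of the
 * buffer, and the padding is explicitly zeroed. Returns the bytes consumed
 * (header + value + padding), or 0 if the chunk does not fit or its length
 * would not fit the 16-bit Length field. */
size_t sctp_append_chunk(uint8_t *out, size_t cap, size_t used,
                         uint8_t type, uint8_t flags,
                         const uint8_t *value, size_t vlen)
{
    size_t len = 4 + vlen;                  /* what goes into Length */
    size_t padded = sctp_padded_len(len);
    if (used > cap || len > 0xffff || padded > cap - used)
        return 0;
    uint8_t *p = out + used;
    p[0] = type;
    p[1] = flags;
    p[2] = (uint8_t)(len >> 8);
    p[3] = (uint8_t)(len & 0xff);
    memcpy(p + 4, value, vlen);
    memset(p + len, 0, padded - len);       /* zero padding, never stale bytes */
    return padded;
}

/* Walk the chunks of an SCTP packet body (common header already removed).
 * Every Length is validated BEFORE it is used:
 *   - at least 4 bytes must remain for the chunk header,
 *   - Length must be >= 4 (a chunk is never shorter than its header),
 *   - Length must fit in the remaining bytes.
 * The cursor advances by the padded length. Assumption of this example:
 * a final chunk whose padding was not transmitted is tolerated, which is
 * why the cursor is clamped to buflen. Returns the chunk count, or -1 on
 * malformed input; chunk types are stored in types[] (up to max). */
int sctp_walk_chunks(const uint8_t *buf, size_t buflen,
                     uint8_t *types, size_t max)
{
    size_t off = 0;
    int n = 0;
    while (off < buflen) {
        if (buflen - off < 4)
            return -1;                      /* truncated chunk header */
        size_t len = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (len < 4 || len > buflen - off)
            return -1;                      /* bogus Length: reject before touching data */
        if ((size_t)n < max)
            types[n] = buf[off];
        n++;
        size_t step = sctp_padded_len(len);
        off = (step > buflen - off) ? buflen : off + step;
    }
    return n;
}

int main(void)
{
    uint8_t pkt[64];
    const uint8_t cookie[5] = { 'c', 'o', 'o', 'k', 'y' };   /* constructed */
    size_t used = sctp_append_chunk(pkt, sizeof pkt, 0, SCTP_COOKIE_ECHO, 0,
                                    cookie, sizeof cookie);
    uint8_t types[4];
    int n = sctp_walk_chunks(pkt, used, types, 4);
    printf("wrote %zu bytes (Length 9 padded to 12), %d chunk(s), type %u\n",
           used, n, types[0]);

    /* constructed malformed body: a chunk claiming Length 2 */
    const uint8_t bad[4] = { SCTP_COOKIE_ECHO, 0x00, 0x00, 0x02 };
    printf("malformed body -> %d\n", sctp_walk_chunks(bad, sizeof bad, types, 4));
    return 0;
}
```

The point of the capacity check in `sctp_append_chunk` is that it compares against the padded length, not the Length field: a 9-byte chunk needs 12 bytes of room, and a buffer with 11 bytes free is rejected instead of having its padding written one byte past the end. The walker makes the opposite check, refusing any Length that is smaller than the header or larger than what is left, before the value bytes are ever read.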