
[bug report]: out of bound read in sadf which may lead to code execution #196

Closed
bash-c opened this issue Nov 21, 2018 · 1 comment


bash-c commented Nov 21, 2018

Information:

  • version:

```
analyses ./sadf -V
sysstat 版本 12.1.1
(C) Sebastien Godard (sysstat <at> orange.fr)
```

  • related code (sa_common.c:1293):

```c
1290    /* Remap [unsigned] long fields */
1291    d = gtypes_nr[0] - ftypes_nr[0];
1292    if (d) {
1293        memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1294                ((char *) ps) + ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1295                MINIMUM(f_size - ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1296                        g_size - gtypes_nr[0] * ULL_ALIGNMENT_WIDTH));
1297        if (d > 0) {
1298            memset(((char *) ps) + ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1299                   0, d * ULL_ALIGNMENT_WIDTH);
1300        }
1301    }
```
  • Description:
    memmove() doesn't check the args, and sadf crashes when the args are invalid. The following is my debug info:
```
pwndbg> 
memmove (__len=8, __src=0x8000ffffcf00, __dest=0x7fffffffd700) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40
40	  return __builtin___memmove_chk (__dest, __src, __len, __bos0 (__dest));
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────────────────────────────
 RAX  0x800
 RBX  0x5555557aba88 (file_hdr+40) ◂— 0xffffffff02
 RCX  0x10
 RDX  0x8
 RDI  0x7fffffffd700 ◂— 0x3
 RSI  0x8000ffffcf00
 R8   0x18
 R9   0xfffff810
 R10  0x8
 R11  0x1
 R12  0x5555557a5b50 (rec_types_nr) ◂— 0x2
 R13  0x18
 R14  0x7fffffffd6f0 ◂— 0x3030303030303030 ('00000000')
 R15  0x100
 RBP  0x10
 RSP  0x7fffffffd630 ◂— 0x0
 RIP  0x55555558cd8a (remap_struct+346) ◂— call   0x555555557e70
──────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────
   0x55555558cd7c <remap_struct+332>    sub    edx, edi
   0x55555558cd7e <remap_struct+334>    sub    eax, r9d
   0x55555558cd81 <remap_struct+337>    cmp    edx, eax
   0x55555558cd83 <remap_struct+339>    cmova  rdx, rax
   0x55555558cd87 <remap_struct+343>    add    rdi, r14
 ► 0x55555558cd8a <remap_struct+346>    call   memmove@plt <0x555555557e70>
        dest: 0x7fffffffd700 ◂— 0x3
        src: 0x8000ffffcf00
        n: 0x8
 
   0x55555558cd8f <remap_struct+351>    test   r15d, r15d
   0x55555558cd92 <remap_struct+354>    jle    remap_struct+386 <0x55555558cdb2>
 
   0x55555558cd94 <remap_struct+356>    mov    eax, dword ptr [rbx]
   0x55555558cd96 <remap_struct+358>    lea    edx, [r15*8]
   0x55555558cd9e <remap_struct+366>    xor    esi, esi
──────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────────────────────────────
   35 }
   36 
   37 __fortify_function void *
   38 __NTH (memmove (void *__dest, const void *__src, size_t __len))
   39 {
 ► 40   return __builtin___memmove_chk (__dest, __src, __len, __bos0 (__dest));
   41 }
   42 
   43 #ifdef __USE_GNU
   44 __fortify_function void *
   45 __NTH (mempcpy (void *__restrict __dest, const void *__restrict __src,
──────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffd630 ◂— 0x0
01:0008│      0x7fffffffd638 —▸ 0x5555557aba60 (file_hdr) ◂— 0x3030303030303030 ('00000000')
02:0010│      0x7fffffffd640 —▸ 0x7fffffffd6f0 ◂— 0x3030303030303030 ('00000000')
03:0018│      0x7fffffffd648 —▸ 0x5555557abc80 (record_hdr) ◂— 0x0
04:0020│      0x7fffffffd650 ◂— 0x0
... ↓
06:0030│      0x7fffffffd660 —▸ 0x7fffffffda40 ◂— 0x20 /* ' ' */
07:0038│      0x7fffffffd668 —▸ 0x55555558cfa0 (read_record_hdr+96) ◂— movdqu xmm0, xmmword ptr [rbp]
```

If we control src and n of memmove, a stack overflow may happen, which leads to ROP or even code execution!

  • ASAN:

```
sa_common_1293 ./sadf stack_oob
ASAN:DEADLYSIGNAL
=================================================================
==12760==ERROR: AddressSanitizer: SEGV on unknown address 0x100089c809c6 (pc 0x7f03a0cf6b85 bp 0x7fff4e445550 sp 0x7fff4e444cc0 T0)
==12760==The signal is caused by a READ memory access.
    #0 0x7f03a0cf6b84 in __interceptor_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ab84)
    #1 0x55d39dbc7e5e in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40
    #2 0x55d39dbc7e5e in remap_struct /home/m4x/Projects/sysstat-12.1.1/sa_common.c:1293
    #3 0x55d39dbc806f in read_record_hdr /home/m4x/Projects/sysstat-12.1.1/sa_common.c:1424
    #4 0x55d39db93f7b in read_next_sample /home/m4x/Projects/sysstat-12.1.1/sadf.c:239
    #5 0x55d39db958e5 in logic2_display_loop /home/m4x/Projects/sysstat-12.1.1/sadf.c:1173
    #6 0x55d39db9625c in read_stats_from_file /home/m4x/Projects/sysstat-12.1.1/sadf.c:1432
    #7 0x55d39db931f0 in main /home/m4x/Projects/sysstat-12.1.1/sadf.c:1799
    #8 0x7f03a08acb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x55d39db93c59 in _start (/home/m4x/Projects/huawei/crash/analyses/sysstat-sadf/sa_common_1293/sadf+0x4c59)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7ab84) in __interceptor_memmove
==12760==ABORTING
```

poc here
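The root cause visible in the quoted snippet is that `ftypes_nr[0]` and `f_size` come straight from the data file header, so the unsigned subtraction inside `MINIMUM()` can wrap and the `src` pointer ends up far outside `ps` (the `0x8000ffffcf00` seen in the debugger). The following is an added, hypothetical bounds-checked version of that remap step written for this review; it is not sysstat's code and not the project's actual patch for the issue. It assumes `ULL_ALIGNMENT_WIDTH` is 8, that the caller passes the real size of the `ps` buffer, and it uses constructed sample inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed width of one unsigned long long slot, mirroring the macro used in the report. */
#define ULL_ALIGNMENT_WIDTH 8

/*
 * Hypothetical, bounds-checked version of the "remap [unsigned] long fields" step.
 *   ps       : buffer holding the structure, buf_size bytes long
 *   f_size   : structure size as recorded in the data file header (untrusted)
 *   g_size   : structure size this build of sadf expects
 *   ftypes0  : number of ULL fields recorded in the file header (untrusted)
 *   gtypes0  : number of ULL fields this build expects
 * Returns 0 when the remap was performed, -1 when the header values are inconsistent.
 */
int remap_ull_fields_checked(unsigned char *ps, size_t buf_size,
                             size_t f_size, size_t g_size,
                             unsigned int ftypes0, unsigned int gtypes0)
{
    size_t f_off, g_off, n;

    /* Both counts get multiplied by the slot width; refuse values that would wrap. */
    if (ftypes0 > SIZE_MAX / ULL_ALIGNMENT_WIDTH ||
        gtypes0 > SIZE_MAX / ULL_ALIGNMENT_WIDTH)
        return -1;
    f_off = (size_t)ftypes0 * ULL_ALIGNMENT_WIDTH;
    g_off = (size_t)gtypes0 * ULL_ALIGNMENT_WIDTH;

    /* Each offset must lie inside its structure size; otherwise the unsigned
       subtractions in the original MINIMUM() expression wrap and the memmove
       source lands outside ps. The sizes must also fit the buffer we own. */
    if (f_off > f_size || g_off > g_size)
        return -1;
    if (f_size > buf_size || g_size > buf_size)
        return -1;

    n = f_size - f_off;
    if (g_size - g_off < n)
        n = g_size - g_off;

    /* Source [f_off, f_off+n) and destination [g_off, g_off+n) now provably lie in ps. */
    if (ftypes0 != gtypes0) {
        memmove(ps + g_off, ps + f_off, n);
        if (gtypes0 > ftypes0) {
            /* Slots inserted between f_off and g_off are zero-filled, as in the original. */
            memset(ps + f_off, 0, g_off - f_off);
        }
    }
    return 0;
}

/* Constructed check: a file with 1 ULL field read by a build that expects 2. */
int demo_valid_remap(void)
{
    unsigned char buf[32];
    size_t i;
    for (i = 0; i < sizeof(buf); i++)
        buf[i] = (unsigned char)i;          /* byte value == original position */

    if (remap_ull_fields_checked(buf, sizeof(buf), 16, 24, 1, 2) != 0)
        return 0;
    /* first ULL slot untouched, inserted slot zeroed, trailing 8 bytes shifted up by 8 */
    for (i = 0; i < 8; i++)
        if (buf[i] != i) return 0;
    for (i = 8; i < 16; i++)
        if (buf[i] != 0) return 0;
    for (i = 16; i < 24; i++)
        if (buf[i] != i - 8) return 0;
    return 1;
}

/* Constructed check: a header that claims more ULL fields than fit in f_size. */
int demo_rejects_bad_header(void)
{
    unsigned char buf[32] = {0};
    /* f_off would be 24 > f_size 16: the unchecked code would compute a wrapped length */
    if (remap_ull_fields_checked(buf, sizeof(buf), 16, 24, 3, 2) != -1)
        return 0;
    /* an absurd count that would push the source pointer far past the buffer */
    if (remap_ull_fields_checked(buf, sizeof(buf), 16, 24, 0xffffffffu, 2) != -1)
        return 0;
    return 1;
}

int main(void)
{
    printf("valid remap: %s\n", demo_valid_remap() ? "ok" : "FAILED");
    printf("bad header rejected: %s\n", demo_rejects_bad_header() ? "ok" : "FAILED");
    return 0;
}
```

The point of the extra comparisons is that every quantity derived from the file header is validated against a size the program itself owns before any pointer arithmetic happens; once `f_off <= f_size <= buf_size` and `g_off <= g_size <= buf_size` hold, both ranges handed to `memmove()` are inside the buffer by construction, which is what the fortified `__memmove_chk` in the trace cannot establish on its own.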

@bash-c bash-c changed the title [bug report]: out of bound read in sadf whilch may lead to code execution [bug report]: out of bound read in sadf which may lead to code execution Nov 21, 2018
@kirotawa

CVE-2018-19416 was assigned to this issue.
