[bug report]: out of bound read in sadf which leads to crash.

[bash-c]

Version

crashes ./sadf -V
sysstat 版本 12.1.1
(C) Sebastien Godard (sysstat <at> orange.fr)

Description

The remap_struct function in sa_common.c(line 1298) has an out-of-bounds read during a memset call, as demonstrated by sadf.

Related code(sa_common.c:1298)

 /* Remap [unsigned] long fields */
1291   │     d = gtypes_nr[0] - ftypes_nr[0];
1292   │     if (d) {
1293   │         memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1294   │             ((char *) ps) + ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1295   │             MINIMUM(f_size - ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1296   │                 g_size - gtypes_nr[0] * ULL_ALIGNMENT_WIDTH));
1297   │         if (d > 0) {
1298   │             memset(((char *) ps) + ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1299   │                    0, d * ULL_ALIGNMENT_WIDTH);
1300   │         }
1301   │     }

Additional Information

As the debug info shows, the args of memset points to an invalid address.

pwndbg> 
memset (__len=2048, __ch=0, __dest=0x5556557ad5d8) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
71	  return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest));
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────────────────────────────
 RAX  0xffffff05
 RBX  0x5555557a533c (io_act+156) ◂— 0xffffffff05
 RCX  0x28
 RDX  0x800
 RDI  0x5556557ad5d8
 RSI  0x0
 R8   0x28
 R9   0xfffff828
 R10  0x20
 R11  0x4
 R12  0x5555557a5330 (io_act+144) ◂— 0x5
 R13  0x28
 R14  0x5555557addb0 ◂— 0x3030303030303030 ('00000000')
 R15  0x100
 RBP  0x28
 RSP  0x7fffffffd5a0 ◂— 0x0
 RIP  0x55555558cdad (remap_struct+381) ◂— call   0x555555557c80
──────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────
   0x55555558cd96 <remap_struct+358>    lea    edx, [r15*8]
   0x55555558cd9e <remap_struct+366>    xor    esi, esi
   0x55555558cda0 <remap_struct+368>    movsxd rdx, edx
   0x55555558cda3 <remap_struct+371>    lea    edi, [rax*8]
   0x55555558cdaa <remap_struct+378>    add    rdi, r14
 ► 0x55555558cdad <remap_struct+381>    call   memset@plt <0x555555557c80>
        s: 0x5556557ad5d8
        c: 0x0
        n: 0x800
 
   0x55555558cdb2 <remap_struct+386>    mov    edx, dword ptr [r12 + 4]
   0x55555558cdb7 <remap_struct+391>    mov    eax, dword ptr [rbx + 4]
   0x55555558cdba <remap_struct+394>    mov    r15d, edx
   0x55555558cdbd <remap_struct+397>    sub    r15d, eax
   0x55555558cdc0 <remap_struct+400>    je     remap_struct+86 <0x55555558cc86>
──────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────────────────────────────
   66     {
   67       __warn_memset_zero_len ();
   68       return __dest;
   69     }
   70 #endif
 ► 71   return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest));
   72 }
   73 
   74 #ifdef __USE_MISC
   75 # include <bits/strings_fortified.h>
   76 
──────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffd5a0 ◂— 0x0
01:0008│      0x7fffffffd5a8 —▸ 0x5555557a3088 (act+40) —▸ 0x5555557a52a0 (io_act) ◂— 0x100000006
02:0010│      0x7fffffffd5b0 —▸ 0x5555557a3060 (act) —▸ 0x5555557a57a0 (cpu_act) ◂— 0x6f00000001
03:0018│      0x7fffffffd5b8 ◂— 0x1
04:0020│      0x7fffffffd5c0 —▸ 0x5555557ad3b0 ◂— 0x8b00000006
05:0028│      0x7fffffffd5c8 ◂— 0x1a
06:0030│      0x7fffffffd5d0 ◂— 0x1
07:0038│      0x7fffffffd5d8 —▸ 0x55555558d35b (read_file_stat_bunch+491) ◂— mov    rdi, qword ptr [rbx]
pwndbg> x $rdi
0x5556557ad5d8:	Cannot access memory at address 0x5556557ad5d8

ASAN

analysis ./sadf ./memset_oob
ASAN:DEADLYSIGNAL
=================================================================
==13962==ERROR: AddressSanitizer: SEGV on unknown address 0x6040fffff878 (pc 0x7efe5fec2fac bp 0x7fff532a4c80 sp 0x7fff532a43f8 T0)
==13962==The signal is caused by a WRITE memory access.
    #0 0x7efe5fec2fab  (/lib/x86_64-linux-gnu/libc.so.6+0x18efab)
    #1 0x7efe60183cde  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ecde)
    #2 0x5613e7409deb in remap_struct /home/m4x/Projects/huawei/sysstat-12.1.1/sa_common.c:1298
    #3 0x5613e740aacd in read_file_stat_bunch /home/m4x/Projects/huawei/sysstat-12.1.1/sa_common.c:1646
    #4 0x5613e73c0955 in read_next_sample /home/m4x/Projects/huawei/sysstat-12.1.1/sadf.c:298
    #5 0x5613e73c2bcf in logic2_display_loop /home/m4x/Projects/huawei/sysstat-12.1.1/sadf.c:1173
    #6 0x5613e73c370c in read_stats_from_file /home/m4x/Projects/huawei/sysstat-12.1.1/sadf.c:1432
    #7 0x5613e73c4a10 in main /home/m4x/Projects/huawei/sysstat-12.1.1/sadf.c:1799
    #8 0x7efe5fd55b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x5613e73c01c9 in _start (/home/m4x/Projects/huawei/analysis/sadf+0x41c9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18efab) 
==13962==ABORTING

poc here

[carnil]

This issue was assigned CVE-2018-19517

[sysstat]

Commit fbc691e should hopefully fix the problem.
Thanks go to @bash-c for reporting those issues.

[bash-c]

Yes I have checked all the crash POCs using the latest commit fbc691e
and the problem has been fixed.