
[bug report]: out of bound read in sadf which leads to crash. #199

Closed
bash-c opened this Issue Nov 23, 2018 · 3 comments

@bash-c

bash-c commented Nov 23, 2018

Version

crashes ./sadf -V
sysstat 版本 12.1.1
(C) Sebastien Godard (sysstat <at> orange.fr)

Description

The remap_struct function in sa_common.c (line 1298) has an out-of-bounds read during a memset call, as demonstrated by sadf.

Related code (sa_common.c:1298)

              /* Remap [unsigned] long fields */
1291          d = gtypes_nr[0] - ftypes_nr[0];
1292          if (d) {
1293                  memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1294                          ((char *) ps) + ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1295                          MINIMUM(f_size - ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1296                                  g_size - gtypes_nr[0] * ULL_ALIGNMENT_WIDTH));
1297                  if (d > 0) {
1298                          memset(((char *) ps) + ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
1299                                 0, d * ULL_ALIGNMENT_WIDTH);
1300                  }
1301          }

Additional Information

As the debug info shows, the destination argument of memset points to an invalid address.

pwndbg> 
memset (__len=2048, __ch=0, __dest=0x5556557ad5d8) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
71	  return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest));
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────────────────────────────
 RAX  0xffffff05
 RBX  0x5555557a533c (io_act+156) ◂— 0xffffffff05
 RCX  0x28
 RDX  0x800
 RDI  0x5556557ad5d8
 RSI  0x0
 R8   0x28
 R9   0xfffff828
 R10  0x20
 R11  0x4
 R12  0x5555557a5330 (io_act+144) ◂— 0x5
 R13  0x28
 R14  0x5555557addb0 ◂— 0x3030303030303030 ('00000000')
 R15  0x100
 RBP  0x28
 RSP  0x7fffffffd5a0 ◂— 0x0
 RIP  0x55555558cdad (remap_struct+381) ◂— call   0x555555557c80
──────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────
   0x55555558cd96 <remap_struct+358>    lea    edx, [r15*8]
   0x55555558cd9e <remap_struct+366>    xor    esi, esi
   0x55555558cda0 <remap_struct+368>    movsxd rdx, edx
   0x55555558cda3 <remap_struct+371>    lea    edi, [rax*8]
   0x55555558cdaa <remap_struct+378>    add    rdi, r14
0x55555558cdad <remap_struct+381>    call   memset@plt <0x555555557c80>
        s: 0x5556557ad5d8
        c: 0x0
        n: 0x800
 
   0x55555558cdb2 <remap_struct+386>    mov    edx, dword ptr [r12 + 4]
   0x55555558cdb7 <remap_struct+391>    mov    eax, dword ptr [rbx + 4]
   0x55555558cdba <remap_struct+394>    mov    r15d, edx
   0x55555558cdbd <remap_struct+397>    sub    r15d, eax
   0x55555558cdc0 <remap_struct+400>    je     remap_struct+86 <0x55555558cc86>
──────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────────────────────────────
   66     {
   67       __warn_memset_zero_len ();
   68       return __dest;
   69     }
   70 #endif
71   return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest));
   72 }
   73 
   74 #ifdef __USE_MISC
   75 # include <bits/strings_fortified.h>
   76 
──────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffd5a0 ◂— 0x0
01:0008│      0x7fffffffd5a8 —▸ 0x5555557a3088 (act+40) —▸ 0x5555557a52a0 (io_act) ◂— 0x100000006
02:0010│      0x7fffffffd5b0 —▸ 0x5555557a3060 (act) —▸ 0x5555557a57a0 (cpu_act) ◂— 0x6f00000001
03:0018│      0x7fffffffd5b8 ◂— 0x1
04:0020│      0x7fffffffd5c0 —▸ 0x5555557ad3b0 ◂— 0x8b00000006
05:0028│      0x7fffffffd5c8 ◂— 0x1a
06:0030│      0x7fffffffd5d0 ◂— 0x1
07:0038│      0x7fffffffd5d8 —▸ 0x55555558d35b (read_file_stat_bunch+491) ◂— mov    rdi, qword ptr [rbx]
pwndbg> x $rdi
0x5556557ad5d8:	Cannot access memory at address 0x5556557ad5d8

ASAN

analysis ./sadf ./memset_oob
ASAN:DEADLYSIGNAL
=================================================================
==13962==ERROR: AddressSanitizer: SEGV on unknown address 0x6040fffff878 (pc 0x7efe5fec2fac bp 0x7fff532a4c80 sp 0x7fff532a43f8 T0)
==13962==The signal is caused by a WRITE memory access.
    #0 0x7efe5fec2fab  (/lib/x86_64-linux-gnu/libc.so.6+0x18efab)
    #1 0x7efe60183cde  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ecde)
    #2 0x5613e7409deb in remap_struct /home/m4x/Projects/huawei/sysstat-12.1.1/sa_common.c:1298
    #3 0x5613e740aacd in read_file_stat_bunch /home/m4x/Projects/huawei/sysstat-12.1.1/sa_common.c:1646
    #4 0x5613e73c0955 in read_next_sample /home/m4x/Projects/huawei/sysstat-12.1.1/sadf.c:298
    #5 0x5613e73c2bcf in logic2_display_loop /home/m4x/Projects/huawei/sysstat-12.1.1/sadf.c:1173
    #6 0x5613e73c370c in read_stats_from_file /home/m4x/Projects/huawei/sysstat-12.1.1/sadf.c:1432
    #7 0x5613e73c4a10 in main /home/m4x/Projects/huawei/sysstat-12.1.1/sadf.c:1799
    #8 0x7efe5fd55b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x5613e73c01c9 in _start (/home/m4x/Projects/huawei/analysis/sadf+0x41c9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18efab) 
==13962==ABORTING

poc here

@carnil


carnil commented Nov 24, 2018

This issue was assigned CVE-2018-19517

sysstat added a commit that referenced this issue Nov 26, 2018

Fix #196 and #199: Out of bound reads security issues
Check args before calling memmove() and memset() in remap_struct()
function to avoid out of bound reads which would possibly lead to
unknown code execution and/or sadf command crash.

Signed-off-by: Sebastien GODARD <sysstat@users.noreply.github.com>
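The report above shows memmove()/memset() in remap_struct() being driven by field counts taken from the data file (the debugger session shows ftypes_nr[0] of 0xffffff05 producing a memset destination 4 GiB past the buffer), and the commit message says the fix is to check the arguments first. The following is an added example of what such a check looks like; it is not sysstat's code or the actual fbc691e patch, and the function names, the ps_size parameter and the sample buffer layout are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define ULL_ALIGNMENT_WIDTH 8                    /* one [unsigned] long long slot */
#define MINIMUM(a, b) ((a) < (b) ? (a) : (b))

/* Hypothetical bounds-checked form of the "[unsigned] long fields" step of
 * remap_struct() (added example, not the sysstat fix). ps is the scratch
 * buffer of ps_size bytes; f_size/g_size are the structure sizes in the file
 * and in this build; ftypes_nr[0]/gtypes_nr[0] count the long long fields,
 * ftypes_nr coming from the untrusted file header. Returns 0 on success,
 * -1 if memmove()/memset() would touch memory outside ps. */
static int remap_ull_fields(void *ps, size_t ps_size,
                            const unsigned int ftypes_nr[3],
                            const unsigned int gtypes_nr[3],
                            size_t f_size, size_t g_size)
{
    size_t f_off = (size_t) ftypes_nr[0] * ULL_ALIGNMENT_WIDTH;
    size_t g_off = (size_t) gtypes_nr[0] * ULL_ALIGNMENT_WIDTH;

    /* Both structures must fit the buffer and both offsets must lie inside
     * their structure. The report's ftypes_nr[0] of 0xffffff05 fails here. */
    if (f_size > ps_size || g_size > ps_size || f_off > f_size || g_off > g_size)
        return -1;
    if (f_off != g_off) {
        /* Both spans were checked, so the MINIMUM() length stays in bounds. */
        memmove((char *) ps + g_off, (char *) ps + f_off,
                MINIMUM(f_size - f_off, g_size - g_off));
        if (g_off > f_off)                      /* d > 0 in the original */
            memset((char *) ps + f_off, 0, g_off - f_off);
    }
    return 0;
}

/* Constructed sample: the file claims file_ull_count long long fields followed
 * by 8 bytes of other data (f_size 24); this build has 3 (g_size 32). Returns 1
 * when the remap succeeds, the trailing data lands at offset 24 and the
 * inserted slot 16..23 is zeroed; 0 when remap_ull_fields() rejects the input. */
static int demo_remap(unsigned int file_ull_count)
{
    unsigned char ps[64];
    unsigned int ftypes_nr[3] = {file_ull_count, 0, 0}, gtypes_nr[3] = {3, 0, 0};
    memset(ps, 0xAA, sizeof ps);
    memcpy(ps + 16, "tailbyte", 8);
    if (remap_ull_fields(ps, sizeof ps, ftypes_nr, gtypes_nr, 24, 32) != 0)
        return 0;
    if (memcmp(ps + 24, "tailbyte", 8) != 0) return 0;
    for (int i = 16; i < 24; i++) if (ps[i] != 0) return 0;
    return 1;
}
```

With the count from the crash report, the check rejects the file before memmove() or memset() is reached instead of computing an address outside the buffer.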
@sysstat


Owner

sysstat commented Nov 26, 2018

Commit fbc691e should hopefully fix the problem.
Thanks go to @bash-c for reporting those issues.

@sysstat sysstat closed this Nov 26, 2018

@bash-c


bash-c commented Nov 27, 2018

Yes I have checked all the crash POCs using the latest commit fbc691e
and the problem has been fixed.
