bugfix : coredump causes by memcpy in vbf_stp_error #2429
Conversation

@Dridi
IMO the correct fix is to ensure that GetStorage never returns a size larger than what we asked for, but might be more complicated than that.

Testcase (with ASAN):

Test output (panic only):

The file stevedore may return a buffer larger than asked for when requesting storage. Due to lack of check for this condition, the code to copy the synthetic error memory buffer from vcl_error would overrun the buffer. Fixes: varnishcache#2429

@shamger Thanks for the pull request. As you can see, @mbgrydeland has committed the fix you proposed, and I have back ported it to 4.1 as 19a7318.

This is CVE-2017-8807

This is Varnish Security Vulnerability VSV00002. See https://varnish-cache.org/security/VSV00002.html for details.
The file stevedore may return a buffer larger than asked for when requesting storage. Due to lack of check for this condition, the code to copy the synthetic error memory buffer from vcl_error would overrun the buffer. Patch by @shamger Fixes: varnishcache#2429
See the code in vbf_stp_error (cache_fetch.c). The variable l is the storage size that has been obtained, while ll is the length of VSB_data(synth_body).
In this case, the third parameter of memcpy is 4096, but the actual length of VSB_data(synth_body) is only 284. If the memory at VSB_data(synth_body)+284 is unavailable, a coredump will occur!
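The condition described above, as an added C example that is not Varnish code: a hypothetical stand-in allocator (`get_storage`, rounding every request up to a 4096-byte granule) plays the role of the stevedore that hands back more space than asked for, and `synth_copy_len` is the bound the fix introduces, taking the smaller of the storage size (l) and the synthetic body length (ll) instead of copying l bytes unconditionally. The 284-byte body is constructed here to reproduce the numbers in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stevedore stand-in (not Varnish code): rounds the request
 * up to a fixed granule, so it may return more space than was asked for. */
#define GRANULE 4096

struct storage {
	unsigned char	*ptr;
	size_t		space;	/* bytes the allocator actually handed back */
	size_t		len;	/* bytes in use */
};

static struct storage
get_storage(size_t want)
{
	struct storage st;

	st.space = ((want + GRANULE - 1) / GRANULE) * GRANULE;
	if (st.space == 0)
		st.space = GRANULE;
	st.ptr = malloc(st.space);
	st.len = 0;
	return (st);
}

/* The missing check: bound the copy by the synthetic body's real length
 * (ll) as well as by the storage size (l); never copy l bytes blindly. */
size_t
synth_copy_len(size_t l, size_t ll)
{
	return (l < ll ? l : ll);
}

/* Copy a synthetic body into storage, returning the bytes copied.
 * The copy never reads past body[ll - 1], whatever size was returned. */
size_t
copy_synth(struct storage *st, const char *body, size_t ll)
{
	size_t n = synth_copy_len(st->space, ll);

	memcpy(st->ptr, body, n);
	st->len = n;
	return (n);
}

/* Reproduces the report's numbers with a constructed 284-byte body:
 * 284 bytes requested, 4096 returned, exactly 284 copied. Returns the
 * bytes copied, or 0 on allocation failure or a content mismatch. */
size_t
run_example(void)
{
	char body[284];			/* constructed synthetic body */
	struct storage st;
	size_t copied;

	memset(body, 'x', sizeof body);
	st = get_storage(sizeof body);
	if (st.ptr == NULL)
		return (0);
	if (st.space != 4096) {		/* the stand-in rounded up to a granule */
		free(st.ptr);
		return (0);
	}
	copied = copy_synth(&st, body, sizeof body);
	if (memcmp(st.ptr, body, copied) != 0)
		copied = 0;
	free(st.ptr);
	return (copied);
}

int
main(void)
{
	printf("requested 284, storage returned 4096, copied %zu bytes\n",
	    run_example());
	return (0);
}
```

Under ASAN the unbounded variant (memcpy of st.space bytes from a 284-byte source) reports a stack-buffer-overflow read at body+284; with the bound in place the read stays inside the body regardless of how much storage the allocator rounds up to.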