Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

malicious server response causes out of bounds read in store_cname function #43

Open
Fusl opened this issue Jan 18, 2024 · 0 comments
Open

malicious server response causes out of bounds read in store_cname function #43

Fusl opened this issue Jan 18, 2024 · 0 comments

Comments

@Fusl
Copy link

Fusl commented Jan 18, 2024

A specially crafted response from a DoH server can cause store_cname to read data out of bounds:

ASan stack trace:

==3100859==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f08f3f00d68 at pc 0x55b90efcb4e6 bp 0x7ffdd6a6f910 sp 0x7ffdd6a6f908
READ of size 8 at 0x7f08f3f00d68 thread T0
    #0 0x55b90efcb4e5 in store_cname /home/fusl/Projects/curl/doh/doh.c:422:13
    #1 0x55b90efcb4e5 in rdata /home/fusl/Projects/curl/doh/doh.c:495:10
    #2 0x55b90efcb4e5 in doh_decode /home/fusl/Projects/curl/doh/doh.c:588:10
    #3 0x55b90efcb4e5 in main /home/fusl/Projects/curl/doh/doh.c:965:18
    #4 0x7f08f622accf  (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #5 0x7f08f622ad89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #6 0x55b90ee921c4 in _start (/home/fusl/Projects/curl/doh/doh+0x1f1c4) (BuildId: 1dfaebf7d37031b4a7bb6886e4aabdb4dcec14d6)

Address 0x7f08f3f00d68 is located in stack of thread T0 at offset 3432 in frame
    #0 0x55b90efc856f in main /home/fusl/Projects/curl/doh/doh.c:787

  This frame has 8 object(s):
    [32, 832) 'urls' (line 795)
    [960, 964) 'still_running' (line 799)
    [976, 3432) 'd' (line 801) <== Memory access at offset 3432 overflows this variable
    [3568, 3572) 'queued' (line 804)
    [3584, 3588) 'numfds' (line 922)
    [3600, 3616) 'wait' (line 940)
    [3632, 3640) 'probe' (line 950)
    [3664, 3672) 'response_code' (line 962)

Server response that triggers this out of bounds read:

00000000: 0000 8130 0001 0000 0001 3030 0030 3030  ...0......00.000
00000010: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000020: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000030: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000040: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000050: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000060: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000070: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000080: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000090: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000000a0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000000b0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000000c0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000000d0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000000e0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000000f0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000100: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000110: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000120: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000130: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000140: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000150: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000160: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000170: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000180: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000190: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000001a0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000001b0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000001c0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000001d0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000001e0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000001f0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000200: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000210: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000220: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000230: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000240: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000250: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000260: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000270: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000280: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000290: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000002a0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000002b0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000002c0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000002d0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000002e0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000002f0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000300: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000310: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000320: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000330: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000340: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000350: 3030 0030 3030 3030 3030 3000 0000 3030  00.00000000...00
00000360: 3030 3030 3030 0000 0030 3030 3030 3030  000000...0000000
00000370: 3000 0030 3030 3030 3030 3030 3030 3030  0..0000000000000
00000380: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000390: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000003a0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000003b0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000003c0: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
000003d0: 3030 3030 3000 3030 3030 3030 3030 0000  00000.00000000..
000003e0: 0030 3030 3030 3030 3000 0000 3030 3030  .00000000...0000
000003f0: 3030 3030 0000 0030 3030 3030 3030 30    0000...00000000

This bug was discovered with the help of AFL++ in combination with ASan.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Fusl