Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jul 2015 21:17:04 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: siege: off-by-one in load_conf()

Description:
Siege is an http load testing and benchmarking utility.

During the test of a webserver, I hit a segmentation fault. I recompiled 
siege with ASan and it clearly show an off-by-one in load_conf(). The issue 
is reproducible without passing any arguments to the binary.
The complete output:

ago@...loughby ~ # siege
===============================================
==================
==488==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x60200000d7f1 at pc 0x00000051ab64 bp 0x7ffcc3d19a70 sp 
0x7ffcc3d19a68
READ of size 1 at 0x60200000d7f1 thread T0
#0 0x51ab63 in load_conf /var/tmp/portage/app-
benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:263:12
#1 0x515486 in init_config /var/tmp/portage/app-
benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:96:7
#2 0x5217b9 in main /var/tmp/portage/app-
benchmarks/siege-3.1.0/work/siege-3.1.0/src/main.c:324:7
#3 0x7fb2b1b93aa4 in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
#4 0x439426 in _start (/usr/bin/siege+0x439426)

0x60200000d7f1 is located 0 bytes to the right of 1-byte region 
[0x60200000d7f0,0x60200000d7f1)
allocated by thread T0 here:
#0 0x4c03e2 in __interceptor_malloc /var/tmp/portage/sys-
devel/llvm-3.6.1/work/llvm-3.6.1.src/projects/compiler-
rt/lib/asan/asan_malloc_linux.cc:40:3
#1 0x7fb2b1bf31e9 in __strdup /var/tmp/portage/sys-libs/glibc-2.20-
r2/work/glibc-2.20/string/strdup.c:42

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/app-
benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:263 load_conf
Shadow bytes around the buggy address:
0x0c047fff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa
0x0c047fff9b00: fa fa 03 fa fa fa fd fd fa fa fd fa fa fa fd fd                                                                                                                     
0x0c047fff9b10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd                                                                                                                     
0x0c047fff9b20: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa                                                                                                                     
0x0c047fff9b30: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa                                                                                                                     
0x0c047fff9b40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd                                                                                                                     
Shadow byte legend (one shadow byte represents 8 application bytes):                                                                                                                
Addressable: 00                                                                                                                                                                     
Partially addressable: 01 02 03 04 05 06 07                                                                                                                                         
Heap left redzone: fa                                                                                                                                                               
Heap right redzone: fb                                                                                                                                                              
Freed heap region: fd                                                                                                                                                               
Stack left redzone: f1                                                                                                                                                              
Stack mid redzone: f2                                                                                                                                                               
Stack right redzone: f3                                                                                                                                                             
Stack partial redzone: f4                                                                                                                                                           
Stack after return: f5                                                                                                                                                              
Stack use after scope: f8                                                                                                                                                           
Global redzone: f9                                                                                                                                                                  
Global init order: f6                                                                                                                                                               
Poisoned by user: f7                                                                                                                                                                
Container overflow: fc                                                                                                                                                              
Array cookie: ac                                                                                                                                                                    
Intra object redzone: bb                                                                                                                                                            
ASan internal: fe                                                                                                                                                                   
Left alloca redzone: ca                                                                                                                                                             
Right alloca redzone: cb                                                                                                                                                            
==488==ABORTING                                                                                                                                                                     
Affected version:                                                                                                                                                                   
3.1.0 (and maybe past versions).                                                                                                                                                    
                                                                                                                                                                                    
Fixed version:                                                                                                                                                                      
Not available.                                                                                                                                                                      
                                                                                                                                                                                    
Commit fix:                                                                                                                                                                         
Not available.                                                                                                                                                                      
                                                                                                                                                                                    
Credit:                                                                                                                                                                             
This bug was discovered by Agostino Sarubbo of Gentoo.                                                                                                                              

CVE:
Not assigned.

Timeline:
2015-06-09: bug discovered
2015-06-10: bug reported privately to upstream
2015-07-13: no upstream response
2015-07-14: advisory release

Permalink:
https://blogs.gentoo.org/ago/2015/07/14/siege-off-by-one-in-load_conf


@MITRE:
If you think this deserves a CVE, please assign one.
Thanks.

-- 
Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ