Date: Mon, 14 Nov 2016 06:53:24 +0100
From: Ondřej Surý <ondrej@...y.org>
To: oss-security@...ts.openwall.com, Sam Trenholme <sam-k6mymjcnjpz3fmkieotlt7rbgvqt98qy@...iam.org>
Subject: Re: Remote crash in MaraDNS 2.0.13 and git master

Hi all,

AFL found another 5 crashes, totaling 6 unique crashes. Looking at the
backtraces it looks like it's just 3 unique crashes:

- js_readuint16
- js_substr
- process_query -> this in fact looks like stack smashing, since it
  crashes on htons in an unrelated place

id:000000
id:000002

Program received signal SIGSEGV, Segmentation fault.
js_readuint16 (js=js@...ry=0x6de290, offset=offset@...ry=4) at JsStr.c:1064
1064	    (*(js->string + offset + 1) & 0xff);

id:000001
id:000005

Program received signal SIGSEGV, Segmentation fault.
js_substr (source=source@...ry=0x6de290, dest=dest@...ry=0x6e37f0, start=start@...ry=99, count=count@...ry=63743) at JsStr.c:731
731	        *(source->string + counter + start * source->unit_size);

NOTE: id000001 cannot be reproduced on git master, but id000005 still
crashes it, so they probably are separate issues after all.

id:000003
id:000004

Program received signal SIGSEGV, Segmentation fault.
proc_query (raw=0x6de5d0, ect=0x7fffffffd940, sock=0) at MaraDNS.c:2615
2615	    ip = htonl((z->sin_addr).s_addr);

This is after 58 AFL cycles. It will be worth retesting with ASAN enabled.

Cheers,
--
Ondřej Surý <ondrej@...y.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – flour from the mill and supplies for baking bread of all kinds

On Sat, Nov 12, 2016, at 09:39, Ondřej Surý wrote:
> Hi,
>
> while playing with fuzzing the DNS servers with AFL (2.35b) I found a
> remote crash bug in MaraDNS 2.0.13 js_readuint16. It can also be
> reproduced using https://github.com/samboy/MaraDNS/ master branch.
>
> Attached is a patch to allow the fuzzing (it overrides getudp() with
> read(0, ..)), the input data that crashes MaraDNS, and the bt full
> output.
>
> Please assign a CVE. I would provide a patch, but MaraDNS code is
> extremely hard to navigate for me, so I'll leave the fix for the code
> author.
>
> AFL has finished only 1 cycle (and found the 1 unique crash), so I'll
> keep it running for a while.
>
> Cheers,
> --
> Ondřej Surý <ondrej@...y.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
> Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
> fast DNS(SEC) resolver
> Vše pro chleba (https://vseprochleba.cz) – flour from the mill and
> supplies for baking bread of all kinds
> Email had 3 attachments:
> + maradns.btfull
> 5k (application/octet-stream)
> + allow-fuzzing.patch
> 2k (text/x-patch)
> + id:000000,sig:11,src:007564,op:havoc,rep:32
> 1k (application/octet-stream)