Date: Mon, 14 Nov 2016 06:53:24 +0100
From: Ondřej Surý <ondrej@...y.org>
To: oss-security@...ts.openwall.com,
 Sam Trenholme <sam-k6mymjcnjpz3fmkieotlt7rbgvqt98qy@...iam.org>
Subject: Re: Remote crash in MaraDNS 2.0.13 and git master

Hi all,

AFL found another 5 crashes, totaling 6 unique crashes. Looking at the
backtraces, it looks like it's just 3 unique crashes:

- js_readuint16
- js_substr

- process_query -> this in fact looks like stack smashing, since it
crashes on htons in an unrelated place

id:000000
id:000002
Program received signal SIGSEGV, Segmentation fault.
js_readuint16 (js=js@...ry=0x6de290, offset=offset@...ry=4) at
JsStr.c:1064
1064               (*(js->string + offset + 1) & 0xff);


id:000001
id:000005
Program received signal SIGSEGV, Segmentation fault.
js_substr (source=source@...ry=0x6de290, dest=dest@...ry=0x6e37f0,
start=start@...ry=99, count=count@...ry=63743) at JsStr.c:731
731               *(source->string + counter + start *
source->unit_size);

NOTE: id000001 cannot be reproduced on git master, but id000005 still
crashes it, so they probably are separate issues after all.

id:000003
id:000004
Program received signal SIGSEGV, Segmentation fault.
proc_query (raw=0x6de5d0, ect=0x7fffffffd940, sock=0) at MaraDNS.c:2615
2615        ip = htonl((z->sin_addr).s_addr);

This is after 58 AFL cycles.

It will be worth retesting with ASAN enabled.

Cheers,
-- 
Ondřej Surý <ondrej@...y.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – flour from the mill and supplies for
baking bread of all kinds

On Sat, Nov 12, 2016, at 09:39, Ondřej Surý wrote:
> Hi,
> 
> while playing with fuzzing the DNS servers with AFL (2.35b) I found a
> remote crash bug in MaraDNS 2.0.13 js_readuint16. It can be also
> reproduced using https://github.com/samboy/MaraDNS/ master branch.
> 
> Attached is a patch to allow the fuzzing (it overrides getudp() with
> read(0, ..)), the input data that crashes MaraDNS, and the bt full
> output.
> 
> Please assign a CVE. I would provide a patch, but MaraDNS code is
> extremely hard to navigate for me, so I'll leave the fix for the code
> author.
> 
> AFL has finished only 1 cycle (and found the 1 unique crash), so I'll
> keep it running for a while.
> 
> Cheers,
> -- 
> Ondřej Surý <ondrej@...y.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
> Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
> fast DNS(SEC) resolver
> Vše pro chleba (https://vseprochleba.cz) – flour from the mill and supplies for
> baking bread of all kinds
> Email had 3 attachments:
> + maradns.btfull
>   5k (application/octet-stream)
> + allow-fuzzing.patch
>   2k (text/x-patch)
> + id:000000,sig:11,src:007564,op:havoc,rep:32
>   1k (application/octet-stream)
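The two crashes above (js_readuint16 reading past the string at offset 4, js_substr asked for count=63743) are the kind of out-of-bounds access a length check on the string rejects. As an added example, not MaraDNS code, here is a bounds-checked 16-bit read and substring over a hypothetical length-tracked string type whose field names are modelled on the backtraces; safe_str, safe_readuint16, safe_substr and the sample buffer are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical length-tracked string. Only the field names are borrowed from
   the backtraces above; this is not MaraDNS's js_string. */
typedef struct {
    unsigned char *string;   /* backing buffer */
    size_t unit_size;        /* bytes per element */
    size_t unit_count;       /* number of valid elements in the buffer */
} safe_str;

/* Read a big-endian 16-bit value at byte offset `offset`.
   Returns 0 and stores the value, or -1 if the read would leave the buffer.
   The check is ordered so that offset + 2 cannot wrap around. */
int safe_readuint16(const safe_str *s, size_t offset, uint16_t *out)
{
    size_t len = s->unit_count * s->unit_size;
    if (s->string == NULL || offset > len || len - offset < 2)
        return -1;
    *out = (uint16_t)((s->string[offset] << 8) | s->string[offset + 1]);
    return 0;
}

/* Copy `count` elements starting at element `start` into dest (dest_cap bytes).
   Returns bytes copied, or -1 if the range is outside the source or too large
   for the destination. `count > unit_count - start` is safe because start has
   already been bounded by unit_count. */
long safe_substr(const safe_str *src, size_t start, size_t count,
                 unsigned char *dest, size_t dest_cap)
{
    if (src->string == NULL || start > src->unit_count ||
        count > src->unit_count - start)
        return -1;
    size_t bytes = count * src->unit_size;
    if (bytes > dest_cap)
        return -1;
    memcpy(dest, src->string + start * src->unit_size, bytes);
    return (long)bytes;
}

/* Constructed sample: a 6-byte buffer standing in for a short packet. */
static unsigned char sample[6] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc };
static const safe_str sample_str = { sample, 1, 6 };

/* Value read at `offset`, or -1 when the read is rejected. */
long demo_read(size_t offset)
{
    uint16_t v;
    return safe_readuint16(&sample_str, offset, &v) ? -1 : (long)v;
}

/* Bytes copied for the requested element range, or -1 when rejected. */
long demo_substr(size_t start, size_t count)
{
    unsigned char d[8];
    return safe_substr(&sample_str, start, count, d, sizeof d);
}
```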
