Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 11 Jan 2019 23:44:28 +0530
From: Dhiraj Mishra <mishra.dhiraj95@...il.com>
To: oss-security@...ts.openwall.com
Subject: SEGV in libIEC61850 protocol

Hi List,

## Summary:
An issue has been found in libIEC61850 v1.3.1. Ethernet_setProtocolFilter
in hal/ethernet/linux/ethernet_linux.c has a SEGV, as demonstrated by
sv_subscriber_example.c and sv_subscriber.c.

## Snip code from sv_subscriber.c#L186
        Thread_start(thread);
    }
    else {
        if (DEBUG_SV_SUBSCRIBER)
            printf("SV_SUBSCRIBER: Starting SV receiver failed for
interface %s\n", self->interfaceId);
    }
}

## Memory leak:

Using interface eth0
Error creating raw socket!
ASAN:DEADLYSIGNAL
==1403==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000a (pc
0x55b5675c1284 bp 0x7f92623fee30 sp 0x7f92623fee20 T1)
==1403==The signal is caused by a WRITE memory access.
==1403==Hint: address points to the zero page.
    #0 0x55b5675c1283 in Ethernet_setProtocolFilter
/home/input0/Desktop/libiec61850/hal/ethernet/linux/ethernet_linux.c:209
    #1 0x55b5675ba75f in SVReceiver_startThreadless
/home/input0/Desktop/libiec61850/src/sampled_values/sv_subscriber.c:232
    #2 0x55b5675ba3b7 in svReceiverLoop
/home/input0/Desktop/libiec61850/src/sampled_values/sv_subscriber.c:163
    #3 0x55b5675c1720 in destroyAutomaticThread
/home/input0/Desktop/libiec61850/hal/thread/linux/thread_linux.c:90
    #4 0x7f9265c976da in start_thread
(/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #5 0x7f92659c088e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/home/input0/Desktop/libiec61850/hal/ethernet/linux/ethernet_linux.c:209 in
Ethernet_setProtocolFilter
Thread T1 created by T0 here:
    #0 0x7f9265ee6d2f in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x55b5675c17ab in Thread_start
/home/input0/Desktop/libiec61850/hal/thread/linux/thread_linux.c:101
    #2 0x55b5675ba49a in SVReceiver_start
/home/input0/Desktop/libiec61850/src/sampled_values/sv_subscriber.c:186
    #3 0x55b5675b9eec in main
/home/input0/Desktop/libiec61850/examples/sv_subscriber/sv_subscriber_example.c:76
    #4 0x7f92658c0b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

==1403==ABORTING

Later CVE-2019-6136 was assigned to this.


Thank you
@mishradhiraj_

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.