[Dnsmasq-discuss] Memory corruption in my_syslog (log.c), SIGABRT (double free)

Stephan Zeisberg stephan.zeisberg at splone.com
Wed May 3 17:47:00 BST 2017


Hello,

Opening the attached sample config input file with dnsmasq results in a
SIGABRT. The input file was fuzzed with american fuzzy lop
(http://lcamtuf.coredump.cx/afl/).

Version:

commit b2a9c571ebb333acbaa6bd752142df6821cb410c

How to reproduce:

$ ./src/dnsmasq --test -C <attached config file>

Output (memory map/bt):

dnsmasq: bad option at line 8 of /tmp/dnsmasq_crash
*** Error in `./src/dnsmasq': double free or corruption (out): 0x0000000000ebc680 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x722ab)[0x7f5e308612ab]
/usr/lib/libc.so.6(+0x7890e)[0x7f5e3086790e]
/usr/lib/libc.so.6(+0x7911e)[0x7f5e3086811e]
/usr/lib/libc.so.6(_IO_setb+0x4b)[0x7f5e3086522b]
/usr/lib/libc.so.6(_IO_file_close_it+0xae)[0x7f5e3086385e]
/usr/lib/libc.so.6(fclose+0x1bf)[0x7f5e30856def]
/usr/lib/libc.so.6(+0xac5ad)[0x7f5e3089b5ad]
/usr/lib/libc.so.6(+0xab5f9)[0x7f5e3089a5f9]
/usr/lib/libc.so.6(+0xab8dd)[0x7f5e3089a8dd]
/usr/lib/libc.so.6(__vsyslog_chk+0xd4)[0x7f5e308d6114]
./src/dnsmasq[0x4966ab]
./src/dnsmasq[0x4976b2]
./src/dnsmasq[0x422f71]
./src/dnsmasq[0x42159a]
./src/dnsmasq[0x424c3d]
./src/dnsmasq[0x457557]
/usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7f5e3080f511]
./src/dnsmasq[0x40331a]
======= Memory map: ========
00400000-004d2000 r-xp 00000000 fe:03 12073597                           src/dnsmasq
006d1000-006d2000 r--p 000d1000 fe:03 12073597                           src/dnsmasq
006d2000-006d4000 rw-p 000d2000 fe:03 12073597                           src/dnsmasq
006d4000-006e4000 rw-p 00000000 00:00 0 
00eb8000-00ed9000 rw-p 00000000 00:00 0                                  [heap]
7f5e2c000000-7f5e2c021000 rw-p 00000000 00:00 0 
7f5e2c021000-7f5e30000000 ---p 00000000 00:00 0 
7f5e305d8000-7f5e305ee000 r-xp 00000000 fe:02 306247                     /usr/lib/libgcc_s.so.1
7f5e305ee000-7f5e307ed000 ---p 00016000 fe:02 306247                     /usr/lib/libgcc_s.so.1
7f5e307ed000-7f5e307ee000 r--p 00015000 fe:02 306247                     /usr/lib/libgcc_s.so.1
7f5e307ee000-7f5e307ef000 rw-p 00016000 fe:02 306247                     /usr/lib/libgcc_s.so.1
7f5e307ef000-7f5e3098a000 r-xp 00000000 fe:02 264297                     /usr/lib/libc-2.25.so
7f5e3098a000-7f5e30b89000 ---p 0019b000 fe:02 264297                     /usr/lib/libc-2.25.so
7f5e30b89000-7f5e30b8d000 r--p 0019a000 fe:02 264297                     /usr/lib/libc-2.25.so
7f5e30b8d000-7f5e30b8f000 rw-p 0019e000 fe:02 264297                     /usr/lib/libc-2.25.so
7f5e30b8f000-7f5e30b93000 rw-p 00000000 00:00 0 
7f5e30b93000-7f5e30bb6000 r-xp 00000000 fe:02 264298                     /usr/lib/ld-2.25.so
7f5e30d7a000-7f5e30d7c000 rw-p 00000000 00:00 0 
7f5e30db4000-7f5e30db5000 rw-p 00000000 00:00 0 
7f5e30db5000-7f5e30db6000 r--p 00022000 fe:02 264298                     /usr/lib/ld-2.25.so
7f5e30db6000-7f5e30db7000 rw-p 00023000 fe:02 264298                     /usr/lib/ld-2.25.so
7f5e30db7000-7f5e30db8000 rw-p 00000000 00:00 0 
7fffcf4f4000-7fffcf515000 rw-p 00000000 00:00 0                          [stack]
7fffcf53f000-7fffcf541000 r--p 00000000 00:00 0                          [vvar]
7fffcf541000-7fffcf543000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
[1]    25674 abort (core dumped)  ./src/dnsmasq --test -C /tmp/dnsmasq_crash

gdb:

Program terminated with signal SIGABRT, Aborted.
#0  0x00007f5e30822a10 in raise () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007f5e30822a10 in raise () from /usr/lib/libc.so.6
#1  0x00007f5e3082413a in abort () from /usr/lib/libc.so.6
#2  0x00007f5e308612b0 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007f5e3086790e in malloc_printerr () from /usr/lib/libc.so.6
#4  0x00007f5e3086811e in _int_free () from /usr/lib/libc.so.6
#5  0x00007f5e3086522b in __GI__IO_setb () from /usr/lib/libc.so.6
#6  0x00007f5e3086385e in __GI__IO_file_close_it () from /usr/lib/libc.so.6
#7  0x00007f5e30856def in fclose@@GLIBC_2.2.5 () from /usr/lib/libc.so.6
#8  0x00007f5e3089b5ad in __tzfile_read () from /usr/lib/libc.so.6
#9  0x00007f5e3089a5f9 in tzset_internal () from /usr/lib/libc.so.6
#10 0x00007f5e3089a8dd in __tz_convert () from /usr/lib/libc.so.6
#11 0x00007f5e308d6114 in __vsyslog_chk () from /usr/lib/libc.so.6
#12 0x00000000004966ab in my_syslog (priority=2, format=0x4cb3b6 "%s") at log.c:340
#13 0x00000000004976b2 in die (message=0x4cb3b6 "%s", arg1=0xeb8010 "bad option at line 8 of /tmp/dnsmasq_crash", exit_code=1) at log.c:469
#14 0x0000000000422f71 in read_file (file=<optimized out>, f=<optimized out>, hard_opt=<optimized out>) at option.c:4310
#15 0x000000000042159a in one_file (file=0xeb8eb0 "/tmp/dnsmasq_crash", hard_opt=0) at option.c:4396
#16 0x0000000000424c3d in read_opts (argc=4, argv=0x7fffcf513728, compile_opts=<optimized out>) at option.c:4733
#17 0x0000000000457557 in main (argc=2, argv=0x7fffcf5128d0) at dnsmasq.c:89

Regards,
Stephan
-- 
Stephan Zeisberg
Security Researcher

m: stephan.zeisberg at splone.com
pgp: 3C2B 7189 9C16 1E71 5BFB 8690 2C3F EF24 6DBF B588

splone UG (haftungsbeschränkt)
c/o Freie Universität Berlin
Malteserstr. 74-100
12249 Berlin
https://splone.com
HRB 166495 Amtsgericht Charlottenburg
USt-Identnummer: DE300454199

twitter: http://twitter.com/sploneberlin

Confidentiality: This e-mail contains confidential information intended
only for the addressee. If you are not the intended recipient you may
not disclose, copy, use or otherwise distribute the content of this
email.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnsmasq_crash
Type: application/octet-stream
Size: 617 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20170503/64bb4539/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 874 bytes
Desc: OpenPGP digital signature
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20170503/64bb4539/attachment-0001.sig>
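A reading of the two dumps above, for anyone triaging this class of crash: glibc only validates heap metadata when a chunk is freed, so the frames say where the damage was noticed, not where it was done. `double free or corruption (out)` is raised in `_int_free()` when the size field of the chunk being freed places its successor past the end of the arena; the chunk here is a stdio buffer released by `fclose()` inside `__tzfile_read()`, reached because `vsyslog()` formats a timestamp while `die()` logs the `bad option` message. The corruption therefore most likely happened earlier, while the fuzzed config was being parsed in option.c, and the report itself does not identify that point. The Python below is an added example, not dnsmasq code and not part of the original post: it parses both dumps as pasted above (copied into the block as sample input) and reduces them to the facts a triage note needs: the check that fired and what it tests (the check meanings are recalled from glibc's `_int_free()` of that era, they are not stated in the report), the innermost symbolized frame, the innermost frame with source information, and an `addr2line` command for the frames glibc printed as bare addresses, which are usable unchanged because the memory map shows a non-PIE binary with its text at 0x400000.

```python
"""Triage a glibc malloc abort together with the matching gdb backtrace.

Added example, not dnsmasq code. Sample inputs are copied from the report
above (glibc dump cut to its backtrace, gdb output cut to frames #11-#13);
FREE_CHECKS is recalled from glibc's _int_free(), it is not in the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GLIBC_ABORT = """\
*** Error in `./src/dnsmasq': double free or corruption (out): 0x0000000000ebc680 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x722ab)[0x7f5e308612ab]
/usr/lib/libc.so.6(+0x7890e)[0x7f5e3086790e]
/usr/lib/libc.so.6(+0x7911e)[0x7f5e3086811e]
/usr/lib/libc.so.6(_IO_setb+0x4b)[0x7f5e3086522b]
/usr/lib/libc.so.6(_IO_file_close_it+0xae)[0x7f5e3086385e]
/usr/lib/libc.so.6(fclose+0x1bf)[0x7f5e30856def]
/usr/lib/libc.so.6(+0xac5ad)[0x7f5e3089b5ad]
/usr/lib/libc.so.6(+0xab5f9)[0x7f5e3089a5f9]
/usr/lib/libc.so.6(+0xab8dd)[0x7f5e3089a8dd]
/usr/lib/libc.so.6(__vsyslog_chk+0xd4)[0x7f5e308d6114]
./src/dnsmasq[0x4966ab]
./src/dnsmasq[0x4976b2]
./src/dnsmasq[0x422f71]
./src/dnsmasq[0x42159a]
./src/dnsmasq[0x424c3d]
./src/dnsmasq[0x457557]
/usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7f5e3080f511]
./src/dnsmasq[0x40331a]
"""

GDB_BT = """\
#11 0x00007f5e308d6114 in __vsyslog_chk () from /usr/lib/libc.so.6
#12 0x00000000004966ab in my_syslog (priority=2, format=0x4cb3b6 "%s") at log.c:340
#13 0x00000000004976b2 in die (message=0x4cb3b6 "%s", arg1=0xeb8010 "bad option at line 8 of /tmp/dnsmasq_crash", exit_code=1) at log.c:469
"""

# _int_free() sanity checks on the chunk being freed: the message names the
# check that fired, not the code that corrupted the heap.
FREE_CHECKS: Dict[str, str] = {
    "double free or corruption (fasttop)": "chunk already heads its fastbin",
    "double free or corruption (top)": "chunk is the arena's top chunk",
    "double free or corruption (out)": "size field puts the next chunk past the arena end",
    "double free or corruption (!prev)": "next chunk's header says this chunk is free already",
    "free(): invalid next size (normal)": "next chunk's size field is implausible",
}

ABORT_RE = re.compile(r"\*\*\* Error in `(?P<prog>[^']+)': (?P<reason>.+?): (?P<addr>0x[0-9a-f]+) \*\*\*")
FRAME_RE = re.compile(r"^(?P<mod>\S+?)(?:\((?P<sym>[^+)]*)\+0x[0-9a-f]+\))?\[(?P<addr>0x[0-9a-f]+)\]$")
GDB_RE = re.compile(r"^#(?P<n>\d+)\s+0x[0-9a-f]+ in (?P<func>\w+) \(.*\)(?: at (?P<loc>\S+:\d+)| from \S+)$")


@dataclass
class Frame:
    module: str
    symbol: Optional[str]  # None where glibc printed only module(+offset)
    addr: int


def parse_abort(text: str) -> Tuple[str, str, int]:
    """(program, check message, chunk address) from the '*** Error in' line."""
    m = ABORT_RE.search(text)
    if m is None:
        raise ValueError("no glibc abort header found")
    return m.group("prog"), m.group("reason"), int(m.group("addr"), 16)


def parse_backtrace(text: str) -> List[Frame]:
    """glibc's own 'module(symbol+off)[addr]' frames, innermost first."""
    return [Frame(m.group("mod"), m.group("sym") or None, int(m.group("addr"), 16))
            for m in map(FRAME_RE.match, (ln.strip() for ln in text.splitlines())) if m]


def detection_site(frames: List[Frame]) -> Optional[str]:
    """Innermost symbolized frame: where glibc noticed the damage, not where it happened."""
    return next((f.symbol for f in frames if f.symbol), None)


def addr2line_command(frames: List[Frame], program: str, load_base: int = 0) -> str:
    """addr2line invocation for the frames glibc left as bare addresses."""
    # The report's memory map has src/dnsmasq text at 0x400000 (non-PIE), so the
    # addresses go in unchanged; for a PIE build pass its load base instead.
    addrs = " ".join(hex(f.addr - load_base) for f in frames if f.module == program)
    return f"addr2line -f -i -e {program} {addrs}"


def parse_gdb_bt(text: str) -> List[Tuple[int, str, Optional[str]]]:
    """(frame number, function, file:line or None) per gdb 'bt' line."""
    return [(int(m.group("n")), m.group("func"), m.group("loc"))
            for m in map(GDB_RE.match, (ln.strip() for ln in text.splitlines())) if m]


def first_source_frame(gdb_frames: List[Tuple[int, str, Optional[str]]]):
    """Innermost frame with debug info, i.e. the first line of the program under test."""
    return next((fr for fr in gdb_frames if fr[2]), None)


def triage(abort_text: str, gdb_text: str) -> Dict[str, object]:
    program, reason, chunk = parse_abort(abort_text)
    frames = parse_backtrace(abort_text)
    return {
        "chunk": hex(chunk),
        "check": reason,
        "check_meaning": FREE_CHECKS.get(reason, "unknown check"),
        "detected_in": detection_site(frames),
        "first_source_frame": first_source_frame(parse_gdb_bt(gdb_text)),
        "symbolize": addr2line_command(frames, program),
    }
```

`triage(GLIBC_ABORT, GDB_BT)` returns the summary as a dict; print it or feed it into the bug tracker. To find the first bad write rather than the detection point, rebuild with AddressSanitizer and debug info and rerun the report's own command line: assuming the dnsmasq Makefile takes CFLAGS and LDFLAGS from the make command line, `make CFLAGS='-g -O1 -fsanitize=address' LDFLAGS='-fsanitize=address'` followed by `./src/dnsmasq --test -C /tmp/dnsmasq_crash` stops at the offending access with a stack naming the option.c line, instead of aborting later inside `fclose()`.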