[Dnsmasq-discuss] Memory corruption in my_syslog (log.c), SIGABRT (double free)

Stephan Zeisberg stephan.zeisberg at splone.com
Thu May 4 09:25:00 BST 2017


Sorry for the confusion with the parse_hex bug ;). You are correct, it's not remotely 
exploitable, but maybe a local attacker could create a specially crafted config file
to trigger arbitrary free() calls, which in turn could lead to arbitrary code execution.

Cheers,
Stephan

Simon Kelley:
> This is actually another instance of the parse_hex bug, which caused a
> certain amount of confusion.
> 
> Anyway, fixes for that and the hostname_isequal() one committed to git.
> 
> 
> Thanks for running these tests.
> 
> (In case it's not obvious, these are not security problems, since they
> rely on malformed config files and not untrusted data from the net.)
> 
> Cheers,
> 
> Simon.
> 
> On 03/05/17 17:47, Stephan Zeisberg wrote:
>> Hello,
>>
>> opening the attached sample config input file with dnsmasq results in a 
>> SIGABRT. The input file is fuzzed with american fuzzy 
>> lop http://lcamtuf.coredump.cx/afl/.
>>
>> version:
>>
>> commit b2a9c571ebb333acbaa6bd752142df6821cb410c
>>
>> how to reproduce:
>>
>> $ ./src/dnsmasq --test -C <attached config file>
>>
>> Output (memory map/bt):
>>
>> dnsmasq: bad option at line 8 of /tmp/dnsmasq_crash
>> *** Error in `./src/dnsmasq': double free or corruption (out): 0x0000000000ebc680 ***
>> ======= Backtrace: =========
>> /usr/lib/libc.so.6(+0x722ab)[0x7f5e308612ab]
>> /usr/lib/libc.so.6(+0x7890e)[0x7f5e3086790e]
>> /usr/lib/libc.so.6(+0x7911e)[0x7f5e3086811e]
>> /usr/lib/libc.so.6(_IO_setb+0x4b)[0x7f5e3086522b]
>> /usr/lib/libc.so.6(_IO_file_close_it+0xae)[0x7f5e3086385e]
>> /usr/lib/libc.so.6(fclose+0x1bf)[0x7f5e30856def]
>> /usr/lib/libc.so.6(+0xac5ad)[0x7f5e3089b5ad]
>> /usr/lib/libc.so.6(+0xab5f9)[0x7f5e3089a5f9]
>> /usr/lib/libc.so.6(+0xab8dd)[0x7f5e3089a8dd]
>> /usr/lib/libc.so.6(__vsyslog_chk+0xd4)[0x7f5e308d6114]
>> ./src/dnsmasq[0x4966ab]
>> ./src/dnsmasq[0x4976b2]
>> ./src/dnsmasq[0x422f71]
>> ./src/dnsmasq[0x42159a]
>> ./src/dnsmasq[0x424c3d]
>> ./src/dnsmasq[0x457557]
>> /usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7f5e3080f511]
>> ./src/dnsmasq[0x40331a]
>> [1]    25674 abort (core dumped)  ./src/dnsmasq --test -C /tmp/dnsmasq_crash
>>
>> gdb:
>>
>> Program terminated with signal SIGABRT, Aborted.
>> #0  0x00007f5e30822a10 in raise () from /usr/lib/libc.so.6
>> (gdb) bt
>> #0  0x00007f5e30822a10 in raise () from /usr/lib/libc.so.6
>> #1  0x00007f5e3082413a in abort () from /usr/lib/libc.so.6
>> #2  0x00007f5e308612b0 in __libc_message () from /usr/lib/libc.so.6
>> #3  0x00007f5e3086790e in malloc_printerr () from /usr/lib/libc.so.6
>> #4  0x00007f5e3086811e in _int_free () from /usr/lib/libc.so.6
>> #5  0x00007f5e3086522b in __GI__IO_setb () from /usr/lib/libc.so.6
>> #6  0x00007f5e3086385e in __GI__IO_file_close_it () from /usr/lib/libc.so.6
>> #7  0x00007f5e30856def in fclose@@GLIBC_2.2.5 () from /usr/lib/libc.so.6
>> #8  0x00007f5e3089b5ad in __tzfile_read () from /usr/lib/libc.so.6
>> #9  0x00007f5e3089a5f9 in tzset_internal () from /usr/lib/libc.so.6
>> #10 0x00007f5e3089a8dd in __tz_convert () from /usr/lib/libc.so.6
>> #11 0x00007f5e308d6114 in __vsyslog_chk () from /usr/lib/libc.so.6
>> #12 0x00000000004966ab in my_syslog (priority=2, format=0x4cb3b6 "%s") at log.c:340
>> #13 0x00000000004976b2 in die (message=0x4cb3b6 "%s", arg1=0xeb8010 "bad option at line 8 of /tmp/dnsmasq_crash", exit_code=1) at log.c:469
>> #14 0x0000000000422f71 in read_file (file=<optimized out>, f=<optimized out>, hard_opt=<optimized out>) at option.c:4310
>> #15 0x000000000042159a in one_file (file=0xeb8eb0 "/tmp/dnsmasq_crash", hard_opt=0) at option.c:4396
>> #16 0x0000000000424c3d in read_opts (argc=4, argv=0x7fffcf513728, compile_opts=<optimized out>) at option.c:4733
>> #17 0x0000000000457557 in main (argc=2, argv=0x7fffcf5128d0) at dnsmasq.c:89
>>
>> Regards,
>> Stephan
>>
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>

-- 
Stephan Zeisberg
Security Researcher
m: stephan.zeisberg at splone.com
pgp: 3C2B 7189 9C16 1E71 5BFB 8690 2C3F EF24 6DBF B588

splone UG (haftungsbeschränkt)
c/o Freie Universität Berlin
Malteserstr. 74-100
12249 Berlin
https://splone.com
HRB 166495 Amtsgericht Charlottenburg
USt-Identnummer: DE300454199

twitter: http://twitter.com/sploneberlin
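A crash-triage helper for reports like the one above, written here as an added example (it is neither dnsmasq code nor anything posted in this thread): it parses the glibc abort line and the gdb backtrace, separates the allocator frame where glibc noticed the damaged chunk from the innermost frame that carries source information (dnsmasq's own my_syslog at log.c:340), and counts the libc frames in between, which is what shows that the fclose() in the tzset path merely reported corruption done earlier. The frame regex and the "corruption" keyword heuristic are assumptions about gdb and glibc output in the form quoted in this thread.

```python
import re

# Constructed sample input: the glibc abort message and an abridged copy of the gdb
# "bt" quoted in the report above (only the frames that matter for triage).
GLIBC_LINE = ("*** Error in `./src/dnsmasq': double free or corruption (out): "
              "0x0000000000ebc680 ***")
SAMPLE_BT = """\
#0  0x00007f5e30822a10 in raise () from /usr/lib/libc.so.6
#3  0x00007f5e3086790e in malloc_printerr () from /usr/lib/libc.so.6
#4  0x00007f5e3086811e in _int_free () from /usr/lib/libc.so.6
#7  0x00007f5e30856def in fclose@@GLIBC_2.2.5 () from /usr/lib/libc.so.6
#8  0x00007f5e3089b5ad in __tzfile_read () from /usr/lib/libc.so.6
#11 0x00007f5e308d6114 in __vsyslog_chk () from /usr/lib/libc.so.6
#12 0x00000000004966ab in my_syslog (priority=2, format=0x4cb3b6 "%s") at log.c:340
#13 0x00000000004976b2 in die (message=0x4cb3b6 "%s", arg1=0xeb8010 "bad option at line 8 of /tmp/dnsmasq_crash", exit_code=1) at log.c:469
#14 0x0000000000422f71 in read_file (file=<optimized out>, f=<optimized out>, hard_opt=<optimized out>) at option.c:4310
"""

# "#N 0xADDR in func (args) from lib" for stripped libc, "... at file:line" for project code.
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\S+) \((.*)\) (?:from (\S+)|at (\S+))$")
GLIBC_RE = re.compile(r"\*\*\* Error in `(.+?)': (.+?): (0x[0-9a-f]+) \*\*\*")

def parse_frames(bt):
    """Return gdb frames as dicts; 'src' is only set for frames with debug info."""
    frames = []
    for line in bt.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            num, func, _args, lib, src = m.groups()
            frames.append({"n": int(num), "func": func, "lib": lib, "src": src})
    return frames

def triage(glibc_line, bt):
    """Separate where glibc noticed the damaged chunk from where the program entered libc."""
    frames = parse_frames(bt)
    err = GLIBC_RE.search(glibc_line)
    detector = next((f["func"] for f in frames if f["func"].startswith("_int_")), None)
    entry = next((f for f in frames if f["src"]), None)  # innermost frame in our own code
    libc_above = sum(1 for f in frames if entry and f["n"] < entry["n"])
    verdict = "unclassified"
    if err and "corruption" in err.group(2) and entry:
        # The free() that aborted is glibc's own stdio/tz code: the chunk was damaged earlier.
        verdict = (f"heap already corrupt on entry to {entry['func']} ({entry['src']}); "
                   f"{libc_above} libc frames above it, so the bug is earlier than the abort")
    return {"binary": err.group(1) if err else None,
            "allocator_error": err.group(2) if err else None,
            "chunk": err.group(3) if err else None,
            "detected_in": detector, "libc_frames_above": libc_above,
            "entry_frame": entry["func"] if entry else None,
            "entry_src": entry["src"] if entry else None, "verdict": verdict}
```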

