[Dnsmasq-discuss] Memory corruption in parse_hex (util.c), SIGSEGV

Stephan Zeisberg stephan.zeisberg at splone.com
Wed May 3 16:52:00 BST 2017


Hello,

Opening the attached sample config input file with dnsmasq results in a
crash (SIGSEGV). The input file was fuzzed with american fuzzy lop
(http://lcamtuf.coredump.cx/afl/).

Version:

commit b2a9c571ebb333acbaa6bd752142df6821cb410c

How to reproduce:

$ ./src/dnsmasq --test -C <attached config file>

gdb:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f283acdc24e in _int_free () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007f283acdc24e in _int_free () from /usr/lib/libc.so.6
#1  0x00007f283acd922b in __GI__IO_setb () from /usr/lib/libc.so.6
#2  0x00007f283acd785e in __GI__IO_file_close_it () from /usr/lib/libc.so.6
#3  0x00007f283accadef in fclose@@GLIBC_2.2.5 () from /usr/lib/libc.so.6
#4  0x0000000000423003 in read_file (file=<optimized out>, f=<optimized out>, hard_opt=<optimized out>) at option.c:4315
#5  0x000000000042159a in one_file (file=0x1355eb0 "/tmp/dnsmasq_crash", hard_opt=0) at option.c:4396
#6  0x0000000000424c3d in read_opts (argc=4, argv=0x7ffc2f1a2708, compile_opts=<optimized out>) at option.c:4733
#7  0x0000000000457557 in main (argc=989862624, argv=0x0) at dnsmasq.c:89

valgrind:

==23713== Memcheck, a memory error detector
==23713== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==23713== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==23713== Command: ./src/dnsmasq --test -C /tmp/dnsmasq_crash
==23713== 
==23713== Invalid write of size 1
==23713==    at 0x41F5EB: parse_hex (util.c:504)
==23713==    by 0x43AA07: one_opt (option.c:3495)
==23713==    by 0x422E7B: read_file (option.c:4304)
==23713==    by 0x421599: one_file (option.c:4396)
==23713==    by 0x424C3C: read_opts (option.c:4733)
==23713==    by 0x457556: main (dnsmasq.c:89)
==23713==  Address 0x51dd758 is 0 bytes after a block of size 56 alloc'd
==23713==    at 0x4C2CF35: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23713==    by 0x41E647: safe_malloc (util.c:247)
==23713==    by 0x43A8C6: opt_malloc (option.c:557)
==23713==    by 0x43A8C6: one_opt (option.c:3492)
==23713==    by 0x422E7B: read_file (option.c:4304)
==23713==    by 0x421599: one_file (option.c:4396)
==23713==    by 0x424C3C: read_opts (option.c:4733)
==23713==    by 0x457556: main (dnsmasq.c:89)
==23713== 
dnsmasq: syntax check OK.
==23713== 
==23713== HEAP SUMMARY:
==23713==     in use at exit: 3,763 bytes in 28 blocks
==23713==   total heap usage: 31 allocs, 3 frees, 8,430 bytes allocated
==23713== 
==23713== LEAK SUMMARY:
==23713==    definitely lost: 367 bytes in 1 blocks
==23713==    indirectly lost: 0 bytes in 0 blocks
==23713==      possibly lost: 0 bytes in 0 blocks
==23713==    still reachable: 3,396 bytes in 27 blocks
==23713==         suppressed: 0 bytes in 0 blocks
==23713== Rerun with --leak-check=full to see details of leaked memory
==23713== 
==23713== For counts of detected and suppressed errors, rerun with: -v
==23713== ERROR SUMMARY: 9 errors from 1 contexts (suppressed: 0 from 0)

Regards,
Stephan
-- 
Stephan Zeisberg
Security Researcher

m: stephan.zeisberg at splone.com
pgp: 3C2B 7189 9C16 1E71 5BFB 8690 2C3F EF24 6DBF B588

splone UG (haftungsbeschränkt)
c/o Freie Universität Berlin
Malteserstr. 74-100
12249 Berlin
https://splone.com
HRB 166495 Amtsgericht Charlottenburg
USt-Identnummer: DE300454199

twitter: http://twitter.com/sploneberlin

Confidentiality: This e-mail contains confidential information intended
only for the addressee. If you are not the intended recipient you may
not disclose, copy, use or otherwise distribute the content of this
email.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnsmasq_crash
Type: application/octet-stream
Size: 524 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20170503/97d61ced/attachment.obj>