[Dnsmasq-discuss] Memory corruption in my_syslog (log.c), SIGABRT (double free)

Simon Kelley simon at thekelleys.org.uk
Wed May 3 22:59:46 BST 2017


This is actually another instance of the parse_hex bug, which caused a
certain amount of confusion.

Anyway, fixes for that and the hostname_isequal() one committed to git.


Thanks for running these tests.

(In case it's not obvious, these are not security problems, since they
rely on malformed config files and not untrusted data from the net.)

Cheers,

Simon.

On 03/05/17 17:47, Stephan Zeisberg wrote:
> Hello,
> 
> opening the attached sample config input file with dnsmasq results in a 
> SIGABRT. The input file is fuzzed with american fuzzy 
> lop http://lcamtuf.coredump.cx/afl/.
> 
> version:
> 
> commit b2a9c571ebb333acbaa6bd752142df6821cb410c
> 
> how to reproduce:
> 
> $ ./src/dnsmasq --test -C <attached config file>
> 
> Output (memory map/bt):
> 
> dnsmasq: bad option at line 8 of /tmp/dnsmasq_crash
> *** Error in `./src/dnsmasq': double free or corruption (out): 0x0000000000ebc680 ***
> ======= Backtrace: =========
> /usr/lib/libc.so.6(+0x722ab)[0x7f5e308612ab]
> /usr/lib/libc.so.6(+0x7890e)[0x7f5e3086790e]
> /usr/lib/libc.so.6(+0x7911e)[0x7f5e3086811e]
> /usr/lib/libc.so.6(_IO_setb+0x4b)[0x7f5e3086522b]
> /usr/lib/libc.so.6(_IO_file_close_it+0xae)[0x7f5e3086385e]
> /usr/lib/libc.so.6(fclose+0x1bf)[0x7f5e30856def]
> /usr/lib/libc.so.6(+0xac5ad)[0x7f5e3089b5ad]
> /usr/lib/libc.so.6(+0xab5f9)[0x7f5e3089a5f9]
> /usr/lib/libc.so.6(+0xab8dd)[0x7f5e3089a8dd]
> /usr/lib/libc.so.6(__vsyslog_chk+0xd4)[0x7f5e308d6114]
> ./src/dnsmasq[0x4966ab]
> ./src/dnsmasq[0x4976b2]
> ./src/dnsmasq[0x422f71]
> ./src/dnsmasq[0x42159a]
> ./src/dnsmasq[0x424c3d]
> ./src/dnsmasq[0x457557]
> /usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7f5e3080f511]
> ./src/dnsmasq[0x40331a]
> [1]    25674 abort (core dumped)  ./src/dnsmasq --test -C /tmp/dnsmasq_crash
> 
> gdb:
> 
> Program terminated with signal SIGABRT, Aborted.
> #0  0x00007f5e30822a10 in raise () from /usr/lib/libc.so.6
> (gdb) bt
> #0  0x00007f5e30822a10 in raise () from /usr/lib/libc.so.6
> #1  0x00007f5e3082413a in abort () from /usr/lib/libc.so.6
> #2  0x00007f5e308612b0 in __libc_message () from /usr/lib/libc.so.6
> #3  0x00007f5e3086790e in malloc_printerr () from /usr/lib/libc.so.6
> #4  0x00007f5e3086811e in _int_free () from /usr/lib/libc.so.6
> #5  0x00007f5e3086522b in __GI__IO_setb () from /usr/lib/libc.so.6
> #6  0x00007f5e3086385e in __GI__IO_file_close_it () from /usr/lib/libc.so.6
> #7  0x00007f5e30856def in fclose@@GLIBC_2.2.5 () from /usr/lib/libc.so.6
> #8  0x00007f5e3089b5ad in __tzfile_read () from /usr/lib/libc.so.6
> #9  0x00007f5e3089a5f9 in tzset_internal () from /usr/lib/libc.so.6
> #10 0x00007f5e3089a8dd in __tz_convert () from /usr/lib/libc.so.6
> #11 0x00007f5e308d6114 in __vsyslog_chk () from /usr/lib/libc.so.6
> #12 0x00000000004966ab in my_syslog (priority=2, format=0x4cb3b6 "%s") at log.c:340
> #13 0x00000000004976b2 in die (message=0x4cb3b6 "%s", arg1=0xeb8010 "bad option at line 8 of /tmp/dnsmasq_crash", exit_code=1) at log.c:469
> #14 0x0000000000422f71 in read_file (file=<optimized out>, f=<optimized out>, hard_opt=<optimized out>) at option.c:4310
> #15 0x000000000042159a in one_file (file=0xeb8eb0 "/tmp/dnsmasq_crash", hard_opt=0) at option.c:4396
> #16 0x0000000000424c3d in read_opts (argc=4, argv=0x7fffcf513728, compile_opts=<optimized out>) at option.c:4733
> #17 0x0000000000457557 in main (argc=2, argv=0x7fffcf5128d0) at dnsmasq.c:89
> 
> Regards,
> Stephan
> 
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
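The thread names parse_hex as the culprit without spelling out the defect, and the gdb backtrace shows glibc's allocator only noticing the heap corruption later, when fclose() inside __tzfile_read frees a buffer during the syslog() call from my_syslog. As an added illustration that is not dnsmasq's code: a hypothetical config-file hex parser of the same general shape (colon- or hyphen-separated bytes written into a caller-supplied fixed buffer) that checks the output bound before every write and rejects malformed input instead of continuing; `parse_hex_bytes` and `hexval` are names chosen here, and the sample inputs in the test are constructed.

```c
#include <stddef.h>
#include <ctype.h>

/* Map one ASCII hex digit to its value, or return -1 for anything else.
 * Hypothetical helper for this example, not dnsmasq's code. */
static int hexval(char c)
{
  if (c >= '0' && c <= '9') return c - '0';
  c = (char)tolower((unsigned char)c);
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  return -1;
}

/* Parse a string such as "01:ab:ff" or "00-11-22" (constructed examples)
 * into out[], writing at most maxlen bytes. Returns the number of bytes
 * written, or -1 when the input is malformed or would not fit. The bound
 * is checked before each write, so an oversize config value is rejected
 * rather than spilling past the buffer and corrupting the heap. */
int parse_hex_bytes(const char *in, unsigned char *out, size_t maxlen)
{
  size_t n = 0;

  if (in == NULL || *in == '\0') return -1;

  while (*in) {
    int hi, lo;

    if (n >= maxlen) return -1;               /* would overflow out[] */

    hi = hexval(in[0]);
    if (hi < 0 || in[1] == '\0') return -1;   /* bad digit or odd digit count */
    lo = hexval(in[1]);
    if (lo < 0) return -1;

    out[n++] = (unsigned char)((hi << 4) | lo);
    in += 2;

    if (*in == ':' || *in == '-') {
      in++;
      if (*in == '\0') return -1;             /* trailing separator */
    } else if (*in != '\0') {
      return -1;                              /* junk between bytes */
    }
  }
  return (int)n;
}
```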

