Message-ID: <6439170.QNVfc3SXO1@arcadia>
Date: Tue, 14 Jul 2015 21:17:04 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: siege: off-by-one in load_conf()

Description:
Siege is an http load testing and benchmarking utility.

During the test of a webserver, I hit a segmentation fault. I recompiled siege with ASan and it clearly shows an off-by-one in load_conf(). The issue is reproducible without passing any arguments to the binary.

The complete output:

ago@...loughby ~ # siege
=================================================================
==488==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d7f1 at pc 0x00000051ab64 bp 0x7ffcc3d19a70 sp 0x7ffcc3d19a68
READ of size 1 at 0x60200000d7f1 thread T0
    #0 0x51ab63 in load_conf /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:263:12
    #1 0x515486 in init_config /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:96:7
    #2 0x5217b9 in main /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/main.c:324:7
    #3 0x7fb2b1b93aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #4 0x439426 in _start (/usr/bin/siege+0x439426)

0x60200000d7f1 is located 0 bytes to the right of 1-byte region [0x60200000d7f0,0x60200000d7f1)
allocated by thread T0 here:
    #0 0x4c03e2 in __interceptor_malloc /var/tmp/portage/sys-devel/llvm-3.6.1/work/llvm-3.6.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x7fb2b1bf31e9 in __strdup /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/string/strdup.c:42

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:263 load_conf
Shadow bytes around the buggy address:
  0x0c047fff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa
  0x0c047fff9b00: fa fa 03 fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff9b10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c047fff9b20: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9b30: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff9b40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==488==ABORTING

Affected version:
3.1.0 (and maybe past versions).

Fixed version:
Not available.

Commit fix:
Not available.

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
Not assigned.

Timeline:
2015-06-09: bug discovered
2015-06-10: bug reported privately to upstream
2015-07-13: no upstream response
2015-07-14: advisory release

Permalink:
https://blogs.gentoo.org/ago/2015/07/14/siege-off-by-one-in-load_conf

@MITRE: If you think this deserves a CVE, please assign one. Thanks.

--
Agostino Sarubbo
Gentoo Linux Developer
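What the ASan report above pins down is the shape of the bug, not its cause: a 1-byte heap region (what strdup() returns for an empty string) and a 1-byte READ at offset 1, i.e. one byte past the NUL terminator. The example below is added here and is neither siege's load_conf() nor the upstream fix; it is a hypothetical config-line scanner (the names key_len_vuln, key_len_safe, demo_overread and demo_safe are invented for this illustration) that reproduces exactly that shape beside a hardened version. The point a practitioner should take from it is the check: a scan over a C string must treat '\0' as a stop condition, because a strdup()'d line has already lost the '\n' the loop may be waiting for.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical scanner (not siege's code): return the length of the
 * key part of a "key = value" config line by scanning for '=' or the
 * end of the line.
 *
 * BUG: the loop stops only on '=' or '\n'. A line that came out of
 * strdup() has no '\n' any more, so on a line with neither character,
 * the empty string "" being the simplest case, the scan runs straight
 * past the NUL terminator. On strdup("") that is a 1-byte read at
 * offset 1 of a 1-byte heap region, the pattern ASan reported above. */
size_t key_len_vuln(const char *line)
{
    size_t i = 0;
    while (line[i] != '=' && line[i] != '\n')
        i++;
    return i;
}

/* Hardened version: the terminator always ends the scan, so the
 * function never reads beyond the bytes the allocation actually owns. */
size_t key_len_safe(const char *line)
{
    size_t i = 0;
    while (line[i] != '\0' && line[i] != '=' && line[i] != '\n')
        i++;
    return i;
}

/* Show the over-read without invoking undefined behaviour: embed an
 * empty string inside a larger buffer we own, so the bytes past its
 * terminator are still readable. In the real strdup("") case those
 * same bytes are the heap redzone ASan complains about. */
size_t demo_overread(void)
{
    char buf[4] = { '\0', 'X', 'Y', '\n' };  /* constructed sample */
    return key_len_vuln(buf);                 /* 3: walked past the NUL */
}

size_t demo_safe(void)
{
    char buf[4] = { '\0', 'X', 'Y', '\n' };  /* constructed sample */
    return key_len_safe(buf);                 /* 0: stopped at the NUL */
}

int main(void)
{
    /* Real-world shape of the report: strdup() of an empty config line. */
    char *line = strdup("");
    if (line == NULL)
        return 1;
    printf("hardened scan on strdup(\"\"): key length %zu\n", key_len_safe(line));
    /* key_len_vuln(line) here would be the heap-buffer-overflow ASan flags. */
    printf("vulnerable scan past an embedded empty string: %zu\n", demo_overread());
    printf("hardened scan on the same buffer: %zu\n", demo_safe());
    free(line);
    return 0;
}
```

Build with -fsanitize=address and call key_len_vuln() on the strdup("") result instead of the embedded buffer to get a report of the same shape as the one in the advisory: a READ of size 1 located 0 bytes to the right of a 1-byte region allocated by __strdup.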