Message-ID: <6439170.QNVfc3SXO1@arcadia>
Date: Tue, 14 Jul 2015 21:17:04 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: siege: off-by-one in load_conf()

Description:
Siege is an http load testing and benchmarking utility.

During the test of a webserver, I hit a segmentation fault. I recompiled 
siege with ASan and it clearly shows an off-by-one in load_conf(). The issue 
is reproducible without passing any arguments to the binary.
The complete output:

ago@...loughby ~ # siege
=================================================================
==488==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d7f1 at pc 0x00000051ab64 bp 0x7ffcc3d19a70 sp 0x7ffcc3d19a68
READ of size 1 at 0x60200000d7f1 thread T0
    #0 0x51ab63 in load_conf /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:263:12
    #1 0x515486 in init_config /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:96:7
    #2 0x5217b9 in main /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/main.c:324:7
    #3 0x7fb2b1b93aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #4 0x439426 in _start (/usr/bin/siege+0x439426)

0x60200000d7f1 is located 0 bytes to the right of 1-byte region [0x60200000d7f0,0x60200000d7f1)
allocated by thread T0 here:
    #0 0x4c03e2 in __interceptor_malloc /var/tmp/portage/sys-devel/llvm-3.6.1/work/llvm-3.6.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x7fb2b1bf31e9 in __strdup /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/string/strdup.c:42

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/app-benchmarks/siege-3.1.0/work/siege-3.1.0/src/init.c:263 load_conf
Shadow bytes around the buggy address:
0x0c047fff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa
0x0c047fff9b00: fa fa 03 fa fa fa fd fd fa fa fd fa fa fa fd fd
0x0c047fff9b10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fff9b20: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9b30: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fff9b40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==488==ABORTING

Affected version:
3.1.0 (and maybe past versions).

Fixed version:
Not available.

Commit fix:
Not available.

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
Not assigned.

Timeline:
2015-06-09: bug discovered
2015-06-10: bug reported privately to upstream
2015-07-13: no upstream response
2015-07-14: advisory release

Permalink:
https://blogs.gentoo.org/ago/2015/07/14/siege-off-by-one-in-load_conf


@MITRE:
If you think this deserves a CVE, please assign one.
Thanks.

-- 
Agostino Sarubbo
Gentoo Linux Developer
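The report above says everything a triager needs about the shape of the bug: a READ of size 1 landing 0 bytes to the right of a 1-byte heap region that came from strdup(), i.e. the string was empty ("\0" only) and load_conf() touched index 1. The following is an added illustration of that bug class, not code from the advisory or from siege (the real src/init.c:263 is not quoted here): a hypothetical "key = value" line scanner, value_after_key_buggy(), that stops at either '=' or the terminating NUL and then unconditionally steps past it, beside a fixed variant, value_after_key_safe(), that only advances past a separator it actually found. The helper names and the sample lines are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical config-line scanner illustrating the one-byte overread class
 * from the advisory. It is NOT siege's load_conf(); the real code at
 * src/init.c:263 is not reproduced here.
 *
 * Buggy variant: the loop stops at '=' OR at the terminating NUL, and the
 * unconditional p++ then steps past whichever it found. For a line with no
 * '=' the caller ends up dereferencing line[strlen(line) + 1]. With an empty
 * line obtained from strdup("") (a 1-byte heap region holding only '\0') that
 * read lands 0 bytes to the right of the region, as in the ASan report above.
 */
static const char *value_after_key_buggy(const char *line)
{
    const char *p = line;
    while (*p != '=' && *p != '\0')
        p++;
    p++;                /* meant to skip '=', but also skips the NUL */
    return p;           /* may now point one past the terminator */
}

/* Offset the buggy scanner hands back, computed without dereferencing it so
 * the arithmetic can be checked safely. Out of bounds iff > strlen(line). */
static size_t buggy_read_offset(const char *line)
{
    return (size_t)(value_after_key_buggy(line) - line);
}

/* 1 when the buggy scanner would read outside [0, strlen(line)], else 0. */
static int buggy_scan_is_oob(const char *line)
{
    return buggy_read_offset(line) > strlen(line);
}

/* Fixed variant: only advance past a separator that was actually found. */
static const char *value_after_key_safe(const char *line)
{
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return NULL;    /* no separator: nothing to read after it */
    return eq + 1;
}

int main(void)
{
    /* Constructed inputs: a normal directive, a line without a separator,
     * and the empty line that reproduces the 1-byte strdup() region. */
    const char *inputs[] = { "verbose = true", "no-separator", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *line = strdup(inputs[i]);     /* same allocator path as the report */
        const char *v = value_after_key_safe(line);
        printf("\"%s\": buggy offset %zu (len %zu)%s; safe -> %s\n",
               line, buggy_read_offset(line), strlen(line),
               buggy_scan_is_oob(line) ? " OUT OF BOUNDS" : "",
               v ? v : "(no value)");
        free(line);
    }

    /* Deliberate reproduction of the overflow: compiled with
     * -fsanitize=address, this READ of size 1 is reported one byte past a
     * 1-byte region allocated by strdup, matching the advisory's trace. */
    char *empty = strdup("");
    volatile char c = *value_after_key_buggy(empty);
    (void)c;
    free(empty);
    return 0;
}
```

Build with `cc -g -fsanitize=address` to get the same "0 bytes to the right of 1-byte region ... allocated by ... __strdup" report; without ASan the overread usually goes unnoticed because malloc's chunk padding makes the byte readable, which is why a plain run of siege only crashed sporadically while the sanitized build failed deterministically.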
