
Bug #2809

Memory corruption in yy_reduce (configparser.y), SIGSEGV

Added by stze about 2 months ago. Updated about 1 month ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: core
Target version:
Start date: 2017-05-06
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

Hello,

Opening the attached sample config input file with lighttpd results in a
crash (SIGSEGV). The input file is fuzzed with american fuzzy lop
(http://lcamtuf.coredump.cx/afl/).

version:
commit b23065e54778dd187c77f1dd37041fb039f21dde

how to reproduce:

$ ./src/lighttpd -t -f <attached config file>

gdb:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00000000004208ce in yy_reduce (yyruleno=<optimized out>, yypParser=<optimized out>)
at ./configparser.y:786
786 B->free(B);
(gdb) bt
#0 0x00000000004208ce in yy_reduce (yyruleno=<optimized out>, yypParser=<optimized out>)
at ./configparser.y:786
#1 configparser (yyp=0x161e580, yymajor=<optimized out>, yyminor=<optimized out>, ctx=<optimized out>)
at configparser.c:1795
#2 0x000000000041a34f in config_parse (srv=<optimized out>, context=<optimized out>, t=<optimized out>)
at configfile.c:1119
#3 0x0000000000419cdf in config_parse_file_stream (srv=0x161d010, context=0x7ffe9a9ac990,
filename=0x161e4d0) at configfile.c:1175
#4 0x000000000041bf97 in config_read (srv=<optimized out>, fn=<optimized out>) at configfile.c:1360
#5 0x000000000040c137 in server_main (argc=<optimized out>, argv=<optimized out>, srv=<optimized out>)
at server.c:883
#6 main (argc=4, argv=0x7ffe9a9ad4b8) at server.c:1851

valgrind:

==3608== Memcheck, a memory error detector
==3608== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==3608== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==3608== Command: ./src/lighttpd -t -f findings/crashes/id:000000,sig:11,src:000000,op:ext_AO,pos:1682
==3608==
Undefined config variable: var.document
==3608== Invalid read of size 8
==3608==    at 0x4208CE: yy_reduce (configparser.y:786)
==3608==    by 0x4208CE: configparser (configparser.c:1795)
==3608==    by 0x41A34E: config_parse (configfile.c:1119)
==3608==    by 0x419CDE: config_parse_file_stream (configfile.c:1175)
==3608==    by 0x41BF96: config_read (configfile.c:1360)
==3608==    by 0x40C136: server_main (server.c:883)
==3608==    by 0x40C136: main (server.c:1851)
==3608==  Address 0x20 is not stack'd, malloc'd or (recently) free'd
==3608==
==3608==
==3608== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==3608==  Access not within mapped region at address 0x20
==3608==    at 0x4208CE: yy_reduce (configparser.y:786)
==3608==    by 0x4208CE: configparser (configparser.c:1795)
==3608==    by 0x41A34E: config_parse (configfile.c:1119)
==3608==    by 0x419CDE: config_parse_file_stream (configfile.c:1175)
==3608==    by 0x41BF96: config_read (configfile.c:1360)
==3608==    by 0x40C136: server_main (server.c:883)
==3608==    by 0x40C136: main (server.c:1851)
==3608==  If you believe this happened as a result of a stack
==3608==  overflow in your program's main thread (unlikely but
==3608==  possible), you can try to increase the size of the
==3608==  main thread stack using the --main-stacksize= flag.
==3608==  The main thread stack size used in this run was 8388608.
==3608==
==3608== HEAP SUMMARY:
==3608==     in use at exit: 9,736 bytes in 137 blocks
==3608==   total heap usage: 201 allocs, 64 frees, 12,544 bytes allocated
==3608==
==3608== LEAK SUMMARY:
==3608==    definitely lost: 0 bytes in 0 blocks
==3608==    indirectly lost: 0 bytes in 0 blocks
==3608==      possibly lost: 0 bytes in 0 blocks
==3608==    still reachable: 9,736 bytes in 137 blocks
==3608==         suppressed: 0 bytes in 0 blocks
==3608== Rerun with --leak-check=full to see details of leaked memory
==3608==
==3608== For counts of detected and suppressed errors, rerun with: -v
==3608== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 3608 segmentation fault valgrind ./src/lighttpd -t -f

Cheers,
Stephan Zeisberg

Attachment: crash (9.73 KB), added by stze, 2017-05-06 08:27

Associated revisions

Revision 97526207 (diff)
Added by stbuehler about 1 month ago

[core] configparser: fix resource handling in error cases (fixes #2809)

- lemon never calls the destructor for variables on the RHS, make sure
to manually clean up
- outside `if (ctx->ok) { }` always check for NULL pointers, i.e:
- if (x) x->free(x)
- buffer_free and array_free check for NULL on their own
- cleanup RHS variables below `if (ctx->ok) { }` at the bottom
- set variables to NULL before if ownership gets passed on
- move some buffers instead of copying them

x-ref:
"Memory corruption in yy_reduce (configparser.y), SIGSEGV"
https://redmine.lighttpd.net/issues/2809
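The cleanup rules from the commit message above, as an added C example (not lighttpd's code; the value_t and parse_ctx types are hypothetical stand-ins for data_unset and the parser context): reduce_unsafe has the shape that faults when a RHS pointer is already NULL on an error path, which fits Valgrind's fault address 0x20 being a small offset from NULL, while reduce_safe guards the dereference outside `if (ctx->ok)`, NULLs the pointer once ownership passes on, and cleans up at the bottom.

```c
#include <stdlib.h>

/* Toy stand-in for lighttpd's data_unset (hypothetical): a value that frees
 * itself through a function pointer, the way B->free(B) does in configparser.y. */
typedef struct value { void (*free)(struct value *); int id; } value_t;
static int live_values = 0;  /* allocated values; exposes leaks and double frees */
static void value_free(value_t *v) { free(v); live_values--; }

value_t *value_new(int id) {
    value_t *v = malloc(sizeof(*v));
    v->free = value_free; v->id = id; live_values++;
    return v;
}

/* Hypothetical parser context: a small array that takes ownership of values,
 * plus the ok flag the real rule actions test. */
typedef struct { value_t *items[4]; int n; int ok; } parse_ctx;

void ctx_free_all(parse_ctx *ctx) {
    for (int i = 0; i < ctx->n; i++) ctx->items[i]->free(ctx->items[i]);
    ctx->n = 0;
}

/* Shape of the action before the fix: B is dereferenced unconditionally (a NULL
 * RHS faults) and freed on the ok path although the context now owns it. Never called here. */
void reduce_unsafe(parse_ctx *ctx, value_t *B) {
    if (ctx->ok) ctx->items[ctx->n++] = B;
    B->free(B);
}

/* Shape after the fix: NULL the pointer once ownership passes on, and at the
 * bottom free only what is still owned here, behind a NULL check. */
void reduce_safe(parse_ctx *ctx, value_t *B) {
    if (ctx->ok) {
        if (ctx->n < 4) { ctx->items[ctx->n++] = B; B = NULL; }
        else ctx->ok = 0;  /* error: B stays ours and is released below */
    }
    if (B) B->free(B);
}

/* Ok path, error path and a NULL RHS in turn; returns 1 if nothing leaked. */
int scenario(void) {
    parse_ctx ctx = {{0}, 0, 1};
    reduce_safe(&ctx, value_new(1));  /* stored by the context */
    ctx.ok = 0;
    reduce_safe(&ctx, value_new(2));  /* error path: freed, not stored */
    reduce_safe(&ctx, NULL);          /* the crashing input's situation: a no-op now */
    int stored = ctx.n, live_before = live_values;
    ctx_free_all(&ctx);
    return stored == 1 && live_before == 1 && live_values == 0;
}
```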

History

#1 Updated by stze about 2 months ago

#2 Updated by stbuehler about 2 months ago

Minified reproducer:

a = ( b =>

#3 Updated by gstrauss about 2 months ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.46

Thanks, stze.

stbuehler proposed a patch. I am testing it, too.

#4 Updated by gstrauss about 2 months ago

  • Category set to core

#5 Updated by stbuehler about 1 month ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
