Project

General

Profile

Actions

Bug #2810

closed

Missing array entry type check in config_insert (configfile.c), SIGSEGV

Added by stze over 7 years ago. Updated over 7 years ago.

Status:
Fixed
Priority:
Normal
Category:
core
Target version:
ASK QUESTIONS IN Forums:

Description

Hello,

opening the attached sample config input file with lighttpd results in a
crash (SIGSEGV). The input file is fuzzed with american fuzzy
lop http://lcamtuf.coredump.cx/afl/.

version:
commit b23065e54778dd187c77f1dd37041fb039f21dde

how to reproduce:

$ ./src/lighttpd -t -f <attached config file>

gdb:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 buffer_is_equal_string (a=0x1, s=0x45c52f "mod_indexfile", b_len=13) at buffer.c:396
396 if (a->used != b_len + 1) return 0;
(gdb) bt
#0 buffer_is_equal_string (a=0x1, s=0x45c52f "mod_indexfile", b_len=13) at buffer.c:396
#1 0x000000000041cccb in config_insert (srv=<optimized out>) at configfile.c:413
#2 config_read (srv=<optimized out>, fn=<optimized out>) at configfile.c:1371
#3 0x000000000040c137 in server_main (argc=<optimized out>, argv=<optimized out>, srv=<optimized out>)
at server.c:883
#4 main (argc=4, argv=0x7ffc9bb29da8) at server.c:1851

24102 Memcheck, a memory error detector
24102 Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
24102 Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
24102 Command: ./src/lighttpd -t -f /tmp/crash
24102
2017-05-06 10:31:16: (configfile.c.393) unexpected value for server.modules; expected list of "mod_xxxxxx" strings
24102 Invalid read of size 8
24102 at 0x42C28B: buffer_is_equal_string (buffer.c:396)
24102 by 0x41CCCA: config_insert (configfile.c:413)
24102 by 0x41CCCA: config_read (configfile.c:1371)
24102 by 0x40C136: server_main (server.c:883)
24102 by 0x40C136: main (server.c:1851)
24102 Address 0x9 is not stack'd, malloc'd or (recently) free'd
24102
24102
24102 Process terminating with default action of signal 11 (SIGSEGV): dumping core
24102 Access not within mapped region at address 0x9
24102 at 0x42C28B: buffer_is_equal_string (buffer.c:396)
24102 by 0x41CCCA: config_insert (configfile.c:413)
24102 by 0x41CCCA: config_read (configfile.c:1371)
24102 by 0x40C136: server_main (server.c:883)
24102 by 0x40C136: main (server.c:1851)
24102 If you believe this happened as a result of a stack
24102 overflow in your program's main thread (unlikely but
24102 possible), you can try to increase the size of the
24102 main thread stack using the --main-stacksize= flag.
24102 The main thread stack size used in this run was 8388608.
24102
24102 HEAP SUMMARY:
24102 in use at exit: 6,872 bytes in 102 blocks
24102 total heap usage: 156 allocs, 54 frees, 16,900 bytes allocated
24102
24102 LEAK SUMMARY:
24102 definitely lost: 0 bytes in 0 blocks
24102 indirectly lost: 0 bytes in 0 blocks
24102 possibly lost: 0 bytes in 0 blocks
24102 still reachable: 6,872 bytes in 102 blocks
24102 suppressed: 0 bytes in 0 blocks
24102 Rerun with --leak-check=full to see details of leaked memory
24102
24102 For counts of detected and suppressed errors, rerun with: -v
24102 ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 24102 segmentation fault valgrind ./src/lighttpd -t -f /tmp/crash

Cheers,
Stephan Zeisberg


Files

crash (524 Bytes) crash stze, 2017-05-06 08:31
Actions #1

Updated by stbuehler over 7 years ago

  • Subject changed from Memory corruption in buffer_is_equal_string (buffer.c), SIGSEGV to Missing array entry type check in config_insert (configfile.c), SIGSEGV

Minified reproducer:

server.modules = ( 1 )

config_insert does check the type of the server.modules entries, but doesn't abort immediately. It probably should check the type again in line 411 (ds = (data_string *)srv->srvconf.modules->data[i];), or abort before.

Actions #2

Updated by gstrauss over 7 years ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.46
--- a/src/configfile.c
+++ b/src/configfile.c
@@ -393,9 +393,7 @@ static int config_insert(server *srv) {
                log_error_write(srv, __FILE__, __LINE__, "s",
                                "unexpected value for server.modules; expected list of \"mod_xxxxxx\" strings");
                ret = HANDLER_ERROR;
-       }
-
-       {
+       } else {
                data_string *ds;
                int prepend_mod_indexfile = 1;
                int append_mod_dirlisting = 1;
Actions #3

Updated by gstrauss over 7 years ago

  • Category set to core
Actions #4

Updated by gstrauss over 7 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
Actions

Also available in: Atom