Bug #3197

closed

Found a UAF bug in /src/chunk.c

Added by shangzhi_xu about 1 year ago. Updated about 1 year ago.

Status:
Fixed
Priority:
Normal
Category:
core
Target version:
ASK QUESTIONS IN Forums:
No

Description

File: /src/chunk.c
Function: chunkqueue_chunk_file_viewadj

Description:

munmap(cfv->mptr, (size_t)cfv->mlen); 

is called in this function [Line 1715].
Then, at line 1719,
c->file.view = chunk_file_view_failed(cfv);

is called; in this function, it calls chunk_file_view_release(cfv),
but in function chunk_file_view_release
munmap(cfv->mptr, (size_t)cfv->mlen);

is called again, as cfv->mptr != MAP_FAILED.

Suggestion:
I found that /*cfv->mptr= MAP_FAILED;*//*(assigned below)*/ was commented out at [Line 1716], which leads to this bug; maybe we should delete the comment marks on this statement.

Actions #1

Updated by gstrauss about 1 year ago

  • Category set to core
  • Status changed from New to Patch Pending
  • Target version changed from 1.4.xx to 1.4.70

Configuring lighttpd to use mmap is not the default in the build and must be enabled in the build with ./configure --enable-mmap

If you found this with a static analyzer, please provide details.

Actions #2

Updated by shangzhi_xu about 1 year ago

gstrauss wrote in #note-1:

Configuring lighttpd to use mmap is not the default in the build and must be enabled in the build with ./configure --enable-mmap

If you found this with a static analyzer, please provide details.

Thanks for your reply! Yes, I found it with static analysis with Goshawk https://github.com/Yunlongs/Goshawk. The details are just like I mentioned above. I think the trace in chunk.c [Line 1715] -> [Line 1719] -> [Line 156] might lead to a bug. So if you need any further information or details, please tell me~ I'll provide them as soon as possible.

Actions #3

Updated by gstrauss about 1 year ago

The chunk is generally opened prior to this function being called, and this feature is intended to be enabled in the lighttpd build on systems where the filesystem is trusted. Still, to fix this potential issue, I'll move the call to chunk_open_file_chunk() to the top of the func. Thank you for reporting the issue.

Actions #4

Updated by shangzhi_xu about 1 year ago

You are welcome. Thanks for your cooperation! Wish you have a good day~

Actions #5

Updated by gstrauss about 1 year ago

  • Status changed from Patch Pending to Fixed