ACE_TAO
ACE_TAO copied to clipboard
DOCGroup
ACE has a out-of-bounds array vulnerability, causing core dump.
Version
ACE+TAO 6.5.14
Host machine and operating system
Linux 4.4.0-131-generic x86_64
Compiler name and version (including patch level)
gcc version 5.4.0 20160609
The problem effects:
Program coredump
Description
Coredump occurs occasionally in the CORBA service. There are two stacks. the first one:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 ACE_Active_Map_Manager<std::pair<CORBA::OctetSeq, TAO_Active_Object_Map_Entry*> >::find (this=0xaaaacaff0f10, this=0xaaaacaff0f10, internal_value=@0xffff4e77b0f0: 0x0, key=...) at /acetao/src/acetao_modify/ace/Active_Map_Manager_T.inl:64
the second one:
#0 TAO::unbounded_value_sequence<unsigned char>::operator== (rhs=..., this=0x7f93dedb7898) at ../../tao/Unbounded_Octet_Sequence_T.h:216
#1 TAO_Persistent_Strategy::find_servant_using_system_id_and_user_id (this=0x55ea0557f0b0, system_id=..., user_id=..., servant=@0x7f93dedb7880: 0x0, entry=@0x7f93dedb7888: 0x1000003f7)
at /acetao/src/acetao_modify/TAO/tao/PortableServer/Active_Object_Map.cpp:906
#2 0x00007f94540c3ec7 in TAO_Active_Object_Map::find_servant_using_system_id_and_user_id (entry=@0x7f93dedb7888: 0x1000003f7, servant=@0x7f93dedb7880: 0x0, user_id=..., system_id=..., this=<optimized out>) at ../../tao/PortableServer/Active_Object_Map.inl:195
#3 TAO::Portable_Server::ServantRetentionStrategyRetain::find_servant (this=0x55ea056c5140, system_id=..., servant_upcall=..., poa_current_impl=...) at /acetao/src/acetao_modify/TAO/tao/PortableServer/ServantRetentionStrategyRetain.cpp:296
#4 0x00007f94540b446f in TAO::Portable_Server::RequestProcessingStrategyServantActivator::locate_servant (this=0x55ea056c50e0, system_id=..., servant_upcall=..., poa_current_impl=..., wait_occurred_restart_call=@0x7f93dedb79cf: false)
at /acetao/src/acetao_modify/TAO/tao/PortableServer/RequestProcessingStrategyServantActivator.cpp:94
#5 0x00007f94540c73fb in TAO::Portable_Server::Servant_Upcall::prepare_for_upcall_i (this=this@entry=0x7f93dedb7a30, key=..., operation=operation@entry=0x55ea21af3470 "report", forward_to=..., wait_occurred_restart_call=@0x7f93dedb79cf: false)
at /acetao/src/acetao_modify/TAO/tao/PortableServer/Servant_Upcall.cpp:123
Sample fix/ workaround
Vulnerable Function:
template <class T> ACE_INLINE int
ACE_Active_Map_Manager<T>::find (const ACE_Active_Map_Manager_Key &key,
T *&internal_value) const
{
ACE_UINT32 slot_index = key.slot_index ();
ACE_UINT32 slot_generation = key.slot_generation ();
if (slot_index > this->total_size_ ||
#if defined (ACE_HAS_LAZY_MAP_MANAGER)
this->search_structure_[slot_index].free_ ||
#endif /* ACE_HAS_LAZY_MAP_MANAGER */
this->search_structure_[slot_index].ext_id_.slot_generation () != slot_generation ||
this->search_structure_[slot_index].ext_id_.slot_index () ==
(ACE_UINT32)this->free_list_id ())
{
return -1;
}
else
{
// This is where the user value is.
internal_value = &this->search_structure_[slot_index].int_id_;
}
return 0;
}
Modifying the Index Judgment Condition Statement like these
-bash-4.2# diff old/ACE/ace/Active_Map_Manager_T.inl new/ACE/ace/Active_Map_Manager_T.inl
64c64
< if (slot_index > this->total_size_ ||
\---
> if (slot_index >= this->total_size_ ||
Please extend one of the unit tests in the ACE/tests directory as reproducer, when you have that, please open a pull request with the test extension and another one for the proposed fix
Please extend one of the unit tests in the ACE/tests directory as reproducer, when you have that, please open a pull request with the test extension and another one for the proposed fix
I cannot reproduce this bug stably. It only occurs when fuzzing is used. I think it's an obvious out-of-bounds array
It seems like this could be tested without fuzzing. The ACE_Active_Map_Manager_Key input parameter can have any value for slot_index, including an invalid one. Using a tool like Address Sanitizer would show invalid memory access.
It seems like this could be tested without fuzzing. The ACE_Active_Map_Manager_Key input parameter can have any value for slot_index, including an invalid one. Using a tool like Address Sanitizer would show invalid memory access.
OK,I'll try to write a UT test the ACE_Active_Map_Manager_Key