ACE_TAO icon indicating copy to clipboard operation
ACE_TAO copied to clipboard

Published 20 hours ago verified publisher icon DOCGroup

ACE has a out-of-bounds array vulnerability, causing core dump.

Open liuxiaolongNew opened this issue 2 years ago • 5 comments

Version

ACE+TAO 6.5.14

Host machine and operating system

Linux 4.4.0-131-generic x86_64

Compiler name and version (including patch level)

gcc version 5.4.0 20160609

The problem effects:

Program coredump

Description

Coredump occurs occasionally in the CORBA service. There are two stacks. the first one:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  ACE_Active_Map_Manager<std::pair<CORBA::OctetSeq, TAO_Active_Object_Map_Entry*> >::find (this=0xaaaacaff0f10, this=0xaaaacaff0f10, internal_value=@0xffff4e77b0f0: 0x0, key=...) at /acetao/src/acetao_modify/ace/Active_Map_Manager_T.inl:64

the second one:

#0  TAO::unbounded_value_sequence<unsigned char>::operator== (rhs=..., this=0x7f93dedb7898) at ../../tao/Unbounded_Octet_Sequence_T.h:216
#1  TAO_Persistent_Strategy::find_servant_using_system_id_and_user_id (this=0x55ea0557f0b0, system_id=..., user_id=..., servant=@0x7f93dedb7880: 0x0, entry=@0x7f93dedb7888: 0x1000003f7)
    at /acetao/src/acetao_modify/TAO/tao/PortableServer/Active_Object_Map.cpp:906
#2  0x00007f94540c3ec7 in TAO_Active_Object_Map::find_servant_using_system_id_and_user_id (entry=@0x7f93dedb7888: 0x1000003f7, servant=@0x7f93dedb7880: 0x0, user_id=..., system_id=..., this=<optimized out>) at ../../tao/PortableServer/Active_Object_Map.inl:195
#3  TAO::Portable_Server::ServantRetentionStrategyRetain::find_servant (this=0x55ea056c5140, system_id=..., servant_upcall=..., poa_current_impl=...) at /acetao/src/acetao_modify/TAO/tao/PortableServer/ServantRetentionStrategyRetain.cpp:296
#4  0x00007f94540b446f in TAO::Portable_Server::RequestProcessingStrategyServantActivator::locate_servant (this=0x55ea056c50e0, system_id=..., servant_upcall=..., poa_current_impl=..., wait_occurred_restart_call=@0x7f93dedb79cf: false)
    at /acetao/src/acetao_modify/TAO/tao/PortableServer/RequestProcessingStrategyServantActivator.cpp:94
#5  0x00007f94540c73fb in TAO::Portable_Server::Servant_Upcall::prepare_for_upcall_i (this=this@entry=0x7f93dedb7a30, key=..., operation=operation@entry=0x55ea21af3470 "report", forward_to=..., wait_occurred_restart_call=@0x7f93dedb79cf: false)
    at /acetao/src/acetao_modify/TAO/tao/PortableServer/Servant_Upcall.cpp:123

Sample fix/ workaround

Vulnerable Function:

template <class T> ACE_INLINE int
ACE_Active_Map_Manager<T>::find (const ACE_Active_Map_Manager_Key &key,
                                 T *&internal_value) const
{
  ACE_UINT32 slot_index = key.slot_index ();
  ACE_UINT32 slot_generation = key.slot_generation ();

  if (slot_index > this->total_size_ ||
#if defined (ACE_HAS_LAZY_MAP_MANAGER)
      this->search_structure_[slot_index].free_ ||
#endif /* ACE_HAS_LAZY_MAP_MANAGER */
      this->search_structure_[slot_index].ext_id_.slot_generation () != slot_generation ||
      this->search_structure_[slot_index].ext_id_.slot_index () ==
                 (ACE_UINT32)this->free_list_id ())
    {
      return -1;
    }
  else
    {
      // This is where the user value is.
      internal_value = &this->search_structure_[slot_index].int_id_;
    }

  return 0;
}

Modifying the Index Judgment Condition Statement like these

-bash-4.2# diff old/ACE/ace/Active_Map_Manager_T.inl new/ACE/ace/Active_Map_Manager_T.inl
64c64
<   if (slot_index > this->total_size_ ||
\---
>   if (slot_index >= this->total_size_ ||

liuxiaolongNew avatar May 20 '22 07:05 liuxiaolongNew

Please extend one of the unit tests in the ACE/tests directory as reproducer, when you have that, please open a pull request with the test extension and another one for the proposed fix

jwillemsen avatar May 20 '22 07:05 jwillemsen

Please extend one of the unit tests in the ACE/tests directory as reproducer, when you have that, please open a pull request with the test extension and another one for the proposed fix

I cannot reproduce this bug stably. It only occurs when fuzzing is used. I think it's an obvious out-of-bounds array

liuxiaolongNew avatar May 20 '22 08:05 liuxiaolongNew

It seems like this could be tested without fuzzing. The ACE_Active_Map_Manager_Key input parameter can have any value for slot_index, including an invalid one. Using a tool like Address Sanitizer would show invalid memory access.

mitza-oci avatar May 20 '22 14:05 mitza-oci

It seems like this could be tested without fuzzing. The ACE_Active_Map_Manager_Key input parameter can have any value for slot_index, including an invalid one. Using a tool like Address Sanitizer would show invalid memory access.

OK,I'll try to write a UT test the ACE_Active_Map_Manager_Key

liuxiaolongNew avatar May 22 '22 03:05 liuxiaolongNew