doh
malicious server response causes out of bounds read in store_cname function
A specially crafted response from a DoH server can cause store_cname to read data out of bounds:
ASan stack trace:
==3100859==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f08f3f00d68 at pc 0x55b90efcb4e6 bp 0x7ffdd6a6f910 sp 0x7ffdd6a6f908
READ of size 8 at 0x7f08f3f00d68 thread T0
#0 0x55b90efcb4e5 in store_cname /home/fusl/Projects/curl/doh/doh.c:422:13
#1 0x55b90efcb4e5 in rdata /home/fusl/Projects/curl/doh/doh.c:495:10
#2 0x55b90efcb4e5 in doh_decode /home/fusl/Projects/curl/doh/doh.c:588:10
#3 0x55b90efcb4e5 in main /home/fusl/Projects/curl/doh/doh.c:965:18
#4 0x7f08f622accf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
#5 0x7f08f622ad89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
#6 0x55b90ee921c4 in _start (/home/fusl/Projects/curl/doh/doh+0x1f1c4) (BuildId: 1dfaebf7d37031b4a7bb6886e4aabdb4dcec14d6)
Address 0x7f08f3f00d68 is located in stack of thread T0 at offset 3432 in frame
#0 0x55b90efc856f in main /home/fusl/Projects/curl/doh/doh.c:787
This frame has 8 object(s):
[32, 832) 'urls' (line 795)
[960, 964) 'still_running' (line 799)
[976, 3432) 'd' (line 801) <== Memory access at offset 3432 overflows this variable
[3568, 3572) 'queued' (line 804)
[3584, 3588) 'numfds' (line 922)
[3600, 3616) 'wait' (line 940)
[3632, 3640) 'probe' (line 950)
[3664, 3672) 'response_code' (line 962)
The frame table pins the read down: d occupies [976, 3432) in main's frame, so the faulting 8-byte read at offset 3432 is the first byte after the end of d. In other words, store_cname is reading past the struct d that main keeps on the stack, not past the DNS message buffer. The server response that triggers this out of bounds read is below; its 12-byte header decodes to ID 0, flags 0x8130, QDCOUNT 1, ANCOUNT 0, NSCOUNT 1 and ARCOUNT 0x3030, and nearly every byte after the header is 0x30, which in DNS wire format is a label length of 48 followed by '0' characters:
00000000: 0000 8130 0001 0000 0001 3030 0030 3030 ...0......00.000
00000010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000050: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000070: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000090: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000000a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000000b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000000c0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000000d0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000000e0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000000f0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000100: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000110: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000120: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000130: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000140: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000150: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000160: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000170: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000180: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000190: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000001a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000001b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000001c0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000001d0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000001e0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000001f0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000200: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000210: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000220: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000230: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000240: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000250: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000260: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000270: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000280: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000290: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000002a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000002b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000002c0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000002d0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000002e0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000002f0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000300: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000310: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000320: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000330: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000340: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000350: 3030 0030 3030 3030 3030 3000 0000 3030 00.00000000...00
00000360: 3030 3030 3030 0000 0030 3030 3030 3030 000000...0000000
00000370: 3000 0030 3030 3030 3030 3030 3030 3030 0..0000000000000
00000380: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000390: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000003a0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000003b0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000003c0: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
000003d0: 3030 3030 3000 3030 3030 3030 3030 0000 00000.00000000..
000003e0: 0030 3030 3030 3030 3000 0000 3030 3030 .00000000...0000
000003f0: 3030 3030 0000 0030 3030 3030 3030 30 0000...00000000
This bug was discovered with the help of AFL++ in combination with ASan.