InterLinked1 / lbbs

Lightweight BBS For Linux - Bulletin Board System server software
GNU General Public License v2.0

socket.c: SEGV due to integer overflows #23

Closed InterLinked1 closed 8 months ago

InterLinked1 commented 8 months ago

If bbs_node_read returns a negative value, this causes integer overflow since it is stored in a size_t, so the abort check is skipped and memchr attempts to scan 18446744073709551615 (== -1) bytes, causing the segfault.

Example 1:

[2023-10-19 03:21:19.696]   DEBUG[2042509]: node.c:562 node_shutdown: Shutdown pending finalization for node 2
[2023-10-19 03:21:19.696]   DEBUG[2042509]: node.c:579 node_free: Node 2 now freed
[2023-10-19 03:21:19.696]   == Node 2 has exited
[2023-10-19 03:21:19.696]   DEBUG[2042509]: thread.c:122 __thread_unregister: Thread 2042509 is exiting (detached)
[2023-10-19 03:21:21.194]   DEBUG[2042511]: socket.c:1791 bbs_node_readline: Received CR and/or LF from client, but no NUL?
[2023-10-19 03:21:21.194]   DEBUG[2042511]: socket.c:1791 bbs_node_readline: Received CR and/or LF from client, but no NUL?
[2023-10-19 03:21:21.194]   DEBUG[2042511]: socket.c:1791 bbs_node_readline: Received CR and/or LF from client, but no NUL?
[2023-10-19 03:21:21.194]   DEBUG[2042511]: socket.c:1791 bbs_node_readline: Received CR and/or LF from client, but no NUL?
[2023-10-19 03:21:22.332]   DEBUG[2042511]: socket.c:1791 bbs_node_readline: Received CR and/or LF from client, but no NUL?
[2023-10-19 03:21:22.337]   DEBUG[2042511]: auth.c:238 do_authenticate: Attempting password authentication for user 'root'
[2023-10-19 03:21:22.339]   DEBUG[2042511]: mod_mysql.c:361 sql_stmt_fetch: SQL STMT fetch returned no more data
[2023-10-19 03:21:22.473]   DEBUG[2042511]: auth.c:261 do_authenticate: Login rejected by all (1) auth provider
[2023-10-19 03:21:22.474]    AUTH[2042511]: auth.c:566 bbs_user_authenticate: Login attempt rejected for user root (wrong password)
[2023-10-19 03:21:22.474]   DEBUG[2042511]: socket.c:1073 bbs_cidr_match_ipv4: IP comparison (24): 007dacd2/000a7400
[2023-10-19 03:21:22.474]   DEBUG[2042511]: mod_events.c:175 process_bad_ip: IP address 125.172.210.217 blacklist score: 7/0/0/0 (last offense: 18s/17793306us ago
[2023-10-19 03:21:22.474]   DEBUG[2042511]: event.c:127 bbs_event_broadcast: Event NODE_LOGIN_FAILED dispatched and consumed
[2023-10-19 03:21:22.474]   DEBUG[2042511]: term.c:109 bbs_node_set_input: Buffering/echo settings (1/1) have not changed for node 1
[2023-10-19 03:21:31.831]   DEBUG[2042512]: thread.c:129 __thread_unregister: Thread 2042512 is exiting (must be joined)
[2023-10-19 03:21:37.394]   DEBUG[2038892]: socket.c:906 __bbs_tcp_listener: Accepting new TELNET connection from 125.172.210.217
[2023-10-19 03:21:37.394]   DEBUG[2038892]: socket.c:907 __bbs_tcp_listener: accepted fd = 48
[2023-10-19 03:21:37.395]   DEBUG[2038892]: node.c:275 __bbs_node_request: Allocated new node with ID 2
[2023-10-19 03:21:37.395]   DEBUG[2038892]: net_telnet.c:69 telnet_send_command: Sent Telnet command: IAC WILL ECHO
[2023-10-19 03:21:37.395]   DEBUG[2038892]: net_telnet.c:69 telnet_send_command: Sent Telnet command: IAC DO NAWS
[2023-10-19 03:21:37.595]   DEBUG[2042516]: thread.c:95 thread_register: Thread 2042516 spawned from handler               started by thread 2038892 at socket.c:916 __bbs_tcp_listener()
[2023-10-19 03:21:37.595]   DEBUG[2042516]: node.c:1401 bbs_node_begin: Running BBS for node 2
[2023-10-19 03:21:37.595]    AUTH[2042516]: node.c:1402 bbs_node_begin: New TELNET connection to node 2 from 125.172.210.217:60281
[2023-10-19 03:21:37.595]   DEBUG[2042516]: node.c:389 bbs_node_safe_sleep: Sleeping on node 2 for 300 ms
[2023-10-19 03:21:37.595]   DEBUG[2042517]: thread.c:95 thread_register: Thread 2042517 spawned from pty_master            started by thread 2042516 at pty.c:241 bbs_pty_allocate()
[2023-10-19 03:21:38.346]   DEBUG[2042516]: socket.c:2462 bbs_node_wait_key: Waiting 75000 ms for any input
[2023-10-19 03:21:38.346]   DEBUG[2042516]: term.c:116 bbs_node_set_input: Node 2 (fd 51): input now unbuffered, echo disabled
[2023-10-19 03:21:38.506] WARNING[2042511]: socket.c:1497 bbs_node_read: Node 1 has no active slave fd
[2023-10-19 03:21:38.518]   DEBUG[2042516]: socket.c:1951 bbs_node_flush_input: Flushed 3 bytes
[2023-10-19 03:21:38.518]   DEBUG[2042516]: term.c:116 bbs_node_set_input: Node 2 (fd 51): input now buffered, echo enabled
Segmentation fault (core dumped)

Thread 1 (Thread 0x7fbfe2fed6c0 (LWP 2042511)):
#0  __memchr_avx2 () at ../sysdeps/x86_64/multiarch/memchr-avx2.S:224
#1  0x000055b74e20f5dd in bbs_node_readline (node=node@entry=0x7fbfec015950, ms=ms@entry=60000, buf=<optimized out>, buf@entry=0x7fbfe2fec990 "root", len=len@entry=64) at socket.c:1772
        bytes = 18446744073709551615
        res = <optimized out>
        left = <optimized out>
        bytes_read = <optimized out>
        startbuf = 0x7fbfe2fec990 "root"
        term = <optimized out>
        nterm = 0x7fbfe2fec994 ""
        keep_trying = <optimized out>
        __func__ = "bbs_node_readline"
#2  0x000055b74e202872 in authenticate (node=node@entry=0x7fbfec015950) at node.c:1086
        attempts = 1
        username = "root\00012345\nenable\nsystem\nY\001\354\277\177\000\000\001U\"N\267U\000\0008\221\"N\267U\000\0000\313\376\342\277\177\000\000\237\375\345\022\300\177\000"
        password = '\000' <repeats 63 times>
        __func__ = "authenticate"
#3  0x000055b74e204888 in node_intro (node=<optimized out>) at node.c:1224
        timebuf = "Thu Oct 19 2023 03:21 am UTC"
        __func__ = "node_intro"
        __func__ = "node_handler_term"
        node = 0x7fbfec015950
#4  node_handler_term (node=0x7fbfec015950) at node.c:1371
        __func__ = "node_handler_term"
        node = 0x7fbfec015950
#5  bbs_node_handler (varg=varg@entry=0x7fbfec015950) at node.c:1425
        node = 0x7fbfec015950
#6  0x000055b74e215987 in thread_run (data=<optimized out>) at thread.c:357
        __cancel_buf = {__cancel_jmp_buf = {{__cancel_jmp_buf = {140462410996736, -825731675087032409, 1, 140462274910272, 140462633838640, 140462115442688, -825731675177209945, -6873846711898460249}, _>
        __cancel_routine = 0x55b74e215c40 <thread_unregister>
        __cancel_arg = 0x7fbfe2fed6c0
        __not_first_call = <optimized out>
        ret = <optimized out>
        a = {start_routine = <optimized out>, data = <optimized out>, name = 0x7fbfec001840 "handler", ' ' 

Example 2:

[2023-10-20 14:50:15.110]   DEBUG[2062868]: thread.c:122 __thread_unregister: Thread 2062868 is exiting (detached)
[2023-10-20 14:50:26.339] WARNING[2062862]: socket.c:1497 bbs_node_read: Node 1 has no active slave fd
Segmentation fault (core dumped)

Thread 1 (Thread 0x7fba557f26c0 (LWP 2062862)):
#0  __memchr_avx2 () at ../sysdeps/x86_64/multiarch/memchr-avx2.S:224
#1  0x000056265c2775dd in bbs_node_readline (node=node@entry=0x7fba5c0019d0, ms=ms@entry=60000, buf=<optimized out>, buf@entry=0x7fba557f1990 "sh", len=len@entry=64) at socket.c:1772
        bytes = 18446744073709551615
        res = <optimized out>
        left = <optimized out>
        bytes_read = <optimized out>
        startbuf = 0x7fba557f1990 "sh"
        term = <optimized out>
        nterm = 0x7fba557f1992 ""
        keep_trying = <optimized out>
        __func__ = "bbs_node_readline"
#2  0x000056265c26a872 in authenticate (node=node@entry=0x7fba5c0019d0) at node.c:1086
        attempts = 2
        username = "sh\000uxshell\000\377\377\377\377\377\000\000\000\000\000\000\000\000\320\031\000\\\272\177\000\000\001\325(\\&V\000\0008\021)\\&V\000\0000\033\177U\272\177\000\000\237}낺\177\000"
        password = '\000' <repeats 63 times>
        __func__ = "authenticate"
#3  0x000056265c26c888 in node_intro (node=<optimized out>) at node.c:1224
        timebuf = "Fri Oct 20 2023 02:50 pm UTC"
        __func__ = "node_intro"
        __func__ = "node_handler_term"
        node = 0x7fba5c0019d0
#4  node_handler_term (node=0x7fba5c0019d0) at node.c:1371
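The failure mode described in this issue, a negative read result stored in an unsigned `size_t` so that the abort check never fires and the length handed to `memchr` becomes `SIZE_MAX`, is reproduced below as an added example. This is not code from lbbs: `mock_read` is a constructed stand-in for `bbs_node_read` that returns `-1` to simulate a read error, and the function names and signatures are assumptions chosen for illustration. The buggy variant deliberately stops short of calling `memchr` so that it can be run without faulting; the hardened variant keeps the signed return, rejects errors before converting to `size_t`, and bounds the scan by the buffer capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for a socket read (assumption, not bbs_node_read):
 * returns -1 on error, 0 on EOF, otherwise the number of bytes copied. */
static ssize_t mock_read(const char *src, ssize_t src_len, char *dst, size_t cap)
{
    if (src_len < 0) {
        return -1;                      /* simulated read error */
    }
    size_t n = (size_t)src_len < cap ? (size_t)src_len : cap;
    memcpy(dst, src, n);
    return (ssize_t)n;
}

/* Buggy pattern: the signed result is stored in a size_t, so -1 becomes
 * SIZE_MAX (18446744073709551615 on 64-bit) and the "no data" check is
 * skipped. Returns the length that WOULD be passed to memchr instead of
 * calling it, so this stays safe to execute. */
size_t buggy_scan_len(const char *src, ssize_t src_len, char *buf, size_t cap)
{
    size_t bytes = (size_t)mock_read(src, src_len, buf, cap);
    if (bytes == 0) {                   /* intended abort path, never taken for -1 */
        return 0;
    }
    return bytes;                       /* SIZE_MAX when the read failed */
}

/* Hardened pattern: keep the signed type, reject errors before the unsigned
 * conversion, and never scan past the caller's buffer.
 * Returns -1 on error, 0 when no newline is present, 1 when one is found. */
int safe_find_newline(const char *src, ssize_t src_len, char *buf, size_t cap,
                      size_t *out_pos)
{
    ssize_t res = mock_read(src, src_len, buf, cap);
    if (res < 0) {
        return -1;                      /* error: memchr is never reached */
    }
    if (res == 0) {
        return 0;                       /* EOF / no data */
    }
    size_t bytes = (size_t)res;
    if (bytes > cap) {
        return -1;                      /* defensive bound on the scan length */
    }
    const char *nl = memchr(buf, '\n', bytes);
    if (nl == NULL) {
        return 0;
    }
    *out_pos = (size_t)(nl - buf);
    return 1;
}

/* Small wrappers so each behaviour can be checked as a return value. */
size_t demo_buggy_on_error(void)
{
    char buf[64];
    return buggy_scan_len("root\n", -1, buf, sizeof buf);
}

int demo_safe_on_error(void)
{
    char buf[64];
    size_t pos = 0;
    return safe_find_newline("root\n", -1, buf, sizeof buf, &pos);
}

/* Returns the newline offset for a successful read, or -1 if none is found. */
int demo_safe_newline_offset(void)
{
    char buf[64];
    size_t pos = 0;
    if (safe_find_newline("root\n", 5, buf, sizeof buf, &pos) != 1) {
        return -1;
    }
    return (int)pos;
}

int main(void)
{
    printf("buggy length on read error : %zu\n", demo_buggy_on_error());
    printf("safe result on read error  : %d\n", demo_safe_on_error());
    printf("safe newline offset        : %d\n", demo_safe_newline_offset());
    return 0;
}
```

The point to carry into review of any read loop is that the signedness check must happen on the type the read function actually returns; once the value has been widened into `size_t`, `-1` is indistinguishable from a legitimately huge length and no later `<= 0` comparison can catch it.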