couchbase / forestdb

A Fast Key-Value Storage Engine Based on Hierarchical B+-Tree Trie
Apache License 2.0

Crash when parsing malformed FDB #23

Open retpoline opened 2 years ago

retpoline commented 2 years ago

Hi folks,

An interesting crash was found while fuzz testing the forestdb_dump binary, which can be triggered via a malformed database file. Although this malformed file only crashes the program as-is, it could potentially be crafted further and create a security issue where these kinds of files would be able to compromise the process's memory by taking advantage of affordances given by memory corruption. It's recommended to harden the code to prevent these kinds of bugs, as it could greatly mitigate this issue and even future bugs.

crash.fdb.txt

(renamed to .txt for github)

$ forestdb_dump crash.fdb
Segmentation fault (core dumped)

$ gdb -q forestdb_dump
Reading symbols from forestdb_dump...

(gdb) r crash.fdb
Starting program: forestdb_dump crash.fdb
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff79f2700 (LWP 1245583)]
[New Thread 0x7ffff71f1700 (LWP 1245584)]
[New Thread 0x7ffff69f0700 (LWP 1245585)]
[New Thread 0x7ffff61ef700 (LWP 1245586)]

Thread 1 "forestdb_dump" received signal SIGSEGV, Segmentation fault.
_sb_read_given_no (file=0x5555555df630, sb_no=<optimized out>, sb=<optimized out>, log_callback=<optimized out>) at forestdb/src/superblock.cc:1520
1520            sb->bmp_doc_offset[i] = _endian_decode(enc_u64);

(gdb) bt
#0  _sb_read_given_no (file=0x5555555df630, sb_no=<optimized out>, sb=<optimized out>, log_callback=<optimized out>) at forestdb/src/superblock.cc:1520
#1  0x00005555555a7aa7 in sb_read_latest (file=0x5555555df630, sconfig=..., log_callback=<optimized out>) at forestdb/src/superblock.cc:1674
#2  0x000055555557d75e in filemgr_open (filename=filename@entry=0x7fffffffc5c0 "crash.fdb", ops=<optimized out>, config=config@entry=0x7fffffffc270, 
    log_callback=log_callback@entry=0x5555555db048) at forestdb/src/filemgr.cc:1005
#3  0x0000555555584036 in _fdb_open (handle=handle@entry=0x5555555daee0, filename=filename@entry=0x7fffffffe6b0 "crash.fdb", filename_mode=filename_mode@entry=FDB_VFILENAME, 
    config=config@entry=0x7fffffffdf10) at forestdb/src/forestdb.cc:1689
#4  0x0000555555585ae1 in fdb_open (ptr_fhandle=0x7fffffffe160, filename=0x7fffffffe6b0 "crash.fdb", fconfig=0x7fffffffe1a0)
    at forestdb/src/forestdb.cc:833
#5  0x0000555555563654 in process_file (opt=0x7fffffffe2e0) at forestdb/tools/forestdb_dump.cc:254
#6  0x0000555555561f75 in main (argc=2, argv=0x7fffffffe418) at forestdb/tools/forestdb_dump.cc:390

(gdb) i r
rax            0x68                104
rbx            0x5555555dfc00      93824992803840
rcx            0x5555555e0d30      93824992808240
rdx            0x88f46760570fd337  -8578117726758776009
rsi            0x652e23e27000      111248844943360
rdi            0x0                 0
rbp            0x7ffffffd4b20      0x7ffffffd4b20
rsp            0x7ffffffd4850      0x7ffffffd4850
r8             0x0                 0
r9             0x0                 0
r10            0x5555555ea000      93824992845824
r11            0xfffffffffffff000  -4096
r12            0xe744e44a068       15892692115560
r13            0x5555555df630      93824992802352
r14            0x7ffffffd48b8      140737488177336
r15            0xdeadcafebeefc002  -2401039830844719102
rip            0x5555555a7783      0x5555555a7783 <_sb_read_given_no(filemgr*, size_t, superblock*, err_log_callback*)+883>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

(gdb) x/i $rip
=> 0x5555555a7783 <_sb_read_given_no(filemgr*, size_t, superblock*, err_log_callback*)+883>:    mov    %rdx,-0x68(%r8,%rax,1)

(gdb) exploitable
Description: Access violation near NULL on destination operand
Short description: DestAvNearNull (15/22)
Hash: d6199a1b37a756f3d37f258a8faaa290.ecc8eda54691748cb17fcce5cae118bb
Exploitability Classification: PROBABLY_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.
Other tags: AccessViolation (21/22)
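Reading the dump above: the faulting instruction is `mov %rdx,-0x68(%r8,%rax,1)` with r8 = 0 and rax = 0x68, so the effective destination address is 0. The store at superblock.cc:1520 is therefore writing the decoded value (rdx) through a NULL `bmp_doc_offset` base, which is why the plugin tags it as a write near NULL rather than a wild write; the pointer is null when the loop runs, while the loop bound and the stored values still come from the file. The usual hardening for this class of bug is to validate any count read from the file against the bytes actually available before allocating, and never to index an allocation whose result was not checked. The following is an added example written for this page, not ForestDB's code and not its real superblock format: it uses a constructed, simplified layout (an 8-byte little-endian count followed by that many 8-byte offsets), hypothetical names (`sb_parse_unsafe`, `sb_parse_hardened`, `build_sb`, `SB_MAX_OFFSETS`), and shows the unsafe pattern next to the checked one.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified superblock layout used only for this example
 * (this is NOT ForestDB's on-disk format):
 *   bytes 0..7 : count of offsets, little-endian u64 (attacker-controlled)
 *   bytes 8..  : `count` little-endian u64 offsets
 */
#define SB_MAX_OFFSETS ((uint64_t)1 << 20)   /* assumed format-level sanity cap */

typedef enum {
    SB_OK = 0,
    SB_ERR_TRUNCATED,   /* buffer shorter than the fixed header */
    SB_ERR_COUNT,       /* count not backed by the file, or above the cap */
    SB_ERR_NOMEM        /* allocation failed */
} sb_status;

typedef struct {
    uint64_t  num_offsets;
    uint64_t *offsets;
} sb_example;

static uint64_t decode_u64le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

static void encode_u64le(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Unsafe pattern, shown for contrast and deliberately never called below:
 * the count is trusted as read, the size computation can wrap, malloc's
 * result is not checked, and the loop stores through whatever pointer came
 * back. A huge count makes malloc return NULL, so the first store lands at
 * address 0 plus the element offset: the same class of fault as the report. */
void sb_parse_unsafe(const uint8_t *buf, sb_example *out) {
    uint64_t n = decode_u64le(buf);
    out->offsets = (uint64_t *)malloc(n * sizeof(uint64_t));
    out->num_offsets = n;
    for (uint64_t i = 0; i < n; i++)
        out->offsets[i] = decode_u64le(buf + 8 + i * 8);
}

/* Hardened version: every value derived from the file is bounded by what the
 * file can actually back, and no pointer is dereferenced before being checked. */
sb_status sb_parse_hardened(const uint8_t *buf, size_t len, sb_example *out) {
    out->num_offsets = 0;
    out->offsets = NULL;
    if (len < 8) return SB_ERR_TRUNCATED;

    uint64_t n = decode_u64le(buf);
    /* Each offset costs 8 bytes, so a count above (len - 8) / 8 cannot exist in
     * the file. Dividing rather than multiplying keeps the check itself from
     * overflowing. */
    if (n > (uint64_t)(len - 8) / 8) return SB_ERR_COUNT;
    if (n > SB_MAX_OFFSETS) return SB_ERR_COUNT;
    if (n == 0) return SB_OK;

    uint64_t *arr = (uint64_t *)calloc((size_t)n, sizeof(uint64_t));
    if (arr == NULL) return SB_ERR_NOMEM;   /* never index an unchecked allocation */
    for (uint64_t i = 0; i < n; i++)
        arr[i] = decode_u64le(buf + 8 + i * 8);

    out->offsets = arr;
    out->num_offsets = n;
    return SB_OK;
}

void sb_free(sb_example *sb) {
    free(sb->offsets);
    sb->offsets = NULL;
    sb->num_offsets = 0;
}

/* Builds a constructed input: `count` goes in the header, `nvals` real offsets
 * follow it. A count that disagrees with nvals models a corrupted header.
 * Returns the number of bytes written, or 0 if `cap` is too small. */
size_t build_sb(uint8_t *out, size_t cap, uint64_t count,
                const uint64_t *vals, size_t nvals) {
    if (cap < 8 + 8 * nvals) return 0;
    encode_u64le(out, count);
    for (size_t i = 0; i < nvals; i++) encode_u64le(out + 8 + 8 * i, vals[i]);
    return 8 + 8 * nvals;
}

int main(void) {
    uint8_t buf[64];
    const uint64_t vals[2] = { 0x1000, 0x2000 };
    sb_example sb;

    size_t len = build_sb(buf, sizeof buf, 2, vals, 2);
    printf("well-formed: status=%d count=%llu\n",
           (int)sb_parse_hardened(buf, len, &sb), (unsigned long long)sb.num_offsets);
    sb_free(&sb);

    /* Corrupted header: absurd count with no backing data. */
    len = build_sb(buf, sizeof buf, UINT64_MAX, NULL, 0);
    printf("absurd count: status=%d\n", (int)sb_parse_hardened(buf, len, &sb));
    return 0;
}
```

The two checks that matter are the division-based bound against the buffer length (a count the file cannot contain is rejected before any allocation happens) and the NULL test on the allocation; either one alone would have turned the crash in the report into a clean error return from the open path.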