RUN cd /app/pound && git pull && ./bootstrap && export LDFLAGS='-fsanitize=address,undefine
d' CFLAGS='-fsanitize=address,undefined -g' && ./configure && make -j$(nproc) && make insta
ll
RUN cat < /usr/local/etc/pound.cfg
ListenHTTP
Address 127.0.0.1
Port 8000
Service
Backend
Address 127.0.0.1
Port 8001
End
End
End
EOF
=================================================================
==11==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000005d57 at pc 0x61f3f6a99d79 bp 0x760aa27fd050 sp 0x760aa27fd048
READ of size 1 at 0x502000005d57 thread T4
0 0x61f3f6a99d78 in backend_response /app/pound/src/http.c:3611
#1 0x61f3f6aa69f7 in do_http /app/pound/src/http.c:4817
#2 0x61f3f6aa7012 in thr_http /app/pound/src/http.c:4864
#3 0x760aa3c5b2d5 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
#4 0x760aa32a36c1 (/lib/x86_64-linux-gnu/libc.so.6+0x8c6c1) (BuildId: 652dfccae16d17796a09de192ed332fd65dc9abb)
#5 0x760aa331df6f in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x106f6f) (BuildId: 652dfccae16d17796a09de192ed332fd65dc9abb)
0x502000005d57 is located 5 bytes after 2-byte region [0x502000005d50,0x502000005d52)
allocated by thread T4 here:
0 0x760aa3ceede0 in strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:578
#1 0x61f3f6a91808 in http_request_read /app/pound/src/http.c:2692
#2 0x61f3f6a998e9 in backend_response /app/pound/src/http.c:3596
#3 0x61f3f6aa69f7 in do_http /app/pound/src/http.c:4817
#4 0x61f3f6aa7012 in thr_http /app/pound/src/http.c:4864
#5 0x760aa3c5b2d5 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
Thread T4 created by T0 here:
0 0x760aa3cecbb1 in pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:245
#1 0x61f3f6ab814b in worker_start /app/pound/src/pound.c:252
#2 0x61f3f6abbac3 in server /app/pound/src/pound.c:733
#3 0x61f3f6abe89b in main /app/pound/src/pound.c:1138
#4 0x760aa3240c89 (/lib/x86_64-linux-gnu/libc.so.6+0x29c89) (BuildId: 652dfccae16d17796a09de192ed332fd65dc9abb)
SUMMARY: AddressSanitizer: heap-buffer-overflow /app/pound/src/http.c:3611 in backend_response
Shadow bytes around the buggy address:
0x502000005a80: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
0x502000005b00: fa fa fd fa fa fa fd fd fa fa 02 fa fa fa 00 03
0x502000005b80: fa fa fd fd fa fa 00 00 fa fa fd fa fa fa fd fa
0x502000005c00: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
0x502000005c80: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
=>0x502000005d00: fa fa fd fa fa fa fd fd fa fa[02]fa fa fa fa fa
0x502000005d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000005e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000005e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000005f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000005f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==11==ABORTING
The bug
When Pound receives certain invalid responses from backends, it may access a heap buffer out of bounds.
To reproduce
WORKDIR /app
RUN apt -y update && apt -y upgrade && apt -y install --no-install-recommends perl autoconf automake libssl-dev wget git ca-certificates build-essential texinfo ncat
RUN git clone --recurse-submodules https://github.com/graygnuorg/pound
RUN cd /app/pound && git pull && ./bootstrap && export LDFLAGS='-fsanitize=address,undefine d' CFLAGS='-fsanitize=address,undefined -g' && ./configure && make -j$(nproc) && make insta ll
RUN cat < /usr/local/etc/pound.cfg
ListenHTTP
Address 127.0.0.1
Port 8000
Service
Backend
Address 127.0.0.1
Port 8001
End
End
End
EOF
RUN mkdir -p /usr/local/var/run
CMD printf 'A\r\n\r\n' | ncat -l 127.0.0.1 8001 &>/dev/null & sleep 1; pound -e & sleep 5; wget http://localhost:8000
================================================================= ==11==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000005d57 at pc 0x61f3f6a99d79 bp 0x760aa27fd050 sp 0x760aa27fd048 READ of size 1 at 0x502000005d57 thread T4
0 0x61f3f6a99d78 in backend_response /app/pound/src/http.c:3611
0x502000005d57 is located 5 bytes after 2-byte region [0x502000005d50,0x502000005d52) allocated by thread T4 here:
0 0x760aa3ceede0 in strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:578
Thread T4 created by T0 here:
0 0x760aa3cecbb1 in pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:245
SUMMARY: AddressSanitizer: heap-buffer-overflow /app/pound/src/http.c:3611 in backend_response Shadow bytes around the buggy address: 0x502000005a80: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa 0x502000005b00: fa fa fd fa fa fa fd fd fa fa 02 fa fa fa 00 03 0x502000005b80: fa fa fd fd fa fa 00 00 fa fa fd fa fa fa fd fa 0x502000005c00: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa 0x502000005c80: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa =>0x502000005d00: fa fa fd fa fa fa fd fd fa fa[02]fa fa fa fa fa 0x502000005d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x502000005e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x502000005e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x502000005f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x502000005f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==11==ABORTING