Openvas-scanner 6.0 dies with segfault if hostlist is too long

[tdussa]

Hi,

I have run into an issue since I updated to openvas-scanner 6.0. We've installed via the atomic repo on CentOS 7, and all packages are up-to-date. I have not found any relevant bug reports that seem to address this issue.

The problem is that openvas-scanner dies with a segfault if the host list is too long (haven't nailed it down to the last byte, but it does suspiciously look like 255 or 256 bytes).

Expected behavior

Scan the hosts listed in the host list.

Current behavior

/var/log/gvm/openvassd.log shows that the scanner tries to resolve interesting host names and subsequently falls over (logs below). This very much looks like a buffer overflow to me, and some bisection testing shows that for a hostname list that is 242 characters long, everything works fine, but one hostname more (for a total of 265 characters) triggers the problem. This suspiciously looks like a static buffer of size 256 to me.

Steps to reproduce

1. Create a target with a host list that is more than 265 characters long.
2. Create a scan task with that target.
3. Run that scan task.

GVM versions

gsa: Greenbone Security Assistant 8.0.0

gvm: Greenbone Vulnerability Manager 8.0.0

openvas-scanner: OpenVAS Scanner 6.0.0

gvm-libs: 10.0.0-6924.el7.art

openvas-smb: 1.0.5-6923.el7.art

Environment

Operating system: CentOS Linux release 7.6.1810 (Core)

Installation method/source: Packaged via AtomiCorp.

Logfiles

/var/log/gvm/openvassd.log:

[...]
base hosts:WARNING:2019-05-24 09h09.08 utc:27074: Couldn't resolve hostname 0
base hosts:WARNING:2019-05-24 09h09.08 utc:27074: Couldn't resolve hostname 
base hosts:WARNING:2019-05-24 09h09.09 utc:27074: Couldn't resolve hostname ) $|crea1
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: SIGSEGV occurred!
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock(sighand_segv+0x39) [0x40dc29]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: /lib64/libc.so.6(+0x36280) [0x7f20d21dc280]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: /lib64/libgvm_base.so.10(gvm_hosts_resolve+0x40) [0x7f20d3a67dc0]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock(attack_network+0x213) [0x407923]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock() [0x40ab0e]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock(create_process+0xdd) [0x40d9dd]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock(main+0x34b) [0x405c9b]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f20d21c83d5]
sd   main:WARNING:2019-05-24 09h09.09 utc:27074: openvassd: Serving /var/run/openvassd.sock() [0x405eb8]
[...]

[cfi-gb]

As outlined in https://community.greenbone.net/t/openvas-scanner-6-0-dies-with-segfault-for-too-many-hosts/2507 this might be already fixed / resolved by https://github.com/greenbone/gvm-libs/pull/228 (Backport of https://github.com/greenbone/gvm-libs/pull/227 and parts of https://github.com/greenbone/gvm-libs/pull/211) which is shipped in the next maintenance release of GVM-10.

[tdussa]

Keeping my fingers crossed. I browsed through the commits in #228 (they're quite small anyway), and nothing in there looks like an obvious candidate to fix the above problem, but who knows. :)

[cfi-gb]

I browsed through the commits in #228 (they're quite small anyway), and nothing in there looks like an obvious candidate to fix the above problem, but who knows. :)

Just to note that #228 is completely unrelated and wasn't linked in my previous comment. I had linked https://github.com/greenbone/gvm-libs/pull/228 there which is in a different repository (gvm-libs). :)

A new release for gvm-libs (10.0.1) is available since yesterday: https://github.com/greenbone/gvm-libs/releases/tag/v10.0.1

[jjnicola]

Not reproducible.