Closed utoni closed 1 year ago
@utoni hi! I cannot reproduce this bug on the current dev branch.
Sorry. I forgot to mention what CC I am using. Initially, I was using clang-11 and tried it now again with clang-15.
Configure && Compile: ./autogen.sh --with-sanitizer --enable-fuzztargets CC=clang-15 CXX=clang++-15 --enable-option-checking=fatal --enable-debug-messages && make -j10
ASAN Output:
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2335160254
INFO: Loaded 1 modules (3962 inline 8-bit counters): 3962 [0x55fc672862d4, 0x55fc6728724e),
INFO: Loaded 1 PC tables (3962 PCs): 3962 [0x55fc67287250,0x55fc672969f0),
./fuzz/fuzz_ndpi_reader: Running 1 inputs 1 time(s) each.
Running: /home/toni/Downloads/crash-7a609ca81770bd664e9d9037ad256fce754fd4cf
ndpi_main.c:ndpi_validate_protocol_initialization:1023 - [0]: [NDPI] INTERNAL ERROR missing protoName initialization for [protoId=346]: recovering
ndpi_main.c:ndpi_load_protocols_file:4298 - [0]: Unable to open file protos.txt [No such file or directory]
ndpi_main.c:ndpi_load_categories_file:4036 - [0]: Unable to open file categories.txt [No such file or directory]
ndpi_main.c:ndpi_load_risk_domain_file:4113 - [0]: Unable to open file risky_domains.txt [No such file or directory]
ndpi_main.c:ndpi_load_malicious_ja3_file:4163 - [0]: Unable to open file ja3_fingerprints.csv [No such file or directory]
ndpi_main.c:ndpi_load_malicious_sha1_file:4227 - [0]: Unable to open file sha1_fingerprints.csv [No such file or directory]
ndpi_main.c:8637:5: runtime error: index 256 out of bounds for type 'char[256]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ndpi_main.c:8637:5 in
=================================================================
==26548==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e30f01d20 at pc 0x55fc668a605d bp 0x7ffddcf00770 sp 0x7ffddcf00768
WRITE of size 1 at 0x7f9e30f01d20 thread T0
==26548==WARNING: invalid path to external symbolizer!
==26548==WARNING: Failed to use and restart external symbolizer!
#0 0x55fc668a605c (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x70905c) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#1 0x55fc668a557b (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x70857b) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#2 0x55fc669e3875 (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x846875) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#3 0x55fc669d76eb (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x83a6eb) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#4 0x55fc669cf0ee (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x8320ee) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#5 0x55fc669ca080 (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x82d080) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#6 0x55fc669c8eff (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x82beff) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#7 0x55fc6685e02c (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x6c102c) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#8 0x55fc6685f757 (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x6c2757) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#9 0x55fc6685f3f7 (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x6c23f7) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#10 0x55fc668714fb (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x6d44fb) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#11 0x55fc6686d1c7 (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x6d01c7) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#12 0x55fc667e067c (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x64367c) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#13 0x55fc667dbbce (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x63ebce) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#14 0x55fc667b2ea2 (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x615ea2) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#15 0x55fc666d7242 (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x53a242) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#16 0x55fc666c1370 (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x524370) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#17 0x55fc666c6ff7 (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x529ff7) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#18 0x55fc666f0582 (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x553582) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
#19 0x7f9e32e46189 (/lib/x86_64-linux-gnu/libc.so.6+0x27189) (BuildId: 0401bd8da6edab3e45399d62571357ab12545133)
#20 0x7f9e32e46244 (/lib/x86_64-linux-gnu/libc.so.6+0x27244) (BuildId: 0401bd8da6edab3e45399d62571357ab12545133)
#21 0x55fc666bbb70 (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x51eb70) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
Address 0x7f9e30f01d20 is located in stack of thread T0 at offset 288 in frame
#0 0x55fc668a5c5f (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x708c5f) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
This frame has 2 object(s):
[32, 288) 'm' (line 8633) <== Memory access at offset 288 overflows this variable
[352, 608) 'm125' (line 8659)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/toni/git/nDPI/fuzz/fuzz_ndpi_reader+0x70905c) (BuildId: 563176f963ee03b4bb3c80f9378df3c0b55c47d7)
Shadow bytes around the buggy address:
0x0ff4461d8350: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0ff4461d8360: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0ff4461d8370: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0ff4461d8380: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff4461d8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff4461d83a0: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8
0x0ff4461d83b0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x0ff4461d83c0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3
0x0ff4461d83d0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff4461d83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff4461d83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26548==ABORTING
I see. Thx!
Describe the bug
A wild stack overflow appears. Found by the LLVM fuzzer on the current dev branch.
How to reproduce the reported bug
Reproducible using ndpiReader?
./fuzz/fuzz_ndpi_reader ./tests/crash-7a609ca81770bd664e9d9037ad256fce754fd4cf
./fuzz/fuzz_ndpi_reader ./tests/crash-925894061eefab70402f87a35b3539ca99cd5bf2
Crashes: llvm-fuzz-crashes.tar.gz
(due to an Out-Of-Time exception, I cannot fix the issue right now, seems like a simple string off-by-one mistake)
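The ASAN report above gives the three numbers that identify the defect class: the object 'm' occupies [32, 288) of the frame (256 bytes), the faulting write is at offset 288, and UBSan flags index 256 for a `char[256]`; that is a one-byte write exactly one past the end, the classic signature of a NUL terminator written after a copy loop that already filled the buffer. The following is an added, illustrative example of that pattern beside its bounded fix; it is not nDPI's code and does not claim to be what sits at ndpi_main.c:8637. `TOKEN_MAX`, the function names and the 300-byte sample input are assumptions made for the example. The buggy variant only reports where its terminator would land, so the example itself never performs the out-of-bounds write; building a real copy loop of that shape with `clang -g -fsanitize=address,undefined` reproduces the same pair of diagnostics.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption for the example: same size as the char[256] in the ASAN report. */
#define TOKEN_MAX 256

/* Buggy pattern: copy up to TOKEN_MAX bytes, then terminate at dst[i].
 * When the source holds TOKEN_MAX or more bytes, i == TOKEN_MAX and the
 * terminator write is the one-byte stack-buffer-overflow ASAN flags.
 * This function only computes the terminator index, so running it is safe. */
static size_t buggy_terminator_index(const char *src, size_t src_len)
{
    size_t i = 0;
    while (i < src_len && i < TOKEN_MAX)
        i++;            /* stand-in for dst[i] = src[i] */
    return i;           /* the buggy code would do dst[i] = '\0' here */
}

/* Hardened copy: reserve the last slot for the terminator and truncate.
 * Returns the number of payload bytes stored; a value smaller than src_len
 * tells the caller the token was truncated rather than silently clipped. */
static size_t copy_token_bounded(char dst[TOKEN_MAX], const char *src, size_t src_len)
{
    size_t n = src_len < TOKEN_MAX - 1 ? src_len : TOKEN_MAX - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';      /* n <= TOKEN_MAX - 1, always inside the buffer */
    return n;
}

/* Constructed sample input: a 300-byte token, longer than the buffer.
 * Returns 1 when the buggy index lands one past the end (TOKEN_MAX) and the
 * bounded copy stores exactly TOKEN_MAX - 1 bytes plus a terminator. */
static int demo(void)
{
    char oversized[300];
    char dst[TOKEN_MAX];
    memset(oversized, 'A', sizeof oversized);

    size_t bad_idx = buggy_terminator_index(oversized, sizeof oversized);
    size_t stored  = copy_token_bounded(dst, oversized, sizeof oversized);

    printf("buggy terminator index: %zu (valid indices are 0..%d)\n",
           bad_idx, TOKEN_MAX - 1);
    printf("bounded copy stored %zu bytes, strlen(dst)=%zu\n",
           stored, strlen(dst));

    return bad_idx == TOKEN_MAX
        && stored == TOKEN_MAX - 1
        && strlen(dst) == TOKEN_MAX - 1;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The truncation return value is the part worth keeping in real code: a parser that clips a token without telling the caller trades a crash for a silent misparse, so the bounded copy reports the stored length and lets the caller decide whether a clipped token is acceptable.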