oss-sec mailing list archives
Re: Remote crash in MaraDNS 2.0.13 and git master
From: Ondřej Surý <ondrej () sury org>
Date: Mon, 14 Nov 2016 07:03:04 +0100
And attachments.

O.

--
Ondřej Surý <ondrej () sury org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – flour from the mill and supplies for baking bread of all kinds

On Mon, Nov 14, 2016, at 06:53, Ondřej Surý wrote:
> Hi all,
>
> AFL found another 5 crashes, totaling 6 unique crashes. Looking at the backtraces, it looks like it's just 3 unique crashes:
>
> - js_readuint16
> - js_substr
> - process_query -> this in fact looks like stack smashing, since it crashes on htons in an unrelated place
>
> id:000000
> id:000002
>
> Program received signal SIGSEGV, Segmentation fault.
> js_readuint16 (js=js@entry=0x6de290, offset=offset@entry=4) at JsStr.c:1064
> 1064 (*(js->string + offset + 1) & 0xff);
>
> id:000001
> id:000005
>
> Program received signal SIGSEGV, Segmentation fault.
> js_substr (source=source@entry=0x6de290, dest=dest@entry=0x6e37f0, start=start@entry=99, count=count@entry=63743) at JsStr.c:731
> 731 *(source->string + counter + start * source->unit_size);
>
> NOTE: id000001 cannot be reproduced on git master, but id000005 still crashes it, so they probably are separate issues after all.
>
> id:000003
> id:000004
>
> Program received signal SIGSEGV, Segmentation fault.
> proc_query (raw=0x6de5d0, ect=0x7fffffffd940, sock=0) at MaraDNS.c:2615
> 2615 ip = htonl((z->sin_addr).s_addr);
>
> This is after 58 AFL cycles. It will be worth retesting with ASAN enabled.
>
> Cheers,
> --
> Ondřej Surý <ondrej () sury org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
> Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
> Vše pro chleba (https://vseprochleba.cz) – flour from the mill and supplies for baking bread of all kinds
>
> On Sat, Nov 12, 2016, at 09:39, Ondřej Surý wrote:
>> Hi,
>>
>> while playing with fuzzing the DNS servers with AFL (2.35b) I found a remote crash bug in MaraDNS 2.0.13 js_readuint16. It can also be reproduced using the https://github.com/samboy/MaraDNS/ master branch.
>>
>> Attached is a patch to allow the fuzzing (it overrides getudp() with read(0, ..)), the input data that crashes MaraDNS, and the bt full output.
>>
>> Please assign a CVE. I would provide a patch, but MaraDNS code is extremely hard to navigate for me, so I'll leave the fix for the code author.
>>
>> AFL has finished only 1 cycle (and found the 1 unique crash), so I'll keep it running for a while.
>>
>> Cheers,
>> --
>> Ondřej Surý <ondrej () sury org>
>> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
>> Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
>> Vše pro chleba (https://vseprochleba.cz) – flour from the mill and supplies for baking bread of all kinds
>>
>> Email had 3 attachments:
>> + maradns.btfull 5k (application/octet-stream)
>> + allow-fuzzing.patch 2k (text/x-patch)
>> + id:000000,sig:11,src:007564,op:havoc,rep:32 1k (application/octet-stream)
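The two crash sites in the backtraces above read past the end of a js_string when offset+1 or start+count exceeds the bytes actually present. As an added example (not MaraDNS code and not from this thread), here is the shape of the bounds checks those functions lack, driven by a stdin reader like the posted allow-fuzzing.patch; the js_buf type, the function names and the 12-byte sample packet are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Hypothetical stand-in for MaraDNS's js_string: the bytes plus how many are valid. */
typedef struct { const unsigned char *string; size_t unit_count; } js_buf;
/* Constructed 12-byte DNS header: ID 0x1234, flags 0x0100, QDCOUNT 1, other counts 0. */
static const unsigned char SAMPLE_QUERY[12] = {0x12,0x34,0x01,0x00,0x00,0x01,0,0,0,0,0,0};

/* Bounds-checked 16-bit big-endian read. The crash site dereferences string[offset + 1]
 * with no length test; here both bytes must lie inside unit_count or -1 is returned. */
int checked_readuint16(const js_buf *js, size_t offset)
{
    if (js == NULL || js->string == NULL) return -1;
    if (offset >= js->unit_count || js->unit_count - offset < 2) return -1;
    return ((js->string[offset] & 0xff) << 8) | (js->string[offset + 1] & 0xff);
}

/* Bounds-checked substring copy. Rejects start/count pairs that run past the source
 * (the js_substr backtrace shows start=99, count=63743) or past dst. Returns bytes copied or -1. */
int checked_substr(const js_buf *src, unsigned char *dst, size_t dst_cap, size_t start, size_t count)
{
    if (src == NULL || src->string == NULL || dst == NULL) return -1;
    if (start > src->unit_count || count > src->unit_count - start || count > dst_cap) return -1;
    memcpy(dst, src->string + start, count);
    return (int)count;
}

/* Read the six 16-bit header fields (ID, FLAGS, QD/AN/NS/ARCOUNT); -1 if shorter than 12 bytes. */
int parse_dns_header(const js_buf *js, uint16_t out[6])
{
    for (size_t i = 0; i < 6; i++) {
        int v = checked_readuint16(js, 2 * i);
        if (v < 0) return -1;
        out[i] = (uint16_t)v;
    }
    return 0;
}

int main(void)
{
    static unsigned char raw[65536];
    ssize_t n = read(0, raw, sizeof raw);   /* one datagram from stdin, as the fuzzing patch does */
    /* Fall back to the constructed sample when nothing arrives on stdin. */
    js_buf js = { n > 0 ? raw : SAMPLE_QUERY, n > 0 ? (size_t)n : sizeof SAMPLE_QUERY };
    uint16_t hdr[6];
    if (parse_dns_header(&js, hdr) < 0) { fputs("truncated header\n", stderr); return 1; }
    printf("id=%u flags=0x%04x qdcount=%u\n", (unsigned)hdr[0], (unsigned)hdr[1], (unsigned)hdr[2]);
    return 0;
}
```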
Attachments:
- id:000000,sig:11,src:007564,op:havoc,rep:32
- id:000001,sig:11,src:009775,op:arith8,pos:2,val:+6
- id:000002,sig:11,src:009794+007532,op:splice,rep:2
- 0.bin
- id:000004,sig:11,src:009854,op:arith8,pos:0,val:-29
- id:000005,sig:11,src:009792,op:flip2,pos:2