
Test for ns_parserr() and got a heap-buffer-overflow
ClosedPublic

Authored by cy on Sep 4 2019, 7:14 PM.

Details

Summary

This revision fixes a possible out-of-bounds read that can result in a denial of service (DoS).

It is documented at https://android-review.googlesource.com/c/platform/bionic/+/1093130:

In ns_name_skip of ns_name.c, there is a possible out of bounds read due to
a missing bounds check. This could lead to remote denial of service with no
additional execution privileges needed. User interaction is not needed for
exploitation.

Google's fix is applied in this patch.

I was notified by maya@NetBSD.org of this in an email stating:

Date: Tue, 3 Sep 2019 13:54:18 -0700
From: enh <enh@google.com>
To: "tech-userlevel@netbsd.org User-Level Technical" <tech-userlevel@netbsd.org>
Subject: Fwd: Change in aosp/bionic[master]: [fuzzers] Test for ns_parserr() and got a heap-buffer-overflow.

FYI, https://android-review.googlesource.com/c/platform/bionic/+/1093130
fixes a bug recently found by fuzzing the DNS code we share with
NetBSD.

---------- Forwarded message ---------

Subject: Change in aosp/bionic[master]: [fuzzers] Test for
ns_parserr() and got a heap-buffer-overflow.

Bruce Chen would like Elliott Hughes to review this change.


Test for ns_parserr() and got a heap-buffer-overflow

In ns_name_skip of ns_name.c, there is a possible out of bounds read due to
a missing bounds check. This could lead to remote denial of service with no
additional execution privileges needed. User interaction is not needed for
exploitation.

Bug: 137346580
Test: built, flashed, booted
Test: ns_parserr_fuzzer test

Change-Id: Ib023bd9b2ae97795d64195de9922a6a32d7b2f37

M libc/dns/nameser/ns_name.c
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libc/dns/nameser/ns_name.c b/libc/dns/nameser/ns_name.c
index 3a202c1..c2dc80f 100644

  • a/libc/dns/nameser/ns_name.c

+++ b/libc/dns/nameser/ns_name.c
@@ -692,7 +692,7 @@
{

const u_char *cp;
u_int n;
  • int l;

+ int l=0;

cp = *ptrptr;
while (cp < eom && (n = *cp++) != 0) {
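Review bot: the initializer in `+ int l=0;` is load-bearing, not cosmetic: it is what keeps `l` defined when the `cp < eom` guard added in the next hunk short-circuits the `labellen()` assignment, so a short comment on that line would stop a later reader from "simplifying" it back to `int l;`. Style-wise the surrounding code spaces its assignments (`cp = *ptrptr;`), so `int l = 0;` would match.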

@@ -702,7 +702,7 @@

cp += n;
continue;
case NS_TYPE_ELT: /* EDNS0 extended label */
  • if ((l = labellen(cp - 1)) < 0) {

+ if (cp < eom && (l = labellen(cp - 1)) < 0) {

errno = EMSGSIZE; /* XXX */
return(-1);
}
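Review bot: the new guard `if (cp < eom && (l = labellen(cp - 1)) < 0)` keeps `labellen()` from reading the byte at `eom`, but when `cp == eom` the whole condition is false and the function carries on with `l` still 0 instead of reporting the truncated label; an EDNS0 label type octet with no length byte behind it is a malformed message, so `if (cp >= eom || (l = labellen(cp - 1)) < 0)` would both keep the read in bounds and return `EMSGSIZE` through the existing error path on the next two lines.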


----- End forwarded message -----

NetBSD committed this at http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/nameser/ns_name.c.diff?r1=1.11&r2=1.12&only_with_tag=MAIN

Test Plan

Build and install locally, use prior to commit.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

cy created this revision. Sep 4 2019, 7:14 PM
delphij accepted this revision. Sep 5 2019, 5:56 AM
This revision is now accepted and ready to land. Sep 5 2019, 5:56 AM
ume accepted this revision. Sep 5 2019, 5:26 PM

It seems good to me.

This revision was automatically updated to reflect the committed changes.