This revision fixes a possible out-of-bounds read that can result in a DoS.
It is documented at https://android-review.googlesource.com/c/platform/bionic/+/1093130:
In ns_name_skip of ns_name.c, there is a possible out of bounds read due to
a missing bounds check. This could lead to remote denial of service with no
additional execution privileges needed. User interaction is not needed for
exploitation.
Google's fix is applied in this patch.
I was notified by maya@NetBSD.org of this in an email stating:
Date: Tue, 3 Sep 2019 13:54:18 -0700
From: enh <enh@google.com>
To: "tech-userlevel@netbsd.org User-Level Technical" <tech-userlevel@netbsd.org>
Subject: Fwd: Change in aosp/bionic[master]: [fuzzers] Test for ns_parserr() and got a heap-buffer-overflow.
FYI, https://android-review.googlesource.com/c/platform/bionic/+/1093130
fixes a bug recently found by fuzzing the DNS code we share with
NetBSD.
---------- Forwarded message ---------
Subject: Change in aosp/bionic[master]: [fuzzers] Test for
ns_parserr() and got a heap-buffer-overflow.
Bruce Chen would like Elliott Hughes to review this change.
Test for ns_parserr() and got a heap-buffer-overflow
In ns_name_skip of ns_name.c, there is a possible out of bounds read due to
a missing bounds check. This could lead to remote denial of service with no
additional execution privileges needed. User interaction is not needed for
exploitation.
Bug: 137346580
Test: built, flashed, booted
Test: ns_parserr_fuzzer test
Change-Id: Ib023bd9b2ae97795d64195de9922a6a32d7b2f37
M libc/dns/nameser/ns_name.c
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libc/dns/nameser/ns_name.c b/libc/dns/nameser/ns_name.c
index 3a202c1..c2dc80f 100644
- a/libc/dns/nameser/ns_name.c
+++ b/libc/dns/nameser/ns_name.c
@@ -692,7 +692,7 @@
{
const u_char *cp; u_int n;
- int l;
+ int l=0;
cp = *ptrptr; while (cp < eom && (n = *cp++) != 0) {
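Review bot: `int l=0;` is doing real work rather than cosmetic cleanup, because with the guard added in the second hunk `labellen()` is no longer called once `cp` has reached `eom`, and `l` would otherwise be read uninitialised on that path; a one-line comment saying so would stop the next reader from dropping the initialiser as redundant, and `int l = 0;` with spaces matches the surrounding declarations.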
@@ -702,7 +702,7 @@
cp += n; continue; case NS_TYPE_ELT: /* EDNS0 extended label */
- if ((l = labellen(cp - 1)) < 0) {
+ if (cp < eom && (l = labellen(cp - 1)) < 0) {
errno = EMSGSIZE; /* XXX */ return(-1); }
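Review bot: the `cp < eom` guard does stop `labellen(cp - 1)` from reading `*cp` past the end of the message, but when `cp == eom` the whole condition is false and control falls through past the error return with `l` still 0 from the first hunk, so a name cut off inside an extended label is not reported at this point. If a truncated extended label should be rejected like an invalid one, `if (cp >= eom || (l = labellen(cp - 1)) < 0)` makes that explicit instead of relying on the zero-length skip.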
---------- End forwarded message ----------
NetBSD committed this at http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/nameser/ns_name.c.diff?r1=1.11&r2=1.12&only_with_tag=MAIN
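To make the check concrete, below is an added, self-contained C version of the patched `ns_name_skip()` loop; it is my example, not the bionic or NetBSD source, with a `labellen()` modelled on the libc one and a `skip_offset()` wrapper I added for testing (both of those names, and the constructed wire-format names used to exercise it, are mine).

```c
#include <errno.h>
#define NS_CMPRSFLGS            0xc0  /* label type bits */
#define NS_TYPE_ELT             0x40  /* EDNS0 extended label */
#define DNS_LABELTYPE_BITSTRING 0x41  /* RFC 2673 bit-string label */

/* Byte length of the label at *lp, or -1 for an unknown type. A bit-string label makes this read lp[1]. */
static int labellen(const unsigned char *lp)
{
    int bitlen, l = *lp;
    if ((l & NS_CMPRSFLGS) == NS_CMPRSFLGS) return -1;   /* caller handles pointers */
    if ((l & NS_CMPRSFLGS) != NS_TYPE_ELT) return l;     /* ordinary label */
    if (l != DNS_LABELTYPE_BITSTRING) return -1;         /* unknown ELT */
    if ((bitlen = lp[1]) == 0) bitlen = 256;             /* the byte the patch guards */
    return (bitlen + 7) / 8 + 1;
}

/* Advance *ptrptr past one wire-format name; 0 on success, -1 (errno = EMSGSIZE) if malformed. */
int ns_name_skip_fixed(const unsigned char **ptrptr, const unsigned char *eom)
{
    const unsigned char *cp = *ptrptr; unsigned n;
    int l = 0;                  /* hunk 1: defined even when the guard below is false */
    while (cp < eom && (n = *cp++) != 0) {
        switch (n & NS_CMPRSFLGS) {
        case 0:                 /* ordinary label, n is its length */
            cp += n;
            continue;
        case NS_TYPE_ELT:       /* hunk 2: labellen() reads cp[0], so require cp < eom */
            if (cp < eom && (l = labellen(cp - 1)) < 0) {
                errno = EMSGSIZE; return -1;
            }
            cp += l;
            continue;
        case NS_CMPRSFLGS:      /* compression pointer: one more offset byte */
            cp++;
            break;
        default:                /* 0x80 label type is reserved */
            errno = EMSGSIZE; return -1;
        }
        break;
    }
    if (cp > eom) { errno = EMSGSIZE; return -1; }   /* a label length ran past eom */
    *ptrptr = cp;
    return 0;
}
/* Test helper: offset just past the name at the start of msg, or -1 if malformed. */
int skip_offset(const unsigned char *msg, int len)
{
    const unsigned char *p = msg;
    return ns_name_skip_fixed(&p, msg + len) == 0 ? (int)(p - msg) : -1;
}
```

The constructed one-byte message `{0x41}` is the shape the fuzzer hit: the bit-string label byte is the last byte, so the unguarded `labellen()` would read one past `eom`; with the guard the skip stays inside the buffer.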